feat(events-targets): add CloudWatch LogGroup Target #10598
Still working on it. Just realized we need a CloudWatch log group with a name that starts with
…name required prefix
d8d2120 to 1ebf625
The LogGroup name is a token so the validation doesn't work. Adding comments in the docstring and in the README.md. Please, let me know if there is a way to validate it! I also have a question about the
@DaWyz for tokens, we skip validation since they're late bound values. if you do a quick search for re:
@shivlaks, I updated the code and added the check on the LogGroup name. About the

```ts
import * as events from '@aws-cdk/aws-events';
import * as logs from '@aws-cdk/aws-logs';
import * as cdk from '@aws-cdk/core';
import { RemovalPolicy } from '@aws-cdk/core';
// I copied the logGroup Target file locally. You will need to change this.
import { LogGroup } from '../lib/loggroup';

const app = new cdk.App();
const stack = new cdk.Stack(app, 'log-group-events');

const rule = new events.Rule(stack, 'rule', {
  eventPattern: {
    source: [stack.account],
  },
});

const logGroup = new logs.LogGroup(stack, 'MyLogGroup', {
  logGroupName: '/aws/events/MyLogGroup',
  removalPolicy: RemovalPolicy.DESTROY,
});

rule.addTarget(
  new LogGroup(logGroup, {
    event: events.RuleTargetInput.fromObject({
      status: events.EventField.fromPath('$.detail.status'),
      instanceId: events.EventField.fromPath('$.detail.instance-id'),
    }),
  }),
);
```

It is generating the following template:

```yaml
Resources:
  ruleF2C1DCDC:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - Ref: AWS::AccountId
      State: ENABLED
      Targets:
        - Arn:
            Fn::Join:
              - ""
              - - "arn:aws:logs:"
                - Ref: AWS::Region
                - ":"
                - Ref: AWS::AccountId
                - ":log-group:"
                - Ref: MyLogGroup5C0DAD85
          Id: Target0
          InputTransformer:
            InputPathsMap:
              detail-status: $.detail.status
              detail-instance-id: $.detail.instance-id
            InputTemplate: '{"status":<detail-status>,"instanceId":<detail-instance-id>}'
    Metadata:
      aws:cdk:path: log-group-events/rule/Resource
  MyLogGroup5C0DAD85:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/events/MyLogGroup
      RetentionInDays: 731
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Metadata:
      aws:cdk:path: log-group-events/MyLogGroup/Resource
```

The rule is triggered but it's reported as failed invocation. Creating everything from the AWS Console has the same result. I didn't find a way to investigate the failed invocation. Can't seem to find it in CloudTrail. Let me know if you need anything else.

@DaWyz thanks for sharing the snippet - I'll prioritize taking a look at this error tomorrow. It will probably be a good exercise to get caught up on this PR and close the loop on that issue.
need to resolve the inputTransformer issue described in the comments
@shivlaks, just an FYI, I added a DLQ to my Event Rule to see if I would get more information but it doesn't help... See below. I'm going to fix the conflicts later today or tomorrow.
Pull request has been modified.
91cf3fb to ca31660
@shivlaks I updated the PR so we can target any log groups. Someone in the issue pointed out it's possible to make it work as long as we add a resource policy. Please, check this out. Also, if you agree, I would like to remove the Input part for the rule as it doesn't seem to work anyway regardless of CDK. This way, we can make it available sooner. Let me know what you think.
@DaWyz ack! taking a look at this today!!
hey @DaWyz - took another pass through the code, getting closer!
Do you mind also filling in the implementation details in the commit body? I think it's important to capture the context and the decisions we're making in the PR.
packages/@aws-cdk/aws-events-targets/lib/log-group-resource-policy.ts
/** | ||
* The log group resource policy name | ||
*/ | ||
readonly policyName: string; |
does this need to be required? - I think there are a few places in the repo where we automatically generate if not provided (by using the logical ID of the policy resource)
I can't get the logical ID until the parent constructor is called (super()). And I have to pass the policyName as part of the parent constructor parameters. Tried scope.node.uniqueId() but it didn't work. I'm afraid it needs to be mandatory.
gotcha, it's worth a comment so this context isn't lost
So, I didn't know about cdk.Lazy.stringValue. Using it, I can generate a uniqueId as a default policyName.

```ts
let policyName = props.policyName || cdk.Lazy.stringValue({ produce: () => cdk.Names.uniqueId(this) });
```

I updated the code accordingly and removed the value I had initially created for the policyName!
Pull request has been modified.
@shivlaks Thanks for the review. Just a quick note on the Let me know if you have a better idea about this.
@shivlaks any chance you would have time to look into the PR this week?
@DaWyz - I think this is shaping up well and we're close. I had some minor suggestions, but looks great overall!
re: custom resource - since this is borrowed from the elasticsearch module which is experimental and this module is stable, we should ensure we address whatever sticks out as something we're not proud of. what stood out as potential problems / poor structure to you? perhaps we can improve on it without over-indexing on it to find a nice balance.
is there anything that you feel might result in us needing to make a breaking change? if we're good with the API itself, the implementation details can always be smoothed out in the future.
let me know what you think!!
/** | ||
* Customize the CloudWatch LogGroup Event Target | ||
*/ | ||
export interface LogGroupProps { |
can a role also be supplied? - some of our other event targets accept a role / create a singleton role for the target.
It is not possible to pass a role when using a LogGroup as a target. I tried it initially and got a CloudFormation error back.
gotcha, thanks for clarifying
policy: cr.AwsCustomResourcePolicy.fromSdkCalls({ | ||
// putResourcePolicy and deleteResourcePolicy don't support resource-level permissions. We must specify all resources ("*"). | ||
// https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncloudwatchlogs.html | ||
resources: ['*'], |
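Review bot: `resources: ['*']` on the `fromSdkCalls` policy lets the custom resource's role call putResourcePolicy and deleteResourcePolicy against every CloudWatch Logs resource policy in the account, not only the one this construct creates. The comment explains why the wildcard cannot be narrowed; consider also saying so in the construct's docstring, so that someone auditing the synthesized IAM policy finds the reason without reading the source.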
I think we could use AwsCustomResourcePolicy.ANY_RESOURCE here instead of *. This way, this piece of code would be aligned with AwsCustomResources readme.
https://docs.aws.amazon.com/cdk/api/latest/docs/custom-resources-readme.html#execution-policy-1
Pull request has been modified.
@shivlaks I think it's pretty stable. The CustomResource module is So I'm guessing we should highlight the fact that I'm happy to add a comment to this Pull Request and/or in the I don't think anything would result in a breaking change here. And we could definitely move Let me know if it makes sense and I will highlight this in the PR/code.
e58c248 to 90c19bb
@DaWyz go for it! let's ship this one out!!
@shivlaks I modified the PR text to highlight it. I didn't change the code since I'm not sure how/where to write this down (top of the file? top of the class? add a todo?). Please, feel free to add a comment in the file if you think it makes sense. Thanks again for your time reviewing this!
@DaWyz looks great!! thanks for working through this one with me. We really appreciate these contributions 😃
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Implementation

Update package @aws-cdk/aws-events-targets to include support for CloudWatch LogGroups.

The CloudWatchLogGroup event target must add a resource policy to CloudWatch LogGroups to allow events to be posted to the LogGroup. It requires a CustomResource to do so as it's not supported by CloudFormation.

The log-group-resource-policy.ts file should be moved to another module related to LogGroups so it can be easily shared. At the time of this pull request, it is not possible to add it into the aws-logs module because of a circular dependency issue.

Closes #9953

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
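
The description above says the event target must attach a CloudWatch Logs resource policy so that events can be posted to the log group. As an added example (not code from this pull request or from the CDK), the code below builds such a policy document scoped to one log group and audits a document for wider grants. The `events.amazonaws.com` principal, the two `logs:` actions, the `:*` ARN suffix, the function names and the sample ARN's region and account ID are assumptions or constructed values.

```typescript
// Added example, not code from the pull request. Names here are hypothetical.
interface Statement {
  Effect: 'Allow' | 'Deny';
  Principal: { Service: string | string[] } | '*';
  Action: string | string[];
  Resource: string | string[];
}
interface PolicyDocument { Version: string; Statement: Statement[]; }

// Assumption: the EventBridge service principal and the write actions it needs.
const EVENTS_PRINCIPAL = 'events.amazonaws.com';
const WRITE_ACTIONS = ['logs:CreateLogStream', 'logs:PutLogEvents'];

// Build a resource policy that lets EventBridge write to one log group only.
function buildEventsLogPolicy(logGroupArn: string): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Service: EVENTS_PRINCIPAL },
      Action: WRITE_ACTIONS,
      // Assumption: log streams sit under the group, hence the ":*" suffix.
      Resource: `${logGroupArn}:*`,
    }],
  };
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Return findings for every Allow statement that grants more than the target needs.
function auditLogPolicy(doc: PolicyDocument, logGroupArn: string): string[] {
  const findings: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== 'Allow') continue;
    const services = s.Principal === '*' ? ['*'] : asList(s.Principal.Service);
    if (services.some(p => p !== EVENTS_PRINCIPAL)) findings.push('principal not limited to EventBridge');
    if (asList(s.Action).some(a => WRITE_ACTIONS.indexOf(a) === -1)) findings.push('action beyond log writes');
    if (asList(s.Resource).some(r => r !== logGroupArn && r !== `${logGroupArn}:*`)) findings.push('resource wider than the log group');
  }
  return findings;
}

// Constructed sample input: the log group name is the one used in the thread.
const SAMPLE_ARN = 'arn:aws:logs:us-east-1:111122223333:log-group:/aws/events/MyLogGroup';
const WIDE_POLICY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: '*', Action: 'logs:*', Resource: '*' }],
};
```

`auditLogPolicy(buildEventsLogPolicy(SAMPLE_ARN), SAMPLE_ARN)` returns no findings, while `auditLogPolicy(WIDE_POLICY, SAMPLE_ARN)` reports the open principal, the wildcard action and the wildcard resource.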