fix(stepfunctions): disabling logging still requires LogGroup #30816
Conversation
github-actions
bot
added
the
admired-contributor
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
|
|
aws-cdk-automation
added
the
pr/reviewer-clarification-requested
aws-cdk-automation
added
the
pr/needs-community-review
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
| if (logOptions.level !== LogLevel.OFF && !logOptions.destination) { | ||
| throw new Error('Logs destination is required when level is not OFF.'); | ||
| } |
There was a problem hiding this comment.
shall this validation be done earlier (at line 427) with other validations instead?
if (!logs && !logs.level != LogLevel.OFF && !logs.destination) { ...
reasons for ask:
- with current change, validations will be split across various places and as this file is big (and keep getting bigger), hence, it will become difficult to have complete picture of validation
- ideally, caller shall not even call
buildLoggingConfigurationif prerequisites are not met
There was a problem hiding this comment.
added a separate validation method validateLogOptions()
| if (logOptions.destination) { | ||
| // https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html#cloudwatch-iam-policy | ||
| this.addToRolePolicy(new iam.PolicyStatement({ | ||
| effect: iam.Effect.ALLOW, | ||
| actions: [ | ||
| 'logs:CreateLogDelivery', | ||
| 'logs:GetLogDelivery', | ||
| 'logs:UpdateLogDelivery', | ||
| 'logs:DeleteLogDelivery', | ||
| 'logs:ListLogDeliveries', | ||
| 'logs:PutResourcePolicy', | ||
| 'logs:DescribeResourcePolicies', | ||
| 'logs:DescribeLogGroups', | ||
| ], | ||
| resources: ['*'], | ||
| })); | ||
| } | ||
|
|
||
| return { | ||
| destinations: [{ | ||
| destinations: logOptions.destination ? [{ | ||
| cloudWatchLogsLogGroup: { logGroupArn: logOptions.destination.logGroupArn }, | ||
| }], | ||
| }] : undefined, |
There was a problem hiding this comment.
if we do this like as follows - will it reduce need to check logOptions.destination twice and simplify a bit?
let destinations = undefined;
if (logOptions.destination) {
// Policy addition
destinations = [{
cloudWatchLogsLogGroup: { logGroupArn: logOptions.destination.logGroupArn },
}];
}
return {
destinations,
...,
level: logOptions.level || LogLevel.ERROR
}
| */ | ||
| readonly destination: logs.ILogGroup; | ||
| readonly destination?: logs.ILogGroup; |
There was a problem hiding this comment.
will this not be a breaking change for existing usage? example:
const logOptions: LogOptions = {
destination: <LogGroup>
}
const stateMachine: StateMachine = new StateMachine(parent, 'ID', {
logs: logOptions,
...
}
...
stateMachine.logs.destination.logGroupName // Error
stateMachine.logs.destination!.logGroupName // Change needed
Some user(s) might be utilising ILogGroup's public properties from logOptions which will now cause issues because now such users will need to make non-null assertions before using such properties (e.g. with !)
There was a problem hiding this comment.
According to the jsii-diff documentation:
You are allowed to make inputs optional
So i think this change is not a breaking change.
|
|
||
| expect(() => { | ||
| new sfn.StateMachine(stack, 'MyStateMachine', { | ||
| definitionBody: sfn.DefinitionBody.fromChainable(sfn.Chain.start(new sfn.Pass(stack, 'Pass'))), |
There was a problem hiding this comment.
can we not directly pass new sfn.Pass(stack, 'Pass') to DefintionBody.fromChainable as Pass implements IChainable?
There was a problem hiding this comment.
it's just a copy & paste.
README also uses sfn.Chain.start() instead of bare sfn.Pass.
Tietew
changed the title
LogOptions.destination optional
github-actions
bot
added
the
effort/small
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Issue # (if applicable)
Closes #30814.
Reason for this change
To disable logging on a StateMachine (with logging enabled), we should specify
LogLevel.OFFtoLogOptions.level. But cannot remove the LogGroup becauseLogOptions.destinationis required.Description of changes
LogOptions.destinationoptional.LogOptions.destinationis present whenLogOptions.levelis notOFF.Description of how you validated changes
Unit and integ tests that verify
LogOptions.destinationis opitional whenLogOptions.levelisOFFand throw an exception otherwise.Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license