aws-logs: add AccountPolicy L2 construct #34130


garysassano opened this issue Apr 13, 2025 · 1 comment
Labels
@aws-cdk/aws-logs Related to Amazon CloudWatch Logs feature-request A feature should be added or improved. p2

Comments

garysassano (Contributor) commented Apr 13, 2025

Describe the feature

The L2 construct equivalent of CfnAccountPolicy, aimed at reducing boilerplate code and simplifying configuration; it should help to prevent common pitfalls (see #31266).

Use Case

See above.

Proposed Solution

The AccountPolicy construct should accept an input of type AccountPolicyType, an enum with the following possible values:

  • LAMBDA
  • KINESIS_DATA_STREAM
  • DATA_FIREHOSE

Depending on the selected AccountPolicyType, you’ll need to provide a different kind of target. For example, if LAMBDA is specified, you must provide an IFunction. The required permissions for the target resource will be automatically attached when the AccountPolicy is created.

Other Information

Creating an account-level subscription filter involves 4 steps:

  1. Create the target resource for the subscription filter (Lambda, Kinesis Data Stream, or Data Firehose).
  2. Grant CloudWatch Logs permission to use the target resource.
  3. Add a dependency in the CDK resource graph to ensure the subscription filter is not created before the permission is granted.
  4. Create the account-level subscription filter.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.189.0

Environment details (OS name and version, etc.)

Ubuntu 24.04

@garysassano garysassano added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Apr 13, 2025
@github-actions github-actions bot added the @aws-cdk/aws-logs Related to Amazon CloudWatch Logs label Apr 13, 2025
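The four steps above are what an AccountPolicy L2 would have to hide. As an added example (not code from aws-cdk or from the issue author), here is a pure-TypeScript model of the work such a construct has to do before it can hand props to logs.CfnAccountPolicy: validate the target against the policy type, build the policyDocument JSON string and the selectionCriteria expression (step 4), and produce the permission documents needed for step 2. It runs without aws-cdk-lib; every name below (AccountPolicyInput, buildAccountPolicyProps, logsDeliveryRoleTrustPolicy, logsInvokePermission) is an assumption for illustration, not CDK API, and the 'aws' partition is hard-coded.

```typescript
// Added example, not aws-cdk code. Models the props an AccountPolicy L2 would
// compute before creating logs.CfnAccountPolicy; runs without aws-cdk-lib.

type AccountPolicyType = 'LAMBDA' | 'KINESIS_DATA_STREAM' | 'DATA_FIREHOSE';
type Distribution = 'Random' | 'ByLogStream';

interface AccountPolicyInput {
  policyName: string;
  policyType: AccountPolicyType;
  destinationArn: string;
  // Role CloudWatch Logs assumes to write into Kinesis / Firehose.
  // Lambda targets use a resource-based permission instead, so no role.
  roleArn?: string;
  filterPattern?: string;      // '' matches every event
  distribution?: Distribution; // Kinesis Data Streams only
  excludeLogGroups?: string[]; // rendered into selectionCriteria
}

// Shape of CfnAccountPolicyProps as CloudFormation expects it:
// policyDocument is a JSON *string*, not an object (a common pitfall).
interface AccountPolicyProps {
  policyName: string;
  policyType: 'SUBSCRIPTION_FILTER_POLICY';
  policyDocument: string;
  scope: 'ALL';
  selectionCriteria?: string;
}

const ARN_SERVICE: Record<AccountPolicyType, string> = {
  LAMBDA: 'lambda',
  KINESIS_DATA_STREAM: 'kinesis',
  DATA_FIREHOSE: 'firehose',
};

// Characters CloudWatch Logs allows in a log group name; anything else would
// break the quoted list in selectionCriteria, so reject it early.
const LOG_GROUP_NAME = /^[A-Za-z0-9_\-/.#]+$/;

function buildAccountPolicyProps(input: AccountPolicyInput): AccountPolicyProps {
  const service = ARN_SERVICE[input.policyType];
  if (!new RegExp(`^arn:[^:]+:${service}:`).test(input.destinationArn)) {
    throw new Error(`${input.policyType} target must be a ${service} ARN, got ${input.destinationArn}`);
  }
  const needsRole = input.policyType !== 'LAMBDA';
  if (needsRole && !input.roleArn) {
    throw new Error(`${input.policyType} targets require a roleArn for CloudWatch Logs to assume`);
  }
  if (!needsRole && input.roleArn) {
    throw new Error('LAMBDA targets take a resource-based permission, not a roleArn');
  }
  if (input.distribution && input.policyType !== 'KINESIS_DATA_STREAM') {
    throw new Error('distribution is only valid for KINESIS_DATA_STREAM targets');
  }
  for (const name of input.excludeLogGroups ?? []) {
    if (!LOG_GROUP_NAME.test(name)) throw new Error(`invalid log group name: ${name}`);
  }

  const document: Record<string, string> = {
    DestinationArn: input.destinationArn,
    FilterPattern: input.filterPattern ?? '',
  };
  if (input.roleArn) document.RoleArn = input.roleArn;
  if (input.distribution) document.Distribution = input.distribution;

  const props: AccountPolicyProps = {
    policyName: input.policyName,
    policyType: 'SUBSCRIPTION_FILTER_POLICY',
    policyDocument: JSON.stringify(document),
    scope: 'ALL',
  };
  if (input.excludeLogGroups?.length) {
    const list = input.excludeLogGroups.map((n) => `"${n}"`).join(', ');
    props.selectionCriteria = `LogGroupName NOT IN [${list}]`;
  }
  return props;
}

// Step 2 for Kinesis / Firehose: trust policy for the delivery role. The
// SourceAccount/SourceArn conditions stop another account's CloudWatch Logs
// from assuming this role through the shared service principal (confused deputy).
function logsDeliveryRoleTrustPolicy(region: string, account: string) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Service: 'logs.amazonaws.com' },
      Action: 'sts:AssumeRole',
      Condition: {
        StringEquals: { 'aws:SourceAccount': account },
        ArnLike: { 'aws:SourceArn': `arn:aws:logs:${region}:${account}:*` },
      },
    }],
  };
}

// Step 2 for Lambda: resource-based permission, scoped to this account's log
// groups, in the parameter shape of lambda:AddPermission.
function logsInvokePermission(functionName: string, region: string, account: string) {
  return {
    FunctionName: functionName,
    StatementId: 'cloudwatch-logs-account-policy',
    Action: 'lambda:InvokeFunction',
    Principal: 'logs.amazonaws.com',
    SourceArn: `arn:aws:logs:${region}:${account}:log-group:*`,
  };
}
```

In a real construct the returned props would be spread into `new logs.CfnAccountPolicy(...)`, and step 3 would be handled by taking the `iam.Grant` returned from `stream.grantWrite(role)` (or the Lambda `addPermission`) and calling `grant.applyBefore(cfnAccountPolicy)` so the policy is never created before the permission exists; that wiring is how I would do it, not something the issue specifies.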
ykethan (Contributor) commented Apr 14, 2025

Hey @garysassano, 👋 thank you for filing this feature request.

The current L1 construct requires usage similar to the following:

```ts
// policyDocument must be a JSON string; the subscription filter settings live inside it.
const cfnAccountPolicy = new logs.CfnAccountPolicy(this, 'MyCfnAccountPolicy', {
  policyDocument: JSON.stringify({
    RoleArn: role.roleArn,
    DestinationArn: kinesisStream.streamArn,
    FilterPattern: 'ERROR',
    Distribution: 'Random',
  }),
  policyName: 'MySubscriptionFilterPolicy',
  policyType: 'SUBSCRIPTION_FILTER_POLICY',
  scope: 'ALL',
  selectionCriteria: 'LogGroupName NOT IN ["LogGroupToExclude1"]',
});
```

Off the top of my head, we could look into implementing something similar to the following L2 construct to simplify this:

```ts
const accountPolicy = new logs.AccountPolicy(this, 'MyAccountPolicy', {
  policyType: logs.AccountPolicyType.KINESIS_DATA_STREAM,
  target: kinesisStream,  // IStream
  filterPattern: logs.FilterPattern.literal('ERROR'),
  distribution: logs.SubscriptionFilterDistribution.RANDOM,
  excludeLogGroups: ['LogGroupToExclude1'],
});
```

But I'll leave it to the team to dive into this implementation. We do accept new pull requests on this repository as well.

@ykethan ykethan added p2 and removed needs-triage This issue or PR still needs to be triaged. labels Apr 14, 2025