fix(elasticsearch): log policies are overwritten when creating 2 doma…

…ins which also results in a failure while destroying the stack (#12056) 2 Domains in same account/region each create & delete LogGroup Resource Policies statically named 'ESLogPolicy'. Fixes #12016 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Dec 14, 2020 · 889d089 · 889d089
1 parent dfb5405
commit 889d089
Show file tree

Hide file tree

Showing 4 changed files with 249 additions and 24 deletions.
diff --git a/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts b/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts
@@ -1414,8 +1414,9 @@ export class Domain extends DomainBase implements IDomain {
 
       // Use a custom resource to set the log group resource policy since it is not supported by CDK and cfn.
       // https://github.com/aws/aws-cdk/issues/5343
-      logGroupResourcePolicy = new LogGroupResourcePolicy(this, 'ESLogGroupPolicy', {
-        policyName: 'ESLogPolicy',
+      logGroupResourcePolicy = new LogGroupResourcePolicy(this, `ESLogGroupPolicy${this.node.addr}`, {
+        // create a cloudwatch logs resource policy name that is unique to this domain instance
+        policyName: `ESLogPolicy${this.node.addr}`,
         policyStatements: [logPolicyStatement],
       });
     }

diff --git a/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts b/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts
@@ -233,6 +233,38 @@ describe('log groups', () => {
     });
   });
 
+  test('log group policy is uniquely named for each domain', () => {
+    new Domain(stack, 'Domain1', {
+      version: ElasticsearchVersion.V7_4,
+      logging: {
+        appLogEnabled: true,
+      },
+    });
+    new Domain(stack, 'Domain2', {
+      version: ElasticsearchVersion.V7_4,
+      logging: {
+        appLogEnabled: true,
+      },
+    });
+
+    // Domain1
+    expect(stack).toHaveResourceLike('Custom::CloudwatchLogResourcePolicy', {
+      Create: {
+        parameters: {
+          policyName: 'ESLogPolicyc836fd92f07ec41eb70c2f6f08dc4b43cfb7c25391',
+        },
+      },
+    });
+    // Domain2
+    expect(stack).toHaveResourceLike('Custom::CloudwatchLogResourcePolicy', {
+      Create: {
+        parameters: {
+          policyName: 'ESLogPolicyc8f05f015be3baf6ec1ee06cd1ee5cc8706ebbe5b2',
+        },
+      },
+    });
+  });
+
 });
 
 describe('grants', () => {