aws-lambda: Cannot set removal policy on auto-created log group

[DFEvans]

Describe the bug

After creating an AWS Lambda function with a log retention period, CDK will auto-generate a LogGroup. When trying to set the removal policy on that auto-generated log group via apply_removal_policy, I receive an error referring to no child or not a CfnResource which appears to be an internal CDK issue.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

I am able to set the log group removal policy

Current Behavior

CDK fails the operation with:

jsii.errors.JavaScriptError:
  @jsii/kernel.RuntimeError: Error: Cannot apply RemovalPolicy: no child or not a CfnResource. Apply the removal policy on the CfnResource directly.
      at Kernel._Kernel_ensureSync (/tmp/tmpfvt728k1/lib/program.js:927:23)
      at Kernel.invoke (/tmp/tmpfvt728k1/lib/program.js:294:102)
      at KernelHost.processRequest (/tmp/tmpfvt728k1/lib/program.js:15467:36)
      at KernelHost.run (/tmp/tmpfvt728k1/lib/program.js:15427:22)
      at Immediate._onImmediate (/tmp/tmpfvt728k1/lib/program.js:15428:46)
      at process.processImmediate (node:internal/timers:505:21)

Reproduction Steps

import aws_cdk
import aws_cdk.aws_lambda
import aws_cdk.aws_logs
app = aws_cdk.App()
stack = aws_cdk.Stack(app, "stack")
f = aws_cdk.aws_lambda.Function(
	stack,
	"function",
	code=aws_cdk.aws_lambda.Code.from_inline("def handler(event, context): pass"),
	runtime=aws_cdk.aws_lambda.Runtime.PYTHON_3_12,
	log_retention=aws_cdk.aws_logs.RetentionDays.ONE_DAY,
	handler="index.handler",
)
f.log_group.apply_removal_policy(aws_cdk.RemovalPolicy.DESTROY)

Possible Solution

No response

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.200.1

AWS CDK CLI version

2.1018.0

Node.js Version

23.11.0

OS

Ubuntu under WSL

Language

Python

Language Version

3.10.12

Other information

No response

[pahud]

Hi @DFEvans,

Thank you for reporting this issue! I've identified the root cause of the problem.

Root Cause

When you use logRetention on a Lambda function, CDK creates a LogRetention custom
resource which uses a Custom::LogRetention CloudFormation resource under the hood. However,
the logGroup property exposed by the Lambda function is created using
LogGroup.fromLogGroupArn(), which creates an imported log group reference that doesn't have
an underlying CfnResource child.

The applyRemovalPolicy() method in the Resource base class requires the construct to have a
node.defaultChild that is a CfnResource, which imported resources don't have.

Workaround

For now, you can work around this by providing the removal policy directly to the LogRetention
custom resource:

f = aws_cdk.aws_lambda.Function(
    stack,
    "function",
    code=aws_cdk.aws_lambda.Code.from_inline("def handler(event, context): pass"),
    runtime=aws_cdk.aws_lambda.Runtime.PYTHON_3_12,
    log_retention=aws_cdk.aws_logs.RetentionDays.ONE_DAY,
    handler="index.handler",
)

# Access the LogRetention custom resource and find its CfnResource
log_retention_resource = f._log_retention.node.find_child("Resource")
log_retention_resource.apply_removal_policy(aws_cdk.RemovalPolicy.DESTROY)

Long-term Solution

This issue should be fixed by either:

1. Adding a logRetentionRemovalPolicy property to the Lambda Function props that gets passed
   to the LogRetention constructor
2. Modifying the LogRetention class to return a proper LogGroup construct that supports
   removal policies

This is a valid bug that affects the usability of the log group removal policy functionality.
Contributions via pull request would be very welcome!

Thank you for helping to improve the CDK!

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.