How to ensure that if ever the stack is deleted, the log group does not get deleted? I would want to keep the log group with the streams even if the stack is deleted.
Log group won't be deleted as you have not explicitly defined that in your template.
Because it might be using this canned policy in the Lambda Execution Role:

arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
How to tag the log group? I have used stack tags, and tags inside deploymentBucket, and in provider as well. However, the log group does not get tagged.
If you want to tag the resources, then you have to define the log group inside the template and then reference the same. But unfortunately tagging log groups is not supported yet in CloudFormation (AWS::Logs::LogGroup tag support #77). You can achieve this with CloudFormation custom resources.
I included an example custom resource for tagging the log group, with a DeletionPolicy attribute as you are now including the log group creation inside the template.
Description: "tag log groups"
Parameters:
  LogGroupName:
    Type: "String"
    Description: "Log Groups Name"
    Default: "myloggroup"
Resources:
  myLogGroup:
    Type: AWS::Logs::LogGroup
    DeletionPolicy: Retain   # keep the group and its streams when the stack is deleted
    Properties:
      LogGroupName: !Ref LogGroupName
      RetentionInDays: 7
  LogGroupTaggingFunctionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies:
        - PolicyName: TagLogGroupPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - logs:TagLogGroup
                # scoped to the one log group this stack creates instead of "*"
                Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${LogGroupName}:*'
  TagLogGroupFunction:
    Type: 'AWS::Lambda::Function'
    Properties:
      FunctionName: 'tag-log-groups'   # Lambda function names may not contain spaces
      Handler: index.lambda_handler
      Runtime: python3.7
      Timeout: 60
      Role: !GetAtt LogGroupTaggingFunctionRole.Arn
      Code:
        ZipFile: |
          import boto3
          import json
          import os
          import cfnresponse
          # CloudWatch Logs client; the handler below calls it as `client`
          client = boto3.client('logs')
          log_group_name = os.environ['LOG_GROUP_NAME']
          def lambda_handler(event, context):
              print('Event:', json.dumps(event))
              request_type = event.get('RequestType', 'Update').upper()
              try:
                  if request_type == 'CREATE':
                      response = client.tag_log_group(
                          logGroupName=log_group_name,
                          tags={
                              'Name': 'MyLogGroup'
                          }
                      )
                      print(json.dumps(response))
                  # Update and Delete need no action; always report back to CloudFormation
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
              except Exception as e:
                  # report FAILED so the stack does not hang waiting for the custom resource
                  print('Tagging failed:', e)
                  cfnresponse.send(event, context, cfnresponse.FAILED, {})
      Environment:
        Variables:
          LOG_GROUP_NAME:
            Ref: LogGroupName
  InvokeLogGroupTaggingLambda:
    Type: AWS::CloudFormation::CustomResource
    DependsOn: myLogGroup   # the log group must exist before the function tags it
    Properties:
      ServiceToken: !GetAtt TagLogGroupFunction.Arn
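A template check added here as an editor's example, not part of the original answer: it reads a JSON CloudFormation template and flags AWS::Logs::LogGroup resources without DeletionPolicy Retain, log groups without RetentionInDays, and custom resources that do not DependsOn a log group (the failure modes discussed above). The sample template is constructed for the example.

```python
import json

LOG_GROUP_TYPE = "AWS::Logs::LogGroup"
CUSTOM_RESOURCE_TYPE = "AWS::CloudFormation::CustomResource"

# Constructed sample template: one log group kept on stack deletion, one that
# would be deleted with the stack, and a tagging custom resource with no DependsOn.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "AppLogGroup": {
            "Type": LOG_GROUP_TYPE,
            "DeletionPolicy": "Retain",
            "Properties": {"LogGroupName": "/app/prod", "RetentionInDays": 30},
        },
        "DebugLogGroup": {
            "Type": LOG_GROUP_TYPE,
            "Properties": {"LogGroupName": "/app/debug"},
        },
        "Tagger": {
            "Type": CUSTOM_RESOURCE_TYPE,
            "Properties": {"ServiceToken": "arn:aws:lambda:REGION:ACCOUNT:function:EXAMPLE"},
        },
    }
})


def audit_log_group_template(template_json):
    """Return (logical_id, finding) tuples for a JSON CloudFormation template."""
    findings = []
    resources = json.loads(template_json).get("Resources", {})
    log_group_ids = [i for i, r in resources.items() if r.get("Type") == LOG_GROUP_TYPE]
    for logical_id in log_group_ids:
        res = resources[logical_id]
        if res.get("DeletionPolicy") != "Retain":
            findings.append((logical_id, "no DeletionPolicy Retain; group is deleted with the stack"))
        if "RetentionInDays" not in res.get("Properties", {}):
            findings.append((logical_id, "no RetentionInDays; events are kept forever"))
    for logical_id, res in resources.items():
        rtype = res.get("Type", "")
        if rtype == CUSTOM_RESOURCE_TYPE or rtype.startswith("Custom::"):
            depends = res.get("DependsOn", [])
            if isinstance(depends, str):
                depends = [depends]
            if not any(d in log_group_ids for d in depends):
                findings.append((logical_id, "no DependsOn on a log group; may run before it exists"))
    return findings


if __name__ == "__main__":
    for logical_id, finding in audit_log_group_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding}")
```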