(custom-resources): CustomResourceProvider should destroy log group when stack deleted

[hakanson]

Describe the feature

Delete Log Groups created by auto-created a CustomResourceProvider when stack is destroyed. These are sometimes an "implementation detail" of constructs like s3.Bucket, so a CDK user may not be aware they need to clean them up.

Use Case

My CDK created an s3.Bucket with autoDeleteObjects: true, and when I destroy the stack, I noticed there was still a CloudWatch Log Group not cleaned up.

[/aws/lambda/XXXXXXXXXXXStack-CustomS3AutoDeleteObjectsCustomRe-xxxxxxxxxxxx

This appears to be a result of the auto-created Log Group for the CustomResourceProvider Lambda. This leaves cruft in the AWS account, which the user didn't intent to create.

Proposed Solution

after the CustomResourceProvider 'AWS::Lambda::Function' is created, also create the "AWS::Logs::LogGroup" and set RemovalPolicy to destroy

https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/core/lib/custom-resource-provider/custom-resource-provider.ts#L307

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.88.0 (build 5d497f9)

Environment details (OS name and version, etc.)

macOS 12.6.6

[peterwoodworth]

Can you use LogRetention as described here? #26538 (comment)

[hakanson]

Since I don't create the custom resource, but the s3.Bucket does, I'm not sure how to find the CustomS3AutoDeleteObjectsCustomResourceProviderHandlerXXXXXXXX node (?) to change LogRetention. Any tips n that. I do see the aws:cdk:path is deterministic.

   "Metadata": {
    "aws:cdk:path": "MyStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler",

[peterwoodworth]

You can view the construct path in cdk.out/tree.json

Alternative to this, you can try creating an AwsCustomResource which makes the delete log group API call on stack deletion

[hakanson]

I don't know what to do with that last comment. I found the "Custom::S3AutoDeleteObjectsCustomResourceProvider" in the tree.json but the s3.bucket creates it. Is there an CDK api to find this node by id or by path, then navigate from the children to the handler? This should probably be handled by s3.bucket`, but I'm looking for an escape hatch to fix what was created. How would creating my own custom resource help?

          "Custom::S3AutoDeleteObjectsCustomResourceProvider": {
            "id": "Custom::S3AutoDeleteObjectsCustomResourceProvider",
            "path": "MyStack/Custom::S3AutoDeleteObjectsCustomResourceProvider",
            "children": {
              "Handler": {
                "id": "Handler",
                "path": "MyStack/Custom::S3AutoDeleteObjectsCustomResourceProvider/Handler",
                "constructInfo": {
                  "fqn": "aws-cdk-lib.CfnResource",
                  "version": "2.88.0"
                }
              }

[amid0]

Faced with the same issue.
For lambda function for now resolved with manually creating LogGroup for each lambda.
But for library custom resources (such as S3 auto delete or Bucket deployment) - still an issue.
There is an idea of how to solve this - its customer resource on stack delete will go through all lambda functions in stack -> construct log group name for each -> delete if exists.
And this customer resource probably should be executed last one on stack destroy.
For now, I do not know if it is possible to tell this custom resource to be executed last on destroy and if all function names (that potentially already deleted, at the moment custom resource execution? function names available)