aws · colifran · May 31, 2023 · May 31, 2023 · Jun 1, 2023 · Jun 1, 2023
diff --git a/...1e8c0a11e863e63dc82832599412ed/index.d.ts → ...d33908ddbf95f3c01cb19aa6cf3602/index.d.ts b/...1e8c0a11e863e63dc82832599412ed/index.d.ts → ...d33908ddbf95f3c01cb19aa6cf3602/index.d.ts
diff --git a/....snapshot/asset.03f4865a5a0af55ce1833e693c97d42df8d33908ddbf95f3c01cb19aa6cf3602/index.js b/....snapshot/asset.03f4865a5a0af55ce1833e693c97d42df8d33908ddbf95f3c01cb19aa6cf3602/index.js
diff --git a/...3a1e8c0a11e863e63dc82832599412ed/index.ts → ...f8d33908ddbf95f3c01cb19aa6cf3602/index.ts b/...3a1e8c0a11e863e63dc82832599412ed/index.ts → ...f8d33908ddbf95f3c01cb19aa6cf3602/index.ts
@@ -121,6 +121,64 @@ async function setRetentionPolicy(logGroupName: string, region?: string, options
   } while (true); // exit happens on retry count check
 }
 
+/**
+ * Tags and untags a log group. This includes adding new tags and updating existing tags.
+ *
+ * @param logGroupName the name of the log group to create
+ * @param tags the tags to propagate to the log group
+ * @param region the region of the log group
+ * @param options CloudWatch API SDK options
+ */
+async function setLogGroupTags(logGroupName: string, tags: AWS.CloudWatchLogs.Tags[], region?: string, options?: SdkRetryOptions) {
+  // The same as in createLogGroupSafe(), here we could end up with the race
+  // condition where a log group is either already being created or its retention
+  // policy is being updated. This would result in an OperationAbortedException,
+  // which we will try to catch and retry the command a number of times before failing
+  let retryCount = options?.maxRetries == undefined ? 10 : options.maxRetries;
+  const delay = options?.retryOptions?.base == undefined ? 10 : options.retryOptions.base;
+  do {
+    try {
+      const cloudwatchlogs = new AWS.CloudWatchLogs({ apiVersion: '2014-03-28', region, ...options });
+      const tagsOnLogGroup = (await cloudwatchlogs.listTagsLogGroup({ logGroupName }).promise()).tags ?? {};
+
+      const tagsToSet: { [key: string]: string } = {};
+      const tagsKeys: string[] = [];
+      for (const tag of tags) {
+        if (tagsOnLogGroup[tag.Key] === undefined || tagsOnLogGroup[tag.Key] !== tag.Value) {
+          tagsToSet[tag.Key] = tag.Value;
+        }
+        tagsKeys.push(tag.Key);
+      }
+
+      const tagsToDelete = tagsOnLogGroup
+        ? Object.keys(tagsOnLogGroup).filter(tag => !tagsKeys.includes(tag))
+        : [];
+
+      if (Object.keys(tagsToSet).length > 0) {
+        await cloudwatchlogs.tagLogGroup({ logGroupName, tags: tagsToSet }).promise();
+      }
+
+      if (tagsToDelete.length > 0) {
+        await cloudwatchlogs.untagLogGroup({ logGroupName, tags: tagsToDelete }).promise();
+      }
+
+      return;
+    } catch (error: any) {
+      if (error.code === 'OperationAbortedException') {
+        if (retryCount > 0) {
+          retryCount--;
+          await new Promise(resolve => setTimeout(resolve, delay));
+          continue;
+        } else {
+          // The log group is still being created by another execution but we are out of retries
+          throw new Error('Out of attempts to create a logGroup');
+        }
+      }
+      throw error;
+    }
+  } while (true);
+}
+
 export async function handler(event: AWSLambda.CloudFormationCustomResourceEvent, context: AWSLambda.Context) {
   try {
     console.log(JSON.stringify({ ...event, ResponseURL: '...' }));
@@ -138,7 +196,11 @@ export async function handler(event: AWSLambda.CloudFormationCustomResourceEvent
       // Act on the target log group
       await createLogGroupSafe(logGroupName, logGroupRegion, retryOptions);
       await setRetentionPolicy(logGroupName, logGroupRegion, retryOptions, parseInt(event.ResourceProperties.RetentionInDays, 10));
+      if (event.ResourceProperties.PropagateTags === 'true') {
+        await setLogGroupTags(logGroupName, event.ResourceProperties.Tags ?? [], logGroupRegion, retryOptions);
+      }
 
+      // propagate tags to custom resource logs
       if (event.RequestType === 'Create') {
         // Set a retention policy of 1 day on the logs of this very function.
         // Due to the async nature of the log group creation, the log group for this function might

diff --git a/....snapshot/asset.0f8a80f5f2310ea7e3295258fdbb79c43a1e8c0a11e863e63dc82832599412ed/index.js b/....snapshot/asset.0f8a80f5f2310ea7e3295258fdbb79c43a1e8c0a11e863e63dc82832599412ed/index.js
diff --git a/.../aws-lambda/test/integ.log-retention.js.snapshot/aws-cdk-lambda-log-retention.assets.json b/.../aws-lambda/test/integ.log-retention.js.snapshot/aws-cdk-lambda-log-retention.assets.json
@@ -1,28 +1,28 @@
 {
-  "version": "31.0.0",
+  "version": "32.0.0",
   "files": {
-    "0f8a80f5f2310ea7e3295258fdbb79c43a1e8c0a11e863e63dc82832599412ed": {
+    "03f4865a5a0af55ce1833e693c97d42df8d33908ddbf95f3c01cb19aa6cf3602": {
       "source": {
-        "path": "asset.0f8a80f5f2310ea7e3295258fdbb79c43a1e8c0a11e863e63dc82832599412ed",
+        "path": "asset.03f4865a5a0af55ce1833e693c97d42df8d33908ddbf95f3c01cb19aa6cf3602",
         "packaging": "zip"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "0f8a80f5f2310ea7e3295258fdbb79c43a1e8c0a11e863e63dc82832599412ed.zip",
+          "objectKey": "03f4865a5a0af55ce1833e693c97d42df8d33908ddbf95f3c01cb19aa6cf3602.zip",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
     },
-    "53d9f93777a59c056d47bcb74a136aae7c53c3e010fe62d984859dd0aa334457": {
+    "5837b4ebbd132ab8d64342d61a9901b7025321ebe297ec312c313e1c64161039": {
       "source": {
         "path": "aws-cdk-lambda-log-retention.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "53d9f93777a59c056d47bcb74a136aae7c53c3e010fe62d984859dd0aa334457.json",
+          "objectKey": "5837b4ebbd132ab8d64342d61a9901b7025321ebe297ec312c313e1c64161039.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...ws-lambda/test/integ.log-retention.js.snapshot/aws-cdk-lambda-log-retention.template.json b/...ws-lambda/test/integ.log-retention.js.snapshot/aws-cdk-lambda-log-retention.template.json
@@ -116,6 +116,64 @@
        ],
        "Effect": "Allow",
        "Resource": "*"
+      },
+      {
+       "Action": [
+        "logs:ListTagsLogGroup",
+        "logs:TagLogGroup",
+        "logs:UntagLogGroup"
+       ],
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":logs:",
+           {
+            "Ref": "AWS::Region"
+           },
+           ":",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":log-group:/aws/lambda/",
+           {
+            "Ref": "OneMonth64E966BF"
+           },
+           ":*"
+          ]
+         ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           "arn:",
+           {
+            "Ref": "AWS::Partition"
+           },
+           ":logs:",
+           {
+            "Ref": "AWS::Region"
+           },
+           ":",
+           {
+            "Ref": "AWS::AccountId"
+           },
+           ":log-group:/aws/lambda/",
+           {
+            "Ref": "OneYearA82EBDA9"
+           },
+           ":*"
+          ]
+         ]
+        }
+       ]
       }
      ],
      "Version": "2012-10-17"
@@ -145,7 +203,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "0f8a80f5f2310ea7e3295258fdbb79c43a1e8c0a11e863e63dc82832599412ed.zip"
+     "S3Key": "03f4865a5a0af55ce1833e693c97d42df8d33908ddbf95f3c01cb19aa6cf3602.zip"
     },
     "Role": {
      "Fn::GetAtt": [
@@ -187,6 +245,16 @@
        ]
       ]
      }
+    ],
+    "Tags": [
+     {
+      "Key": "dept",
+      "Value": "sales"
+     },
+     {
+      "Key": "env",
+      "Value": "prod"
+     }
     ]
    }
   },
@@ -202,8 +270,19 @@
       "Arn"
      ]
     },
+    "FunctionName": "OneMonthFunction",
     "Handler": "index.handler",
-    "Runtime": "nodejs14.x"
+    "Runtime": "nodejs14.x",
+    "Tags": [
+     {
+      "Key": "dept",
+      "Value": "sales"
+     },
+     {
+      "Key": "env",
+      "Value": "prod"
+     }
+    ]
    },
    "DependsOn": [
     "OneMonthServiceRoleFBD1064F"
@@ -229,7 +308,18 @@
       ]
      ]
     },
-    "RetentionInDays": 30
+    "RetentionInDays": 30,
+    "PropagateTags": true,
+    "Tags": [
+     {
+      "Key": "dept",
+      "Value": "sales"
+     },
+     {
+      "Key": "env",
+      "Value": "prod"
+     }
+    ]
    }
   },
   "OneYearServiceRole24D47762": {
@@ -260,6 +350,12 @@
        ]
       ]
      }
+    ],
+    "Tags": [
+     {
+      "Key": "dept",
+      "Value": "eng"
+     }
     ]
    }
   },
@@ -275,8 +371,15 @@
       "Arn"
      ]
     },
+    "FunctionName": "OneYearFunction",
     "Handler": "index.handler",
-    "Runtime": "nodejs14.x"
+    "Runtime": "nodejs14.x",
+    "Tags": [
+     {
+      "Key": "dept",
+      "Value": "eng"
+     }
+    ]
    },
    "DependsOn": [
     "OneYearServiceRole24D47762"
@@ -302,7 +405,14 @@
       ]
      ]
     },
-    "RetentionInDays": 365
+    "RetentionInDays": 365,
+    "PropagateTags": true,
+    "Tags": [
+     {
+      "Key": "dept",
+      "Value": "eng"
+     }
+    ]
    }
   }
  },

diff --git a/...-cdk-testing/framework-integ/test/aws-lambda/test/integ.log-retention.js.snapshot/cdk.out b/...-cdk-testing/framework-integ/test/aws-lambda/test/integ.log-retention.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"31.0.0"}
+{"version":"32.0.0"}
diff --git a/...k-testing/framework-integ/test/aws-lambda/test/integ.log-retention.js.snapshot/integ.json b/...k-testing/framework-integ/test/aws-lambda/test/integ.log-retention.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
-  "version": "31.0.0",
+  "version": "32.0.0",
   "testCases": {
     "integ.log-retention": {
       "stacks": [

diff --git a/...esting/framework-integ/test/aws-lambda/test/integ.log-retention.js.snapshot/manifest.json b/...esting/framework-integ/test/aws-lambda/test/integ.log-retention.js.snapshot/manifest.json
@@ -1,5 +1,5 @@
 {
-  "version": "31.0.0",
+  "version": "32.0.0",
   "artifacts": {
     "aws-cdk-lambda-log-retention.assets": {
       "type": "cdk:asset-manifest",
@@ -17,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/53d9f93777a59c056d47bcb74a136aae7c53c3e010fe62d984859dd0aa334457.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/5837b4ebbd132ab8d64342d61a9901b7025321ebe297ec312c313e1c64161039.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [