Description
Describe the bug
When a LogGroup is created in one stack and read/write permissions are granted to a role in a stack in a different account, the generated policy applies to the log group itself but not to all of its log streams.
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Library Version
No response
Expected Behavior
Permissions are granted to all of the log group's streams, as they are for same-account or imported LogGroups.
Current Behavior
Permissions were restricted to the log group itself.
Reproduction Steps
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';

class LogStack extends cdk.Stack {
  public readonly logGroup: cdk.aws_logs.LogGroup;

  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    this.logGroup = new cdk.aws_logs.LogGroup(this, 'ExampleGroup', {
      logGroupName: 'examaple/group',
    });
  }
}

class RoleStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props: cdk.StackProps, logs: cdk.aws_logs.LogGroup) {
    super(scope, id, props);
    const role = new cdk.aws_iam.Role(this, 'ExampleRole', {
      assumedBy: new cdk.aws_iam.AnyPrincipal(),
    });
    // Cross-account grants: the log group lives in a different account than the role.
    logs.grantWrite(role);
    logs.grantRead(role);
  }
}

const app = new cdk.App();
const logStack = new LogStack(app, 'LogStack', { env: { account: '12345678901234', region: 'us-east-1' } });
const roleStack = new RoleStack(app, 'RoleStack', { env: { account: '98765432104321', region: 'us-east-1' } }, logStack.logGroup);
Relevant CFN template fragment synthesized for the RoleStack:
"ExampleRole576372CE": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          }
        }
      ],
      "Version": "2012-10-17"
    }
  },
  "Metadata": {
    "aws:cdk:path": "RoleStack/ExampleRole/Resource"
  }
},
"ExampleRoleDefaultPolicy688DB891": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyDocument": {
      "Statement": [
        {
          "Action": [
            "logs:CreateLogStream",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams",
            "logs:FilterLogEvents",
            "logs:GetLogEvents",
            "logs:GetLogGroupFields",
            "logs:PutLogEvents"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:logs:us-east-1:12345678901234:log-group:examaple/group"
        }
      ],
      "Version": "2012-10-17"
    },
    "PolicyName": "ExampleRoleDefaultPolicy688DB891",
    "Roles": [
      {
        "Ref": "ExampleRole576372CE"
      }
    ]
  },
  "Metadata": {
    "aws:cdk:path": "RoleStack/ExampleRole/DefaultPolicy/Resource"
  }
},
Expected Resource: "arn:aws:logs:us-east-1:12345678901234:log-group:examaple/group:*"
Possible Solution
When setting LogGroup.logGroupArn, many of the code paths explicitly append ':*' to match CloudFormation's behavior with !Ref LogGroup.Arn.
Example in LogGroup.fromLogGroupName: https://github.com/aws/aws-cdk/blob/1418204c40cdea59ced042768ae7f57b1f47eeb6/packages/aws-cdk-lib/aws-logs/lib/log-group.ts#L604C9-L604C47
In the constructor, however, it does not include that provision:
Normally, within the same stack, it just uses the !Ref. If the stacks share an environment, it exports the value as a stack output and imports it into the second stack. In this case, however, the stacks are in neither the same stack nor the same account, so it appears that the ARN is formatted manually, which causes this edge case.
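As an added illustration (not code from this issue or from aws-cdk-lib), the following IAM-style resource match over the statement synthesized above shows why the bare log-group ARN never covers a log-stream ARN while the ':*' form does, and flags such under-scoped resources in a template; the stream ARN and the audit helper are constructed for the example.

```typescript
// Added example, not from the issue or aws-cdk-lib: IAM-style Resource
// matching used to audit a synthesized template for log-group ARNs that
// lack the ':*' suffix and therefore never cover a log-stream ARN.

type Statement = { Action: string | string[]; Effect: string; Resource: string | string[] };

// Actions from the issue's template that operate on log streams; their
// Resource must cover the stream ARNs, not only the log group.
const STREAM_ACTIONS = new Set([
  'logs:CreateLogStream', 'logs:DescribeLogStreams', 'logs:FilterLogEvents',
  'logs:GetLogEvents', 'logs:PutLogEvents',
]);

// IAM resource patterns: '*' matches any run of characters (including ':'),
// '?' matches exactly one character, everything else is literal.
function arnMatches(pattern: string, arn: string): boolean {
  const body = pattern.split('').map((c) =>
    c === '*' ? '.*' : c === '?' ? '.' : c.replace(/[.+^${}()|[\]\\]/g, '\\$&')).join('');
  return new RegExp(`^${body}$`).test(arn);
}

// The fix the issue proposes: append ':*' to a bare log-group ARN, leave others alone.
function withStreamWildcard(logGroupArn: string): string {
  return /:log-group:[^:]+$/.test(logGroupArn) ? `${logGroupArn}:*` : logGroupArn;
}

// Returns Allow resources that grant stream-level actions but are scoped to a bare log-group ARN.
function findUnderScopedLogResources(statements: Statement[]): string[] {
  const flagged: string[] = [];
  for (const s of statements) {
    const actions = ([] as string[]).concat(s.Action);
    if (s.Effect !== 'Allow' || !actions.some((a) => STREAM_ACTIONS.has(a))) continue;
    for (const r of ([] as string[]).concat(s.Resource)) {
      if (withStreamWildcard(r) !== r) flagged.push(r);
    }
  }
  return flagged;
}

// Statement copied from the issue's synthesized RoleStack template (actions trimmed).
const issueStatement: Statement = {
  Action: ['logs:CreateLogStream', 'logs:PutLogEvents'],
  Effect: 'Allow',
  Resource: 'arn:aws:logs:us-east-1:12345678901234:log-group:examaple/group',
};
// Constructed log-stream ARN that a writer to this group would actually touch.
const streamArn = 'arn:aws:logs:us-east-1:12345678901234:log-group:examaple/group:log-stream:2025/01/01/app';

console.log(arnMatches(issueStatement.Resource as string, streamArn)); // false
console.log(arnMatches(withStreamWildcard(issueStatement.Resource as string), streamArn)); // true
console.log(findUnderScopedLogResources([issueStatement])); // the bare log-group ARN is flagged
```

Running findUnderScopedLogResources over every AWS::IAM::Policy statement in a synthesized template is a cheap check to catch this class of under-scoped grant before deployment.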
Additional Information/Context
No response
AWS CDK Library version (aws-cdk-lib)
2.195.0
AWS CDK CLI version
2.1016.0
Node.js Version
v18.20.8
OS
Amazon Linux 2023
Language
TypeScript
Language Version
No response
Other information
No response