[SVLS-8314] add lambda cloudwatch command#2097

Merged
ava-silver merged 17 commits into master from
ava.silver/svls-8314/add-lambda-commands-for-enabling/disabling-cw-logs
Feb 13, 2026

ava-silver commented Feb 10, 2026

What and why?

This PR adds a new lambda cloudwatch command to the Lambda plugin that accepts enable or disable as an action. This allows users to disable CloudWatch Logs for Lambda functions by attaching a deny IAM policy, and re-enable them by removing that policy. This provides a way to control CloudWatch logging costs while maintaining Lambda function operation.

How?

  • Added a unified LambdaCloudwatchCommand that takes an action parameter (enable or disable)
  • Implemented the corresponding plugin command that handles AWS interactions
  • Created CloudWatch-specific functions for managing IAM policies
  • Added a renderer for CloudWatch-related output
  • Added comprehensive tests for the command
  • Updated the CLI command registry to include the new command

Testing

Note, for all commands below, alias:

alias aws-sso='aws-vault exec sso-serverless-sandbox-account-admin -- '

Dry run:

aws-sso yarn launch lambda cloudwatch disable --dry-run -f <function-arn>
aws-sso yarn launch lambda cloudwatch enable --dry-run -f <function-arn>

Live test:

aws-sso yarn launch lambda cloudwatch disable -f <function-arn>
# Verify it gets added:
aws-sso aws iam get-role-policy --role-name <role-from-output> --policy-name DenyCloudWatchLogs

aws-sso yarn launch lambda cloudwatch enable -f <function-arn>
# Verify: above command should now return NoSuchEntity

# Multi-function & regex
aws-sso yarn launch lambda cloudwatch disable --dry-run --functions-regex 'my-prefix' -r us-east-1
aws-sso yarn launch lambda cloudwatch disable --dry-run -f <arn1> -f <arn2>

Example notebook

Review checklist

  • Feature or bugfix MUST have appropriate tests (unit, integration)
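
Added example, not part of the PR or the datadog-ci code base: an audit check for the mechanism described above, reporting whether an inline role policy such as DenyCloudWatchLogs blocks a function's CloudWatch Logs writes. The action list and the sample documents are assumptions constructed for illustration; the PR's actual policy body is not shown on this page.

```javascript
// Added example, not datadog-ci code. LOG_WRITE_ACTIONS is an assumption: the
// CloudWatch Logs permissions a Lambda execution role normally needs to write logs.
const LOG_WRITE_ACTIONS = ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'];

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive and may contain * and ? wildcards.
function actionMatches(pattern, action) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$', 'i');
  return re.test(action);
}

// Log-write actions that the policy denies unconditionally. Statements with a
// Condition or NotAction, and Resource scoping, are not evaluated: review those by hand.
function deniedLogWrites(policyDocument) {
  const doc = typeof policyDocument === 'string' ? JSON.parse(policyDocument) : policyDocument;
  const denied = new Set();
  for (const stmt of asArray(doc.Statement)) {
    if (stmt.Effect !== 'Deny' || stmt.Condition) continue;
    const patterns = asArray(stmt.Action);
    for (const action of LOG_WRITE_ACTIONS) {
      if (patterns.some((p) => actionMatches(p, action))) denied.add(action);
    }
  }
  return LOG_WRITE_ACTIONS.filter((a) => denied.has(a));
}

// Classify one inline role policy document.
function classify(policyDocument) {
  const denied = deniedLogWrites(policyDocument);
  if (denied.length === LOG_WRITE_ACTIONS.length) return 'logging-disabled';
  return denied.length > 0 ? 'logging-partially-denied' : 'logging-unaffected';
}

// Constructed sample documents (not taken from the PR).
const SAMPLE_FULL_DENY = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Deny', Action: LOG_WRITE_ACTIONS, Resource: '*' }],
};
const SAMPLE_WILDCARD = { Version: '2012-10-17', Statement: { Effect: 'Deny', Action: 'logs:Put*', Resource: '*' } };
const SAMPLE_ALLOW = { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Action: 'logs:*', Resource: '*' }] };

for (const [name, doc] of Object.entries({ SAMPLE_FULL_DENY, SAMPLE_WILDCARD, SAMPLE_ALLOW })) {
  console.log(name, classify(doc), deniedLogWrites(doc));
}
```

Run over the inline policies of every Lambda execution role, this gives an inventory of functions that currently produce no CloudWatch log trail.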

ava-silver commented Feb 10, 2026

This stack of pull requests is managed by Graphite. Learn more about stacking.

ava-silver added the enhancement and serverless labels Feb 10, 2026
ava-silver closed this Feb 11, 2026
ava-silver reopened this Feb 11, 2026
ava-silver force-pushed the ava.silver/svls-8314/add-lambda-commands-for-enabling/disabling-cw-logs branch from 9061911 to 023d83b February 11, 2026 21:04
ava-silver marked this pull request as ready for review February 12, 2026 17:42
ava-silver requested review from a team as code owners February 12, 2026 17:42

duncanista left a comment

This looks great, wondering if it would make sense to not make it Lambda specific? I know right now we are just disabling for Lambda functions, but is there a world where we add more services where we disable CWL?

ava-silver commented Feb 12, 2026

> This looks great, wondering if it would make sense to not make it Lambda specific? I know right now we are just disabling for Lambda functions, but is there a world where we add more services where we disable CWL?

Good question -- I can't think of anything immediately. Is this something we'd want to do for something like ECR? Or were there other AWS products you were thinking of?

Update: We chatted offline, and there aren't any other resource types that we'd need to handle that would also have CloudWatch Logs enabled by default.

ava-silver force-pushed the ava.silver/svls-8314/add-lambda-commands-for-enabling/disabling-cw-logs branch from 5c87826 to 262be3d February 12, 2026 19:28
ava-silver changed the title from "[SVLS-8314] add lambda commands for enabling/disabling cw logs" to "[SVLS-8314] add lambda cloudwatch command" Feb 13, 2026
ava-silver merged commit ab5c32b into master Feb 13, 2026
26 checks passed
ava-silver deleted the ava.silver/svls-8314/add-lambda-commands-for-enabling/disabling-cw-logs branch February 13, 2026 15:00
ava-silver mentioned this pull request Feb 17, 2026