(aws-s3): retention on S3 autoDeleteObjects lambda CloudWatch log group is Never expire

[ozeebee]

Describe the bug

Currently, when setting autoDeleteObjects on a S3 bucket to true, the lambda creates a log group whose retention is set to 'Never expire'.
When deploying/destroying a lot of stacks (typically during development), this generates a lot of log groups (with pattern /aws/lambda/$StackName-CustomS3AutoDeleteObjects-$someid) that will stay there forever unless manually cleaned up.

Expected Behavior

We should be able to override the default log group retention or have a reasonable log retetion period for those logs (for instance 3 months).

Current Behavior

The log group is kept forever, retention is 'Never expire'.

Reproduction Steps

Create a bucket with autoDeleteObjects such as:

const bucket = new s3.Bucket(this, 'MyTempFileBucket', {
  removalPolicy: cdk.RemovalPolicy.DESTROY,
  autoDeleteObjects: true,
});

Then deploy/destroy the stack mulitple times, this will generate a different log group for each cycle, and all of them will be on CW logs forever unitl manually deleted.

Possible Solution

Either expose a log retention period for the lambda, for instance:

const bucket = new s3.Bucket(this, 'MyTempFileBucket', {
  removalPolicy: cdk.RemovalPolicy.DESTROY,
  autoDeleteObjects: true,
  autoDeleteObjectsLambdaLogRetention: logs.RetentionDays.THREE_MONTHS
});

or set a default log retention period other than 'Never expire' (3 months seems reasonnable).

Additional Information/Context

No response

CDK CLI Version

2.69.0 (build 60a5b2a)

Framework Version

No response

Node.js Version

v18.12.0

OS

macOS 12.6

Language

Typescript

Language Version

4.9.5

Other information

No response

[peterwoodworth]

This makes sense, thanks for the request.

We take contributions 🙂 We probably won't be able to get to this for a long time if this issue doesn't get enough 👍🏻 support

[FelixFeliciant]

Hello, we are facing the same issue, any workaround for this?
ideally I would prefer that such log group would not be created at all if possible, but setting it for 1 day is good as well.

Thank you.

[kishiel]

I spent some time trying to solve this myself, and I think I've chased it to the bottom. In order for this to work as currently implemented we'll need:

1. A new interface property autoDeleteObjectsLambdaLogRetention in bucket.ts that accepts aws-logs/RetentionDays.
2. Add a new property logRetention?: RetentionDays to CustomResourceProviderOptions in shared.ts
3. Add a new dimension LoggingConfig to the properties section of the CfnResource definition in custom-resource-provider-base
4. extend the functionality of the existing AWS::Lambda::Function LoggingConfig to incorporate the Log Duration as a dimension.

Related: aws-cloudformation/cloudformation-coverage-roadmap#147

There's a lot more complexity in this than I expected, to be honest. This is hard because we're not leveraging native CDK constructs to build the resource, but rather we're leveraging Cloudformation Templates.

I suspect we could get around this by implementing the autoDeleteObjects handler as a custom-resource. This seems like a better long-term solution, but I know it will present some headaches in the near-term.

Edit: #28737 was merged into the aws-cdk-lib release one hour after this post. This deprecates logRetention in favor of logGroup, which doesn't really change this post, but it will make the interface a bit weirder.

[github-actions]

This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.