Description
Describe the bug
When a custom resource provider built with the provider framework has an isCompleteHandler, it generates an AWS Step Functions state machine that polls for completion with a configured interval and total timeout.
This generated state machine has no logging configuration, which causes the StepFunctions.1 rule from the AWS Foundational Security Best Practices (FSBP) standard to be triggered.
The provider construct also does not provide any option to configure this logging.
Expected Behavior
The provider construct adds logging by default following the foundational best practice and/or allows this to be configured.
Current Behavior
The provider construct does not add a logging configuration to the state machine, nor does it allow one to be configured through construct props.
Reproduction Steps
Enable the StepFunctions.1 rule.
Create a stack with a custom resource that has both an onEventHandler and an isCompleteHandler, so that the state machine is generated.
Deploy the generated template.
The template should trigger the rule due to the missing logging configuration.
Possible Solution
- Add a logging configuration by default (using logRetention from the props if provided).
- And/or allow a log group (or logging configuration) to be passed to the provider construct for use in the state machine.
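A pre-deployment check for the condition described above, added here as an example (it is not CDK code and not part of this issue): it scans a synthesized CloudFormation template for `AWS::StepFunctions::StateMachine` resources whose logging configuration would fail StepFunctions.1, i.e. the block is missing, the level is OFF, or no destination log group is set. The template, logical IDs and log group ARN below are constructed placeholders, not output of the provider framework.

```typescript
// Minimal view of the template parts the check needs.
interface LoggingConfiguration {
  Level?: string; // OFF (the default when absent), ERROR, FATAL or ALL
  IncludeExecutionData?: boolean;
  Destinations?: unknown[];
}
interface CfnResource {
  Type: string;
  Properties?: { LoggingConfiguration?: LoggingConfiguration; [key: string]: unknown };
}
interface Template { Resources: Record<string, CfnResource>; }
interface Finding { logicalId: string; reason: string; }

// One finding per state machine that would be flagged by StepFunctions.1.
function checkStateMachineLogging(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::StepFunctions::StateMachine') continue;
    const cfg = res.Properties?.LoggingConfiguration;
    if (!cfg) {
      findings.push({ logicalId, reason: 'no LoggingConfiguration (logging is OFF by default)' });
    } else if (!cfg.Level || cfg.Level === 'OFF') {
      findings.push({ logicalId, reason: `logging level is ${cfg.Level ?? 'unset'}` });
    } else if (!cfg.Destinations || cfg.Destinations.length === 0) {
      findings.push({ logicalId, reason: 'no log destination configured' });
    }
  }
  return findings;
}

// Constructed sample: a state machine without logging (the shape the provider
// currently emits) beside the same resource with a logging block added.
const sampleTemplate: Template = {
  Resources: {
    WaiterStateMachine: { Type: 'AWS::StepFunctions::StateMachine', Properties: {} },
    WaiterStateMachineWithLogs: {
      Type: 'AWS::StepFunctions::StateMachine',
      Properties: {
        LoggingConfiguration: {
          Level: 'ALL',
          IncludeExecutionData: true,
          Destinations: [{ CloudWatchLogsLogGroup: { LogGroupArn: 'arn:aws:logs:REGION:ACCOUNT:log-group:PLACEHOLDER' } }],
        },
      },
    },
    OnEventHandler: { Type: 'AWS::Lambda::Function' },
  },
};
console.log(checkStateMachineLogging(sampleTemplate));
```

Running it on a real template from `cdk synth` is a cheap way to catch the finding before Security Hub does.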
Additional Information/Context
No response
CDK CLI Version
2.96.0
Framework Version
No response
Node.js Version
18
OS
Ubuntu 20.04
Language
Typescript
Language Version
No response
Other information
No response