feat(custom-resources): add logging property to AwsSdkCall and create Logging class

[colifran]

Reason for this change

SDK v2 and v3 handlers for AwsCustomResource log the event object passed to the handler, API responses, and caught /uncaught errors for each SDK call made. This can potentially result in logging sensitive information that a user may wish to hide. This PR introduces a new logging property on the AwsSdkCall interface that can be used to provide more control over logging in the SDK v2 and v3 handlers on a per SDK call basis. The logging flag is configurable via a new Logging class which exposes two static methods:

• all: all logging during lambda execution is turned on
• withDataHidden: hides all logged data associated with the API call response. This includes the raw response as well as the Data field on the response object

Additional logging configurations can be added in the future.

Description of changes

Added a logging flag to the AwsSdkCall interface which is configurable via the new Logging class. The Logging class has an internal render method which renders the specified logging configuration which is passed as part of the create, update, and delete ResourceProperties to the lambda handler. These logging properties are then used throughout the handler to control what is logged based on their value

Description of how you validated changes

• A new integ test with logging as withDataHidden was added
• Unit tests to ensure calling render on a Logging instance produces the expected result
• Unit tests to ensure that using logging with AwsSdkCall while using AwsCustomResource produces the correct CloudFormation template

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[vinayak-kukreja]

I agree with the changes. But, we should get consensus among the team too about this. Especially stakeholders you have already synced with about this.

[vinayak-kukreja]

I think we should add an example of Response Object here so that we explicitly mention what we will still be logging with this. And also add this to our documentation

[colifran]

Updated.

[vinayak-kukreja]

NIT

Suggested change

	The underlying lamdda function used by the `AwsCustomResource` construct logs the following information:
	The underlying lambda function used by the `AwsCustomResource` construct logs the following information:

[colifran]

Updated.

[vinayak-kukreja]

Lets add an example Response Object in these docs

[colifran]

Good call out. This has been updated.

[TheRealAmazonKendra]

Did you close the original PR altogether? I was looking for my comments on it but couldn't find them. This still has the issue of this being a boolean without an option for additional customization.

[colifran]

@TheRealAmazonKendra Can you provide more detail on why you think that? We can provide this flag and still keep the door open for additional customization. This flag would only control the logging of the Data field in the response object. Any additional customization could come with a future PR and this flag could be set or unset without blocking a future property that focuses on customization.

Say, for example, we wanted to add something to control log levels. If logApiResponseData is set to false and the log level is DEBUG then CloudWatch Logs still has all errors (caught and uncaught), the event received by the handler, and the response object (just without the Data field). That would open the door for a user to have all the benefits of a DEBUG log level while making an API call that returns sensitive data. Except now they don't have to worry about exposing data in CloudWatch Logs that they want hidden. If that isn't an issue for them then they can ignore logApiResponseData or explicitly set it to true.

The previous PR is linked here. The flag proposed in that PR was too overbearing and would have blocked us from implementing additional customization in the future (as you correctly stated). I don't think this has that problem.

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[colifran]

@TheRealAmazonKendra pushed initial changes we discussed offline. To summarize we should provide a Logging class that consolidates all of logging levels into an enum-like class. Additionally, this doesn't need to follow standard logging convention (info, trace, debug, etc.). We can provide something like on, off, and selective where selective would give granular control over logged data to the user.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[scanlonp]

One comment as a point of discussion. But overall good from me.

[scanlonp]

Question on if this property should be optional or not. By the way we have set up the logic with _render(), we will always have a value for this field, so it can be "required".

@colifran and I talked offline, I do not think that this is a problem. The main discussion is at what level we decide to set the default, and having it passed explicitly to the call is fine.

[colifran]

For historical purposes, I want to make sure it is clear that the AwsSdkCall interface referenced above is not a type used in the aws-cdk-lib. Instead, this is a mirror of AwsSdkCall which is defined as part of the AwsCustomResource construct. However, the format of this represents the AwsSdkCall type as it would be received by the v2 and v3 handler, e.g., after render has been called on a Logging instance and all Logging properties are rendered. This interface just exists to provide a strongly typed call in the v2 and v3 handlers.

My opinion is that we should set the default prior to passing the event so that the event properties are visible in the synthesized CloudFormation template.

Code has been updated following this review. The review is no longer relevant to the current code.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 1f08e31
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).