8

After creating a Lambda function in Cloudformation, I would like to be able to setup the Cloudwatch Logs expiration in the same Cloudformation script.

eg:

MyLambdaRole:
  Type: AWS::IAM::Role
  ...
  Properties:
    ...
    Policies:
      -
        PolicyName: "myPolicy"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            -
              Effect: "Allow"
              Action:
                - "logs:CreateLogGroup"
                - "logs:CreateLogStream"
                - "logs:PutLogEvents"
              Resource: "arn:aws:logs:*:*:*"

MyLambda:
  Type: AWS::Lambda::Function
  Properties:
    ...
    Role: !GetAtt [ MyLambdaRole, Arn ]

However, CloudFormation does not allow modifying/updating log groups that are reserved for AWS: "Log groups starting with AWS/ are reserved for AWS."

Is there a workaround for this? Since there is no way to set up the log name in the Lambda resource creation, maybe there is some way to specify it in the Role definition that I can't find.

Efren

3 Answers

11

Try this and use the RetentionInDays attribute to change when the logs expire:

LogGroup:
  Type: AWS::Logs::LogGroup
  Properties:
    LogGroupName: !Join ['/', ['/aws/lambda', !Ref MyLambda]]
    RetentionInDays: 7 # days

Note: the LogGroup will fail to create if the log group name already exists (it will exist if MyLambda already exists). The workaround would be to delete and re-create the stack.

roxxypoxxy
  • 1
    Note this is not possible for [API GW Logs](https://docs.aws.amazon.com/apigateway/latest/developerguide/view-cloudwatch-log-events-in-cloudwatch-console.html): `Do not manually API Gateway API log groups or streams...This is because API Gateway creates log groups or log streams for an API stage at the time when it is deployed` – Efren Dec 14 '18 at 05:17
  • Just tested that at the moment, it's possible to create an API GW Log at least, if the Log does not exist. – Efren Jan 14 '19 at 01:51
  • that's why I added `if the log group name already exists` there – roxxypoxxy Jan 15 '19 at 11:39
  • 1
    Yes, but the workaround of deleting would only work if the log was first created from the stack. The post was about `modify/update Logs` for a resource that was not in the stack in the first place, it's automatically created by AWS, so just adding this comment after testing that the log was deleted manually and then the stack created. – Efren Jan 16 '19 at 01:03
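The following is an added example, not code from the thread or from AWS, that puts the accepted approach together as one deployable template and tightens the role from the question. The stack owns the log group, so the retention policy is in place before the function first writes to it; the function is named through a parameter so that the role policy and the log group can both be built from that name without a circular reference; and the policy is scoped to the function's own log group and drops logs:CreateLogGroup, so the function cannot silently re-create an unmanaged, never-expiring group. The resource names (MyLogGroup, MyLambdaRole, MyLambda), the FunctionName and LogRetentionDays parameters, the runtime and the inline handler are all assumptions chosen for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Lambda function whose CloudWatch log group is created and expired by the stack (added example)

Parameters:
  FunctionName:
    Type: String
    Default: my-function          # assumed name; replace with your own
  LogRetentionDays:
    Type: Number
    Default: 7
    # RetentionInDays only accepts specific values; this is a subset of them
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]

Resources:
  # Created first (see DependsOn on the function) so the retention policy
  # exists before Lambda would otherwise auto-create an unmanaged group.
  MyLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/aws/lambda/${FunctionName}"
      RetentionInDays: !Ref LogRetentionDays

  MyLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: write-own-log-group
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Least privilege: only this function's log group, and no
              # logs:CreateLogGroup, because the stack owns the group.
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${FunctionName}:*"

  MyLambda:
    Type: AWS::Lambda::Function
    DependsOn: MyLogGroup
    Properties:
      FunctionName: !Ref FunctionName   # explicit name breaks the Ref cycle
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt MyLambdaRole.Arn
      Code:
        ZipFile: |
          def handler(event, context):
              # Output lands in /aws/lambda/<FunctionName>, which now expires
              print("hello from the stack-managed log group")
              return {"ok": True}
```

The caveat from the answer still applies: if the function already ran before this template was deployed, /aws/lambda/<FunctionName> already exists and the LogGroup resource will fail with an "already exists" error; delete that group (aws logs delete-log-group) or adopt it out of band before the first deploy. Removing logs:CreateLogGroup also means that if someone deletes the stack-managed group by hand, the function loses its logs rather than quietly recreating an unexpiring group, which is the safer failure mode but worth knowing during incident triage. Current versions of AWS::Lambda::Function also accept a LoggingConfig property with a LogGroup name, which did not exist when this thread was written; the DependsOn ordering and the scoped policy above are useful either way.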
0

No, there is not. As you wrote, it's a log group owned by AWS and you can't give yourself more permissions in a role than AWS would allow. Therefore, you can't allow yourself to modify their log group.

  • 2
    This is incorrect, I can modify the log group through the awscli with the [put-retention-policy](https://docs.aws.amazon.com/cli/latest/reference/logs/put-retention-policy.html) command. I guess it seems that only cloudformation is limited so far. – Efren May 21 '18 at 02:39
  • Never thought about that, thanks. If I have a good answer, I'll try again –  May 22 '18 at 04:34
-3

Use the AWS Serverless Application Model; it takes care of the deployment, roles and logs out of the box, and you can always add your custom CloudFormation code. https://github.com/awslabs/serverless-application-model They already have a lot of examples ready to go.

Douglas Lopez
  • I can't find where that tool does the specific thing I ask in the question, the [example](https://github.com/awslabs/serverless-application-model/blob/develop/examples/apps/cloudwatch-logs-to-loggly/template.yaml) for cloudwatch logs looks pretty much like using cloudformation script directly – Efren May 17 '18 at 01:37
  • The SAM template takes care of the IAM role and the configuration of CloudWatch logs; that is the reason why it looks so simple – Douglas Lopez May 17 '18 at 01:40
  • Ok, can you please add an example to the answer? I can't find where the cloudwatch log would be configured with an "expiry days" number. – Efren May 17 '18 at 01:42
  • It looks like the [function resource](https://github.com/awslabs/serverless-application-model/blob/develop/versions/2016-10-31.md#awsserverlessfunction) in SAM, doesn't have a way to configure the lambda log group expiry date. – Efren May 17 '18 at 01:45