how.wtf

Specify a log group for a lambda function in AWS CloudFormation

· Thomas Taylor

By default, lambda functions will create their own log groups if they are given proper permissions.

Specifying a log group for a Lambda Function

The following CloudFormation template creates two resources:

  1. AWS::IAM::Role
  2. AWS::Lambda::Function
 1AWSTemplateFormatVersion: '2010-09-09'
 2Resources:
 3  LambdaExecutionRole:
 4    Type: 'AWS::IAM::Role'
 5    Properties:
 6      AssumeRolePolicyDocument:
 7        Version: '2012-10-17'
 8        Statement:
 9        - Effect: Allow
10          Principal:
11            Service:
12            - lambda.amazonaws.com
13          Action:
14          - sts:AssumeRole
15      Policies:
16      - PolicyName: logs
17        PolicyDocument:
18          Version: '2012-10-17'
19          Statement:
20          - Effect: Allow
21            Action:
22            - logs:CreateLogGroup
23            - logs:CreateLogStream
24            - logs:PutLogEvents
25            Resource: '*'
26  LambdaFunction:
27    Type: 'AWS::Lambda::Function'
28    Properties:
29      FunctionName: 'LambdaTest'
30      Handler: index.handler
31      Runtime: nodejs18.x
32      Role: !GetAtt LambdaExecutionRole.Arn
33      Code:
34        ZipFile: |
35          exports.handler = async (event) => {
36            return 'Hello World!'
37          }

The LambdaTest function defaults to writing log events to a group named /aws/lambda/LambdaTest with a default retention of Never expire. To circumvent this behavior, a AWS::Logs::LogGroup resource can be explicitly created.

 1AWSTemplateFormatVersion: '2010-09-09'
 2Resources:
 3  LambdaFunctionLogGroup:
 4      Type: 'AWS::Logs::LogGroup'
 5      Properties:
 6        LogGroupName: "/aws/lambda/LambdaTest"
 7        RetentionInDays: 1
 8  LambdaFunction:
 9    Type: 'AWS::Lambda::Function'
10    DependsOn: LambdaFunctionLogGroup
11    Properties:
12      FunctionName: 'LambdaTest'
13      Handler: index.handler
14      Runtime: nodejs18.x
15      Role: !GetAtt LambdaExecutionRole.Arn
16      Code:
17        ZipFile: |
18          exports.handler = async (event) => {
19            return 'Hello World!'
20          }          
21  LambdaExecutionRole:
22    Type: 'AWS::IAM::Role'
23    Properties:
24      AssumeRolePolicyDocument:
25        Version: '2012-10-17'
26        Statement:
27        - Effect: Allow
28          Principal:
29            Service:
30            - lambda.amazonaws.com
31          Action:
32          - sts:AssumeRole
33      Policies:
34      - PolicyName: logs
35        PolicyDocument:
36          Version: '2012-10-17'
37          Statement:
38          - Effect: Allow
39            Action:
40            - logs:CreateLogGroup
41            - logs:CreateLogStream
42            - logs:PutLogEvents
43            Resource: !GetAtt LambdaFunctionLogGroup.Arn

A few aspects are different:

  1. A new AWS::Logs::LogGroup was created with a retention period of 1 day
  2. The LambdaTest resource uses DependsOn: LambdaFunctionLogGroup
  3. The LambdaExecutionRole only allows writing logs to the LambdaFunctionLogGroup.Arn resource

Warning: If the log group already exists from a prior deployment, it will need to be deleted.

#aws  

Reply to this post by email ↪