fix(events_targets): installing latest aws sdk fails in cn partition (#29374)

GavinZZ · web-flow · commit f0383d65c7cc · 2024-03-06T19:38:31.000Z
### Issue # (if applicable) Closes #29373 ### Reason for this change AWS Log Group event target by default installs the latest aws sdk for its custom resource and this would fail in `aws-cn` partition. This PR exposes the `installLatestAwsSdk` to the surface and allows users to optionally turn off `installLatestAwsSdk` for cloudwatch log events target. ### Description of changes Allow users to override the value, if unset default to true which is the same behaviour as current. ### Description of how you validated changes all tests pass. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-events-targets/README.md b/packages/aws-cdk-lib/aws-events-targets/README.md
@@ -120,6 +120,20 @@ rule.addTarget(new targets.CloudWatchLogGroup(logGroup, {
 }));
 ```
 
+The cloudwatch log event target will create an AWS custom resource internally which will default
+to set `installLatestAwsSdk` to `true`. This may be problematic for CN partition deployment. To
+workaround this issue, set `installLatestAwsSdk` to `false`.
+
+```ts
+import * as logs from 'aws-cdk-lib/aws-logs';
+declare const logGroup: logs.LogGroup;
+declare const rule: events.Rule;
+
+rule.addTarget(new targets.CloudWatchLogGroup(logGroup, {
+  installLatestAwsSdk: false,
+}));
+```
+
 ## Start a CodeBuild build
 
 Use the `CodeBuildProject` target to trigger a CodeBuild project.
diff --git a/packages/aws-cdk-lib/aws-events-targets/lib/log-group-resource-policy.ts b/packages/aws-cdk-lib/aws-events-targets/lib/log-group-resource-policy.ts
@@ -15,6 +15,12 @@ export interface LogGroupResourcePolicyProps {
    * The policy statements for the log group resource logs
    */
   readonly policyStatements: [iam.PolicyStatement];
+  /**
+   * Whether to install latest AWS SDK for the custom resource
+   *
+   * @default - install latest AWS SDK
+   */
+  readonly installLatestAwsSdk?: boolean;
 }
 
 /**
@@ -39,6 +45,7 @@ export class LogGroupResourcePolicy extends cr.AwsCustomResource {
         },
         physicalResourceId: cr.PhysicalResourceId.of(id),
       },
+      installLatestAwsSdk: props.installLatestAwsSdk,
       onDelete: {
         service: 'CloudWatchLogs',
         action: 'deleteResourcePolicy',
diff --git a/packages/aws-cdk-lib/aws-events-targets/lib/log-group.ts b/packages/aws-cdk-lib/aws-events-targets/lib/log-group.ts
@@ -78,6 +78,14 @@ export interface LogGroupProps extends TargetBaseProps {
    * @default - the entire EventBridge event
    */
   readonly logEvent?: LogGroupTargetInput;
+
+  /**
+   * Whether the custom resource created wll default to
+   * install latest AWS SDK
+   *
+   * @default - install latest AWS SDK
+   */
+  readonly installLatestAwsSdk?: boolean;
 }
 
 /**
@@ -109,6 +117,7 @@ export class CloudWatchLogGroup implements events.IRuleTarget {
 
     if (!this.logGroup.node.tryFindChild(resourcePolicyId)) {
       new LogGroupResourcePolicy(logGroupStack, resourcePolicyId, {
+        installLatestAwsSdk: this.props.installLatestAwsSdk,
         policyStatements: [new iam.PolicyStatement({
           effect: iam.Effect.ALLOW,
           actions: ['logs:PutLogEvents', 'logs:CreateLogStream'],
diff --git a/packages/aws-cdk-lib/aws-events-targets/test/logs/log-group.test.ts b/packages/aws-cdk-lib/aws-events-targets/test/logs/log-group.test.ts
@@ -158,6 +158,46 @@ test('logEvent with defaults', () => {
   });
 });
 
+test('can set install latest AWS SDK value to false', () => {
+  // GIVEN
+  const stack = new cdk.Stack();
+  const logGroup = new logs.LogGroup(stack, 'MyLogGroup', {
+    logGroupName: '/aws/events/MyLogGroup',
+  });
+  const rule1 = new events.Rule(stack, 'Rule', {
+    schedule: events.Schedule.rate(cdk.Duration.minutes(1)),
+  });
+
+  // WHEN
+  rule1.addTarget(new targets.CloudWatchLogGroup(logGroup, {
+    installLatestAwsSdk: false,
+  }));
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('Custom::CloudwatchLogResourcePolicy', {
+    InstallLatestAwsSdk: false,
+  });
+});
+
+test('default install latest AWS SDK is true', () => {
+  // GIVEN
+  const stack = new cdk.Stack();
+  const logGroup = new logs.LogGroup(stack, 'MyLogGroup', {
+    logGroupName: '/aws/events/MyLogGroup',
+  });
+  const rule1 = new events.Rule(stack, 'Rule', {
+    schedule: events.Schedule.rate(cdk.Duration.minutes(1)),
+  });
+
+  // WHEN
+  rule1.addTarget(new targets.CloudWatchLogGroup(logGroup));
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('Custom::CloudwatchLogResourcePolicy', {
+    InstallLatestAwsSdk: true,
+  });
+});
+
 test('can use logEvent', () => {
   // GIVEN
   const stack = new cdk.Stack();
