Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #101 +/- ##
=======================================
Coverage 99.67% 99.67%
=======================================
Files 153 153
Lines 3070 3070
Branches 738 737 -1
=======================================
Hits 3060 3060
Misses 9 9
Partials 1 1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| // Create explicit log group with retention | ||
| // Log group naming: /aws/lambda/{prefix}-{stage}-{functionName} | ||
| // This enables easy Splunk searches: source="/aws/lambda/kms-sit-*" | ||
| const logGroup = new logs.LogGroup(scope, `${sanitizedKey}-LogGroup`, { |
There was a problem hiding this comment.
Did you deploy this already? I know AWS automatically creates log groups, does this override the existing log groups already created? I'm wondering if you'll get conflicts trying to explicity create a log group with a retention policy that was automatically already created.
There was a problem hiding this comment.
maybe something like this: const logRetention = new logs.LogRetention(scope, `${sanitizedKey}-LogRetention`, { logGroupName, retention: this.logRetentionDays }). then you are not recreating the log group.
| new LogForwardingSetup(this, 'LogForwarding', { | ||
| prefix, | ||
| stage, | ||
| account: logDestinationAccount || this.account, |
There was a problem hiding this comment.
I think this may be over-parameterized. If the destination name is always keyed by the current/source account, shouldn’t this just be this.account? Carrying a separate logDestinationAccount here feels redundant unless we have a real case where that suffix differs from the current account.`
There was a problem hiding this comment.
Now using logDestinationArn.
| if (!lambdaFunction) { | ||
| const nodejsFunctionProps: NodejsFunctionProps = { | ||
| functionName: `${this.props.prefix}-${functionName}`, | ||
| functionName: `${this.props.prefix}-${this.props.stage}-${functionName}`, |
There was a problem hiding this comment.
One thing I’d like to double-check here: changing the function name to ${prefix}-${stage}-${functionName} looks like it will replace all existing KMS Lambdas on deploy, not just add log forwarding. Was that intentional for this ticket? If not, it may be worth avoiding the rename so we don’t widen the rollout impact of a logging change.`
There was a problem hiding this comment.
I can see the value in this even though it forces a one-time Lambda replacement. It gives us consistent stage-aware naming and makes the log-group/log-forwarding story cleaner.
| stage, | ||
| account: logDestinationAccount || this.account, | ||
| region: this.region, | ||
| secLogAccount: secLogAccount!, |
There was a problem hiding this comment.
Since SEC_LOG_ACCOUNT is already validated in main.ts for non-localstack deploys, could we make it required in the stack/construct props as well instead of carrying it as optional and asserting with !? I think that would make the contract a little clearer and keep the typing aligned with the actual runtime requirement.
There was a problem hiding this comment.
Now using logDestinationArn
4 participants
Overview
What is the feature?
Ensure KMS logs from the lambdas are available in Splunk
What is the Solution?
What areas of the application does this impact?
Logging now forwarded to Splunk. Example for sit env:
log_group="/aws/lambda/kms-sit*"
Testing
Invoke kms endpoints, use log_group above in Splunk to search for logs.
Attachments
N/A
Checklist