diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json index 991ddded5e515..c0a9982083c4d 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/aws-cdk-log-group-encrypted-integ.template.json @@ -37,7 +37,7 @@ "kms:ReEncrypt*" ], "Condition": { - "ArnLike": { + "ArnEquals": { "kms:EncryptionContext:aws:logs:arn": { "Fn::Join": [ "", @@ -54,7 +54,7 @@ { "Ref": "AWS::AccountId" }, - ":*" + ":log-group:aws-cdk-log-group-encrypted-integLogGroupDECB5FC9" ] ] } @@ -87,6 +87,7 @@ "LogGroupF5B46931": { "Type": "AWS::Logs::LogGroup", "Properties": { + "LogGroupName": "aws-cdk-log-group-encrypted-integLogGroupDECB5FC9", "KmsKeyId": { "Fn::GetAtt": [ "Key961B73FD", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json index c31f8f1450dfe..ba7e6632cad13 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group-encrypted.js.snapshot/tree.json @@ -118,6 +118,7 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", "aws:cdk:cloudformation:props": { + "logGroupName": "aws-cdk-log-group-encrypted-integLogGroupDECB5FC9", "kmsKeyId": { "Fn::GetAtt": [ "Key961B73FD", 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json index 86157f4999268..2fe426bc90528 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json @@ -3,6 +3,7 @@ "LogGroupLambdaAuditF8F47F46": { "Type": "AWS::Logs::LogGroup", "Properties": { + "LogGroupName": "aws-cdk-log-group-integLogGroupLambdaAudit8AB75176", "RetentionInDays": 731 }, "UpdateReplacePolicy": "Retain", @@ -16,6 +17,7 @@ "LogGroupLambdaAC756C5B": { "Type": "AWS::Logs::LogGroup", "Properties": { + "LogGroupName": "aws-cdk-log-group-integLogGroupLambda9924FF7D", "DataProtectionPolicy": { "name": "policy-name", "description": "policy description", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json index 8c2e70be9b477..101e234ed0d0b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json @@ -18,6 +18,7 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", "aws:cdk:cloudformation:props": { + "logGroupName": "aws-cdk-log-group-integLogGroupLambdaAudit8AB75176", "retentionInDays": 731 } }, 
@@ -64,6 +65,7 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", "aws:cdk:cloudformation:props": { + "logGroupName": "aws-cdk-log-group-integLogGroupLambda9924FF7D", "dataProtectionPolicy": { "name": "policy-name", "description": "policy description", diff --git a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts index 8838d40a7cb35..1eb67c7ec3c14 100644 --- a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts +++ b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts @@ -9,7 +9,7 @@ import { ILogSubscriptionDestination, SubscriptionFilter } from './subscription- import * as cloudwatch from '../../aws-cloudwatch'; import * as iam from '../../aws-iam'; import * as kms from '../../aws-kms'; -import { Annotations, Arn, ArnFormat, RemovalPolicy, Resource, Stack, Token } from '../../core'; +import { Annotations, Arn, ArnFormat, Lazy, Names, RemovalPolicy, Resource, Stack, Token } from '../../core'; export interface ILogGroup extends iam.IResourceWithPolicy { /** @@ -491,7 +491,9 @@ export class LogGroup extends LogGroupBase { constructor(scope: Construct, id: string, props: LogGroupProps = {}) { super(scope, id, { - physicalName: props.logGroupName, + physicalName: props.logGroupName ?? Lazy.string({ + produce: () => Names.uniqueResourceName(this, { maxLength: 512, allowedSpecialCharacters: '-_' }), + }), }); let retentionInDays = props.retention; @@ -547,8 +549,8 @@ export class LogGroup extends LogGroupBase { ], resources: ['*'], conditions: { - ArnLike: { - 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:*`, + ArnEquals: { + 'kms:EncryptionContext:aws:logs:arn': `arn:${this.stack.partition}:logs:${this.env.region}:${this.env.account}:log-group:${this.physicalName}`, }, }, })); diff --git a/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts b/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts index ee0b50610dcc7..6cd8fd1949baf 100644 
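Review bot: The new `physicalName` fallback in the `LogGroup` constructor applies to every log group, not only to those that pass a KMS key. The `integ.log-group` snapshot in this same diff confirms it: both unencrypted groups gain a `LogGroupName`. CloudFormation replaces a log group when `LogGroupName` changes, so on upgrade existing stacks would start writing to a new group, and where the policy is `Retain` (as in that snapshot) the old group is left behind, which splits audit history and may detach filters or subscriptions keyed to the old name. Consider generating the name only when it is needed for the key policy, for example by wrapping the `Lazy.string({ ... })` fallback in `props.encryptionKey ? … : undefined`, or by gating the new default behind a feature flag. The constructor body continues outside this hunk.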
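Review bot: The narrowing in this `conditions` block comes from the ARN value ending in `:log-group:${this.physicalName}`, not from the switch to `ArnEquals`. IAM documents `ArnEquals` and `ArnLike` as behaving identically, so `*` and `?` inside the value are still treated as wildcards. Since `this.physicalName` can be a caller-supplied `logGroupName`, a short comment would keep a later reader from assuming the operator enforces exactness, for example `// ArnEquals and ArnLike match identically in IAM; the scope comes from the exact log-group ARN, so the name must not contain wildcards.` The enclosing policy statement and the call that attaches it to the key start outside this hunk.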
--- a/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts +++ b/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts @@ -71,7 +71,7 @@ describe('log group', () => { }, }, Condition: { - ArnLike: { + ArnEquals: { 'kms:EncryptionContext:aws:logs:arn': { 'Fn::Join': [ '', @@ -88,7 +88,7 @@ describe('log group', () => { { Ref: 'AWS::AccountId', }, - ':*', + ':log-group:LogGroup', ], ], },
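Review bot: Only the existing key-policy expectation is updated (`ArnEquals` and `':log-group:LogGroup'`); as far as this diff shows, no test is added for the new default-name behaviour itself. A case asserting what `LogGroupName` is emitted for a log group created without `logGroupName` and without a key would pin the upgrade-visible change. A case with two log groups sharing one key would confirm that each statement is scoped to its own log-group ARN rather than one overwriting or widening the other. The `describe('log group', ...)` block continues outside these hunks.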