feat(logs): add support for fieldIndexPolicies in log group L2 Construct

[yashkh-amzn]

Issue # (if applicable)

#33366

Closes #33366

Reason for this change

Field Indexing for CloudWatch Logs (CWL) was launched in Nov 2024. A lot of CWL customers are asking for indexing support in L2 construct. This feature will enable that property under FieldIndexPolicies as a JSON object in the LogGroup construct.

Description of changes

The change here is just populating the fieldIndexPolicies property of the LogGroup CFN with the list of fields provided by the user. The format of this property will be like this:

const fieldIndexPolicy = new FieldIndexPolicy({
  fields: ['Operation', 'RequestId'],
});

new LogGroup(this, 'LogGroupLambda', {
  dataProtectionPolicy: dataProtectionPolicy,
  fieldIndexPolicies: [fieldIndexPolicy],
});

Describe any new or updated permissions being added

No new permissions have been added.

Description of how you validated changes

Added unit tests. Will add integ tests after getting a confirmation from the CDK team on the implementation.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[yashkh-amzn]

Clarification Request

[aaythapa]

Clarification Request

Hi @yashkh-amzn thank you for contributing!

I see the PR is missing integ tests and read me changes. To learn more about our integ test process and how to make them you can refer to this doc.

As for README changes they will presumably go here.

Note that until the linter and build passes this PR won't show up on our radar to review. Let us know if there is anything else you need clarifying.

[yashkh-amzn]

Clarification Request

Hi @yashkh-amzn thank you for contributing!

I see the PR is missing integ tests and read me changes. To learn more about our integ test process and how to make them you can refer to this doc.

As for README changes they will presumably go here.

Note that until the linter and build passes this PR won't show up on our radar to review. Let us know if there is anything else you need clarifying.

Hey @aaythapa, I had a sync up with your team during the CDK office hours. I was told that the CDK team first wanted to align with the business logic and hence it was okay to submit a PR first for an initial review. Once there would be an alignment, I can update the integ tests and README.
cc: @kaizencc @shikha372 @gracelu0

[aaythapa]

Clarification Request

Hi @yashkh-amzn thank you for contributing!
I see the PR is missing integ tests and read me changes. To learn more about our integ test process and how to make them you can refer to this doc.
As for README changes they will presumably go here.
Note that until the linter and build passes this PR won't show up on our radar to review. Let us know if there is anything else you need clarifying.

Hey @aaythapa, I had a sync up with your team during the CDK office hours. I was told that the CDK team first wanted to align with the business logic and hence it was okay to submit a PR first for an initial review. Once there would be an alignment, I can update the integ tests and README. cc: @kaizencc @shikha372 @gracelu0

Ah ok, thanks for letting me know. I'll bring this up with the team and wait for a response

[shikha372]

is this going to be changed in the near future ? if yes then we should remove this check from CDK else we won't know when it will be allowed to set more than 1.

[yashkh-amzn]

It can be changed in the future but for now this condition does exist - https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_logs.CfnLogGroup.html#fieldindexpolicies. Can't we just remove this condition once we decide to support the array with multiple entries?

[yashkh-amzn]

Will remove this condition and keep the check on the service side. Confirmed after testing that if we provide multiple field indexes without this condition, CFN fails:

[shikha372]

what is the difference between this test and one above

[yashkh-amzn]

Good catch! This was a dedup. I'll remove this test case.

[shikha372]

is this something enforced through CFN handler ?, as it is not mentioned in the documentation
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html#cfn-logs-loggroup-fieldindexpolicies

[yashkh-amzn]

This is something which is enforced from the service side. From the official doc - https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CloudWatchLogs-Field-Indexing-Syntax.html.

As many as 20 fields can be included in the policy.

[shikha372]

since this is allowed only for STANDARD log group, can we check the type of log group class.
Ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html#cfn-logs-loggroup-fieldindexpolicies

Only log groups in the Standard log class support field index policies. 

[yashkh-amzn]

Sure thing, I can check that and update

[yashkh-amzn]

Confirmed with the team that we can support Infrequent Access log groups in the future. So to keep the implementation consistent, we will not keep this condition to avoid having to make changes in the future and relying on the service side changes.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.17%. Comparing base (47cae25) to head (8fc94cc).
Report is 24 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #33416   +/-   ##
=======================================
  Coverage   82.17%   82.17%           
=======================================
  Files         119      119           
  Lines        6862     6862           
  Branches     1158     1158           
=======================================
  Hits         5639     5639           
  Misses       1120     1120           
  Partials      103      103           

Flag	Coverage Δ
suite.unit	82.17% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	82.17% <ø> (ø)

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 8fc94cc
• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[GavinZZ]

Removing the reviewer-clarification-requested label as it's been clarified that README and Integ test will be added once an initial review was done by the team and the contributor has added them now.