Open cgatt opened 1 month ago
If you are using CustomResource Provider Framework, at this moment, there's no way to turn off the logging:
If you use AwsCustomResource, you can disable not logging the Data
object with Logging.withDataHidden(). See here for more details.
Looks like you are using custom CustomResource Provider Framework?
Making it a p1 feature request to disable the logging for the CR provider framework.
Describe the bug
When using a Provider to create a custom resource, the request and response objects are logged by the provider function. There is no apparent way to prevent or redact this logging, resulting in secrets being logged if returned in the custom resource's Data object. By extension, if secret values are passed in the resource's ResourceProperties they will be logged as well.
Expected Behavior
When the custom resource response has
NoEcho: true
, the log output from the Provider function should redact the values from the Data object.Current Behavior
The provider function logged the full Data payload
Reproduction Steps
Deploy this stack and you can see the following log:
Possible Solution
Add logic to the provider handler code to redact the Data object if NoEcho = true
Add properties to the Provider construct to redact some/all of the ResourceProperties from the provider logs.
Additional Information/Context
No response
CDK CLI Version
2.133.0 (build dcc1e75)
Framework Version
2.133.0
Node.js Version
20
OS
Ubuntu
Language
TypeScript
Language Version
No response
Other information
No response