aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

custom-resources: Provider logs Data from response with NoEcho: true #30275

Open cgatt opened 1 month ago

cgatt commented 1 month ago

Describe the bug

When using a Provider to create a custom resource, the request and response objects are logged by the provider function. There is no apparent way to prevent or redact this logging, resulting in secrets being logged if returned in the custom resource's Data object. By extension, if secret values are passed in the resource's ResourceProperties they will be logged as well.

Expected Behavior

When the custom resource response has NoEcho: true, the log output from the Provider function should redact the values from the Data object.

[provider-framework] onEvent returned: 
{
    "NoEcho": true,
    "PhysicalResourceId": "2262225",
    "Data": {
        "clientId": "***",
        "clientSecret": "***"
    },
    "Status": "SUCCESS"
}

Current Behavior

The provider function logged the full Data payload:

[provider-framework] onEvent returned: 
{
    "NoEcho": true,
    "PhysicalResourceId": "2262225",
    "Data": {
        "clientId": "3a415657c61047fe9b790501254",
        "clientSecret": "475343b8<manually redacted>"
    },
    "Status": "SUCCESS"
}

Reproduction Steps

import { App, CustomResource, Stack } from 'aws-cdk-lib';
import { Provider } from 'aws-cdk-lib/custom-resources';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';

const app = new App();
const stack = new Stack(app, 'cr-demo-stack');

// onEvent handler that returns a secret in Data with NoEcho set
const handler = new Function(stack, 'my-handler', {
  runtime: Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: Code.fromInline(`
  exports.handler = async (event, context) => {
    return {
      PhysicalResourceId: '1234',
      NoEcho: true,
      Data: {
        mySecret: 'secret-value',
      },
    };
  };`),
});

const provider = new Provider(stack, 'my-provider', {
  onEventHandler: handler,
});

new CustomResource(stack, 'my-cr', {
  serviceToken: provider.serviceToken,
});

Deploy this stack and you can see the following log:

[provider-framework] event: {
  "PhysicalResourceId": "1234",
  "NoEcho": true,
  "Data": {
    "mySecret": "secret-value"
  }
}
[provider-framework] submit response to cloudformation <stack-id> {
  "Status": "SUCCESS",
  "Reason": "SUCCESS",
  "StackId": "<stack-id>",
  "RequestId": "bab8ac9b-c6a7-45d4-9828-71dc260ebef7",
  "PhysicalResourceId": "1234",
  "LogicalResourceId": "clientapplication",
  "NoEcho": true,
  "Data": {
    "mySecret": "secret-value"
  }
}

Possible Solution

Add logic to the provider handler code to redact the Data object if NoEcho = true.

Add properties to the Provider construct to redact some/all of the ResourceProperties from the provider logs.

Additional Information/Context

No response

CDK CLI Version

2.133.0 (build dcc1e75)

Framework Version

2.133.0

Node.js Version

20

OS

Ubuntu

Language

TypeScript

Language Version

No response

Other information

No response
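The redaction the report asks for, as an added example that is not aws-cdk code: a log helper that hides every value under Data when the response carries NoEcho: true, plus an assumed `hiddenProperties` option for ResourceProperties keys that must never reach the logs. The response shape and sample values are constructed from the log lines shown above.

```typescript
interface CustomResourceResponse {
  Status?: string;
  Reason?: string;
  PhysicalResourceId?: string;
  NoEcho?: boolean;
  Data?: Record<string, unknown>;
  ResourceProperties?: Record<string, unknown>;
}

const REDACTED = '***';

// Returns a copy of `response` that is safe to log. When NoEcho is true every
// value under Data is replaced by '***'; keys are kept so the log stays useful
// for debugging. `hiddenProperties` is an assumed option (not a CDK API) naming
// ResourceProperties keys that are redacted regardless of NoEcho.
function redactForLog(response: CustomResourceResponse, hiddenProperties: string[] = []): CustomResourceResponse {
  const out: CustomResourceResponse = { ...response };
  if (response.NoEcho === true && response.Data) {
    const data: Record<string, unknown> = {};
    for (const key of Object.keys(response.Data)) {
      data[key] = REDACTED;
    }
    out.Data = data;
  }
  if (response.ResourceProperties) {
    const props: Record<string, unknown> = {};
    for (const key of Object.keys(response.ResourceProperties)) {
      props[key] = hiddenProperties.indexOf(key) >= 0 ? REDACTED : response.ResourceProperties[key];
    }
    out.ResourceProperties = props;
  }
  return out;
}

// Builds the log line in the same layout the provider framework prints, after redaction.
function formatLogLine(prefix: string, response: CustomResourceResponse, hidden: string[] = []): string {
  return `[provider-framework] ${prefix} ${JSON.stringify(redactForLog(response, hidden), undefined, 2)}`;
}

// Constructed sample mirroring the onEvent return value from the report.
const sampleResponse: CustomResourceResponse = {
  NoEcho: true,
  PhysicalResourceId: '2262225',
  Data: { clientId: '3a415657c61047fe9b790501254', clientSecret: '475343b8' },
  Status: 'SUCCESS',
};
console.log(formatLogLine('onEvent returned:', sampleResponse));
```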

pahud commented 1 month ago

If you are using CustomResource Provider Framework, at this moment, there's no way to turn off the logging:

https://github.com/aws/aws-cdk/blob/32e9b022e345d96a7d68e758567fe75ee568d746/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/framework.ts#L38

If you use AwsCustomResource, you can disable logging of the Data object with Logging.withDataHidden(). See here for more details.

Looks like you are using a custom CustomResource Provider Framework?

pahud commented 1 month ago

Making it a p1 feature request to disable the logging for the CR provider framework.