Open JohanZackrisson opened 2 days ago
Hi @JohanZackrisson , thanks for reaching out.
The given code works fine for me and even succeeds in deployment. Sharing the code and relevant snippets -
Code -
```ts
const auditLogGroup = new logs.LogGroup(this, 'PolicyAudit');
const dataProtectionPolicy = new logs.DataProtectionPolicy({
  name: 'FilterLogs',
  description: 'Filter logs',
  identifiers: [
    logs.DataIdentifier.DRIVERSLICENSE_US,
  ],
  // uncommented, works with below line <----------------
  logGroupAuditDestination: auditLogGroup,
});
const logGroup = new logs.LogGroup(this, 'Logs', {
  retention: logs.RetentionDays.ONE_MONTH,
  dataProtectionPolicy,
});
new cdk.CfnOutput(this, 'LogGroupArn', {
  value: logGroup.logGroupArn,
});
```
Generated synth template -
```json
{
  "Resources": {
    "PolicyAudit907D4D27": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "RetentionInDays": 731
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "LogIssueStack/PolicyAudit/Resource"
      }
    },
    "Logs6819BB44": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "DataProtectionPolicy": {
          "name": "FilterLogs",
          "description": "Filter logs",
          "version": "2021-06-01",
          "configuration": {
            "customDataIdentifier": []
          },
          "statement": [
            {
              "sid": "audit-statement-cdk",
              "dataIdentifier": [
                "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
              ],
              "operation": {
                "audit": {
                  "findingsDestination": {
                    "cloudWatchLogs": {
                      "logGroup": {
                        "Ref": "PolicyAudit907D4D27"
                      }
                    }
                  }
                }
              }
            },
            {
              "sid": "redact-statement-cdk",
              "dataIdentifier": [
                "arn:aws:dataprotection::aws:data-identifier/DriversLicense-US"
              ],
              "operation": {
                "deidentify": {
                  "maskConfig": {}
                }
              }
            }
          ]
        },
        "RetentionInDays": 30
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "LogIssueStack/Logs/Resource"
      }
    },
```
Deployment-
Please see I am using CDK Version - 2.166.0.
Since I am not able to repro the issue, could you please share some more information which can be helpful to repro the mentioned scenario? Also, please check the CDK Version as well.
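A check that can be run over a synthesized template like the one in the reply above, as an added example that is not part of the original thread or of the CDK project: it confirms that each data protection policy has both an audit and a deidentify statement naming the same identifiers, and that the audit findings destination resolves to a log group in the same template. The names `lintDataProtection`, `sampleTemplate`, the `Broken` resource and the `EmailAddress` identifier in the sample are assumptions made for illustration.

```typescript
// Added example: lint the DataProtectionPolicy of each log group in a synthesized template.
type Json = Record<string, any>;
interface Finding { logGroup: string; auditDestination: string | null; problems: string[] }
function lintDataProtection(template: Json): Finding[] {
  const resources: Json = template.Resources ?? {};
  const findings: Finding[] = [];
  for (const id of Object.keys(resources)) {
    const res: Json = resources[id];
    if (res.Type !== 'AWS::Logs::LogGroup' || !res.Properties?.DataProtectionPolicy) continue;
    const statements: Json[] = res.Properties.DataProtectionPolicy.statement ?? [];
    const audit = statements.find((s) => s.operation?.audit);
    const redact = statements.find((s) => s.operation?.deidentify);
    const problems: string[] = [];
    if (!audit) problems.push('no audit statement');
    if (!redact) problems.push('no deidentify statement');
    // Both statements have to name the same data identifiers.
    const ids = (s: Json) => JSON.stringify((s.dataIdentifier ?? []).slice().sort());
    if (audit && redact && ids(audit) !== ids(redact)) problems.push('audit and deidentify identifiers differ');
    // Resolve the CloudWatch Logs findings destination to a resource in the same template.
    const ref: string | undefined =
      audit?.operation.audit.findingsDestination?.cloudWatchLogs?.logGroup?.Ref;
    if (ref !== undefined && resources[ref]?.Type !== 'AWS::Logs::LogGroup') {
      problems.push(`audit destination ${ref} is not a log group in this template`);
    }
    findings.push({ logGroup: id, auditDestination: ref ?? null, problems });
  }
  return findings;
}

// Constructed sample: 'Logs6819BB44' is trimmed from the synth output above, 'Broken' is hypothetical.
const DL = 'arn:aws:dataprotection::aws:data-identifier/DriversLicense-US';
const EMAIL = 'arn:aws:dataprotection::aws:data-identifier/EmailAddress';
const policy = (auditIds: string[], redactIds: string[], dest: string): Json => ({
  name: 'FilterLogs', version: '2021-06-01',
  statement: [
    { sid: 'audit-statement-cdk', dataIdentifier: auditIds,
      operation: { audit: { findingsDestination: { cloudWatchLogs: { logGroup: { Ref: dest } } } } } },
    { sid: 'redact-statement-cdk', dataIdentifier: redactIds,
      operation: { deidentify: { maskConfig: {} } } },
  ],
});
const sampleTemplate: Json = { Resources: {
  PolicyAudit907D4D27: { Type: 'AWS::Logs::LogGroup', Properties: { RetentionInDays: 731 } },
  Logs6819BB44: { Type: 'AWS::Logs::LogGroup',
    Properties: { DataProtectionPolicy: policy([DL], [DL], 'PolicyAudit907D4D27') } },
  Broken: { Type: 'AWS::Logs::LogGroup',
    Properties: { DataProtectionPolicy: policy([DL, EMAIL], [DL], 'MissingGroup') } },
} };
console.log(JSON.stringify(lintDataProtection(sampleTemplate), null, 2));
```

Pointing the function at the parsed JSON of a real `cdk synth` output gives the same report for the stack being deployed.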
Describe the bug
When trying to set up a DataProtectionPolicy that has a logGroupAuditDestination set, the deploy is failing with
Failed to update CloudWatch Logs resource policy due to policy document length constraints
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
It should work as described in the documentation, or at least be better documented so that it can be set up properly.
Current Behavior
Deploy error
Failed to update CloudWatch Logs resource policy due to policy document length constraints
Reproduction Steps
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
10.9.0
Framework Version
No response
Node.js Version
v22.11.0
OS
macOS 14.7.1
Language
TypeScript
Language Version
typescript@5.3.3
Other information
No response