From 0379878c2f573450f1839a61580e1332dad999eb Mon Sep 17 00:00:00 2001 From: Hung Tran <40334379+phuhung273@users.noreply.github.com> Date: Wed, 19 Feb 2025 14:44:15 +0700 Subject: [PATCH] fix(logs): `DataProtectionPolicy` template key must be PascalCase (#33462) ### Issue # (if applicable) Closes #33408 Closes #26728 ### Reason for this change Invalid DataProtectionPolicy syntax ### Description of changes Change template key from camelCase > PascalCase ### Description of how you validated changes Unit + integration ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- ...efaultTestDeployAssertA9999A13.assets.json | 2 +- .../aws-cdk-log-group-integ.assets.json | 6 +- .../aws-cdk-log-group-integ.template.json | 54 +++--- .../test/integ.log-group.js.snapshot/cdk.out | 2 +- .../integ.log-group.js.snapshot/integ.json | 2 +- .../integ.log-group.js.snapshot/manifest.json | 24 ++- .../integ.log-group.js.snapshot/tree.json | 75 ++++---- .../test/aws-logs/test/integ.log-group.ts | 1 - .../aws-logs/lib/data-protection-policy.ts | 73 +++----- .../aws-cdk-lib/aws-logs/lib/log-group.ts | 10 +- .../aws-logs/test/loggroup.test.ts | 168 +++++++++--------- 11 files changed, 214 insertions(+), 203 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/LogGroupIntegDefaultTestDeployAssertA9999A13.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/LogGroupIntegDefaultTestDeployAssertA9999A13.assets.json index ae909aa8e60f1..f08da1c1a8e85 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/LogGroupIntegDefaultTestDeployAssertA9999A13.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/LogGroupIntegDefaultTestDeployAssertA9999A13.assets.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.assets.json index 7231fdfea0584..1a63f09b0460b 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.assets.json @@ -1,7 +1,7 @@ { - "version": "36.0.0", + "version": "39.0.0", "files": { - "c9d3adbcf070c1262907aa9c9d22f9d2427fdc881127e5f141072f7608acd1a8": { + "f73440b0e32a261b64b3f44b72f9e681bc775595740055ca82b47830bc9b3535": { "source": { "path": "aws-cdk-log-group-integ.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "c9d3adbcf070c1262907aa9c9d22f9d2427fdc881127e5f141072f7608acd1a8.json", + "objectKey": "f73440b0e32a261b64b3f44b72f9e681bc775595740055ca82b47830bc9b3535.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json index 9fc5f4bbf97cd..67ad305cbcb04 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/aws-cdk-log-group-integ.template.json @@ -17,21 +17,13 @@ "Type": "AWS::Logs::LogGroup", "Properties": { "DataProtectionPolicy": { - "name": "policy-name", - "description": "policy description", - "version": "2021-06-01", - "configuration": { - "customDataIdentifier": [ - { - "name": "EmployeeId", - "regex": "EmployeeId-\\d{9}" - } - ] - }, - "statement": [ + "Name": "policy-name", + "Description": "policy description", + "Version": "2021-06-01", + "Statement": [ { - "sid": "audit-statement-cdk", - "dataIdentifier": [ + "Sid": "audit-statement-cdk", + "DataIdentifier": [ { "Fn::Join": [ "", @@ -58,16 +50,16 @@ }, "EmployeeId" ], - "operation": { - "audit": { - "findingsDestination": { - "cloudWatchLogs": { - "logGroup": { + "Operation": { + "Audit": { + "FindingsDestination": { + "CloudWatchLogs": { + "LogGroup": { "Ref": "LogGroupLambdaAuditF8F47F46" } }, - "s3": { - "bucket": { + "S3": { + "Bucket": { "Ref": "auditbucketidE6660EBD" } } @@ -76,8 +68,8 @@ } }, { - "sid": "redact-statement-cdk", - "dataIdentifier": [ + "Sid": "redact-statement-cdk", + "DataIdentifier": [ { "Fn::Join": [ "", @@ -104,13 +96,21 @@ }, "EmployeeId" ], - "operation": { - "deidentify": { - "maskConfig": {} + "Operation": { + "Deidentify": { + "MaskConfig": {} } } } - ] + ], + "Configuration": { + "CustomDataIdentifier": [ + { + "Name": "EmployeeId", + "Regex": "EmployeeId-\\d{9}" + } + ] + } }, "RetentionInDays": 731 }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/cdk.out index 1f0068d32659a..91e1a8b9901d5 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"39.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/integ.json index ebf1849ed0eb7..350b731b880c4 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "testCases": { "LogGroupInteg/DefaultTest": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/manifest.json index 747121a7f5f11..4cdf84372be65 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "39.0.0", "artifacts": { "aws-cdk-log-group-integ.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c9d3adbcf070c1262907aa9c9d22f9d2427fdc881127e5f141072f7608acd1a8.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/f73440b0e32a261b64b3f44b72f9e681bc775595740055ca82b47830bc9b3535.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -34,18 +34,38 @@ "aws-cdk-log-group-integ.assets" ], "metadata": { + "/aws-cdk-log-group-integ/LogGroupLambdaAudit": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/aws-cdk-log-group-integ/LogGroupLambdaAudit/Resource": [ { "type": "aws:cdk:logicalId", "data": "LogGroupLambdaAuditF8F47F46" } ], + "/aws-cdk-log-group-integ/audit-bucket-id": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], "/aws-cdk-log-group-integ/audit-bucket-id/Resource": [ { "type": "aws:cdk:logicalId", "data": "auditbucketidE6660EBD" } ], + "/aws-cdk-log-group-integ/LogGroupLambda": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "dataProtectionPolicy": "*" + } + } + ], "/aws-cdk-log-group-integ/LogGroupLambda/Resource": [ { "type": "aws:cdk:logicalId", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json index 771a00e630e04..4f4b3c111c0da 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.js.snapshot/tree.json @@ -29,7 +29,10 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_logs.LogGroup", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "audit-bucket-id": { @@ -51,7 +54,10 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_s3.Bucket", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + "*" + ] } }, "LogGroupLambda": { @@ -65,21 +71,13 @@ "aws:cdk:cloudformation:type": "AWS::Logs::LogGroup", "aws:cdk:cloudformation:props": { "dataProtectionPolicy": { - "name": "policy-name", - "description": "policy description", - "version": "2021-06-01", - "configuration": { - "customDataIdentifier": [ - { - "name": "EmployeeId", - "regex": "EmployeeId-\\d{9}" - } - ] - }, - "statement": [ + "Name": "policy-name", + "Description": "policy description", + "Version": "2021-06-01", + "Statement": [ { - "sid": "audit-statement-cdk", - "dataIdentifier": [ + "Sid": "audit-statement-cdk", + "DataIdentifier": [ { "Fn::Join": [ "", @@ -106,16 +104,16 @@ }, "EmployeeId" ], - "operation": { - "audit": { - "findingsDestination": { - "cloudWatchLogs": { - "logGroup": { + "Operation": { + "Audit": { + "FindingsDestination": { + "CloudWatchLogs": { + "LogGroup": { "Ref": "LogGroupLambdaAuditF8F47F46" } }, - "s3": { - "bucket": { + "S3": { + "Bucket": { "Ref": "auditbucketidE6660EBD" } } @@ -124,8 +122,8 @@ } }, { - "sid": "redact-statement-cdk", - "dataIdentifier": [ + "Sid": "redact-statement-cdk", + "DataIdentifier": [ { "Fn::Join": [ "", @@ -152,13 +150,21 @@ }, "EmployeeId" ], - "operation": { - "deidentify": { - "maskConfig": {} + "Operation": { + "Deidentify": { + "MaskConfig": {} } } } - ] + ], + "Configuration": { + "CustomDataIdentifier": [ + { + "Name": "EmployeeId", + "Regex": "EmployeeId-\\d{9}" + } + ] + } }, "retentionInDays": 731 } @@ -171,7 +177,12 @@ }, "constructInfo": { "fqn": "aws-cdk-lib.aws_logs.LogGroup", - "version": "0.0.0" + "version": "0.0.0", + "metadata": [ + { + "dataProtectionPolicy": "*" + } + ] } }, "BootstrapVersion": { @@ -209,7 +220,7 @@ "path": "LogGroupInteg/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } }, "DeployAssert": { @@ -255,7 +266,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.3.0" + "version": "10.4.2" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.ts index e17661e15ebc9..162e76687dfa0 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-logs/test/integ.log-group.ts @@ -28,4 +28,3 @@ class LogGroupIntegStack extends Stack { const app = new App(); const stack = new LogGroupIntegStack(app, 'aws-cdk-log-group-integ'); new IntegTest(app, 'LogGroupInteg', { testCases: [stack] }); -app.synth(); diff --git a/packages/aws-cdk-lib/aws-logs/lib/data-protection-policy.ts b/packages/aws-cdk-lib/aws-logs/lib/data-protection-policy.ts index 8452eeabef356..68f7632ee711e 100644 --- a/packages/aws-cdk-lib/aws-logs/lib/data-protection-policy.ts +++ b/packages/aws-cdk-lib/aws-logs/lib/data-protection-policy.ts @@ -23,33 +23,33 @@ export class DataProtectionPolicy { const description = this.dataProtectionPolicyProps.description || 'cdk generated data protection policy'; const version = '2021-06-01'; - const findingsDestination: PolicyFindingsDestination = {}; + const findingsDestination: any = {}; if (this.dataProtectionPolicyProps.logGroupAuditDestination) { - findingsDestination.cloudWatchLogs = { - logGroup: this.dataProtectionPolicyProps.logGroupAuditDestination.logGroupName, + findingsDestination.CloudWatchLogs = { + LogGroup: this.dataProtectionPolicyProps.logGroupAuditDestination.logGroupName, }; } if (this.dataProtectionPolicyProps.s3BucketAuditDestination) { - findingsDestination.s3 = { - bucket: this.dataProtectionPolicyProps.s3BucketAuditDestination.bucketName, + findingsDestination.S3 = { + Bucket: this.dataProtectionPolicyProps.s3BucketAuditDestination.bucketName, }; } if (this.dataProtectionPolicyProps.deliveryStreamNameAuditDestination) { - findingsDestination.firehose = { - deliveryStream: this.dataProtectionPolicyProps.deliveryStreamNameAuditDestination, + findingsDestination.Firehose = { + DeliveryStream: this.dataProtectionPolicyProps.deliveryStreamNameAuditDestination, }; } const identifiers: string[] = []; - const customDataIdentifiers: PolicyCustomDataIdentifier[] = []; + const customDataIdentifiers = []; for (let identifier of this.dataProtectionPolicyProps.identifiers) { if (identifier instanceof CustomDataIdentifier) { identifiers.push(identifier.name); customDataIdentifiers.push({ - name: identifier.name, - regex: identifier.regex, + Name: identifier.name, + Regex: identifier.regex, }); } else { identifiers.push(Stack.of(_scope).formatArn({ @@ -64,59 +64,32 @@ export class DataProtectionPolicy { const statement = [ { - sid: 'audit-statement-cdk', - dataIdentifier: identifiers, - operation: { - audit: { - findingsDestination: findingsDestination, + Sid: 'audit-statement-cdk', + DataIdentifier: identifiers, + Operation: { + Audit: { + FindingsDestination: findingsDestination, }, }, }, { - sid: 'redact-statement-cdk', - dataIdentifier: identifiers, - operation: { - deidentify: { - maskConfig: {}, + Sid: 'redact-statement-cdk', + DataIdentifier: identifiers, + Operation: { + Deidentify: { + MaskConfig: {}, }, }, }, ]; - const configuration: PolicyConfiguration = { - customDataIdentifier: customDataIdentifiers, + const configuration = { + CustomDataIdentifier: customDataIdentifiers, }; return { name, description, version, configuration, statement }; } } -interface PolicyConfiguration { - customDataIdentifier?: PolicyCustomDataIdentifier[]; -} - -interface PolicyCustomDataIdentifier { - name: string; - regex: string; -} - -interface PolicyFindingsDestination { - cloudWatchLogs?: PolicyCloudWatchLogsDestination; - firehose?: PolicyFirehoseDestination; - s3?: PolicyS3Destination; -} - -interface PolicyCloudWatchLogsDestination { - logGroup: string; -} - -interface PolicyFirehoseDestination { - deliveryStream: string; -} - -interface PolicyS3Destination { - bucket: string; -} - /** * Interface representing a data protection policy */ @@ -143,7 +116,7 @@ interface DataProtectionPolicyConfig { /** * Configuration of the data protection policy. Currently supports custom data identifiers */ - readonly configuration: PolicyConfiguration; + readonly configuration: any; /** * Statements within the data protection policy. Must contain one Audit and one Redact statement diff --git a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts index 6fb68471c0293..9ed431de8d39a 100644 --- a/packages/aws-cdk-lib/aws-logs/lib/log-group.ts +++ b/packages/aws-cdk-lib/aws-logs/lib/log-group.ts @@ -629,12 +629,20 @@ export class LogGroup extends LogGroupBase { Annotations.of(this).addWarningV2('@aws-cdk/aws-logs:propertyNotSupported', `The LogGroupClass property is not supported in the following regions: ${logGroupClassUnsupportedRegions}`); } + const dataProtectionPolicy = props.dataProtectionPolicy?._bind(this); + const resource = new CfnLogGroup(this, 'Resource', { kmsKeyId: props.encryptionKey?.keyArn, logGroupClass, logGroupName: this.physicalName, retentionInDays, - dataProtectionPolicy: props.dataProtectionPolicy?._bind(this), + dataProtectionPolicy: dataProtectionPolicy ? { + Name: dataProtectionPolicy?.name, + Description: dataProtectionPolicy?.description, + Version: dataProtectionPolicy?.version, + Statement: dataProtectionPolicy?.statement, + Configuration: dataProtectionPolicy?.configuration, + } : undefined, }); resource.applyRemovalPolicy(props.removalPolicy); diff --git a/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts b/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts index 4b3382343086a..c12a7570253bd 100644 --- a/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts +++ b/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts @@ -572,13 +572,13 @@ describe('log group', () => { Template.fromStack(stack).hasResourceProperties('AWS::Logs::LogGroup', { LogGroupName: logGroupName, DataProtectionPolicy: { - name: 'test-policy-name', - description: 'test description', - version: '2021-06-01', - statement: [ + Name: 'test-policy-name', + Description: 'test description', + Version: '2021-06-01', + Statement: [ { - sid: 'audit-statement-cdk', - dataIdentifier: [ + Sid: 'audit-statement-cdk', + DataIdentifier: [ { 'Fn::Join': [ '', @@ -590,15 +590,15 @@ describe('log group', () => { ], }, ], - operation: { - audit: { - findingsDestination: {}, + Operation: { + Audit: { + FindingsDestination: {}, }, }, }, { - sid: 'redact-statement-cdk', - dataIdentifier: [ + Sid: 'redact-statement-cdk', + DataIdentifier: [ { 'Fn::Join': [ '', @@ -610,9 +610,9 @@ describe('log group', () => { ], }, ], - operation: { - deidentify: { - maskConfig: {}, + Operation: { + Deidentify: { + MaskConfig: {}, }, }, }, @@ -642,13 +642,13 @@ describe('log group', () => { Template.fromStack(stack).hasResourceProperties('AWS::Logs::LogGroup', { LogGroupName: logGroupName, DataProtectionPolicy: { - name: 'test-policy-name', - description: 'test description', - version: '2021-06-01', - statement: [ + Name: 'test-policy-name', + Description: 'test description', + Version: '2021-06-01', + Statement: [ { - sid: 'audit-statement-cdk', - dataIdentifier: [ + Sid: 'audit-statement-cdk', + DataIdentifier: [ { 'Fn::Join': [ '', @@ -660,15 +660,15 @@ describe('log group', () => { ], }, ], - operation: { - audit: { - findingsDestination: {}, + Operation: { + Audit: { + FindingsDestination: {}, }, }, }, { - sid: 'redact-statement-cdk', - dataIdentifier: [ + Sid: 'redact-statement-cdk', + DataIdentifier: [ { 'Fn::Join': [ '', @@ -680,9 +680,9 @@ describe('log group', () => { ], }, ], - operation: { - deidentify: { - maskConfig: {}, + Operation: { + Deidentify: { + MaskConfig: {}, }, }, }, @@ -717,13 +717,13 @@ describe('log group', () => { Template.fromStack(stack).hasResourceProperties('AWS::Logs::LogGroup', { LogGroupName: logGroupName, DataProtectionPolicy: { - name: 'data-protection-policy-cdk', - description: 'cdk generated data protection policy', - version: '2021-06-01', - statement: [ + Name: 'data-protection-policy-cdk', + Description: 'cdk generated data protection policy', + Version: '2021-06-01', + Statement: [ { - sid: 'audit-statement-cdk', - dataIdentifier: [ + Sid: 'audit-statement-cdk', + DataIdentifier: [ { 'Fn::Join': [ '', @@ -735,19 +735,19 @@ describe('log group', () => { ], }, ], - operation: { - audit: { - findingsDestination: { - cloudWatchLogs: { - logGroup: { + Operation: { + Audit: { + FindingsDestination: { + CloudWatchLogs: { + LogGroup: { Ref: 'LogGroupAudit2C8B7F73', }, }, - firehose: { - deliveryStream: auditDeliveryStreamName, + Firehose: { + DeliveryStream: auditDeliveryStreamName, }, - s3: { - bucket: { + S3: { + Bucket: { Ref: 'BucketAudit1DED3529', }, }, @@ -756,8 +756,8 @@ describe('log group', () => { }, }, { - sid: 'redact-statement-cdk', - dataIdentifier: [ + Sid: 'redact-statement-cdk', + DataIdentifier: [ { 'Fn::Join': [ '', @@ -769,9 +769,9 @@ describe('log group', () => { ], }, ], - operation: { - deidentify: { - maskConfig: {}, + Operation: { + Deidentify: { + MaskConfig: {}, }, }, }, @@ -801,37 +801,37 @@ describe('log group', () => { Template.fromStack(stack).hasResourceProperties('AWS::Logs::LogGroup', { LogGroupName: logGroupName, DataProtectionPolicy: { - name: 'test-policy-name', - description: 'test description', - version: '2021-06-01', - configuration: { - customDataIdentifier: [ + Name: 'test-policy-name', + Description: 'test description', + Version: '2021-06-01', + Configuration: { + CustomDataIdentifier: [ { - name: 'EmployeeId', - regex: 'EmployeeId-\\d{9}', + Name: 'EmployeeId', + Regex: 'EmployeeId-\\d{9}', }, ], }, - statement: [ + Statement: [ { - sid: 'audit-statement-cdk', - dataIdentifier: [ + Sid: 'audit-statement-cdk', + DataIdentifier: [ 'EmployeeId', ], - operation: { - audit: { - findingsDestination: {}, + Operation: { + Audit: { + FindingsDestination: {}, }, }, }, { - sid: 'redact-statement-cdk', - dataIdentifier: [ + Sid: 'redact-statement-cdk', + DataIdentifier: [ 'EmployeeId', ], - operation: { - deidentify: { - maskConfig: {}, + Operation: { + Deidentify: { + MaskConfig: {}, }, }, }, @@ -861,21 +861,21 @@ describe('log group', () => { Template.fromStack(stack).hasResourceProperties('AWS::Logs::LogGroup', { LogGroupName: logGroupName, DataProtectionPolicy: { - name: 'test-policy-name', - description: 'test description', - version: '2021-06-01', - configuration: { - customDataIdentifier: [ + Name: 'test-policy-name', + Description: 'test description', + Version: '2021-06-01', + Configuration: { + CustomDataIdentifier: [ { - name: 'EmployeeId', - regex: 'EmployeeId-\\d{9}', + Name: 'EmployeeId', + Regex: 'EmployeeId-\\d{9}', }, ], }, - statement: [ + Statement: [ { - sid: 'audit-statement-cdk', - dataIdentifier: [ + Sid: 'audit-statement-cdk', + DataIdentifier: [ 'EmployeeId', { 'Fn::Join': [ @@ -888,15 +888,15 @@ describe('log group', () => { ], }, ], - operation: { - audit: { - findingsDestination: {}, + Operation: { + Audit: { + FindingsDestination: {}, }, }, }, { - sid: 'redact-statement-cdk', - dataIdentifier: [ + Sid: 'redact-statement-cdk', + DataIdentifier: [ 'EmployeeId', { 'Fn::Join': [ @@ -909,9 +909,9 @@ describe('log group', () => { ], }, ], - operation: { - deidentify: { - maskConfig: {}, + Operation: { + Deidentify: { + MaskConfig: {}, }, }, },