
custom-resources: Provider logs Data from response with NoEcho: true #30275

Open
cgatt opened this issue May 20, 2024 · 2 comments
Labels
@aws-cdk/custom-resources Related to AWS CDK Custom Resources effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1

Comments

@cgatt

cgatt commented May 20, 2024

Describe the bug

When using a Provider to create a custom resource, the request and response objects are logged by the provider function. There is no apparent way to prevent or redact this logging, resulting in secrets being logged if returned in the custom resource's Data object. By extension, if secret values are passed in the resource's ResourceProperties they will be logged as well.

Expected Behavior

When the custom resource response has NoEcho: true, the log output from the Provider function should redact the values from the Data object.

[provider-framework] onEvent returned: 
{
    "NoEcho": true,
    "PhysicalResourceId": "2262225",
    "Data": {
        "clientId": "***",
        "clientSecret": "***"
    },
    "Status": "SUCCESS"
}

Current Behavior

The provider function logged the full Data payload:

[provider-framework] onEvent returned: 
{
    "NoEcho": true,
    "PhysicalResourceId": "2262225",
    "Data": {
        "clientId": "3a415657c61047fe9b790501254",
        "clientSecret": "475343b8<manually redacted>"
    },
    "Status": "SUCCESS"
}

Reproduction Steps

import { App, CustomResource, Stack } from 'aws-cdk-lib';
import { Provider } from 'aws-cdk-lib/custom-resources';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';

const app = new App();
const stack = new Stack(app, 'cr-demo-stack');

// onEvent handler that returns a secret in Data and marks the response NoEcho
const handler = new Function(stack, 'my-handler', {
  runtime: Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: Code.fromInline(`
  exports.handler = async (event, context) => {
    return {
      PhysicalResourceId: '1234',
      NoEcho: true,
      Data: {
        mySecret: 'secret-value',
      },
    };
  };`),
});

// Provider framework wraps the handler; its own Lambda logs the request and response
const provider = new Provider(stack, 'my-provider', {
  onEventHandler: handler,
});

new CustomResource(stack, 'my-cr', {
  serviceToken: provider.serviceToken,
});

Deploy this stack and you can see the following log:

[provider-framework] event: {
  "PhysicalResourceId": "1234",
  "NoEcho": true,
  "Data": {
    "mySecret": "secret-value"
  }
}
[provider-framework] submit response to cloudformation <stack-id> {
  "Status": "SUCCESS",
  "Reason": "SUCCESS",
  "StackId": "<stack-id>",
  "RequestId": "bab8ac9b-c6a7-45d4-9828-71dc260ebef7",
  "PhysicalResourceId": "1234",
  "LogicalResourceId": "clientapplication",
  "NoEcho": true,
  "Data": {
    "mySecret": "secret-value"
  }
}

Possible Solution

Add logic to the provider handler code to redact the Data object if NoEcho = true.

Add properties to the Provider construct to redact some/all of the ResourceProperties from the provider logs.

Additional Information/Context

No response

CDK CLI Version

2.133.0 (build dcc1e75)

Framework Version

2.133.0

Node.js Version

20

OS

Ubuntu

Language

TypeScript

Language Version

No response

Other information

No response
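The two behaviours suggested under Possible Solution, as an added example in TypeScript that is not part of the issue and not code from the CDK provider framework: mask every value in Data when the response carries NoEcho: true, and mask a caller-supplied list of ResourceProperties keys (including OldResourceProperties, which an Update event also carries) before the event is logged. The names redactResponse, redactEvent, providerLogLine, CrResponse, CrEvent and the sample payloads are hypothetical; the field names follow the CloudFormation custom resource response shape visible in the logs above.

```typescript
// Added example (not the CDK provider framework's own code): redact a
// CloudFormation custom resource response before logging it, so a response
// carrying NoEcho: true never writes its Data values to CloudWatch Logs, and
// optionally hide named ResourceProperties from the incoming event.
// All function and type names below are hypothetical.

export interface CrResponse {
  Status: 'SUCCESS' | 'FAILED';
  Reason?: string;
  StackId?: string;
  RequestId?: string;
  LogicalResourceId?: string;
  PhysicalResourceId?: string;
  NoEcho?: boolean;
  Data?: { [key: string]: unknown };
}

export interface CrEvent {
  RequestType: 'Create' | 'Update' | 'Delete';
  ResourceProperties?: { [key: string]: unknown };
  OldResourceProperties?: { [key: string]: unknown };
  [extra: string]: unknown;
}

const MASK = '***';

// Replace every value with the mask but keep the keys, so the log still shows
// which attributes the handler returned without revealing their values.
function maskAllValues(obj: { [key: string]: unknown }): { [key: string]: string } {
  const out: { [key: string]: string } = {};
  for (const key of Object.keys(obj)) {
    out[key] = MASK;
  }
  return out;
}

// Mask only the listed keys; everything else stays readable for debugging.
function maskListedKeys(obj: { [key: string]: unknown }, secretKeys: ReadonlyArray<string>): { [key: string]: unknown } {
  const out: { [key: string]: unknown } = {};
  for (const key of Object.keys(obj)) {
    out[key] = secretKeys.indexOf(key) !== -1 ? MASK : obj[key];
  }
  return out;
}

// NoEcho is the flag CloudFormation itself honours when deciding whether to
// show Data in the console and API; applying it to the provider's own log
// line keeps both channels consistent. A response without NoEcho (or without
// Data) is returned as-is, and the input object is never mutated.
export function redactResponse(response: CrResponse): CrResponse {
  if (response.NoEcho !== true || response.Data === undefined) {
    return response;
  }
  return { ...response, Data: maskAllValues(response.Data) };
}

// Inputs have no NoEcho equivalent, so the caller names the properties that
// carry secrets. OldResourceProperties is covered too: an Update event carries
// the previous value of each property, which is just as sensitive.
export function redactEvent(event: CrEvent, secretProperties: ReadonlyArray<string>): CrEvent {
  const out: CrEvent = { ...event };
  if (event.ResourceProperties !== undefined) {
    out.ResourceProperties = maskListedKeys(event.ResourceProperties, secretProperties);
  }
  if (event.OldResourceProperties !== undefined) {
    out.OldResourceProperties = maskListedKeys(event.OldResourceProperties, secretProperties);
  }
  return out;
}

// Formats one log line in the style of the framework's "[provider-framework]"
// output; callers pass the already-redacted object.
export function providerLogLine(label: string, payload: unknown): string {
  return '[provider-framework] ' + label + ' ' + JSON.stringify(payload, undefined, 2);
}

// Constructed sample data mirroring the shapes in the issue; the values are made up.
export const sampleResponse: CrResponse = {
  Status: 'SUCCESS',
  PhysicalResourceId: '2262225',
  NoEcho: true,
  Data: { clientId: 'example-client-id', clientSecret: 'example-client-secret' },
};

export const sampleEvent: CrEvent = {
  RequestType: 'Update',
  ResourceProperties: { ServiceToken: 'arn:aws:lambda:us-east-1:123456789012:function:example', ApiKey: 'new-key' },
  OldResourceProperties: { ServiceToken: 'arn:aws:lambda:us-east-1:123456789012:function:example', ApiKey: 'old-key' },
};

console.log(providerLogLine('onEvent returned:', redactResponse(sampleResponse)));
console.log(providerLogLine('event:', redactEvent(sampleEvent, ['ApiKey'])));
```

Keeping the keys while masking the values preserves most of the debugging value of the log line (you can still see which attributes came back and which were missing) without the secret ever reaching CloudWatch Logs, which is the same trade-off CloudFormation makes with NoEcho in its own console output.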

@cgatt cgatt added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 20, 2024
@github-actions github-actions bot added the @aws-cdk/custom-resources Related to AWS CDK Custom Resources label May 20, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels May 20, 2024
@khushail khushail self-assigned this May 21, 2024
@pahud
Contributor

pahud commented May 21, 2024

If you are using the CustomResource Provider Framework, at this moment there's no way to turn off the logging.

If you use AwsCustomResource, you can disable logging the Data object with Logging.withDataHidden(). See here for more details.

Looks like you are using the custom CustomResource Provider Framework?

@pahud pahud added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 21, 2024
@pahud
Contributor

pahud commented May 21, 2024

Making it a p1 feature request to disable the logging for the CR provider framework.

@pahud pahud added p1 feature-request A feature should be added or improved. and removed bug This issue is a bug. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels May 21, 2024
@khushail khushail removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label May 22, 2024
@khushail khushail removed their assignment May 22, 2024
@pahud pahud added the effort/medium Medium work item – several days of effort label May 22, 2024