class DataProtectionPolicy not working as expected

[ericxinzhang]

I'd like to apply a data protection policy to a log group and exactly followed the document but it's not working.

I believe the reason is somehow in the generated CFN template, all the field names (e.g. statement) of the DataProtectionPolicy property for the log group are in lower case while it should be in uppercase as per the doc.

I tried cdk deploy and the template can be deployed successfully, but the policy is not taking effect.

Could someone please enlighten me what I did wrong here?

Please refer to the following console log for details.

➜  data-protection git:(main) ✗ cdk init --language typescript app                                                                                                                                                                                 
Applying project template app for typescript
# Welcome to your CDK TypeScript project

This is a blank project for CDK development with TypeScript.

The `cdk.json` file tells the CDK Toolkit how to execute your app.

## Useful commands

* `npm run build`   compile typescript to js
* `npm run watch`   watch for changes and compile
* `npm run test`    perform the jest unit tests
* `cdk deploy`      deploy this stack to your default AWS account/region
* `cdk diff`        compare deployed stack with current state
* `cdk synth`       emits the synthesized CloudFormation template

Executing npm install...
✅ All done!

➜  data-protection git:(main) ✗ cdk --version                                                                                                                                                                                                      
2.90.0 (build 8c535e4)

➜  data-protection git:(main) ✗ cat bin/data-protection.ts        

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { DataProtectionStack } from '../lib/data-protection-stack';

const app = new cdk.App();
new DataProtectionStack(app, 'DataProtectionStack', {
});

➜  data-protection git:(main) ✗ cat lib/data-protection-stack.ts    

import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";

export class DataProtectionStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const dataProtectionPolicy = new cdk.aws_logs.DataProtectionPolicy({
      name: "EmailAndLatLngProrectionPolicy",
      identifiers: [
        cdk.aws_logs.DataIdentifier.EMAILADDRESS,
        cdk.aws_logs.DataIdentifier.LATLONG,
      ],
    });

    new cdk.aws_logs.LogGroup(this, "TestLogGroup", {
      logGroupName: "TestLogGroup",
      dataProtectionPolicy,
    });
  }
}

➜  data-protection git:(main) ✗ cdk synth 

Resources:
  TestLogGroup4EEF7AD4:
    Type: AWS::Logs::LogGroup
    Properties:
      DataProtectionPolicy:
        name: EmailAndLatLngProrectionPolicy
        description: cdk generated data protection policy
        version: "2021-06-01"
        statement:
          - sid: audit-statement-cdk
            dataIdentifier:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :dataprotection::aws:data-identifier/EmailAddress
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :dataprotection::aws:data-identifier/LatLong
            operation:
              audit:
                findingsDestination: {}
          - sid: redact-statement-cdk
            dataIdentifier:
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :dataprotection::aws:data-identifier/EmailAddress
              - Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :dataprotection::aws:data-identifier/LatLong
            operation:
              deidentify:
                maskConfig: {}
      RetentionInDays: 731
    UpdateReplacePolicy: Retain
    DeletionPolicy: Retain
    Metadata:
      aws:cdk:path: DataProtectionStack/TestLogGroup/Resource
      ... (omitted)

[peterwoodworth]

@github-actions proposed-answer I copied the exact snippet you posted - and I'm reproducing the behavior where the template has these lowercase properties. In fact, the tests in the PR that introduced this feature are like this as well

However, when I attempt to deploy the snippet you posted, and then check the Data Protection policy on this log group in the console, it has the Data Protection policy specified in the code and template. What behavior are you experiencing exactly - Is it deploying but without a correct Data Protection policy?

[ericxinzhang]

After my deployment, in Log group policy section, the status is ON, but Data identifiers is empty which seems no data identifier is taking effect. After I clicked on Syntax button and manually changed all property names to upper case Data identifiers is showing EmailAddress.

[ericxinzhang]

Further update:

It seems the data identifier is working even in lowercase but I tested email address only. I think the current outcome of CDK is very confusing. Firstly, the policy generated is inconsistent (property name lowercase vs uppercase) with what documented in the offical doc. Secondly, the console could not pick the data identifiers up and is misleading.

[peterwoodworth]

Yes I'm seeing the same behavior @ericxinzhang. I'm going to convert this to a bug report so that this will behave properly in the console

[peterwoodworth]

#26728

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.