AwsCustomResource: Response too long when doing Securityhub:createConfigurationPolicy #28498

Closed
kabo opened this issue Dec 27, 2023 · 4 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. effort/medium Medium work item – several days of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@kabo

kabo commented Dec 27, 2023

Describe the bug

We're trying to set up a securityhub configuration policy. There's no native cloudformation support for this so we figured a custom resource would be suitable.

    new AwsCustomResource(this, 'CreatePolicy', {
      resourceType: 'Custom::ConfigurationPolicy',
      installLatestAwsSdk: true,
      logRetention: RetentionDays.ONE_MONTH,
      onCreate: {
        service: 'Securityhub',
        action: 'createConfigurationPolicy',
        ignoreErrorCodesMatching: '.*',
        parameters: {
          Name: 'MyPolicy',
          ConfigurationPolicy: {
            SecurityHub: {
              EnabledStandardIdentifiers: [
                'arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0',
              ],
              SecurityControlsConfiguration: {
                DisabledSecurityControlIdentifiers: [
                  'Macie.1',
                ],
              },
              ServiceEnabled: true,
            },
          },
        },
        physicalResourceId: PhysicalResourceId.of('MyPolicy'),
      },
      policy: AwsCustomResourcePolicy.fromSdkCalls({
        resources: AwsCustomResourcePolicy.ANY_RESOURCE,
      }),
    })

This fails with Response object is too long. Even though we've tried to ignore all errors with ignoreErrorCodesMatching: '.*'.

The policy is successfully created, but the resource shows it as failing.

Expected Behavior

The custom resource to be created successfully.

Current Behavior

Resource fails with Response object is too long

Reproduction Steps

See above

Possible Solution

Handle the longer response objects? Escape hatch similar to ignoreErrorCodesMatching to ignore this type of failure?

Additional Information/Context

No response

CDK CLI Version

2.115.0 (build 58027ee)

Framework Version

No response

Node.js Version

20

OS

Artix Linux

Language

TypeScript

Language Version

TypeScript 5.3.3

Other information

No response

@kabo kabo added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 27, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Dec 27, 2023
@kabo
Author

kabo commented Dec 27, 2023

Workaround: provide your own lambda to do the creation

    const lambda = new NodejsFunction(this, 'CreatePolicyLambda', {
      entry: join(dirname, './create-policy/index.ts'),
      logRetention: RetentionDays.ONE_MONTH,
      runtime: Runtime.NODEJS_20_X,
      architecture: Architecture.ARM_64,
      memorySize: 256,
      timeout: Duration.seconds(60),
      bundling: {
        minify: true,
        sourceMap: false,
        mainFields: [ 'module', 'main' ],
        target: 'node20',
        format: OutputFormat.ESM,
        externalModules: [],
      },
    })
    lambda.addToRolePolicy(new PolicyStatement({
      actions: [
        'securityHub:CreateConfigurationPolicy',
      ],
      resources: [
        '*',
      ],
    }))

    const provider = new Provider(this, 'CreatePolicyProvider', {
      onEventHandler: lambda,
    })
    new CustomResource(this, 'CreatePolicy', {
      serviceToken: provider.serviceToken,
      resourceType: 'Custom::CreatePolicy',
    })

@pahud
Contributor

pahud commented Dec 27, 2023

Generally, for all the response too long or response too large issues from AwsCustomResource, you can always specify outputPaths to filter its output.

For example:

    outputPaths: [
      'ClusterInfo.ZookeeperConnectString',
      'ClusterInfo.ZookeeperConnectStringTls',
    ],
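As an added illustration (not aws-cdk-lib code and not part of pahud's comment), here is a simplified TypeScript model of what the AwsCustomResource handler does with an SDK result: it flattens the result into dotted keys, keeps only keys that start with one of the outputPaths, and fails with "Response object is too long." when the Data payload exceeds CloudFormation's 4096-byte custom-resource response limit. The sample response, its field values and the 300 padded control ids are constructed, and the size check measures only the Data payload, whereas the real response body also carries Status, PhysicalResourceId and similar fields.

```typescript
// Added example, not aws-cdk-lib code: a simplified model of the handler path
// that produces "Response object is too long". CloudFormation rejects custom
// resource response bodies over 4096 bytes, so the SDK result must be trimmed.
const MAX_RESPONSE_SIZE = 4096;

// Flatten nested SDK output into dotted keys (arrays become .0, .1, ...), e.g.
// "ConfigurationPolicy.SecurityHub.ServiceEnabled": true
function flatten(obj: object, prefix = ""): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(obj)) {
    const key = prefix ? `${prefix}.${k}` : k;
    if (v !== null && typeof v === "object") Object.assign(out, flatten(v, key));
    else out[key] = v;
  }
  return out;
}

// Keep only flattened keys that start with one of the requested outputPaths;
// with no outputPaths the whole flattened response goes back to CloudFormation.
function selectOutputs(flat: Record<string, unknown>, outputPaths?: string[]) {
  if (!outputPaths) return flat;
  const kept: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(flat)) {
    if (outputPaths.some((p) => k.startsWith(p))) kept[k] = v;
  }
  return kept;
}

// Measure the Data payload (ASCII only here, so string length equals bytes).
function buildResponse(sdkResponse: object, outputPaths?: string[]) {
  const data = selectOutputs(flatten(sdkResponse), outputPaths);
  const size = JSON.stringify({ Data: data }).length;
  if (size > MAX_RESPONSE_SIZE) throw new Error("Response object is too long.");
  return { data, size };
}

// Constructed sample shaped like a CreateConfigurationPolicy result, padded with
// 300 disabled control ids so that the unfiltered payload exceeds the limit.
const SAMPLE_RESPONSE = {
  Arn: "arn:aws:securityhub:eu-west-1:111122223333:configuration-policy/EXAMPLE-ID",
  Id: "EXAMPLE-ID",
  ConfigurationPolicy: {
    SecurityHub: {
      ServiceEnabled: true,
      EnabledStandardIdentifiers: ["arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0"],
      SecurityControlsConfiguration: {
        DisabledSecurityControlIdentifiers: Array.from({ length: 300 }, (_, i) => `Control.${i}`),
      },
    },
  },
};
```

Calling buildResponse(SAMPLE_RESPONSE) throws, while buildResponse(SAMPLE_RESPONSE, ['Arn', 'Id']) returns a two-key Data object well under the limit, which is the effect outputPaths has in the real construct.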

@pahud pahud added p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 27, 2023
@kabo
Author

kabo commented Dec 29, 2023

I think outputPaths solves this issue. Closing.

@kabo kabo closed this as completed Dec 29, 2023