LogGroup Not Deleted #28

Open
ambsw-technology opened this issue May 2, 2020 · 1 comment

ambsw-technology commented May 2, 2020

We're using cloudformation/cfn-resource-provider.yaml as a nested stack in another CF Template. When that stack fails to deploy, the log group is not cleaned up.

My best guess is that this is the cause. Specifically, the Log Group is destroyed while another lambda is still running. When it completes, it logs messages which (due to its permissions) recreate the log.

This seems to be resolved by revoking logs:CreateLogGroup (since CF handles the create anyway) e.g. by reducing the logs permissions from logs:* to:

- logs:CreateLogStream
- logs:PutLogEvents

The log is created and completely deleted. I've tried it twice both ways in an effort to confirm.

EDIT: It's also possible (but untested) that reversing the DependsOn (so the lambda is deleted before the Log Group) would be adequate.

ambsw-technology commented May 2, 2020

FWIW I would also restrict these permissions to the actual log group that's being created i.e.

Resource: 
- !GetAtt 'CFNCustomProviderLogGroup.Arn'

Obviously, this would require dropping the DependsOn to CFNCustomProvider or you'd end up with a circular dependency.
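
Added example, not part of the thread or the project's own code: a Python check that flags the grants discussed in the comments above, namely IAM statements in a CloudFormation template that allow logs:CreateLogGroup (directly or through a wildcard such as logs:*) or apply logs actions to Resource '*'. It assumes the template is already parsed into a dict in CloudFormation's JSON form; the sample template and the logical IDs BroadRole and ScopedRole are constructed for illustration.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statements(template):
    """Yield (logical_id, statement) for each IAM policy statement in the template."""
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role":
            docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        elif res.get("Type") in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            docs = [props.get("PolicyDocument", {})]
        else:
            continue
        for doc in docs:
            for stmt in _as_list(doc.get("Statement", [])):
                yield logical_id, stmt

def audit_log_permissions(template):
    """Return (logical_id, finding) pairs for over-broad CloudWatch Logs grants."""
    findings = []
    for logical_id, stmt in _statements(template):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action", [])) if isinstance(a, str)]
        if any(fnmatch.fnmatchcase("logs:createloggroup", a) for a in actions):
            findings.append((logical_id, "allows logs:CreateLogGroup"))
        # Only a bare "*" resource is flagged; intrinsic functions (dicts) are treated as scoped.
        touches_logs = any(a == "*" or a.startswith("logs:") for a in actions)
        if touches_logs and "*" in _as_list(stmt.get("Resource", [])):
            findings.append((logical_id, "logs actions on Resource '*'"))
    return findings

def _role(actions, resource):
    # Builds a constructed AWS::IAM::Role with one inline policy statement.
    stmt = {"Effect": "Allow", "Action": actions, "Resource": resource}
    return {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "logs", "PolicyDocument": {"Statement": [stmt]}}]}}

# Constructed sample; BroadRole and ScopedRole are hypothetical logical IDs.
SAMPLE = {"Resources": {
    "BroadRole": _role(["logs:*"], "*"),
    "ScopedRole": _role(["logs:CreateLogStream", "logs:PutLogEvents"],
                        [{"Fn::GetAtt": ["CFNCustomProviderLogGroup", "Arn"]}]),
    "CFNCustomProviderLogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {}},
}}

if __name__ == "__main__":
    for logical_id, finding in audit_log_permissions(SAMPLE):
        print(f"{logical_id}: {finding}")
```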
