fixes issue with CloudWatch Logs custom log KMS permissions (#1293)

rjjaegeraws · web-flow · commit 435f74985a25 · 2025-07-21T10:40:21.000-04:00
* update role permissions

* update

* Update

* pin docker image
diff --git a/src/deployments/cdk/src/deployments/iam/log-group-role.ts b/src/deployments/cdk/src/deployments/iam/log-group-role.ts
@@ -51,5 +51,12 @@ async function createRole(stack: AccountStack) {
       resources: ['*'],
     }),
   );
+
+  role.addToPrincipalPolicy(
+    new iam.PolicyStatement({
+      actions: ['kms:Encrypt', 'kms:Decrypt', 'kms:GenerateDataKey'],
+      resources: ['*'],
+    }),
+  );
   return role;
 }
diff --git a/src/lib/cdk-accelerator/src/codebuild/cdk-deploy-project.ts b/src/lib/cdk-accelerator/src/codebuild/cdk-deploy-project.ts
@@ -146,7 +146,7 @@ export class PrebuiltCdkDeployProject extends CdkDeployProjectBase {
     fs.writeFileSync(
       path.join(this.projectTmpDir, 'Dockerfile'),
       [
-        'FROM public.ecr.aws/bitnami/node:22',
+        'FROM public.ecr.aws/bitnami/node:22.13.0',
         // Install the package manager
         ...installPackageManagerCommands(props.packageManager).map(cmd => `RUN ${cmd}`),
         `WORKDIR ${appDir}`,

Original file line number	Diff line number	Diff line change
`@@ -146,7 +146,7 @@ export class PrebuiltCdkDeployProject extends CdkDeployProjectBase {`
`146`	`146`	`fs.writeFileSync(`
`147`	`147`	`path.join(this.projectTmpDir, 'Dockerfile'),`
`148`	`148`	`[`
`149`		`- 'FROM public.ecr.aws/bitnami/node:22',`
	`149`	`+ 'FROM public.ecr.aws/bitnami/node:22.13.0',`
`150`	`150`	`// Install the package manager`
`151`	`151`	...installPackageManagerCommands(props.packageManager).map(cmd => `RUN ${cmd}`),
`152`	`152`	`WORKDIR ${appDir}`,