Description
Describe the bug
When using a Provider to create a custom resource, the request and response objects are logged by the provider function. There is no apparent way to prevent or redact this logging, resulting in secrets being logged if returned in the custom resource's Data object. By extension, if secret values are passed in the resource's ResourceProperties they will be logged as well.
Expected Behavior
When the custom resource response has NoEcho: true, the log output from the Provider function should redact the values from the Data object.
[provider-framework] onEvent returned:
{
  "NoEcho": true,
  "PhysicalResourceId": "2262225",
  "Data": {
    "clientId": "***",
    "clientSecret": "***"
  },
  "Status": "SUCCESS"
}
Current Behavior
The provider function logged the full Data payload:
[provider-framework] onEvent returned:
{
  "NoEcho": true,
  "PhysicalResourceId": "2262225",
  "Data": {
    "clientId": "3a415657c61047fe9b790501254",
    "clientSecret": "475343b8<manually redacted>"
  },
  "Status": "SUCCESS"
}
Reproduction Steps
import { App, CustomResource, Stack } from 'aws-cdk-lib';
import { Provider } from 'aws-cdk-lib/custom-resources';
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';

const app = new App();
const stack = new Stack(app, 'cr-demo-stack');

// Inline onEvent handler that returns a secret in Data with NoEcho set.
const handler = new Function(stack, 'my-handler', {
  runtime: Runtime.NODEJS_20_X,
  handler: 'index.handler',
  code: Code.fromInline(`
    exports.handler = async (event, context) => {
      return {
        PhysicalResourceId: '1234',
        NoEcho: true,
        Data: {
          mySecret: 'secret-value',
        },
      };
    };`),
});

const provider = new Provider(stack, 'my-provider', {
  onEventHandler: handler,
});

new CustomResource(stack, 'my-cr', {
  serviceToken: provider.serviceToken,
});
Deploy this stack and you can see the following log:
[provider-framework] event: {
  "PhysicalResourceId": "1234",
  "NoEcho": true,
  "Data": {
    "mySecret": "secret-value"
  }
}
[provider-framework] submit response to cloudformation <stack-id> {
  "Status": "SUCCESS",
  "Reason": "SUCCESS",
  "StackId": "<stack-id>",
  "RequestId": "bab8ac9b-c6a7-45d4-9828-71dc260ebef7",
  "PhysicalResourceId": "1234",
  "LogicalResourceId": "clientapplication",
  "NoEcho": true,
  "Data": {
    "mySecret": "secret-value"
  }
}
Possible Solution
Add logic to the provider handler code to redact the Data object if NoEcho = true
Add properties to the Provider construct to redact some/all of the ResourceProperties from the provider logs.
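As an added sketch of the two proposals above (not code from aws-cdk-lib), the helper below masks every Data value when NoEcho is true and masks the ResourceProperties named in a hypothetical `secretProperties` option, returning a copy that is safe to hand to the logger:

```typescript
// Added example, not aws-cdk-lib code. Shape of the onEvent response / event
// fields that the provider framework currently logs in full.
type CrPayload = {
  NoEcho?: boolean;
  PhysicalResourceId?: string;
  Data?: Record<string, unknown>;
  ResourceProperties?: Record<string, unknown>;
  [key: string]: unknown;
};

const REDACTED = '***';

// Returns a log-safe copy: Data values are masked whenever NoEcho is true,
// and any ResourceProperties listed in secretProperties (a hypothetical
// Provider construct option) are always masked. The input is not mutated.
function redactForLog(payload: CrPayload, secretProperties: string[] = []): CrPayload {
  const copy: CrPayload = { ...payload };
  if (copy.NoEcho === true && copy.Data) {
    const masked: Record<string, unknown> = {};
    for (const key of Object.keys(copy.Data)) {
      masked[key] = REDACTED;
    }
    copy.Data = masked;
  }
  if (copy.ResourceProperties) {
    const props: Record<string, unknown> = { ...copy.ResourceProperties };
    for (const key of secretProperties) {
      if (key in props) {
        props[key] = REDACTED;
      }
    }
    copy.ResourceProperties = props;
  }
  return copy;
}

// Constructed sample mirroring the response in the reproduction above.
const sampleResponse: CrPayload = {
  NoEcho: true,
  PhysicalResourceId: '1234',
  Data: { mySecret: 'secret-value' },
};

console.log('[provider-framework] onEvent returned:',
  JSON.stringify(redactForLog(sampleResponse), null, 2));
```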
Additional Information/Context
No response
CDK CLI Version
2.133.0 (build dcc1e75)
Framework Version
2.133.0
Node.js Version
20
OS
Ubuntu
Language
TypeScript
Language Version
No response
Other information
No response