Description
Describe the bug
After the resolution of #17544, a new issue has turned up if you tend to create multiple ECS tasks referring to multiple log groups.
Resource handler returned message: "Resource limit exceeded. (Service: CloudWatchLogs, Status Code: 400, Request ID: 25bec134-657e-43c3-ae85-810a0ce56fa0)" (RequestToken: 948dab8b-fac6-2903-695d-f9d825eaea90, HandlerErrorCode: ServiceLimitExceeded)
This is because of the default quota for resource policies:

| Resource policies | Up to 10 CloudWatch Logs resource policies per Region per account. This quota can't be changed. |
|---|---|
Expected Behavior
No error after 10th ECS Task/service
Current Behavior
Each ECS task creates a new log group finally exhausting this limit.
Reproduction Steps
Create 10 log groups for ECS and you will start to face this.
Possible Solution
Let us not create Resource Policies for CW Logs until this issue is resolved. I understand this defeats the purpose of lowest privilege, but it causes issues.
Additional Information/Context
Workaround
Separate the logGroup if it is created within the taskDefinition and add the following in the code for now:
logGroup.node.tryRemoveChild('Policy')
CDK CLI Version
2.24.0
Framework Version
No response
Node.js Version
v17.9.0
OS
macOS
Language
TypeScript
Language Version
No response
Other information
No response
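An alternative to removing the policy, shown as an added example that is not part of the original issue and is not aws-cdk code: merge the statements that separate per-log-group resource policies would carry into as few policy documents as fit the 10-policy quota, so the scoped grants are kept. The service principal, account ID and log group names are constructed placeholders, and the 5120-character figure is the `PutResourcePolicy` document length limit.

```typescript
// Added example; values are constructed and this is not aws-cdk code.
type Statement = { Effect: "Allow"; Principal: { Service: string }; Action: string[]; Resource: string[] };
type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };
const MAX_POLICIES = 10; // per Region per account, as quoted in the issue
const MAX_DOC_CHARS = 5120; // PutResourcePolicy policyDocument length limit

// Statements with the same principal and actions can share one Resource list.
const keyOf = (s: Statement): string =>
  `${s.Principal.Service}|${[...s.Action].sort().join(",")}`;

// Add one resource to the last document, or open a new document if it would not fit.
function place(docs: PolicyDocument[], s: Statement, resource: string): void {
  const fresh = (): Statement => ({ ...s, Action: [...s.Action].sort(), Resource: [resource] });
  const doc = docs[docs.length - 1];
  if (doc) {
    const match = doc.Statement.find((t) => keyOf(t) === keyOf(s));
    if (match) match.Resource.push(resource);
    else doc.Statement.push(fresh());
    if (JSON.stringify(doc).length <= MAX_DOC_CHARS) return;
    if (match) match.Resource.pop(); // undo: the document would be too long
    else doc.Statement.pop();
  }
  docs.push({ Version: "2012-10-17", Statement: [fresh()] });
}

// Merge per-log-group statements into as few policy documents as possible.
function consolidate(perGroup: Statement[]): PolicyDocument[] {
  const docs: PolicyDocument[] = [];
  const seen = new Set<string>();
  for (const s of perGroup) {
    for (const resource of s.Resource) {
      const id = `${keyOf(s)}|${resource}`;
      if (seen.has(id)) continue; // same grant requested twice
      seen.add(id);
      place(docs, s, resource);
    }
  }
  if (docs.length > MAX_POLICIES) throw new Error(`${docs.length} policies needed, quota is ${MAX_POLICIES}`);
  return docs;
}
// Constructed input: one statement per ECS log group, as separate policies would carry.
function sampleStatements(n: number): Statement[] {
  return Array.from({ length: n }, (_, i) => ({
    Effect: "Allow" as const,
    Principal: { Service: "example.amazonaws.com" }, // placeholder principal
    Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
    Resource: [`arn:aws:logs:us-east-1:111122223333:log-group:/ecs/svc-${i}:*`],
  }));
}
```

Each returned document would be stored as one resource policy; resources stay listed by exact log group ARN rather than widened to a wildcard.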