Retain LogGroup after Lambda Function removal

Is there a configuration setting to allow log groups auto resourced by the Framework to be retained when a Lambda Function is removed?

I’m working in an AWS account where Log Groups are unable to be deleted for compliance reasons. Currently when I remove a function from the Serverless Stack the sls deploy command is unsuccessful due to the Log Group not be able to be deleted by the CloudFormation Role.

An error occurred: SomeLogGroup - User: arn:aws:sts::000000000:assumed-role/deployer-role is not authorized to perform: logs:DeleteLogGroup on resource: arn:aws:logs:eu-west-2:000000000:log-group:/aws/lambda/some-log-group:log-stream: with an explicit deny (Service: CloudWatchLogs, Status Code: 400, Request ID: HJKHUDH-78677-HJKHJK, Extended Request ID: null).

It would be great if there was a retainLogGroups configuration parameter that would mean log groups are removed from the stack but not destroyed when a function is removed.

Hello @toddpla :wave: It should be possible to use resources.extensions to adjust the log group to be retained, please refer to docs: https://www.serverless.com/framework/docs/providers/aws/guide/resources/#override-aws-cloudformation-resource

I know it’s not an ideal solution and probably having a dedicated configuration would make things easier.

Hello @toddpla. Were you able to achieve this? Could you share your solution? Thanks in advance!