Add ability to set lambda function log group retention period #513

Open
drem-darios opened this issue Jul 9, 2024 · 1 comment

@drem-darios

Currently the RDK lambda function that is created to check for compliance will create a log group, but there is no expiration set on the log group. This makes it so the logs will never expire, which can have some cost implications over time. Some industries also have strict data retention policies that cannot be applied to lambda functions deployed through RDK. I am requesting a feature that gives users the ability to configure how long the compliance logs should be retained.

@bmorrissirromb
Collaborator

This is one of those asks that seems extremely reasonable but is actually somewhat hard in practice.

The log groups from Lambda invocations get created at function run-time. They aren't pre-provisioned by default. Meaning, you can't just slap a property like RetentionDuration directly on the Function resource, sadly. So what you would have to do is create a Log Group separately within the CFT and point the Lambda to it using the Lambda Function's property LoggingConfig. That's not terribly hard, but the issue here would be backwards compatibility.

We have thousands of customers using RDK with CFTs that don't directly create the Log Group. If we update the template, we'd need to have some logic to ensure that we're not having CloudFormation create a Log Group that already exists. There could be a lot of failures on rdk modify if we changed the behavior.

Could we conditionally do this, where we only create the log group resource if a flag is provided to the CFT? Possibly. I think that would be the route to go down if you want to submit a PR here.

(Side note: CDK has a whole process for this using custom resources and it's a bit of a mess to keep the versions in line)
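
A sketch of the opt-in approach discussed in the comment above, added here as an illustration; it is not RDK's template and not code from either participant. The parameter names, condition name, resource names and handler value are hypothetical, and the execution role is assumed to already allow `logs:CreateLogStream` and `logs:PutLogEvents` on the log group.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example of an opt-in log group with retention for a rule Lambda

Parameters:
  RuleLambdaName:        # hypothetical parameter
    Type: String
  LambdaRoleArn:         # hypothetical parameter, an existing execution role
    Type: String
  CodeBucket:            # hypothetical parameter
    Type: String
  CodeKey:               # hypothetical parameter
    Type: String
  ManageLogGroup:        # hypothetical flag; "false" keeps the current behaviour
    Type: String
    Default: "false"
    AllowedValues: ["true", "false"]
  LogRetentionInDays:    # must be a value CloudWatch Logs accepts
    Type: Number
    Default: 90
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 180, 365]

Conditions:
  CreateLogGroup: !Equals [!Ref ManageLogGroup, "true"]

Resources:
  # Only created when the flag is set, so stacks that never pass the flag
  # keep relying on the log group Lambda creates at run time.
  RuleLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: CreateLogGroup
    Properties:
      LogGroupName: !Sub "/aws/lambda/${RuleLambdaName}"
      RetentionInDays: !Ref LogRetentionInDays

  RuleLambda:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Ref RuleLambdaName
      Runtime: python3.12
      Handler: rule_code.lambda_handler   # placeholder handler name
      Role: !Ref LambdaRoleArn
      Code:
        S3Bucket: !Ref CodeBucket
        S3Key: !Ref CodeKey
      # Point the function at the managed log group only when it exists.
      LoggingConfig: !If
        - CreateLogGroup
        - LogGroup: !Ref RuleLogGroup
        - !Ref AWS::NoValue
```

Turning the flag on for a function that has already run still meets the conflict described above: the run-time-created log group has the same name, so it has to be imported, removed, or the managed group given a different `LogGroupName` before CloudFormation can create it.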
