From 142352f1eee18d98400588b4ea7b7fa7d1e6bd79 Mon Sep 17 00:00:00 2001
From: skyuecx0630 <48788794+skyuecx0630@users.noreply.github.com>
Date: Thu, 8 Aug 2024 11:27:06 +0900
Subject: [PATCH] Check whether `retentionInDays` is set or not
---
 services/cloudwatch.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/services/cloudwatch.py b/services/cloudwatch.py
index 7e3962e..1496015 100644
--- a/services/cloudwatch.py
+++ b/services/cloudwatch.py
@@ -11,11 +11,13 @@ def cw_loggroup_retention_period_check():
 non_compliant_resources = []
 log_groups = logs_client.describe_log_groups()["logGroups"]
+ # This rule should check if `retentionInDays` is less than n days.
+ # But, instead of that, this will check if the retention setting is set to "Never expire" or not
 for log_group in log_groups:
- if "retentionInDays" in log_group and log_group["retentionInDays"] < 365:
- non_compliant_resources.append(log_group["logGroupArn"])
- else:
+ if "retentionInDays" in log_group:
 compliant_resources.append(log_group["logGroupArn"])
+ else:
+ non_compliant_resources.append(log_group["logGroupArn"])
 return RuleCheckResult(
 passed=not non_compliant_resources,
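Review bot: The new `if "retentionInDays" in log_group:` branch marks a log group compliant for any retention value, so a group that keeps logs for a single day passes a check named for the retention period; the added comment itself says the threshold is no longer enforced. Keeping both conditions covers the unset case and the short case: `if log_group.get("retentionInDays", 0) >= 365:` on the compliant branch, with 365 (the value the removed line used) lifted into a named minimum. Separately, `describe_log_groups()` is called once on the context line above the loop; if `logs_client` is a boto3 client, only the first page of results is evaluated unless `nextToken` is followed or a paginator is used, so log groups beyond it are never reported either way. The function's signature and the rest of the `RuleCheckResult(...)` call lie outside the hunk.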