fix(aws-apigateway): CloudWatch logging should be disabled by default (under feature flag) #21546
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… (under feature flag) Currently when you create a RestApi cloudwatch logging is enabled by default. This will create an IAM role and a `AWS::ApiGateway::Account` resource, which is what is used to allow API Gateway to write API logs to CloudWatch logs. There can only be a single API Gateway account per AWS environment (account/region), but CloudFormation will not throw an error if you try to create additional accounts. Instead it will update the existing account with the new configuration. This can cause issues if customers create more than 1 RestApi. The following scenario is an example. 1. Create a single `RestApi` A new `AWS::ApiGateway::Account` and IAM role is created. 2. Create a second `RestApi` Another `AWS::ApiGateway::Account`/IAM role is created which _overwrites_ the first one. The first RestApi now uses the account/role created by this `RestApi`. 3. Delete the second `RestApi` The `AWS::ApiGateway::Account`/IAM role is deleted along with the second `RestApi`. The first `RestApi` no longer has access to write to CloudWatch logs. Because of this behavior, the correct thing to do is to disable CloudWatch logs by default so that the user has to create the global resource separately. This new behavior is behind a feature flag `@aws-cdk/aws-apigateway:disableCloudWatchLogs`. In addition, the default retention policy for both the API Gateway account and IAM role has been set to `RETAIN` so that existing implementations that do not use the feature flag can avoid the above scenario. The resources will be unmanaged, but existing RestApis will not break. closes #10878
|
|
github-actions
bot
added
bug
mrgrain
reviewed
Aug 11, 2022
Comment on lines
847
to
848
| set to `false`. To change this default behavior you can enable the feature flag | ||
| `@aws-cdk/aws-apigateway:disableCloudWatchRole` |
There was a problem hiding this comment.
Double checking - is this how we want to phrase feature flagged defaults? All new apps will have the flag enabled and it might confuse people. Maybe it'd be better to directly call out that the FF in the first sentence?!
There was a problem hiding this comment.
Good point. Just pushed an update, let me know what you think or feel free to suggest different wording.
mrgrain
reviewed
Aug 11, 2022
Comment on lines
+5
to
+20
| export class Test extends cdk.Stack { | ||
| constructor(scope: cdk.App, id: string) { | ||
| super(scope, id); | ||
| const api = new apigateway.RestApi(this, 'my-api', { | ||
| retainDeployments: true, | ||
| }); | ||
| api.root.addMethod('GET'); // must have at least one method or an API definition | ||
| } | ||
| } | ||
|
|
||
| const app = new cdk.App(); | ||
| new IntegTest(app, 'cloudwatch-logs-disabled', { | ||
| testCases: [ | ||
| new Test(app, 'default-api'), | ||
| ], | ||
| }); |
There was a problem hiding this comment.
Is this not missing the FF in the context?
There was a problem hiding this comment.
All features flags are enabled by default for integration tests.
|
Might this be a good opportunity to update the integration tests to the new style? |
TheRealAmazonKendra
added
the
pr/do-not-merge
TheRealAmazonKendra
approved these changes
Aug 11, 2022
I should have been the one to suggest this 🤣 |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
josephedward
pushed a commit
to josephedward/aws-cdk
that referenced
this pull request
Aug 30, 2022
… (under feature flag) (aws#21546) Currently when you create a RestApi cloudwatch logging is enabled by default. This will create an IAM role and a `AWS::ApiGateway::Account` resource, which is what is used to allow API Gateway to write API logs to CloudWatch logs. There can only be a single API Gateway account per AWS environment (account/region), but CloudFormation will not throw an error if you try to create additional accounts. Instead it will update the existing account with the new configuration. This can cause issues if customers create more than 1 RestApi. The following scenario is an example. 1. Create a single `RestApi` A new `AWS::ApiGateway::Account` and IAM role is created. 2. Create a second `RestApi` Another `AWS::ApiGateway::Account`/IAM role is created which _overwrites_ the first one. The first RestApi now uses the account/role created by this `RestApi`. 3. Delete the second `RestApi` The `AWS::ApiGateway::Account`/IAM role is deleted along with the second `RestApi`. The first `RestApi` no longer has access to write to CloudWatch logs. Because of this behavior, the correct thing to do is to disable CloudWatch logs by default so that the user has to create the global resource separately. This new behavior is behind a feature flag `@aws-cdk/aws-apigateway:disableCloudWatchLogs`. In addition, the default retention policy for both the API Gateway account and IAM role has been set to `RETAIN` so that existing implementations that do not use the feature flag can avoid the above scenario. The resources will be unmanaged, but existing RestApis will not break. I've updated all the existing integration tests to use the old behavior by explicitly setting `cloudWatchLogs: true`. I then added a new integration test for the new behavior. closes aws#10878 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently when you create a RestApi cloudwatch logging is enabled by
default. This will create an IAM role and a
AWS::ApiGateway::Accountresource, which is what is used to allow API Gateway to write API logs
to CloudWatch logs. There can only be a single API Gateway account per
AWS environment (account/region), but CloudFormation will not throw an
error if you try to create additional accounts. Instead it will update
the existing account with the new configuration.
This can cause issues if customers create more than 1 RestApi.
The following scenario is an example.
RestApiA new
AWS::ApiGateway::Accountand IAM role is created.RestApiAnother
AWS::ApiGateway::Account/IAM role is created whichoverwrites the first one. The first RestApi now uses the account/role
created by this
RestApi.RestApiThe
AWS::ApiGateway::Account/IAM role is deleted along with the secondRestApi. The firstRestApino longer has access to write toCloudWatch logs.
Because of this behavior, the correct thing to do is to disable
CloudWatch logs by default so that the user has to create the global
resource separately. This new behavior is behind a feature flag
@aws-cdk/aws-apigateway:disableCloudWatchLogs.In addition, the default retention policy for both the API Gateway
account and IAM role has been set to
RETAINso that existingimplementations that do not use the feature flag can avoid the above
scenario. The resources will be unmanaged, but existing RestApis will
not break.
I've updated all the existing integration tests to use the old behavior by explicitly setting
cloudWatchLogs: true. I then added a new integration test for the new behavior.closes #10878
All Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license