[ApiGateway] RestApi updates account level role used for ApiGateway CloudWatch logging
This code in RestApi will update the account level role for CloudWatch logging used for all ApiGateways.
The problem we are seeing is that each new API we create will replace the role used for the account with the new role created.
If the stack that last updated the account level role gets deleted for some reason then the account level role will no longer exist and all apigateway cloudwatch logging is broken for the account 😱
Reproduction Steps
- create a new RestApi without passing a cloudWatchRole prop
- Deploy the new API - see the account level role change to the role associated with this new API
- Delete the stack
- All account level API logging no longer works because the role is deleted.
What did you expect to happen?
I would expect each apigateway logging role to be only used for a given API Gateway
or I would want the apigateway account level role to be rolled back to the previous role on deletion
What actually happened?
Described above
Environment
- CLI Version :
- Framework Version:
- Node.js Version:
- OS :
- Language (Version):
Other
Is passing a role into each API the best option to resolve this?
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Reactions:22
- Comments:10 (1 by maintainers)
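A check that follows from the behaviour reported above, added here as an example and not code from the issue or from the CDK project: it scans synthesized CloudFormation templates for an `AWS::ApiGateway::Account` resource whose `CloudWatchRoleArn` points at an IAM role defined in the same stack, the arrangement where deleting that stack deletes the account-level logging role. The stack names, logical ids and the placeholder ARN are constructed sample data.

```typescript
// Added example (not CDK source): find stacks that set the account-level
// API Gateway logging role AND own that role, so deleting them removes it.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources?: Record<string, CfnResource> };
type AccountRoleFinding = { stack: string; accountResource: string; ownedRole: string | null };

// Logical id referenced through Fn::GetAtt or Ref, or null for literals/imports.
function referencedLogicalId(value: unknown): string | null {
  if (typeof value !== "object" || value === null) return null;
  const v = value as Record<string, unknown>;
  const getAtt = v["Fn::GetAtt"];
  if (Array.isArray(getAtt) && typeof getAtt[0] === "string") return getAtt[0];
  const ref = v["Ref"];
  return typeof ref === "string" ? ref : null;
}

function findAccountRoleSetters(stacks: Record<string, CfnTemplate>): AccountRoleFinding[] {
  const findings: AccountRoleFinding[] = [];
  for (const [stack, template] of Object.entries(stacks)) {
    const resources = template.Resources ?? {};
    for (const [logicalId, res] of Object.entries(resources)) {
      if (res.Type !== "AWS::ApiGateway::Account") continue;
      const target = referencedLogicalId(res.Properties?.["CloudWatchRoleArn"]);
      const owned = target !== null && resources[target]?.Type === "AWS::IAM::Role";
      findings.push({ stack, accountResource: logicalId, ownedRole: owned ? target : null });
    }
  }
  return findings;
}

// Stacks whose deletion would delete the role the account setting points at.
function stacksOwningAccountRole(stacks: Record<string, CfnTemplate>): string[] {
  return findAccountRoleSetters(stacks).filter((f) => f.ownedRole !== null).map((f) => f.stack);
}

// Constructed sample templates; names and the ARN are placeholders.
const sampleStacks: Record<string, CfnTemplate> = {
  OrdersApi: { Resources: {
    ApiRole: { Type: "AWS::IAM::Role" },
    ApiAccount: { Type: "AWS::ApiGateway::Account",
      Properties: { CloudWatchRoleArn: { "Fn::GetAtt": ["ApiRole", "Arn"] } } } } },
  BillingApi: { Resources: {
    ApiRole: { Type: "AWS::IAM::Role" },
    ApiAccount: { Type: "AWS::ApiGateway::Account",
      Properties: { CloudWatchRoleArn: { "Fn::GetAtt": ["ApiRole", "Arn"] } } } } },
  SharedLogging: { Resources: {
    Account: { Type: "AWS::ApiGateway::Account",
      Properties: { CloudWatchRoleArn: "arn:aws:iam::111122223333:role/placeholder" } } } },
};

console.log(stacksOwningAccountRole(sampleStacks));
```

More than one entry from `findAccountRoleSetters` means several stacks write the same account setting, so the role in effect is whichever was deployed last, as the issue describes.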
Top GitHub Comments
Any chance this could be made the default behavior for CDK v2? There have been so many times I accidentally and silently broke logs for all my API Gateways this way.
Just to echo this - have we missed the window to fix this for v2?
Really hoping this isn’t going to be a replay of https://github.com/aws/aws-cdk/issues/7140#issuecomment-610979959 (“Since the API has been out there for a long time and our API Gateway module is stable, we cannot change this default”).