(@aws-cdk/aws-apigateway): CloudWatch log role ARN references non-existent IAM Role after API deletion

[ghost]

Hi there! We observed a strange behaviour when deleting APIs via cdk: The API Gateway service itself is unable to push logs to Cloudwatch because it references a IAM role that is already deleted.

Reproduction Steps

Let's start with a simple project:

import { App, Stack } from "@aws-cdk/core";
import { RestApi } from "@aws-cdk/aws-apigateway";
import * as cdk from "@aws-cdk/core";

export class HelloCdkStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const app = new App();
    const stack = new Stack(app, "MyStack");

    const api = new RestApi(stack, "MyRestApi");
    api.root.addMethod("ANY");

    const api2 = new RestApi(stack, "MyRestApi2");
    api2.root.addMethod("ANY");
  }
}

When deploying this stack, cdk will create two IAM roles (one for each API) to allow pushing logs to Cloudwatch:

After the deployment the latest deployed IAM role is configured in the API Gateway's global settings:

Please note, that the configured ARN is the ARN of the IAM role which was created by "MyRestApi2":

Now I remove the API "MyRestApi2" in the code and redeploy the stack. The API and the IAM role are deleted:

What actually happened?

But the API Gateway is still configured with the role ARN of the deleted IAM Role from "MyRestApi2":

Now API Gateway is globally unable to push logs to Cloudwatch, because it references a non-existent IAM role.

What did you expect to happen?

When deleting APIs cdk should take care of the IAM role ARN configured in the API Gateway. Since I do not expect cdk to "remember" what ARN was configured before the latest deployment, it would be better to remove this behaviour altogether(?). It does not make sense to me that each deployment of a new API reconfigures the API Gateway itself. Every time we deploy a new API the IAM role ARN will change.

It should be the account owner's responsibility to define a IAM role and configure it in the API Gateway. This is a one-time action.

Furthermore each single API in the stack creates its own IAM role with the same policy (AmazonAPIGatewayPushToCloudWatchLogs) over and over again. In this example only two roles were created. In our dev environment there are ~50 APIs deployed and therefore ~50 IAM roles are created. But API Gateway can reference just one IAM role ARN and therefore only one IAM role would be sufficient. It does not seem that much, but these unnecessary IAM roles count towards the account limit. This is one more argument to think about when judging this bug.

Environment

• CDK CLI Version : 1.87.0
• Framework Version: 1.87.0
• Node.js Version: v12.19.0
• OS : Windows 10
• Language (Version): TypeScript (4.0.5) | Python (3.9.0)

---

This is 🐛 Bug Report

[nija-at]

We're already tracking this issue here - #10878.

Please add your upvotes.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.