Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

By default every new RestApi instance replaces the single CloudWatch Role on API Gateway #7140

Closed
gsdwait opened this issue Apr 2, 2020 · 5 comments
Closed

By default every new RestApi instance replaces the single CloudWatch Role on API Gateway #7140

gsdwait opened this issue Apr 2, 2020 · 5 comments
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway bug This issue is a bug. effort/medium Medium work item – several days of effort needs-design This feature request needs additional design work. p2

Comments

@gsdwait
Copy link

gsdwait commented Apr 2, 2020

We discovered that our API Gateway cloudwatch role was being overwritten by deployments of RestApi constructs. The CloudWatch Role is associated with the API Gateway's Account resource. The API Gateway only supports 1 role for providing it the permissions required to write to CloudWatch so it seems strange to assume that every RestApi deployed is going to want to create that role and update the API Gateway Account automatically.

The cloudWatchRole property of RestApiProps should default to false.

Reproduction Steps

In an AWS account that has already setup API Gateway's CloudWatch Role (by whatever means) run:

$ aws apigateway get-account
{
    "cloudwatchRoleArn": "arn:aws:iam::NNNNNNNNN:role/apigateway.amazonaws.com",
    "throttleSettings": {
        "burstLimit": 1050,
        "rateLimit": 2100.0
    },
    "features": [
        "UsagePlans",
        "ArbitraryUsageIdentifierKeys"
    ],
    "apiKeyVersion": "4"
}

Note the cloudwatchRoleArn and deploy a new stack that uses the RestApi construct without providing a value for the cloudWatchRole property. When you run aws apigateway get-account again you will see that the RestApi construct creates a new role and overwrites the role association that was previously established with API Gateway's Account resource.

Error Log

In our case we found that when the role was replaced our existing api gateway deployments were no longer able to write to cloudwatch logs. Our workaround is to do our best to ensure that nobody creates a RestApi construct without setting the cloudWatchRole property to false.

Environment

  • **CLI Version :cdk version 1.31.0, aws-cli/1.16.260
  • **Framework Version:1.31.0
  • **OS :Mac OS
  • **Language :Typescript

Other

This is 🐛 Bug Report
@gsdwait gsdwait added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 2, 2020
@RomainMuller RomainMuller added the @aws-cdk/aws-apigateway Related to Amazon API Gateway label Apr 2, 2020
@nija-at
Copy link
Contributor

nija-at commented Apr 8, 2020

You are correct, in that this is confusing behaviour. The problem is exacerbated by the fact that this property is configured on an instance of RestApi.

Since the API has been out there for a long time and our API Gateway module is stable, we cannot change this default. It will change the behaviour on all new CDK deployments, and customers will not know that this has changed.

A better approach may be to deprecate this property, and add a new property (either in RestApi or as a separate construct) with the correct default and behaviour.

@nija-at nija-at added p2 and removed needs-triage This issue or PR still needs to be triaged. labels Apr 8, 2020
@nija-at nija-at added needs-design This feature request needs additional design work. effort/medium Medium work item – several days of effort labels Aug 6, 2020
@nija-at nija-at mentioned this issue Oct 21, 2020
Closed
@adrian-skybaker adrian-skybaker mentioned this issue Dec 22, 2021
Closed
@github-actions
Copy link

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jun 17, 2022
@tstibbs
Copy link

tstibbs commented Jun 21, 2022

I think this could be closed as a dup of #10878?

@github-actions github-actions bot removed the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jun 21, 2022
@gsdwait
Copy link
Author

gsdwait commented Jun 21, 2022

I think this could be closed as a dup of #10878?

I agree. Still needs to be fixed but #10878 does refer to the same issue.

@gsdwait gsdwait closed this as completed Jun 21, 2022
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway bug This issue is a bug. effort/medium Medium work item – several days of effort needs-design This feature request needs additional design work. p2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@RomainMuller @tstibbs @nija-at @gsdwait