(aws-apigateway): CDK Api Gateway Construct missing dependency between Stage and internally created CloudWatch Role #12701

Closed
zrieq opened this issue Jan 25, 2021 · 5 comments
Labels: @aws-cdk/aws-apigateway (Related to Amazon API Gateway), bug (This issue is a bug.), needs-triage (This issue or PR still needs to be triaged.)

zrieq commented Jan 25, 2021

I am using CDK to create our API GW component using JAVA implementation.

I found when deploying our stack to a new AWS account, API gateway is trying to deploy the Stage before the Cloudwatch role is being completed, causing "cdk deploy" to fail and rollback. Please check the 1st attached image to see the sequence of events happening in the stack.

I came up with a workaround as you see in the 2nd screenshot, and it seems to work as shown in the 3rd screenshot. I don't think it is an ideal workaround.

As per the documentation for the SpecRestApi construct (see 4th screenshot), the CloudWatch Role will be created automatically (the default is true for this boolean).

Can you please help with this? I think it is a defect in CDK... maybe I am mistaken.

Thanks

[Screenshots: "ApiGW failing", "CDK Api Gw workaround", "CDK Api Gateway workaround result", "image"]

Reproduction Steps

SpecRestApi pubSubSpecRestApi = SpecRestApi.Builder.create(this, "pub-sub")
        .apiDefinition(ApiDefinition.fromAsset(pubSubApiSpecsFIle.getAbsolutePath()))
        .endpointTypes(List.of(EndpointType.REGIONAL))
        .deployOptions(StageOptions.builder()
                .stageName(env.toLowerCase())
                .loggingLevel(MethodLoggingLevel.INFO)
                .dataTraceEnabled(true)
                .build())
        .build();

What did you expect to happen?

Create Api Gateway.

What actually happened?

Failed to create Api gateway due to missing CloudWatch role.

Environment

  • CDK CLI Version : 1.85
  • Node.js Version: v12.14.1
  • Language (Version): java

This is 🐛 Bug Report

@zrieq zrieq added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 25, 2021
@github-actions github-actions bot added the @aws-cdk/aws-apigateway Related to Amazon API Gateway label Jan 25, 2021

zrieq commented Jan 25, 2021

Also I think there is another defect in ApiGateway where:

Basically, if the ARN string was set ONCE for an AWS Account, it will stay there for every created Rest API, even if it is pointing to a NON existing CloudWatch role. The ARN could be populated by a stack similar to mine and then destroyed, but it will not clean up the CloudWatch ARN in API gateway settings.

This means even when rolling back the internally created role (due to some failure) OR destroying the Stack, the CloudWatch ARN value is still saved on the account level with an invalid value (the role was deleted but only the ARN string value is left).

Having the ARN value string prepopulated will make all cdk deployments in this account bypass the CloudWatch role issue, as the validation for the deploy stage step is just validating the CloudWatch ARN is not empty!

That's why the same stack is working for me in another account over and over with no issues.
I can prove this with some recording if needed.
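
A check for the stale account-level ARN described in the comment above, as an added example that is not part of the original thread or of the CDK project. It assumes a configured AWS CLI; the function names and the status words it prints are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the issue thread). Function names and the
# status words ok/dangling/unset/malformed/unknown are hypothetical.

# Print the role name from an IAM role ARN. Any role path is dropped,
# because `aws iam get-role` takes the bare role name.
role_name_from_arn() {
  case "$1" in
    arn:*:iam::*:role/*) printf '%s\n' "${1##*/}" ;;
    *) return 1 ;;
  esac
}

# Usage: check_apigw_cloudwatch_role <region>
# API Gateway account settings are per region, so run once per region.
# Returns 0 only when the configured ARN resolves to an existing role.
check_apigw_cloudwatch_role() {
  local region="$1" arn name err
  arn=$(aws apigateway get-account --region "$region" \
          --query cloudwatchRoleArn --output text) || return 2
  # With --output text the CLI prints "None" for a missing value.
  if [ -z "$arn" ] || [ "$arn" = "None" ]; then
    echo "unset"; return 1
  fi
  if ! name=$(role_name_from_arn "$arn"); then
    echo "malformed $arn"; return 1
  fi
  # Keep stderr only, so a deleted role (NoSuchEntity) can be told
  # apart from an access-denied or network failure.
  if err=$(aws iam get-role --role-name "$name" 2>&1 >/dev/null); then
    echo "ok $arn"; return 0
  fi
  case "$err" in
    *NoSuchEntity*) echo "dangling $arn"; return 1 ;;
    *) echo "unknown $arn"; return 2 ;;
  esac
}
```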


nija-at commented Feb 5, 2021

We're already tracking this in two different issues:

#10722
#10878

Please upvote them.

@nija-at nija-at closed this as completed Feb 5, 2021

github-actions bot commented Feb 5, 2021

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.


zrieq commented Feb 5, 2021

@nija-at thanks for looking into this issue.

But I think the referred issues are not related to the main issue here.

The issue here is talking about setting a dependency for the internally created role, which is not happening.

The issues are related to another defect that I mentioned in my comment, which speaks about cfnaccount.


nija-at commented Feb 8, 2021

> But I think the referred issues are not related to the main issue here.

The race condition issue - #10722 - I believe is the same.
