(apigateway): retention policy for RestApi CloudWatchRole and Account changed in 2.38.0 #22020

Closed
rittneje opened this issue Sep 13, 2022 · 3 comments
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while.

Comments

@rittneje

Describe the bug

When upgrading from v2.28.0 to v2.39.1, we noticed that our API Gateway (created via RestApi) changed the retention policy for the CloudWatchRole and Account sub-resources to RETAIN, which is extremely undesirable as it means these resources will be leaked when the stack is deleted.

It seems that this behavior was introduced in v2.38.0 via #10878, but the release notes don't mention it. They only say "CloudWatch logging should be disabled by default (under feature flag)", which has nothing to do with the retention policy, nor does it mention the feature flag itself, which seems to be @aws-cdk/aws-apigateway:disableCloudWatchRole.

Expected Behavior

Either the retention policy should not have been changed, or this change should have been explicitly included in the release notes.

Current Behavior

The retention policy changes, as reported by cdk diff.

Reproduction Steps

import textwrap

import aws_cdk
from aws_cdk import (
    aws_apigateway,
    aws_lambda,
    aws_logs,
)

def main():
    app = aws_cdk.App()

    env = aws_cdk.Environment(region="us-east-1", account='XXXXX')

    stack = aws_cdk.Stack(app, "sample-stack", env=env)

    lambda_function = aws_lambda.Function(
        stack,
        'sample-lambda-function',
        runtime=aws_lambda.Runtime.PYTHON_3_7,
        handler='index.handler',
        timeout=aws_cdk.Duration.seconds(5),
        code=aws_lambda.Code.from_inline(textwrap.dedent('''
            def handler(event, context):
                pass
        ''')),
        log_retention=aws_logs.RetentionDays.ONE_YEAR,
    )

    aws_apigateway.LambdaRestApi(stack, "sample-api-gateway", handler=lambda_function)

    app.synth()

if __name__ == "__main__":
    main()

Then run cdk synth and cdk diff.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.39.1 (build f188fac)

Framework Version

No response

Node.js Version

v16.17.0

OS

Alpine 3.16

Language

Python

Language Version

3.10.6

Other information

No response

@rittneje rittneje added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 13, 2022
@github-actions github-actions bot added the @aws-cdk/aws-apigateway Related to Amazon API Gateway label Sep 13, 2022
@peterwoodworth
Contributor

This was changed with the new functionality to ensure that users with existing RestApis don't have their RestApis broken and lose write access to CloudWatch logs. I agree that a change in existing functionality like this should be better documented so that existing users are expecting it; thanks for your feedback here 🙂 However, I'm not sure there's anything actionable for us to do now that it's been done.

@corymhall pinging so you can see this feedback as well

@peterwoodworth peterwoodworth added closing-soon This issue will automatically close in 4 days unless further comments are made. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 13, 2022
@github-actions github-actions bot added closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Sep 19, 2022
@hutchy2570

@peterwoodworth Could this please be re-opened? Not being able to control this retention policy for the Role/Account means that resources are constantly being leaked.

For instance, on every PR we deploy a new instance of the stack in order to run tests, which creates a new Role/Account. Over time, this means we need to manually clean up the leftover Roles/Account; otherwise we'll hit limits in IAM.

@nguyen102

Is there any setting that we can configure to delete the API GW account and CloudWatch role?
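As an added example (not code from the issue or from the CDK project), a stdlib-only check that runs over the template `cdk synth` writes to cdk.out and fails a CI job when an AWS::ApiGateway::Account or AWS::IAM::Role carries DeletionPolicy: Retain, which is the condition the cdk diff in the reproduction steps reports and the cause of the per-PR leak hutchy2570 describes. The embedded template is constructed to mirror the reproduction stack; the logical-id suffixes are placeholders, not real CDK hashes.

```python
import json
import sys
from pathlib import Path

# Resource types RestApi synthesizes for CloudWatch logging; the issue reports
# both now carry DeletionPolicy: Retain and therefore outlive the stack.
LEAK_PRONE_TYPES = frozenset({"AWS::ApiGateway::Account", "AWS::IAM::Role"})


def retained_resources(template: dict, types=LEAK_PRONE_TYPES) -> dict:
    """Logical id -> type for resources of the given types whose DeletionPolicy is Retain."""
    retained = {}
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        if rtype in types and resource.get("DeletionPolicy") == "Retain":
            retained[logical_id] = rtype
    return retained


def check_template(path: Path) -> int:
    """Lint one synthesized template; return 1 (CI failure) if anything would leak."""
    leaks = retained_resources(json.loads(path.read_text()))
    for logical_id, rtype in sorted(leaks.items()):
        print(f"{path.name}: {logical_id} ({rtype}) has DeletionPolicy: Retain")
    return 1 if leaks else 0


# Constructed stand-in for cdk.out/sample-stack.template.json; the PLACEHOLDER
# suffixes stand in for the hashes CDK appends to logical ids.
SAMPLE_TEMPLATE = {
    "Resources": {
        "sampleapigatewayCloudWatchRolePLACEHOLDER": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {}},
            "DeletionPolicy": "Retain",
        },
        "sampleapigatewayAccountPLACEHOLDER": {
            "Type": "AWS::ApiGateway::Account",
            "Properties": {"CloudWatchRoleArn": {"Fn::GetAtt": ["sampleapigatewayCloudWatchRolePLACEHOLDER", "Arn"]}},
            "DeletionPolicy": "Retain",
        },
        # The Lambda execution role has no Retain policy and must not be flagged.
        "samplelambdafunctionServiceRolePLACEHOLDER": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {}},
        },
    }
}

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("cdk.out/sample-stack.template.json")
    sys.exit(check_template(target))
```

Run it after `cdk synth` in the PR pipeline so the job fails before a deploy creates another retained Role/Account pair.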
