(custom-resources): Default logging configuration hits Cloudwatch Logs Resource Policy size limit #28577
Comments
Thanks for this report. That is certainly true. I will work on this issue. It's to create a default log group to start with
Adds a notice for high-impact issue aws/aws-cdk#28577.
Because this issue is a regression, I am reverting the PR that caused this initially. We can roll the new fix into the original change and make sure the tests cover the failure correctly to avoid this in the future. Revert PR: #28699
Okay, I'm going to add the correct changes in the PR for the one I'm working on now.
Thank you @go-to-k, appreciate you taking this up again.
v2.121.1 is out and should have this solved.
… in CompleteHandler (#28706)

This PR fixes the case that `StateMachine` generated for `CompleteHandler` in `Provider` cannot set logging.

The default log group name of the state machine automatically created by the `Provider` with `isCompleteHandler` should start with `/aws/vendedlogs/states`. Otherwise, each time the state machine is created, the log resource policy size increases.

https://docs.aws.amazon.com/step-functions/latest/dg/bp-cwl.html

Closes #27283
Fixes #28577 #28744
Related PR #27310 (reverted by #28699), #28587

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@go-to-k @MrArnoldPalmer we have the same issue with rolling out AWS WAFs: the default log resource policy grows bigger with every WAF (without configuring anything special besides the logging to CW) until the policy is too big, and then every deployment fails. It's fixable with the AWS CLI, but so far not with CDK (when tearing down a WAF stack again we like to remove the entry inside the log resource policy:
(see all the actually this is the workaround https://dasang.github.io/blog/waf_resource_policy/ but I consider it a bug in AWS
@digitalkaoz I see, but the WAF L2 construct doesn't exist yet, so I think we have to handle it in our own CDK code. (This issue is about using custom resources with SFn state machines.)
Please add your +1 👍 to let us know you have encountered this
Status: RESOLVED
Overview:
A previous PR enabled the ability to configure logging for a state-machine that was managed via a custom resource. This introduced a bug where the logging resource policy became too large because of the name of the log group. This could break the deploys of existing applications that contained this custom resource.
Complete Error Message:
Workaround:
Lock your cdk version to v1.115.0 or below.
Solution:
Revert in progress: #28699
Related Issues:
Original Issue:
Title: (custom-resources): Default logging configuration hits Cloudwatch Logs Resource Policy size limit
Describe the bug
Upgrading aws-cdk > 2.115 adds a default logging configuration to custom resources.
When using `aws_dynamodb.Table` with `replication_regions` specified, this automatically generates a `@aws-cdk--aws-dynamodb.ReplicaProvider.NestedStackResource` which contains `Providerwaiterstatemachine` and, post upgrade, also a new log group.
When deploying, the following error is returned:
@aws-cdk--aws-dynamodb.ReplicaProvider/Provider/waiter-state-machine (Providerwaiterstatemachine5D4A9DF0) Resource handler returned message: "Invalid Logging Configuration: The CloudWatch Logs Resource Policy size was exceeded. We suggest prefixing your CloudWatch log group name with /aws/vendedlogs/states/. (Service: AWSStepFunctions; Status Code: 400; Error Code: InvalidLoggingConfiguration; Request ID: 4ba96f98-4be5-450c-a069-3d4cbf93271a; Proxy: null)"
Expected Behavior
Default logging configuration should be configured in a way to prevent the above error
Current Behavior
Upgrading to aws-cdk >=2.116 generates a logging configuration with what I believe is no name/prefix specified to the log group
Given the nested stack is auto generated I see no way to override the properties here.
Reproduction Steps
Using the below construct with aws-cdk <=2.115 deploys successfully
Upgrading aws-cdk > 2.115 causes the above error due to the newly added log group
Possible Solution
Applying the prefix recommended in the above error message, `/aws/vendedlogs/states/`, similar to the recommendation [here](https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html), to the log group name?
Additional Information/Context
No response
CDK CLI Version
2.116.0
Framework Version
No response
Node.js Version
18
OS
Linux
Language
Python
Language Version
No response
Other information
No response
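One way to catch the condition described in this issue before deployment, as an added example (not code from aws-cdk or from the issue): scan a synthesized CloudFormation template for Step Functions state machines whose CloudWatch log group is not under `/aws/vendedlogs/states/`. The function names and the sample template's logical IDs are hypothetical; a log group with no literal `LogGroupName` is flagged because CloudFormation will generate an unprefixed name for it.

```python
VENDED_PREFIX = "/aws/vendedlogs/states/"


def _log_group_name(arn_value, resources):
    """Resolve a LogGroupArn value to a literal log group name, or None."""
    if isinstance(arn_value, str):  # literal ARN: ...:log-group:<name>:*
        _, _, tail = arn_value.partition(":log-group:")
        return tail.split(":")[0] or None
    if isinstance(arn_value, dict) and "Fn::GetAtt" in arn_value:
        # JSON templates use the list form: ["LogicalId", "Arn"]
        logical_id = arn_value["Fn::GetAtt"][0]
        props = resources.get(logical_id, {}).get("Properties", {})
        name = props.get("LogGroupName")
        return name if isinstance(name, str) else None  # absent or intrinsic
    return None


def unprefixed_state_machines(template):
    """Return logical IDs of state machines that log outside the vended prefix."""
    resources = template.get("Resources", {})
    flagged = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::StepFunctions::StateMachine":
            continue
        logging_cfg = res.get("Properties", {}).get("LoggingConfiguration", {})
        for dest in logging_cfg.get("Destinations", []):
            arn = dest.get("CloudWatchLogsLogGroup", {}).get("LogGroupArn")
            name = _log_group_name(arn, resources)
            if name is None or not name.startswith(VENDED_PREFIX):
                flagged.append(logical_id)
                break
    return flagged


# Constructed sample template (logical IDs are made up for illustration).
SAMPLE = {"Resources": {
    "WaiterLogs": {"Type": "AWS::Logs::LogGroup", "Properties": {}},
    "WaiterSM": {"Type": "AWS::StepFunctions::StateMachine", "Properties": {
        "LoggingConfiguration": {"Destinations": [{"CloudWatchLogsLogGroup": {
            "LogGroupArn": {"Fn::GetAtt": ["WaiterLogs", "Arn"]}}}]}}},
    "GoodLogs": {"Type": "AWS::Logs::LogGroup", "Properties": {
        "LogGroupName": "/aws/vendedlogs/states/waiter-example"}},
    "GoodSM": {"Type": "AWS::StepFunctions::StateMachine", "Properties": {
        "LoggingConfiguration": {"Destinations": [{"CloudWatchLogsLogGroup": {
            "LogGroupArn": {"Fn::GetAtt": ["GoodLogs", "Arn"]}}}]}}},
    "NoLogSM": {"Type": "AWS::StepFunctions::StateMachine", "Properties": {}},
}}

if __name__ == "__main__":
    print(unprefixed_state_machines(SAMPLE))
```

Run against the JSON produced by `cdk synth`, a non-empty result identifies the state machines that would add an entry to the account's CloudWatch Logs resource policy.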