Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(custom-resources): Default logging configuration hits Cloudwatch Logs Resource Policy size limit #28577

Closed
munch9 opened this issue Jan 4, 2024 · 9 comments · Fixed by #28706
Labels
@aws-cdk/custom-resources Related to AWS CDK Custom Resources bug This issue is a bug. effort/medium Medium work item – several days of effort management/tracking Issues that track a subject or multiple issues p0

Comments

@munch9
Copy link

munch9 commented Jan 4, 2024

Please add your +1 👍 to let us know you have encountered this

Status: RESOLVED

Overview:

A previous PR enabled the ability to configure logging for a state-machine that was managed via a custom resource. This introduced a bug where the logging resource policy became too large because of the name of the log group. This could break the deploys of existing applications that contained this custom resource.

Complete Error Message:

@aws-cdk--aws-dynamodb.ReplicaProvider/Provider/waiter-state-machine (Providerwaiterstatemachine5D4A9DF0) Resource handler returned message: "Invalid Logging Configuration: The CloudWatch Logs Resource Policy size was exceeded. We suggest prefixing your CloudWatch log group name with /aws/vendedlogs/states/. (Service: AWSStepFunctions; Status Code: 400; Error Code: InvalidLoggingConfiguration; Request ID: 4ba96f98-4be5-450c-a069-3d4cbf93271a; Proxy: null)"

Workaround:

Lock your cdk version to v1.115.0 or below.

Solution:

Revert in progress: #28699

Related Issues:

Original Issue:

Title: (custom-resources): Default logging configuration hits Cloudwatch Logs Resource Policy size limit

Describe the bug

Upgrading aws-cdk > 2.115 adds a default logging configuration to custom resources.

When using aws_dynamodb.Table with replication_regions specified this automatically generates a @aws-cdk--aws-dynamodb.ReplicaProvider.NestedStackResource which contains Providerwaiterstatemachine and post upgrade also a new log group

When deploying the following error is returned
@aws-cdk--aws-dynamodb.ReplicaProvider/Provider/waiter-state-machine (Providerwaiterstatemachine5D4A9DF0) Resource handler returned message: "Invalid Logging Configuration: The CloudWatch Logs Resource Policy size was exceeded. We suggest prefixing your CloudWatch log group name with /aws/vendedlogs/states/. (Service: AWSStepFunctions; Status Code: 400; Error Code: InvalidLoggingConfiguration; Request ID: 4ba96f98-4be5-450c-a069-3d4cbf93271a; Proxy: null)"

Expected Behavior

Default logging configuration should be configured in a way to prevent the above error

Current Behavior

Upgrading to aws-cdk >=2.116 generates a logging configuration with what I believe is no name/prefix specified to the log group

"ProviderwaiterstatemachineLogGroupDD693A98": {
   "Type": "AWS::Logs::LogGroup",
   "Properties": {
    "RetentionInDays": 731,
   },
   "UpdateReplacePolicy": "Retain",
   "DeletionPolicy": "Retain",
   "Metadata": {
    "aws:cdk:path": "my-stack/@aws-cdk--aws-dynamodb.ReplicaProvider/Provider/waiter-state-machine/LogGroup/Resource"
   }
  }

Given the nested stack is auto generated I see no way to override the properties here.

Reproduction Steps

Using the below construct with aws-cdk <=2.115 deploys successfully

table = aws_dynamodb.Table(
            self,
            "my-table",
            table_name="my-table",
            partition_key={"name": "pk", "type": aws_dynamodb.AttributeType.STRING},
            removal_policy=RemovalPolicy.RETAIN,
            replication_regions=["eu-central-1"],
            billing_mode=aws_dynamodb.BillingMode.PAY_PER_REQUEST,
            encryption=aws_dynamodb.TableEncryption.AWS_MANAGED,
            point_in_time_recovery=True,
        )

Upgrading aws-cdk > 2.115 causes the above error due to the newly added log group

Possible Solution

Applying the prefix recommended in the above error message /aws/vendedlogs/states/ similar to the recommendation [here] (https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html) to the log group name?

Additional Information/Context

No response

CDK CLI Version

2.116.0

Framework Version

No response

Node.js Version

18

OS

Linux

Language

Python

Language Version

No response

Other information

No response

@munch9 munch9 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 4, 2024
@github-actions github-actions bot added the @aws-cdk/custom-resources Related to AWS CDK Custom Resources label Jan 4, 2024
@pahud
Copy link
Contributor

pahud commented Jan 4, 2024

I think it's related to #27310

@go-to-k do you have any ideas about that?

@pahud pahud added p1 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 4, 2024
@go-to-k
Copy link
Contributor

go-to-k commented Jan 5, 2024

Thanks for this report.

That is certainly true. I will work on this issue. It's to create a default log group to start with /aws/vendedlogs/states/.

@MrArnoldPalmer
Copy link
Contributor

MrArnoldPalmer commented Jan 13, 2024

Because this issue is a regression, I am reverting the PR that caused this initially. We can roll the new fix into the original change and make sure the tests cover the failure correctly to avoid this in the future.

Revert Pr: #28699

@go-to-k
Copy link
Contributor

go-to-k commented Jan 13, 2024

@MrArnoldPalmer

Okey, I'm going to add the correct changes in the PR for the one I'm working on now.

@MrArnoldPalmer
Copy link
Contributor

thank you @go-to-k appreciate you taking this up again.

@MrArnoldPalmer
Copy link
Contributor

MrArnoldPalmer commented Jan 13, 2024

v2.121.1 is out and should have this solved.

Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

mergify bot pushed a commit to cdklabs/aws-cdk-notices that referenced this issue Jan 15, 2024
Adds a notice for high-impact issue aws/aws-cdk#28577.
@TheRealAmazonKendra TheRealAmazonKendra unpinned this issue Feb 12, 2024
mergify bot pushed a commit that referenced this issue Apr 19, 2024
… in CompleteHandler (#28706)

This PR fixes the case that `StateMachine` generated for `CompleteHandler` in `Provider` cannot set logging.

The default log group name of the state machine automatically created by the `Provider` with `isCompleteHandler` should start with `/aws/vendedlogs/states`. Otherwise, each time the state machine is created, the log resource policy size increases. 

https://docs.aws.amazon.com/step-functions/latest/dg/bp-cwl.html

Closes #27283
Fixes #28577 #28744

Related PR #27310(reverted by #28699), #28587

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@digitalkaoz
Copy link

digitalkaoz commented Jan 8, 2025

@go-to-k @MrArnoldPalmer we have the same issue with rolling out AWS WAFs the default log resource policy grows bigger with every waf (without configuring anything special beside the logging to CW) until the policy is to big and then every deployment fails. its fixable with the AWS CLI, but so far not with CDK (when tearing down a WAF Stack again we like to remove the entry inside the log resource policy:

aws logs describe-resource-policies | jq
{
  "resourcePolicies": [
    {
      "policyName": "AWSLogDeliveryWrite20150319",
      "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AWSLogDeliveryWrite\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Resource\":[\"arn:aws:logs:us-east-1:xx:log-group:aws-waf-logs-stage:log-stream:*\",\"arn:aws:logs:us-east-1:xx:log-group:/aws/vendedlogs/*\",\"arn:aws:logs:us-east-1:xx:log-group:aws-waf-logs-dev-pr-659:log-stream:*\",\"arn:aws:logs:us-east-1:xx:log-group:aws-waf-logs-dev-pr-652:log-stream:*\",\"arn:aws:logs:us-east-1:xx:log-group:aws-waf-logs-dev-pr-658:log-stream:*\",\"arn:aws:logs:us-east-1:xx:log-group:aws-waf-logs-dev-pr-656:log-stream:*\",\"arn:aws:logs:us-east-1:xx:log-group:aws-waf-logs-dev-pr-654:log-stream:*\",\"arn:aws:logs:us-east-1:xx:log-group:aws-waf-logs-dev-pr-655:log-stream:*\"],\"Condition\":{\"StringEquals\":{\"aws:SourceAccount\":\"xx\"},\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:logs:us-east-1:xx:*\"}}}]}",
      "lastUpdatedTime": 1736329308830
    }
  ]
}

(see all the aws-waf-logs-dev-pr-xyz:log-stream:*entries)

actually this is the workaround https://dasang.github.io/blog/waf_resource_policy/ but i consider it a bug in AWS

@go-to-k
Copy link
Contributor

go-to-k commented Jan 8, 2025

@digitalkaoz I see, but the WAF L2 construct doesn't exist yet, so I think we have to handle it in our own CDK code.

(This issue is about using custom resources with SFn state machines.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/custom-resources Related to AWS CDK Custom Resources bug This issue is a bug. effort/medium Medium work item – several days of effort management/tracking Issues that track a subject or multiple issues p0
Projects
None yet
6 participants