RestApiCloudWatchRole is not cleaned up with aws-cdk >= 2.38.0 #169

Closed
luismeyer opened this issue Nov 25, 2022 · 1 comment

Since version 2.38.0, AWS CDK adds the RemovalPolicy "Retain" to the CloudWatchRole which is created automatically for RestApis. This results in the CloudWatchRole leaking after the stack was deleted. Therefore, more and more IAM roles are added in our AWS.

The issue was that the RestAPI CloudWatchRole was overwriting the account-level role for RestAPIs.

Reading from the ApiGateway docs, I think aws-simple shouldn't create a new log role for every stack:

> Note: there can only be a single apigateway.CfnAccount per AWS environment so if you create multiple RestApis with cloudWatchRole=true each new RestApi will overwrite the CfnAccount. It is recommended to set cloudWatchRole=false (the default behavior if @aws-cdk/aws-apigateway:disableCloudWatchRole is enabled) and only create a single CloudWatch role and account per environment.

A solution would be enabling the feature flag `@aws-cdk/aws-apigateway:disableCloudWatchRole` to prevent the creation of the CloudWatch role by default.

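```js
import { App } from 'aws-cdk-lib';

// Enable the feature flag so RestApi constructs no longer create a CloudWatch role by default.
new App({
    context: {
        '@aws-cdk/aws-apigateway:disableCloudWatchRole': true,
    },
});
```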

luismeyer changed the title from "RestApiCloudWatchRole is not cleaned up with aws-cdk > 2.38.0" to "RestApiCloudWatchRole is not cleaned up with aws-cdk >= 2.38.0" on Nov 29, 2022

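
As an added example (not part of the original issue and not aws-simple's own code): a check over the JSON produced by `cdk synth` that flags the two effects described in the issue, a stack that sets the account-level CloudWatch role and a role that stays behind after the stack is deleted. The sample template, its logical IDs and the function names are constructed for illustration.

```javascript
// Constructed sample: trimmed shape of a synthesized template for a RestApi
// with cloudWatchRole enabled. Logical IDs are made up.
const sampleTemplate = {
  Resources: {
    ApiCloudWatchRole: {
      Type: 'AWS::IAM::Role',
      DeletionPolicy: 'Retain',
      UpdateReplacePolicy: 'Retain',
      Properties: {},
    },
    ApiAccount: {
      Type: 'AWS::ApiGateway::Account',
      DeletionPolicy: 'Retain',
      Properties: {
        CloudWatchRoleArn: { 'Fn::GetAtt': ['ApiCloudWatchRole', 'Arn'] },
      },
    },
    Api: { Type: 'AWS::ApiGateway::RestApi', Properties: { Name: 'demo' } },
  },
};

// Resolve the logical ID behind a { "Fn::GetAtt": [id, "Arn"] } reference.
function getAttTarget(value) {
  const ref = value && value['Fn::GetAtt'];
  if (Array.isArray(ref)) return ref[0];
  if (typeof ref === 'string') return ref.split('.')[0]; // short form "Id.Arn"
  return undefined;
}

// Returns one finding per stack-level Account resource that sets the
// CloudWatch role, plus one per referenced IAM role marked Retain.
function auditCloudWatchRole(template) {
  const resources = (template && template.Resources) || {};
  const findings = [];
  for (const [id, res] of Object.entries(resources)) {
    if (res.Type !== 'AWS::ApiGateway::Account') continue;
    const arn = res.Properties && res.Properties.CloudWatchRoleArn;
    if (arn === undefined) continue;
    // Only one account setting exists per environment, so each stack
    // carrying this resource overwrites the previous value.
    findings.push({ id, issue: 'overwrites-account-level-role' });
    const roleId = getAttTarget(arn);
    const role = roleId && resources[roleId];
    if (role && role.Type === 'AWS::IAM::Role' && role.DeletionPolicy === 'Retain') {
      findings.push({ id: roleId, issue: 'role-retained-after-stack-delete' });
    }
  }
  return findings;
}
```

A template synthesized with the feature flag enabled contains no `AWS::ApiGateway::Account` resource and yields no findings.
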
clebert added a commit that referenced this issue Dec 14, 2022
…reated by aws-simple.

Currently, this command is used to find and delete REST-API CloudWatch roles that are no longer associated to a stack (see issue #169). In addition, the CDK is now required in version `^2.38.0`.

clebert (Owner) commented Dec 14, 2022

Hello Luis,

Thank you for your detailed description of the issue. We have decided to keep the current behavior. But to address the issue, there is now a new helper command `aws-simple cleanup` to delete REST-API CloudWatch roles that are no longer associated with a stack.

I hope this works for you.

Please see => 7c43379

clebert closed this as completed Dec 14, 2022