[ApiGateway] RestApi updates account level role used for ApiGateway CloudWatch logging

[lanefelker]

This code in RestApi

aws-cdk/packages/@aws-cdk/aws-apigateway/lib/restapi.ts

Line 485 in 71aa4b6

const resource = new CfnAccount(this, 'Account', {

will update the account level role for cloudwatch logging used for all ApiGateways.

The problem we are seeing is that each new API we create will replace the role used for the account with the new role created.

If the stack that last updated the account level role gets deleted for some reason then the account level role will no longer exist and all apigateway cloudwatch logging is broken for the account 😱

Reproduction Steps

1. create a new RestApi without passing a cloudWatchRole prop
2. Deploy the new API - see the account level role change to the role associated with this new API
3. Delete the stack
4. All account level API logging no longer works because the role is deleted.

What did you expect to happen?

I would expect each apigateway logging role to be only used for a given API Gateway

or I would want the apigateway account level role to be rolled back to the previous role on deletion

What actually happened?

Described above

Environment

• CLI Version :
• Framework Version:
• Node.js Version:
• OS :
• Language (Version):

Other

Is passing a role into each API the best option to resolve this?

---

This is 🐛 Bug Report

[nija-at]

Indeed this is a broken experience.

I would expect each apigateway logging role to be only used for a given API Gateway

or I would want the apigateway account level role to be rolled back to the previous role on deletion

Unfortunately, neither of these options will work. The APIGateway service does not provide a way to specify individual roles per API endpoint. The CDK is a stateless system and does not know what the previously value here is.

I recommend setting cloudWatchRole to false in all your APIs, and explicitly using CfnAccount to set one role per AWS account.

Apologies for the poor experience. We'll need to see how to re-adjust the RestApi construct to make this experience better.

[gsdwait]

We keep running into this issue. Why should the default action be to create the role? Why not set the default for cloudWatchRole to false in RestApi and LambdaRestApi? That would mean in unusual case where you are only deploying a single rest api in an account you would simply set the cloudWatchRole to true.

[amirmohsen]

I agree with @gsdwait. The current default behaviour of having this option set to true is rather problematic as it overrides the global setting which applies to all APIs. This has caused a lot of headache for us in our company. Our team shares an AWS account with many other teams and suddenly our stack (which is the only CDK one currently) started overriding this role and having an impact on other teams. Please consider changing the default to false.