apigateway: StageOptions data_trace_enabled should not be used in production #17578
Description
link to reference doc page
Describe your issue?
When creating the StageOptions construct for a RestApi, there is a data_trace_enabled flag. This actually maps to the "Log full requests/responses data" checkbox in the console, which is not at all obvious. Furthermore, the console docs specifically mention this option should not be enabled in production. This warning ought to be added to the CDK documentation.
https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html
This can be useful to troubleshoot APIs, but can result in logging sensitive data. We recommend that you don't enable Log full requests/responses data for production APIs.
Furthermore, while the docs claim that the default value is false, this is not entirely true. If you first deploy with data_trace_enabled=True, and then remove the property entirely, then it is left enabled.
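As an added example (not part of the original issue and not CDK project code), a pre-deployment check over the synthesized CloudFormation template can flag stages where full request/response logging is enabled or is not explicitly pinned to false, which is the case the report above describes. The sample template and the `audit_data_trace` name are constructed for illustration, and the check assumes stages appear as `AWS::ApiGateway::Stage` resources with `MethodSettings` entries.

```python
import json

# Constructed sample of a synthesized template; not taken from the issue.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "ApiStageProd": {
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "StageName": "prod",
        "MethodSettings": [
          {"HttpMethod": "*", "ResourcePath": "/*", "DataTraceEnabled": true}
        ]
      }
    },
    "ApiStageDev": {
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "StageName": "dev",
        "MethodSettings": [
          {"HttpMethod": "*", "ResourcePath": "/*", "DataTraceEnabled": false}
        ]
      }
    },
    "ApiStageBeta": {
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {"StageName": "beta"}
    }
  }
}
""")


def audit_data_trace(template):
    """Return (logical_id, stage_name, finding) for every stage that does not
    explicitly set DataTraceEnabled to false. "unset" is reported because the
    issue states that removing the property can leave tracing enabled."""
    findings = []
    for logical_id, res in sorted(template.get("Resources", {}).items()):
        if res.get("Type") != "AWS::ApiGateway::Stage":
            continue
        props = res.get("Properties", {})
        stage = props.get("StageName", "?")
        settings = props.get("MethodSettings") or [{}]  # no settings == unset
        for ms in settings:
            value = ms.get("DataTraceEnabled")
            if str(value).lower() == "true":  # CFN accepts true or "true"
                findings.append((logical_id, stage, "enabled"))
            elif value is None:
                findings.append((logical_id, stage, "unset"))
    return findings
```

Run it against the JSON written to `cdk.out` by `cdk synth` and fail the pipeline when a production stage appears in the result.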