(apigateway): retention policy for RestApi CloudWatchRole and Account changed in 2.38.0

[rittneje]

Describe the bug

When upgrading from v2.28.0 to v2.39.1, we noticed that our API Gateway (created via RestApi) changed the retention policy for the CloudWatchRole and Account sub-resources to RETAIN, which is extremely undesirable as it means these resources will be leaked when the stack is deleted.

It seems that this behavior was introduced in v2.38.0 via #10878, but the release notes don't mention it. They only say "CloudWatch logging should be disabled by default (under feature flag)", which has nothing to do with the retention policy, nor does it mention the feature flag itself, which seems to be @aws-cdk/aws-apigateway:disableCloudWatchRole.

Expected Behavior

Either the retention policy should not have been changed, or this change should have been explicitly included in the release notes.

Current Behavior

The retention policy changes, as reported by cdk diff.

Reproduction Steps

import textwrap

import aws_cdk
from aws_cdk import (
    aws_apigateway,
    aws_lambda,
    aws_logs,
)

def main():
    app = aws_cdk.App()

    env = aws_cdk.Environment(region="us-east-1", account='XXXXX')

    stack = aws_cdk.Stack(app, "sample-stack", env=env)

    lambda_function = aws_lambda.Function(
        stack,
        'sample-lambda-function',
        runtime=aws_lambda.Runtime.PYTHON_3_7,
        handler='index.handler',
        timeout=aws_cdk.Duration.seconds(5),
        code=aws_lambda.Code.from_inline(textwrap.dedent('''
            def handler(event, context):
                pass
        ''')),
        log_retention=aws_logs.RetentionDays.ONE_YEAR,
    )

    aws_apigateway.LambdaRestApi(stack, "sample-api-gateway", handler=lambda_function)

    app.synth()    

if __name__ == "__main__":
    main()

Then run cdk synth and cdk diff.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.39.1 (build f188fac)

Framework Version

No response

Node.js Version

v16.17.0

OS

Alpine 3.16

Language

Python

Language Version

3.10.6

Other information

No response

[peterwoodworth]

This was changed with the new functionality to ensure that users with existing RestApis don't have their RestApis broken and lose write access to CloudWatch logs. I agree that a change in existing functionality like this should be better documented so that existing users are expecting it, thanks for your feedback here 🙂 However I'm not sure there's anything actionable for us to do now that it's been done.

@corymhall pinging so you can see this feedback as well

[hutchy2570]

@peterwoodworth Could this please be re-opened as not being able to control this retention policy for the Role/Account means that resources are constantly being leaked.

For instance, on every PR we deploy a new instance of the stack in order to run tests, which creates a new Role/Account. Over time this means we need to manually clean up the leftover Roles/Account otherwise we'll hit limits in IAM.

[nguyen102]

Is there any setting that we can configure to delete the API GW account and Cloudwatch role?