New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Setup APIGW CloudWatch role via custom resource #6531
Conversation
3cde6dc
to
b332850
Compare
becd7c6
to
ea8633e
Compare
ea8633e
to
1029084
Compare
1029084
to
c3dcb06
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks pretty good with a few small notes
} else { | ||
return BbPromise.reject(`No implementation found for Custom Resource "${resourceName}"`); | ||
} | ||
if (FunctionName.length > 64) { | ||
return BbPromise.reject( | ||
new Error(`Resolved custom resource function name '${FunctionName}' is too long`) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would this happen if the service + stage name combo is too long? Is there anything we could do to help the user, or are they stuck?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would this happen if the service + stage name combo is too long?
I believe so.
This change is purely about exposing that error earlier than it happens now (during CF deployment).
I plan to refactor a custom resources handling, and with that I'll ensure we're more reliable here, but I don't want to focus on that in context of that PR
lib/plugins/aws/customResources/resources/apiGatewayCloudWatchRole/handler.js
Show resolved
Hide resolved
lib/plugins/aws/lib/naming.js
Outdated
@@ -504,4 +498,18 @@ module.exports = { | |||
getCustomResourceEventBridgeResourceLogicalId(functionName, idx) { | |||
return `${this.getNormalizedFunctionName(functionName)}CustomEventBridge${idx}`; | |||
}, | |||
// API Gateway Account Logs Write Role | |||
getCustomResourceApiGatewayAccountCloudWatchRoleHandlerFunctionName() { | |||
return 'custom-resource-apigw-account-cw-role'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we make this shorter to give more room for service + stage name?
Do you know what our current effective limit is for service + stage combo, given other resources we create? We should try to not shorter than any further.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I stripped the account
to make it safer
@@ -468,18 +468,6 @@ describe('#naming()', () => { | |||
}); | |||
}); | |||
|
|||
describe('#getApiGatewayLogsRoleLogicalId()', () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want tests for the new naming functions?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added
91522dc
to
e042f06
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested and it worked for me!
0d88926
to
cf5e311
Compare
cf5e311
to
f0a8b8c
Compare
Since serverless#6531 improved how we manage API Gateway's CloudWatch log IAM role it's now possible to use a pre-existing role in the YAML config. This addresses [this comment](serverless#6591 (comment)) and unblocks anyone who needs to keep the IAM permissions for an app scoped to just that app. Example usage: provider: name: aws logs: restApi: role: arn:aws:iam::619871182895:role/services/slacknowledge
Since serverless#6531 improved how we manage API Gateway's CloudWatch log IAM role it's now possible to use a pre-existing role in the YAML config. This addresses [this comment](serverless#6591 (comment)) and unblocks anyone who needs to keep the IAM permissions for an app scoped to just that app. Example usage: provider: name: aws logs: restApi: role: arn:aws:iam::619871182895:role/services/slacknowledge
Since serverless#6531 improved how we manage API Gateway's CloudWatch log IAM role it's now simpler to allow hardcoding a role ARN in the YAML config. This addresses [this comment](serverless#6591 (comment)) and unblocks anyone who needs to keep the IAM permissions for an app scoped to just that app. Example usage: provider: name: aws logs: restApi: role: arn:aws:iam::619871182895:role/services/slacknowledge
Since serverless#6531 improved how we manage API Gateway's CloudWatch log IAM role it's now simpler to allow hardcoding a role ARN in the YAML config. This addresses [this comment](serverless#6591 (comment)) and unblocks anyone who needs to keep the IAM permissions for an app scoped to just that app. Example usage: provider: name: aws logs: restApi: role: arn:aws:iam::123456789:role/a-service-with-all-necessary-permissions
Since serverless#6531 improved how we manage API Gateway's CloudWatch log IAM role it's now simpler to allow hardcoding a role ARN in the YAML config. This addresses [this comment](serverless#6591 (comment)) and unblocks anyone who needs to keep the IAM permissions for an app scoped to just that app. Example usage: provider: name: aws logs: restApi: role: arn:aws:iam::123456789:role/a-service-with-all-necessary-permissions
Since serverless#6531 improved how we manage API Gateway's CloudWatch log IAM role it's now simpler to allow hardcoding a role ARN in the YAML config. This addresses [this comment](serverless#6591 (comment)) and unblocks anyone who needs to keep the IAM permissions for an app scoped to just that app. Example usage: provider: name: aws logs: restApi: role: arn:aws:iam::123456789:role/a-service-with-all-necessary-permissions
Since serverless#6531 improved how we manage API Gateway's CloudWatch log IAM role it's now simpler to allow hardcoding a role ARN in the YAML config. This addresses [this comment](serverless#6591 (comment)) and unblocks anyone who needs to keep the IAM permissions for an app scoped to just that app. Example usage: provider: name: aws logs: restApi: role: arn:aws:iam::123456789:role/a-service-with-all-necessary-permissions
Since serverless#6531 improved how we manage API Gateway's CloudWatch log IAM role it's now simpler to allow hardcoding a role ARN in the YAML config. This addresses [this comment](serverless#6591 (comment)) and unblocks anyone who needs to keep the IAM permissions for an app scoped to just that app. Example usage: provider: name: aws logs: restApi: role: arn:aws:iam::123456789:role/a-service-with-all-necessary-permissions
Since serverless#6531 improved how we manage API Gateway's CloudWatch log IAM role it's now simpler to allow hardcoding a role ARN in the YAML config. This addresses [this comment](serverless#6591 (comment)) and unblocks anyone who needs to keep the IAM permissions for an app scoped to just that app. Example usage: provider: name: aws logs: restApi: role: arn:aws:iam::123456789:role/a-service-with-all-necessary-permissions
APIGW CloudWatch role needs to be assigned. so logs for APIGW can succesfully be wrirtten.
Still APIGW Cloudwatch role is global per account & region combination, which makes it error-prone if handled via CloudFormation stacks. Situation is as follows:
Proposed solution derives Cloudwatch role assignment to custom resource, which:
Tested by deploying new services, and by deploying services deployed previously with older version of SLS.
Updated integration tests, so it confirms that logs are written
Is it a breaking change?: NO