
No expiration set on any CloudWatch LogGroup

Open drAlberT opened this issue 2 years ago • 6 comments

AFT Version: 1.7.0

Terraform Version & Provider Versions

terraform version

Terraform v1.3.7

terraform providers

+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/aws v4.44.0
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/time v0.9.1

Bug Description: All CloudWatch Logs log groups created by AFT have no expiration set (Lambda, CodeBuild, etc.). I know that those log groups are automatically created by the resources, but this could be avoided by creating them beforehand (as is usual for Lambdas, for example).

To Reproduce: Just look at the CloudWatch Logs console. [Screenshot from 2023-01-08 17-56-36]

Expected behavior: A reasonable expiration period should be set.

drAlberT avatar Jan 08 '23 17:01 drAlberT

Hey Emiliano, thanks for reaching out. I'll create a backlog item for the team to have a look at this.

adam-daily avatar Jan 12 '23 19:01 adam-daily

Hi @drAlberT,

The CloudWatch log retention period can be defined by configuring the cloudwatch_log_group_retention parameter when deploying AFT.

Please let us know if the existing parameter doesn't meet your use case.

stumins avatar Jan 20 '23 19:01 stumins

I have to admit that I have missed this, sorry.

Anyway, the description states that it controls only the Lambda-related groups and, if I'm not wrong again, there should be a few other log groups in use.

I will check asap and let you know. Thanks for your help!

On Fri, Jan 20, 2023, 20:43 Stu @.***> wrote:

> Hi @drAlberT,
>
> The CloudWatch log retention period can be defined by configuring the cloudwatch_log_group_retention parameter (https://github.com/aws-ia/terraform-aws-control_tower_account_factory#input_cloudwatch_log_group_retention) when deploying AFT.
>
> Please let us know if the existing parameter doesn't meet your use case.


drAlberT avatar Jan 23 '23 08:01 drAlberT

Hi @stumins, I can confirm that the parameter fixes my issue (I have also already upgraded to 1.8.0) and acts on both the Lambda and CodeCommit log groups.

Anyway, it looks like there are still 2 log groups that are not affected. See the screenshot.

Thanks

[Screenshot from 2023-01-25 09-44-07]

drAlberT avatar Jan 25 '23 08:01 drAlberT

Thanks for letting us know @drAlberT - I've created a backlog item to control the retention period of those log groups with the same parameter.

stumins avatar Feb 02 '23 00:02 stumins

Perfect, thank you!

drAlberT avatar Feb 02 '23 08:02 drAlberT

We've addressed this in the latest AFT release!

https://github.com/aws-ia/terraform-aws-control_tower_account_factory/releases/tag/1.12.0

Sanjan611 avatar Feb 12 '24 18:02 Sanjan611

Hi, today I upgraded our sandbox env to AFT release 1.12.0 from 1.11.1:

```hcl
variable "aft_cloudwatch_log_group_retention" {
  type        = string
  description = "Amount of days to keep CloudWatch Log Groups for Lambda functions created by AFT"
  default     = "90"
}

cloudwatch_log_group_retention = var.aft_cloudwatch_log_group_retention
```

Before the upgrade we had 2 weeks retention for the CW log groups except /aws/lambda and python-layer-b*. See the picture: some still show "Never expire", and one AWS Lambda has the old 2 weeks retention. [Screenshot: cloudwatch]

roynesholen avatar Mar 01 '24 09:03 roynesholen

About my comments above: we have checked, and all of these never-expiring log groups are not used anymore, and one of them was our internal log group as well. So the AFT release 1.12.0 retention works nicely :)

roynesholen avatar Mar 04 '24 09:03 roynesholen

More details about the last comment: python-layer-builder-aft-common-xxx and python-layer-builder-aft-common-yyyy are log groups assigned to the AWS CodeBuild project called python-layer-builder-aft-common-xxx, which comes from the AFT project. Based on the changes in the new release 1.12.0, Terraform creates a new log group called /aws/codebuild/python-layer-builder-aft-common-xxx with the correct retention policy: Release: 1.12.0 · aws-ia/terraform-aws-control_tower_account_factory@ac0facd. So, these two log groups are old ones and no new logs will be stored there.

/aws/lambda/aft-lambda-layer-codebuild-invoker: This CW log group belonged to the Lambda function called aft-lambda-layer-codebuild-invoker, ref. to code: https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/main/modules/aft-lambda-layer/lambda.tf#L6 . In the new AFT release 1.12.0, to support CW log group creation for the Lambda function, the Lambda function was renamed to aft-lambda-layer-codebuild-trigger to avoid the Terraform resource-creation problem. So, the old /aws/lambda/aft-lambda-layer-codebuild-invoker log group is not used anymore and can be deleted.

meraj-kashi avatar Mar 04 '24 10:03 meraj-kashi
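Two checks come up in this thread: which log groups still show "Never expire" after the retention parameter was applied (drAlberT's two leftover groups), and which service-created groups are orphaned because the Lambda function or CodeBuild project behind them was renamed (meraj-kashi's explanation). The script below is an added example written for this page, not AFT code: it runs both checks over a constructed list shaped like `describe_log_groups()["logGroups"]` and modelled on the group names mentioned above, validates the requested retention against the values CloudWatch Logs accepts, and produces `put_retention_policy` calls that are only sent when `dry_run=False`. The live `main()` and its boto3 paginator calls are what I would run against a real account; everything else is offline.

```python
"""Audit CloudWatch Logs groups for missing retention and for groups orphaned
by a Lambda/CodeBuild rename, with an optional put_retention_policy fix.

Added example for this thread; not code from the AFT project.
"""
from __future__ import annotations

# retentionInDays values CloudWatch Logs accepts; anything else is rejected by the API.
VALID_RETENTION_DAYS = {
    1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731,
    1096, 1827, 2192, 2557, 2922, 3288, 3653,
}

LAMBDA_PREFIX = "/aws/lambda/"
CODEBUILD_PREFIX = "/aws/codebuild/"

# Constructed sample shaped like describe_log_groups()["logGroups"], using the
# group names discussed in this thread. Not real account data.
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/aft-lambda-layer-codebuild-invoker"},            # never expire, pre-rename
    {"logGroupName": "/aws/lambda/aft-lambda-layer-codebuild-trigger", "retentionInDays": 90},
    {"logGroupName": "python-layer-builder-aft-common-xxx"},                       # never expire, pre-1.12.0
    {"logGroupName": "/aws/codebuild/python-layer-builder-aft-common-xxx", "retentionInDays": 90},
    {"logGroupName": "/aws/lambda/some-other-team-function", "retentionInDays": 14},
]
# Constructed: names that list_functions / list_projects would return today.
SAMPLE_LAMBDA_NAMES = {"aft-lambda-layer-codebuild-trigger", "some-other-team-function"}
SAMPLE_CODEBUILD_NAMES = {"python-layer-builder-aft-common-xxx"}


def never_expiring(log_groups: list[dict]) -> list[str]:
    """Groups with no retentionInDays key; the console shows these as 'Never expire'."""
    return sorted(g["logGroupName"] for g in log_groups if "retentionInDays" not in g)


def orphaned(log_groups: list[dict], lambda_names: set[str], codebuild_names: set[str]) -> list[str]:
    """Service-created groups whose Lambda function or CodeBuild project no longer
    exists (e.g. after a rename). Groups outside the two prefixes are not judged."""
    out = []
    for g in log_groups:
        name = g["logGroupName"]
        if name.startswith(LAMBDA_PREFIX) and name[len(LAMBDA_PREFIX):] not in lambda_names:
            out.append(name)
        elif name.startswith(CODEBUILD_PREFIX) and name[len(CODEBUILD_PREFIX):] not in codebuild_names:
            out.append(name)
    return sorted(out)


def retention_plan(log_groups: list[dict], days: int) -> list[dict]:
    """put_retention_policy kwargs for every never-expiring group; rejects invalid periods up front."""
    if days not in VALID_RETENTION_DAYS:
        raise ValueError(f"{days} is not a valid CloudWatch Logs retention period")
    return [{"logGroupName": n, "retentionInDays": days} for n in never_expiring(log_groups)]


def apply_plan(logs_client, plan: list[dict], dry_run: bool = True) -> int:
    """Send the plan through a boto3-style client (duck-typed so it can be faked in tests).
    Returns the number of groups that would be (or were) changed."""
    for call in plan:
        if not dry_run:
            logs_client.put_retention_policy(**call)
    return len(plan)


def main(days: int = 90, dry_run: bool = True) -> None:
    """Live run against the current AWS credentials; boto3 is imported lazily so the
    checks above stay importable offline."""
    import boto3

    logs = boto3.client("logs")
    groups = [g for page in logs.get_paginator("describe_log_groups").paginate() for g in page["logGroups"]]
    functions = {f["FunctionName"] for page in boto3.client("lambda").get_paginator("list_functions").paginate()
                 for f in page["Functions"]}
    projects = {p for page in boto3.client("codebuild").get_paginator("list_projects").paginate()
                for p in page["projects"]}

    print("never expire:", never_expiring(groups))
    print("orphaned    :", orphaned(groups, functions, projects))
    plan = retention_plan(groups, days)
    changed = apply_plan(logs, plan, dry_run=dry_run)
    print(f"{'would set' if dry_run else 'set'} {days}-day retention on {changed} group(s)")


if __name__ == "__main__":
    main()
```

Orphan detection deliberately only looks at the `/aws/lambda/` and `/aws/codebuild/` prefixes, so the pre-1.12.0 `python-layer-builder-aft-common-xxx` group is reported as never-expiring but not as orphaned; groups created under a non-standard name need a manual check before deletion. Run with `dry_run=True` first and review the plan, since `put_retention_policy` starts deleting events older than the new period shortly after it is applied.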