aws-secure-environment-accelerator
[BUG][Functional] Beanstalk deployment with CloudWatch Logs fails because of explicit deny on logs:PutRetentionPolicy
Bug reports which fail to provide the required information will be closed without action.
Required Basic Info
- Accelerator Version: v1.5.0
- Install Type: Clean
- Upgrade from version: N/A
Describe the bug
We are not able to deploy a Beanstalk environment with CloudWatch logs enabled. We get an error about an explicit deny on logs:PutRetentionPolicy. We could have the customer create a specific ASEA* Role but we find that being able to specify log retention is an application choice.
Failure Info
- What error messages have you identified, if any: Beanstalk failed to set log retention with an explicit deny: logs:PutRetentionPolicy
- What symptoms have you identified, if any: Beanstalk environment gets terminated.
Required files
- Please provide a copy of your config.json file (sanitize if required)
Steps To Reproduce
- Create a Beanstalk environment with <Instance log streaming to CloudWatch Logs> ENABLED.
Expected behavior
We expect to be able to create a Beanstalk environment with log streaming to CloudWatch Logs.
Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
Add any other context about the problem here.
Root cause: Beanstalk dropped the ability to specify "No Retention" on its log groups. (No, an ASEA role should not be used.)
Note: The Beanstalk service team continues to change requirements and is now blocked on additional APIs other than those noted above - allocateIP, KMS encryption, etc.
Did not implement