aws-connected-device-framework

APIGW Snippets Should Enable APIGW to CW Service Role.

Open anish-kunduru opened this issue 2 years ago • 1 comments

Aws Connected Device Framework Affected Module(s):

snippets/cfn-apiGateway*

I'm submitting a ...

  • [x] bug report
  • [ ] feature request

Description:

CDF deploy fails with the error: "CloudWatch Logs role ARN must be set in account settings to enable logging."

Current behavior:

Any account where CDF is configured with EnableApiGatewayAccessLogs = true, and the service-linked role hasn't been defined.

Expected behavior:

The pipeline should deploy the SLR.

Steps to reproduce:

Deploy CDF with an APIGW configured for access logs in a fresh AWS account.

Additional Information:

anish-kunduru, Apr 13 '23 00:04

The following CloudFormation does what we want. Unfortunately, it is not straightforward to add to the snippets because those are already defined as AWS::Serverless::API.

  # Account-level API Gateway setting (per region): the role used to write to CloudWatch Logs.
  ApiCloudWatchRoleArn:
    Condition: EnableApiGatewayAccessLogs
    Type: AWS::ApiGateway::Account
    Properties:
      CloudWatchRoleArn: !GetAtt CloudWatchRole.Arn

  # Role that only the API Gateway service can assume, limited to pushing logs to CloudWatch.
  CloudWatchRole:
    Condition: EnableApiGatewayAccessLogs
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          Action: 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service: apigateway.amazonaws.com
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'

anish-kunduru, Apr 13 '23 00:04
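A pre-deploy check for the condition behind the error above, added here as an example; it is not part of the issue or of the CDF code base. It reads the API Gateway account settings and confirms that the configured role trusts apigateway.amazonaws.com and has the managed policy from the template attached. The function names are hypothetical, and the `__main__` part assumes boto3 is installed with credentials for the target account and region.

```python
"""Pre-deploy check: is the API Gateway account-level CloudWatch Logs role usable?"""
import json
from urllib.parse import unquote

PUSH_POLICY = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusts_apigateway(trust_policy):
    """True if an Allow statement lets apigateway.amazonaws.com call sts:AssumeRole."""
    if isinstance(trust_policy, str):  # raw IAM responses carry URL-encoded JSON
        trust_policy = json.loads(unquote(trust_policy))
    for stmt in _as_list(trust_policy.get("Statement", [])):  # mapping or list, as in IAM
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))
                and "apigateway.amazonaws.com" in services):
            return True
    return False


def check_logging_role(apigw, iam):
    """Return a list of problems; an empty list means access logging can be enabled."""
    arn = apigw.get_account().get("cloudwatchRoleArn")
    if not arn:  # the state that produces the deploy error quoted in the issue
        return ["no CloudWatch Logs role ARN set in API Gateway account settings"]
    name = arn.rsplit("/", 1)[-1]
    role = iam.get_role(RoleName=name)["Role"]
    problems = []
    if not trusts_apigateway(role["AssumeRolePolicyDocument"]):
        problems.append(f"{name}: trust policy does not allow apigateway.amazonaws.com")
    attached = iam.list_attached_role_policies(RoleName=name)["AttachedPolicies"]
    if PUSH_POLICY not in {p["PolicyArn"] for p in attached}:  # inline policies not inspected
        problems.append(f"{name}: managed policy {PUSH_POLICY} not attached")
    return problems


if __name__ == "__main__":
    import boto3  # assumption: boto3 installed, credentials and region configured
    for line in check_logging_role(boto3.client("apigateway"), boto3.client("iam")) or ["ok"]:
        print(line)
```

The API Gateway account setting is regional, so run the check in each region where CDF will be deployed with EnableApiGatewayAccessLogs = true.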