serverless-step-functions
Setting loggingConfig adds resources to cloudwatch resource policy but never removes them
This is a Bug Report
Description
For bug reports: Using the following configuration:

```yaml
stepFunctions:
  ...
  loggingConfig:
    level: ERROR
    includeExecutionData: true
    destinations:
      - Fn::GetAtt:
          - StepFunctionLogGroup
          - Arn
```
Once deployed, you can see a resource policy updated for CloudWatch Logs:

```console
➜ aws logs describe-resource-policies
{
    "resourcePolicies": [
        {
            "policyName": "AWSLogDeliveryWrite20150319",
            "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AWSLogDeliveryWrite\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Resource\":[\"arn:aws:logs:us-east-1:yyyyyyyy:log-group:xxxxxxxxx-step-function-logs:log-stream:*\"]}]}",
            "lastUpdatedTime": 1589885504628
        }
    ]
}
```
But when destroying a stage, we see that the resourcePolicies remain.
And so after deploying/destroying different stages, eventually the resource policy gets too big, we hit a cap, and when deploying one would get:

```text
DeploymentStateMachine CREATE_FAILED The state machine IAM Role is not authorized to access the Log Destination (Service: AWSStepFunctions; Status Code: 400; Error Code: AccessDeniedException; Request ID: 50686873-95b9-45fa-a890-068bef2e5a8f)
```

This is caused by what's described further here
Additional Data
- Serverless Framework Core Version you're using:
- The Plugin Version you're using: 2.19.0
- Operating System: macOS
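To see how far the leftover grants have drifted before the cap is hit, the parsed output of `aws logs describe-resource-policies` can be compared against the log groups that still exist. The script below is an added example, not part of the plugin or of this report; the policy layout follows the output quoted above, while the account id, log-group names and the `EXISTING` set are constructed sample values.

```python
"""Flag CloudWatch Logs resource-policy grants that point at log groups which
no longer exist (what is left behind after a stage is destroyed)."""
import json
import re
from typing import Dict, List, Set

# ARN shape seen in the policy: arn:aws:logs:<region>:<account>:log-group:<name>:log-stream:*
LOG_GROUP_ARN = re.compile(r"^arn:aws:logs:[^:]*:[^:]*:log-group:([^:]+)")


def log_groups_in_policy(policy_document: str) -> Set[str]:
    """Return every log-group name granted in one policyDocument JSON string."""
    names: Set[str] = set()
    for stmt in json.loads(policy_document).get("Statement", []):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):  # a single ARN may be given unwrapped
            resources = [resources]
        for arn in resources:
            match = LOG_GROUP_ARN.match(arn)
            if match:
                names.add(match.group(1))
    return names


def orphaned_grants(describe_output: Dict, existing_log_groups: Set[str]) -> Dict[str, List[str]]:
    """Map policyName -> granted log groups that do not exist any more.

    describe_output is the parsed JSON of `aws logs describe-resource-policies`;
    existing_log_groups is the set of names from `aws logs describe-log-groups`.
    """
    orphans: Dict[str, List[str]] = {}
    for policy in describe_output.get("resourcePolicies", []):
        missing = sorted(log_groups_in_policy(policy["policyDocument"]) - existing_log_groups)
        if missing:
            orphans[policy["policyName"]] = missing
    return orphans


# Constructed sample: two stages were granted write access, only "dev" still exists.
_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:{}:log-stream:*"
SAMPLE_OUTPUT = {"resourcePolicies": [{
    "policyName": "AWSLogDeliveryWrite20150319",
    "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
        "Principal": {"Service": "delivery.logs.amazonaws.com"},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": [_ARN.format("myapp-dev-step-function-logs"),
                     _ARN.format("myapp-pr42-step-function-logs")]}]}),
    "lastUpdatedTime": 1589885504628}]}
EXISTING = {"myapp-dev-step-function-logs"}

if __name__ == "__main__":
    print(orphaned_grants(SAMPLE_OUTPUT, EXISTING))
```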
@roni-frantchi mm.. interesting, Step Functions creates that policy itself, I'm surprised it doesn't delete it. Not sure if this is something we can fix, but one thing you could do is to go to the Step Functions console, hit the Feedback button, and tell them that resource policies aren't deleted when one deletes the state machine, which eventually leads to a deployment error.