Access logs can't be disabled

[cedric-spinergie]

trafficstars

The issue https://github.com/terraform-aws-modules/terraform-aws-apigateway-v2/issues/115 has been closed too soon, the problem is still present.
As mentioned in https://github.com/terraform-aws-modules/terraform-aws-apigateway-v2/issues/115#issuecomment-2298927187, setting stage_access_log_settings = null results in lots of errors:

Logs

╷
│ Error: Attempt to get attribute from null value
│ 
│   on .terraform/modules/api_gateway/main.tf line 413, in resource "aws_cloudwatch_log_group" "this":
│  413:   name              = coalesce(each.value.log_group_name, "/aws/apigateway/${var.name}/${replace(var.stage_name, "$", "")}")
│     ├────────────────
│     │ each.value is null
│ 
│ This value is null, so it does not have any attributes.
╵
╷
│ Error: Attempt to get attribute from null value
│ 
│   on .terraform/modules/api_gateway/main.tf line 414, in resource "aws_cloudwatch_log_group" "this":
│  414:   retention_in_days = each.value.log_group_retention_in_days
│     ├────────────────
│     │ each.value is null
│ 
│ This value is null, so it does not have any attributes.
╵
╷
│ Error: Attempt to get attribute from null value
│ 
│   on .terraform/modules/api_gateway/main.tf line 415, in resource "aws_cloudwatch_log_group" "this":
│  415:   kms_key_id        = each.value.log_group_kms_key_id
│     ├────────────────
│     │ each.value is null
│ 
│ This value is null, so it does not have any attributes.
╵
╷
│ Error: Attempt to get attribute from null value
│ 
│   on .terraform/modules/api_gateway/main.tf line 416, in resource "aws_cloudwatch_log_group" "this":
│  416:   skip_destroy      = each.value.log_group_skip_destroy
│     ├────────────────
│     │ each.value is null
│ 
│ This value is null, so it does not have any attributes.
╵
╷
│ Error: Attempt to get attribute from null value
│ 
│   on .terraform/modules/api_gateway/main.tf line 417, in resource "aws_cloudwatch_log_group" "this":
│  417:   log_group_class   = each.value.log_group_class
│     ├────────────────
│     │ each.value is null
│ 
│ This value is null, so it does not have any attributes.
╵
╷
│ Error: Attempt to get attribute from null value
│ 
│   on .terraform/modules/api_gateway/main.tf line 419, in resource "aws_cloudwatch_log_group" "this":
│  419:   tags = merge(var.tags, each.value.log_group_tags)
│     ├────────────────
│     │ each.value is null
│ 
│ This value is null, so it does not have any attributes.

This line needs to be changed so it doesn't allow creating the resource if the var is null.

In my case, changing the for_each line to add && v != null was enough to fix the problem.

[bryantbiggs]

this doesn't make sense - why are you trying to set it to null instead of using create_log_group = false?

[cedric-spinergie]

this doesn't make sense - why are you trying to set it to null instead of using create_log_group = false?

@bryantbiggs Hello and thanks for replying!

Both result in a config error here. Setting it to null results in the errors I mentioned in my OP.

And setting it to exactly

  stage_access_log_settings = {
    create_log_group = false
  }

generates errors elsewhere:

│ Error: Missing required argument
│ 
│   with module.api_gateway.aws_apigatewayv2_stage.this[0],
│   on .terraform/modules/api_gateway/main.tf line 321, in resource "aws_apigatewayv2_stage" "this":
│  321: resource "aws_apigatewayv2_stage" "this" {
│ 
│ The argument "access_log_settings.0.destination_arn" is required, but no definition was found.

which is expected because create_XXX = false usually means "I'll manage it myself, use mine" which is not the goal right now.
The goal is to entirely bypass and disable everything related to access logs. In the previous issue (#115), that's also what the OP wanted to achieve.

[cedric-spinergie]

@bryantbiggs Any feedback on this?

[slgor]

I have the same problem. I have to disable cloudwatch logs but it is not possible.

[matthewwilson]

I'm having the same problem when access logging is enabled it's causing this error:

Error: creating API Gateway v2 Stage ($default): operation error ApiGatewayV2: CreateStage, https response error StatusCode: 400, RequestID: 018dbece-577d-45b7-ba85-8cdc708a159b, BadRequestException: Cannot enable logging. Policy document length breaking Cloudwatch Logs Constraints, either < 1 or > 5120

EDIT: I fixed the above by using vended logs.

create_log_group = false causes this error:

│ Error: Missing required argument
│ 
│   with module.kyruus.module.kyruus_api_gateway_http_api.aws_apigatewayv2_stage.this[0],
│   on .terraform/modules/kyruus.kyruus_api_gateway_http_api/main.tf line 321, in resource "aws_apigatewayv2_stage" "this":
│  321: resource "aws_apigatewayv2_stage" "this" {
│ 
│ The argument "access_log_settings.0.destination_arn" is required, but no
│ definition was found.

[github-actions[bot]]

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

[cedric-spinergie]

Not stale.

[cedric-spinergie]

We're still waiting for feedback on the PR: https://github.com/terraform-aws-modules/terraform-aws-apigateway-v2/pull/122

[antonbabenko]

This issue has been resolved in version 5.2.1 :tada:

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.