aws_apigateway: cloudWatchRole update in unrelated APIs #22954

Closed
rumesh-athu opened this issue Nov 17, 2022 · 8 comments
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway bug This issue is a bug.


@rumesh-athu

Describe the bug

The last created stack's cloudWatchRole is getting updated across all the API Gateways' settings. If the last stack is deleted, the cloudWatchRole belonging to it is also deleted. This impacts all other API Gateways: their logs are not being pushed to CloudWatch Log Groups.

Expected Behavior

All API Gateways should not be updated with the last stack's cloudWatchRole.

Current Behavior

The last created stack's cloudWatchRole is getting updated across all the API Gateways settings.

Reproduction Steps

1. Create a new API Gateway (cdk deploy).
2. Check the old API Gateway settings. The new cloudWatchRole is updated there.
3. Delete the last created API Gateway (cdk destroy).
4. Other API Gateways still have the deleted cloudWatchRole.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.35.0

Framework Version

No response

Node.js Version

v18.6.0

OS

MacOS

Language

Typescript

Language Version

Typescript (3.9.7)

Other information

No response

@rumesh-athu rumesh-athu added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 17, 2022
@github-actions github-actions bot added the @aws-cdk/aws-apigateway Related to Amazon API Gateway label Nov 17, 2022
@peterwoodworth
Contributor

Can you clarify exactly what the behavior is you're experiencing? I think sharing some reproduction code would help.

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 18, 2022
@rumesh-athu
Author

```typescript
import { Stack, StackProps } from 'aws-cdk-lib';
import * as apigateway from 'aws-cdk-lib/aws-apigateway';
import * as iam from 'aws-cdk-lib/aws-iam';
import { Construct } from 'constructs';

interface ApiGwProps extends StackProps {
  environment: string;
  appName: string;
  lambdahandler: any;
  whitelistedIps?: string[];
  stageName: string;
}

export class ApiGwStack extends Stack {

  constructor(scope: Construct, id: string, props?: ApiGwProps) {
    super(scope, id, props);

    // Resource policy: allow Invoke for everyone, then deny any caller
    // whose source IP is not in the allow list.
    const apiResourcePolicy = new iam.PolicyDocument({
      statements: [
        new iam.PolicyStatement({
          actions: ['execute-api:Invoke'],
          principals: [new iam.AnyPrincipal()],
          resources: ['execute-api:/*/*/*'],
        }),
        new iam.PolicyStatement({
          effect: iam.Effect.DENY,
          principals: [new iam.AnyPrincipal()],
          actions: ['execute-api:Invoke'],
          resources: ['execute-api:/*/*/*'],
          conditions: {
            'NotIpAddress': {
              "aws:SourceIp": props?.whitelistedIps
            }
          }
        })
      ]
    });

    // cloudWatchRole is not set here, so the construct's default applies.
    const api = new apigateway.RestApi(this, 'api', {
      restApiName: `${props?.appName}-${props?.environment}`,
      endpointTypes: [apigateway.EndpointType.PRIVATE],
      policy: apiResourcePolicy,
      deployOptions: {
        stageName: props?.stageName,
      },
    });

    // Route every method on the root resource to the Lambda handler.
    const lambda = new apigateway.LambdaIntegration(props?.lambdahandler);

    api.root.addMethod('ANY', lambda);
  }
}
```

@rumesh-athu
Author

Although the role is being used by other API Gateways, the role got deleted. APIGW logs are not pushed to CloudWatch LogGroups due to this.


@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 18, 2022
@otaviomacedo otaviomacedo removed their assignment Nov 18, 2022
@hutchy2570

Some details on this are on the docs here: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway-readme.html#deployments. The cloudwatch role should be retained following the release of CDK 2.38.0. See #22020
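
Added example, not part of the thread or of the CDK code base: a pre-deploy check over synthesized CloudFormation templates for the condition reported in this issue. The API Gateway CloudWatch role is one setting per account and region (`AWS::ApiGateway::Account`), so the check flags every stack that sets it when more than one does, and every stack whose role would be deleted with the stack. The function name, stack names, logical IDs and templates are constructed for illustration.

```typescript
// Only the template fields this check reads.
type Resource = { Type: string; Properties?: Record<string, unknown>; DeletionPolicy?: string };
type Template = { Resources: Record<string, Resource> };
interface Finding { stack: string; logicalId: string; issue: string }

// Hypothetical helper: audits synthesized templates, keyed by stack name.
function auditApiGatewayAccount(templates: Record<string, Template>): Finding[] {
  const findings: Finding[] = [];
  const owners: string[] = [];
  for (const stack of Object.keys(templates)) {
    const resources = templates[stack].Resources;
    for (const logicalId of Object.keys(resources)) {
      const res = resources[logicalId];
      if (res.Type !== 'AWS::ApiGateway::Account') continue;
      owners.push(stack);
      // CDK wires the role as { "Fn::GetAtt": [<role logical id>, "Arn"] }.
      const ref = res.Properties?.CloudWatchRoleArn as { 'Fn::GetAtt'?: string[] } | undefined;
      const roleId = ref?.['Fn::GetAtt']?.[0];
      if (!roleId) continue; // not a same-template reference, nothing to check here
      const role = resources[roleId];
      // Without Retain, destroying this stack deletes the role the account setting points to.
      if (role && role.DeletionPolicy !== 'Retain') {
        findings.push({ stack, logicalId: roleId, issue: 'role-deleted-with-stack' });
      }
    }
  }
  // The account setting is shared, so with several owners the last deploy wins.
  if (owners.length > 1) {
    for (const stack of owners) {
      findings.push({ stack, logicalId: '*', issue: 'multiple-stacks-set-account-role' });
    }
  }
  return findings;
}

// Constructed sample: stack a has no retention, stack b retains role and account.
const accountRes = (retain: boolean): Resource => ({
  Type: 'AWS::ApiGateway::Account',
  ...(retain ? { DeletionPolicy: 'Retain' } : {}),
  Properties: { CloudWatchRoleArn: { 'Fn::GetAtt': ['apiCloudWatchRole', 'Arn'] } },
});
const SAMPLE: Record<string, Template> = {
  'ApiGwStack-a': { Resources: { apiCloudWatchRole: { Type: 'AWS::IAM::Role' }, apiAccount: accountRes(false) } },
  'ApiGwStack-b': { Resources: { apiCloudWatchRole: { Type: 'AWS::IAM::Role', DeletionPolicy: 'Retain' }, apiAccount: accountRes(true) } },
  'LambdaStack': { Resources: { fn: { Type: 'AWS::Lambda::Function' } } },
};
```

Run it against the JSON templates in `cdk.out` after `cdk synth`; a stack that passes alone can still be flagged once a second stack sets the same account-level role.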

@peterwoodworth
Contributor

Good detail behind what exactly changed is found in the PR description. This should clear everything up and let you know the direction to move to avoid this error

@peterwoodworth peterwoodworth added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 18, 2022
@github-actions

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Nov 21, 2022
@rumesh-athu
Author

The issue no longer exists with CDK version 2.51.1

@github-actions github-actions bot removed closing-soon This issue will automatically close in 4 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Nov 21, 2022