[SOLVED] I am getting an issue with policy document length breaking CloudWatch Logs constraints in Terraform. Is there any solution for this specific problem?

Issue

This Content is from Stack Overflow. Question asked by Abhishek Jha

resource "aws_apigatewayv2_stage" "main" {
  api_id      = aws_apigatewayv2_api.main.id
  name        = contains(["dev", "qa", "prod"], var.environment) ? "$default" : var.environment
  auto_deploy = true
  access_log_settings {
    destination_arn = resource.aws_cloudwatch_log_group.api_gateway.arn
    # jsonencode keeps the HCL valid; the inline string had unescaped quotes and a missing quote after responseLength
    format = jsonencode({
      requestId      = "$context.requestId"
      ip             = "$context.identity.sourceIp"
      requestTime    = "$context.requestTime"
      httpMethod     = "$context.httpMethod"
      routeKey       = "$context.routeKey"
      status         = "$context.status"
      protocol       = "$context.protocol"
      responseLength = "$context.responseLength"
    })
  }
}

Error: error creating API Gateway v2 stage: BadRequestException: Cannot enable logging. Policy document length breaking Cloudwatch Logs Constraints, either < 1 or > 5120

Solution

When you add "access_log_settings" to an api gateway stage a resource policy will be generated for you, which will include the log group name as a resource in the policy. The size of this policy will grow as you add more and more resources within a single AWS account. Eventually it will exceed the size limit for a resource policy which is only 5120 characters, and you will see the error message you have indicated.

This limit and how to work around it is documented here:

Log group resource policy size limit considerations

These services must list each log group that they’re sending logs to in the resource policy, and CloudWatch Logs resource policies are limited to 5120 characters. A service that sends logs to a large number of log groups may run into this limit.

To mitigate this, CloudWatch Logs monitors the size of resource policies used by the service that is sending logs, and when it detects that a policy approaches the size limit of 5120 characters, CloudWatch Logs automatically enables /aws/vendedlogs/* in the resource policy for that service. You can then start using log groups with names that start with /aws/vendedlogs/ as the destinations for logs from these services.

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-CWL

Assuming this is the reason you are encountering the problem, you can fix it by making sure all the log group names you create start with /aws/vendedlogs/ so you can take advantage of the feature mentioned in the documentation.

Alternatively, you may also be able to manually create your own resource policy to replace the automatically generated one, as long as it falls below the 5120 character limit.

You can verify that this is the problem by checking the existing resource policies and seeing if they are indeed close to the 5120 character limit:

  • Via the AWS API: aws logs describe-resource-policies
    • Make sure to run this against the region that has the policy size error
    • Edit the policy document, removing old rules (if any) and replacing some of the rules with wildcards
    • Replace the policy with aws logs put-resource-policy --policy-name [name] --policy-document "{\"some\": \"json\"}"
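As an added check that is not part of the original answer: this Python script takes the JSON that aws logs describe-resource-policies returns (a constructed sample is embedded, with a made-up account id, log group names and policy names) and reports how close each policy document is to the 5120-character cap and whether the /aws/vendedlogs/* wildcard is already granted.

```python
import json

# CloudWatch Logs caps a resource policy document at 5120 characters (the limit
# named in the error message and in the answer above).
POLICY_CHAR_LIMIT = 5120
NEAR_LIMIT_RATIO = 0.9  # flag policies at 90% of the cap or more
VENDED_WILDCARD = "log-group:/aws/vendedlogs/*"

def build_sample_policy(log_groups):
    """Constructed stand-in for an auto-generated delivery policy (made-up account)."""
    arns = [f"arn:aws:logs:us-east-1:123456789012:log-group:{g}:*" for g in log_groups]
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
        "Principal": {"Service": "delivery.logs.amazonaws.com"},
        "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": arns}]})

def audit_resource_policies(describe_output):
    """Report, per policy in parsed `aws logs describe-resource-policies` output,
    how close the document is to the cap and whether /aws/vendedlogs/* is granted."""
    report = []
    for policy in describe_output.get("resourcePolicies", []):
        doc = policy["policyDocument"]  # the API returns this as a JSON string
        resources = []
        for statement in json.loads(doc).get("Statement", []):
            res = statement.get("Resource", [])
            resources.extend([res] if isinstance(res, str) else res)
        report.append({
            "policyName": policy["policyName"],
            "length": len(doc),
            "nearLimit": len(doc) >= NEAR_LIMIT_RATIO * POLICY_CHAR_LIMIT,
            "overLimit": len(doc) > POLICY_CHAR_LIMIT,
            "vendedLogsEnabled": any(VENDED_WILDCARD in r for r in resources),
        })
    return report

# Constructed sample shaped like describe-resource-policies output: one bloated
# policy listing 64 API Gateway log groups, one that already has the wildcard.
SAMPLE_DESCRIBE_OUTPUT = {"resourcePolicies": [
    {"policyName": "apigw-delivery-policy",   # policy names are made up
     "policyDocument": build_sample_policy(
         [f"/aws/apigateway/api-{i:02d}" for i in range(64)])},
    {"policyName": "vended-delivery-policy",
     "policyDocument": build_sample_policy(["/aws/vendedlogs/*"])},
]}

if __name__ == "__main__":
    for row in audit_resource_policies(SAMPLE_DESCRIBE_OUTPUT):
        print(row)
```

To run it against a real account, capture aws logs describe-resource-policies --region <region> --output json to a file, json.load it, and pass the result to audit_resource_policies.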


This question was asked on Stack Overflow by Abhishek Jha and answered by F3CP. It is licensed under the terms of CC BY-SA 2.5, CC BY-SA 3.0, or CC BY-SA 4.0.
