Access logs can't be disabled

Question

Access logs can't be disabled

Closed this issue 5 months ago · 10 comments

benkeil commented 5 months ago

Description

We want to deactivate the access logging.

✋ I have searched the open/closed issues and my issue is not listed.

Versions

Module version [Required]: 5.1.1
Terraform version:
Terraform v1.9.4
on darwin_arm64

Reproduction Code [Required]

dynamic "access_log_settings" {
  for_each = length(var.stage_access_log_settings) > 0 ? [var.stage_access_log_settings] : []

  content {
    destination_arn = access_log_settings.value.create_log_group ? aws_cloudwatch_log_group.this["this"].arn : access_log_settings.value.destination_arn
    format          = coalesce(access_log_settings.value.format, local.default_log_format)
  }
}

The Statement length(var.stage_access_log_settings) will always return 9, since the object has properties with default values and so gets instantiated.

Expected behavior

Add a variable to turn access logging off.

Actual behavior

Terminal Output Screenshot(s)

Additional context

Answer 1 · 2024-08-08T14:42:24.000Z

stage_access_log_settings = {}

Answer 2 · 2024-08-08T15:01:11.000Z

This does not work, as mentioned in my post. Further {} is the default value.

Answer 3 · 2024-08-08T15:20:01.000Z

well, without a reproduction its going to be hard to help 🤷🏽

Answer 4 · 2024-08-08T18:56:26.000Z

The code is simply wrong. You can't use length(var.stage_access_log_settings) to check if the object is empty {}. It is never empty.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "eu-central-1"
}

variable "stage_access_log_settings" {
  description = "Settings for logging access in this stage. Use the aws_api_gateway_account resource to configure [permissions for CloudWatch Logging](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html#set-up-access-logging-permissions)"
  type = object({
    create_log_group = optional(bool, true)
    destination_arn = optional(string)
    format = optional(string)
    log_group_name = optional(string)
    log_group_retention_in_days = optional(number, 30)
    log_group_kms_key_id = optional(string)
    log_group_skip_destroy = optional(bool)
    log_group_class = optional(string)
    log_group_tags = optional(map(string), {})
  })
  default = {}
}

output "default_value" {
  value = var.stage_access_log_settings
}

output "length_default_value" {
  value = length(var.stage_access_log_settings)
}

resource "aws_apigatewayv2_stage" "works_not" {
  name   = "example"
  api_id = "api_id"
  dynamic "access_log_settings" {
    for_each = length(var.stage_access_log_settings) > 0 ? [var.stage_access_log_settings] : []

    content {
      destination_arn = "arn:aws:iam::123456789012:bla"
      format          = ""
    }
  }
}

resource "aws_apigatewayv2_stage" "works" {
  name   = "example"
  api_id = "api_id"
  dynamic "access_log_settings" {
    for_each = length({}) > 0 ? [var.stage_access_log_settings] : []

    content {
      destination_arn = "arn:aws:iam::123456789012:bla"
      format          = ""
    }
  }
}

terraform plan
terraform plan -var stage_access_log_settings={}

Answer 5 · 2024-08-08T19:36:07.000Z

hey! a reproduction! thank you

Answer 6 · 2024-08-08T19:51:20.000Z

This issue has been resolved in version 5.1.2 🎉

Answer 7 · 2024-08-08T19:51:40.000Z

ok it should be resolved now by setting stage_access_log_settings = null

Answer 8 · 2024-08-20T13:56:02.000Z

Hi I found out this issue. But it seems to not be resolved correctly.

because when I set stage_access_log_settings = null I got lots of errors.

Error: Attempt to get attribute from null value

  on .terraform/modules/apigw/main.tf line 413, in resource "aws_cloudwatch_log_group" "this":
 413:   name              = coalesce(each.value.log_group_name, "/aws/apigateway/${var.name}/${replace(var.stage_name, "$", "")}")
    ├────────────────
    │ each.value is null

This value is null, so it does not have any attributes.

This part needs to be updated to somethink like:

local {
  stage_access_log_settings_map = var.stage_access_log_settings == null ? {} : { "this" = var.stage_access_log_settings }
}

resource "aws_cloudwatch_log_group" "this" {
  for_each = { for k, v in local.stage_access_log_settings_map : k => v if local.create_stage && try(v.create_log_group, true) }

  name              = coalesce(each.value.log_group_name, "/aws/apigateway/${var.name}/${replace(var.stage_name, "$", "")}")
  retention_in_days = each.value.log_group_retention_in_days
  kms_key_id        = each.value.log_group_kms_key_id
  skip_destroy      = each.value.log_group_skip_destroy
  log_group_class   = each.value.log_group_class

  tags = merge(var.tags, each.value.log_group_tags)
}

Answer 9 · 2024-09-20T02:14:31.000Z

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

Answer 10 · 2024-11-28T12:23:28.000Z

This issue has been resolved in version 5.2.1 🎉