terraform-aws-modules/terraform-aws-apigateway-v2

Access logs can't be disabled

Closed this issue · 10 comments

The issue #115 has been closed too soon; the problem is still present.
As mentioned in #115 (comment), setting stage_access_log_settings = null results in lots of errors:

Logs
╷
│ Error: Attempt to get attribute from null value
│ 
│   on .terraform/modules/api_gateway/main.tf line 413, in resource "aws_cloudwatch_log_group" "this":
│  413:   name              = coalesce(each.value.log_group_name, "/aws/apigateway/${var.name}/${replace(var.stage_name, "$", "")}")
│     ├────────────────
│     │ each.value is null
│ 
│ This value is null, so it does not have any attributes.
╵
╷
│ Error: Attempt to get attribute from null value
│ 
│   on .terraform/modules/api_gateway/main.tf line 414, in resource "aws_cloudwatch_log_group" "this":
│  414:   retention_in_days = each.value.log_group_retention_in_days
│     ├────────────────
│     │ each.value is null
│ 
│ This value is null, so it does not have any attributes.
╵
╷
│ Error: Attempt to get attribute from null value
│ 
│   on .terraform/modules/api_gateway/main.tf line 415, in resource "aws_cloudwatch_log_group" "this":
│  415:   kms_key_id        = each.value.log_group_kms_key_id
│     ├────────────────
│     │ each.value is null
│ 
│ This value is null, so it does not have any attributes.
╵
╷
│ Error: Attempt to get attribute from null value
│ 
│   on .terraform/modules/api_gateway/main.tf line 416, in resource "aws_cloudwatch_log_group" "this":
│  416:   skip_destroy      = each.value.log_group_skip_destroy
│     ├────────────────
│     │ each.value is null
│ 
│ This value is null, so it does not have any attributes.
╵
╷
│ Error: Attempt to get attribute from null value
│ 
│   on .terraform/modules/api_gateway/main.tf line 417, in resource "aws_cloudwatch_log_group" "this":
│  417:   log_group_class   = each.value.log_group_class
│     ├────────────────
│     │ each.value is null
│ 
│ This value is null, so it does not have any attributes.
╵
╷
│ Error: Attempt to get attribute from null value
│ 
│   on .terraform/modules/api_gateway/main.tf line 419, in resource "aws_cloudwatch_log_group" "this":
│  419:   tags = merge(var.tags, each.value.log_group_tags)
│     ├────────────────
│     │ each.value is null
│ 
│ This value is null, so it does not have any attributes.

This line needs to be changed so it doesn't allow creating the resource if the var is null.

In my case, changing the for_each line to add && v != null was enough to fix the problem.

A PR fixes the problem: #122

This doesn't make sense - why are you trying to set it to null instead of using create_log_group = false?

> This doesn't make sense - why are you trying to set it to null instead of using create_log_group = false?

@bryantbiggs Hello and thanks for replying!

Both result in a config error here. Setting it to null results in the errors I mentioned in my OP.

And setting it to exactly

  stage_access_log_settings = {
    create_log_group = false
  }

generates errors elsewhere:

│ Error: Missing required argument
│ 
│   with module.api_gateway.aws_apigatewayv2_stage.this[0],
│   on .terraform/modules/api_gateway/main.tf line 321, in resource "aws_apigatewayv2_stage" "this":
│  321: resource "aws_apigatewayv2_stage" "this" {
│ 
│ The argument "access_log_settings.0.destination_arn" is required, but no definition was found.

which is expected because create_XXX = false usually means "I'll manage it myself, use mine", which is not the goal right now.
The goal is to entirely bypass and disable everything related to access logs. In the previous issue (#115), that's also what the OP wanted to achieve.

@bryantbiggs Any feedback on this?

I have the same problem.
I have to disable CloudWatch logs but it is not possible.

I'm having the same problem; when access logging is enabled, it's causing this error:

Error: creating API Gateway v2 Stage ($default): operation error ApiGatewayV2: CreateStage, https response error StatusCode: 400, RequestID: 018dbece-577d-45b7-ba85-8cdc708a159b, BadRequestException: Cannot enable logging. Policy document length breaking Cloudwatch Logs Constraints, either < 1 or > 5120

EDIT: I fixed the above by using vended logs.

create_log_group = false causes this error:

│ Error: Missing required argument
│ 
│   with module.kyruus.module.kyruus_api_gateway_http_api.aws_apigatewayv2_stage.this[0],
│   on .terraform/modules/kyruus.kyruus_api_gateway_http_api/main.tf line 321, in resource "aws_apigatewayv2_stage" "this":
│  321: resource "aws_apigatewayv2_stage" "this" {
│ 
│ The argument "access_log_settings.0.destination_arn" is required, but no
│ definition was found.

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

Not stale.

We're still waiting for feedback on the PR: #122

This issue has been resolved in version 5.2.1 🎉
