
Route53.PrivateHostedZone: queryLogsLogGroupArn breaks cloudformation deployment with error "You can't create a query logging config for a private hosted zone." #27986

Open
adam-imeson opened this issue Nov 14, 2023 · 2 comments
Labels
@aws-cdk/aws-route53 Related to Amazon Route 53 bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments


adam-imeson commented Nov 14, 2023

Describe the bug

I created a Route53 private hosted zone using TypeScript CDK. I then added a CloudWatch Logs log group, and tried to use the PrivateHostedZone construct's queryLogsLogGroupArn prop to send Route53 query logs to the log group. The CDK built the stack successfully but then the stack failed to deploy with CloudFormation returning this error:

Resource handler returned message: "You can't create a query logging config for a private hosted zone. (Service: Route53, Status Code: 400, Request ID: 83001f67-1dc7-45d5-a5b0-55dd62a5585f)" (RequestToken: f7446d50-3ec9-715e-5193-1cb6156e07d2, HandlerErrorCode: InvalidRequest)

This leads me to believe that the CDK is trying to deploy the wrong thing. Query logging for private hosted zones originates from the VPC, not the hosted zone itself, as is apparent in the L1 constructs CfnResolverQueryLoggingConfig and CfnResolverQueryLoggingConfigAssociation.

Expected Behavior

I expected the PrivateHostedZone construct's queryLogsLogGroupArn prop to automatically hook up the private hosted zone VPC's query log output to the specified query log group ARN.

Current Behavior

Stack deployment failed with this error:

5:47:37 PM | UPDATE_FAILED        | AWS::Route53::HostedZone               | HostedZoneDB99F866
Resource handler returned message: "You can't create a query logging config for a private hosted zone. (Service: Route53, Status Code: 400, Request ID: 83001f67-1dc7-45d5-a5b0-55dd62a5585f)" (RequestToken: f7446d50-3ec9-715e-5193-1cb6156e07d2, HandlerErrorCode: InvalidRequest)


 ❌  r53stack-new52-Beta failed: Error: The stack named r53stack-new52-Beta failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "You can't create a query logging config for a private hosted zone. (Service: Route53, Status Code: 400, Request ID: 83001f67-1dc7-45d5-a5b0-55dd62a5585f)" (RequestToken: f7446d50-3ec9-715e-5193-1cb6156e07d2, HandlerErrorCode: InvalidRequest)
    at FullCloudFormationDeployment.monitorDeployment (/Users/imesona/brazil-pkg-cache/packages/CDKBuild/CDKBuild-4.x.222392.0/AL2_x86_64/DEV.STD.PTHREAD/build/staging-cdk/node_modules/aws-cdk/lib/index.js:467:10232)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (/Users/imesona/brazil-pkg-cache/packages/CDKBuild/CDKBuild-4.x.222392.0/AL2_x86_64/DEV.STD.PTHREAD/build/staging-cdk/node_modules/aws-cdk/lib/index.js:470:180228)
    at async /Users/imesona/brazil-pkg-cache/packages/CDKBuild/CDKBuild-4.x.222392.0/AL2_x86_64/DEV.STD.PTHREAD/build/staging-cdk/node_modules/aws-cdk/lib/index.js:470:163476

 ❌ Deployment failed: Error: The stack named r53stack-new52-Beta failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "You can't create a query logging config for a private hosted zone. (Service: Route53, Status Code: 400, Request ID: 83001f67-1dc7-45d5-a5b0-55dd62a5585f)" (RequestToken: f7446d50-3ec9-715e-5193-1cb6156e07d2, HandlerErrorCode: InvalidRequest)
    at FullCloudFormationDeployment.monitorDeployment (/Users/imesona/brazil-pkg-cache/packages/CDKBuild/CDKBuild-4.x.222392.0/AL2_x86_64/DEV.STD.PTHREAD/build/staging-cdk/node_modules/aws-cdk/lib/index.js:467:10232)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (/Users/imesona/brazil-pkg-cache/packages/CDKBuild/CDKBuild-4.x.222392.0/AL2_x86_64/DEV.STD.PTHREAD/build/staging-cdk/node_modules/aws-cdk/lib/index.js:470:180228)
    at async /Users/imesona/brazil-pkg-cache/packages/CDKBuild/CDKBuild-4.x.222392.0/AL2_x86_64/DEV.STD.PTHREAD/build/staging-cdk/node_modules/aws-cdk/lib/index.js:470:163476

The stack named r53stack-new52-Beta failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "You can't create a query logging config for a private hosted zone. (Service: Route53, Status Code: 400, Request ID: 83001f67-1dc7-45d5-a5b0-55dd62a5585f)" (RequestToken: f7446d50-3ec9-715e-5193-1cb6156e07d2, HandlerErrorCode: InvalidRequest)
 ›   Error: Failed to run CDK CLI

                        BUILD FAILED                        


  *** command 'cdk-build' with arguments 'cdk deploy r53stack-new52-Beta' exited with return code '1'

Reproduction Steps

Relevant chunks to produce the failure:

// Excerpt from a Stack/Construct constructor; these imports were not in the
// original snippet and are added so the module prefixes resolve.
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as logs from 'aws-cdk-lib/aws-logs';
import * as route53 from 'aws-cdk-lib/aws-route53';

const vpc = new ec2.Vpc(this, 'DnsVpc', {
    ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/16'),
    enableDnsHostnames: true,
    enableDnsSupport: true,
    subnetConfiguration: [
        {
            cidrMask: 26,
            name: 'resolver_endpoint_subnet',
            subnetType: ec2.SubnetType.PRIVATE_ISOLATED
        }
    ]
});

const queryLogGroup = new logs.LogGroup(this, 'QueryLogGroup');

// queryLogsLogGroupArn on a PrivateHostedZone is what triggers the
// "You can't create a query logging config for a private hosted zone" error.
const privateHostedZone = new route53.PrivateHostedZone(this, 'HostedZone', {
    zoneName: 'myPrivateHostedZone',
    vpc,
    queryLogsLogGroupArn: queryLogGroup.logGroupArn
});

Possible Solution

I'm guessing that the PrivateHostedZone construct is reusing code from the (public) HostedZone construct, which also has a queryLogsLogGroupArn prop. However, for private hosted zones, the query logging happens at the VPC, not the Hosted Zone. So maybe the PrivateHostedZone construct needs to be updated so it's smart enough to figure out its primary VPC (see footnote) and in the background sets up the cfnResolverQueryLoggingConfigAssociation between that VPC and the log group.

footnote: Is it possible to determine a "primary" VPC for a private hosted zone? Private hosted zones can be associated with many VPCs, including cross-account. Maybe this would require an explicit VPC argument to go along with the queryLogsLogGroupArn argument, or maybe this would be better suited as a VPC construct update.

Additional Information/Context

You can work around this issue using the L1 constructs, as I did here:

// Excerpt from the same constructor as above (`vpc` is the ec2.Vpc created
// earlier); the imports were not in the original snippet and are added here.
import * as logs from 'aws-cdk-lib/aws-logs';
import * as route53 from 'aws-cdk-lib/aws-route53';
import * as route53resolver from 'aws-cdk-lib/aws-route53resolver';

const queryLogGroup = new logs.LogGroup(this, 'QueryLogGroup');

// Query logging for a private zone is a Resolver-level config ...
const cfnResolverQueryLoggingConfig = new route53resolver.CfnResolverQueryLoggingConfig(this, 'MyCfnResolverQueryLoggingConfig', {
    destinationArn: queryLogGroup.logGroupArn,
    name: 'r53VpcQueryLoggingConfig',
});

// ... associated with the VPC, not with the hosted zone.
const cfnResolverQueryLoggingConfigAssociation = new route53resolver.CfnResolverQueryLoggingConfigAssociation(this, 'MyCfnResolverQueryLoggingConfigAssociation', /* all optional props */ {
    resolverQueryLogConfigId: cfnResolverQueryLoggingConfig.attrId,
    resourceId: vpc.vpcId,
});

// The zone itself is created without queryLogsLogGroupArn.
const privateHostedZone = new route53.PrivateHostedZone(this, 'HostedZone', {
    zoneName: props.zoneName,
    vpc
});

CDK CLI Version

2.103.1 (build 3bb19ac)

Framework Version

No response

Node.js Version

18

OS

Mac

Language

TypeScript

Language Version

No response

Other information

No response
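The point of the report is that query logging for a private hosted zone is attached to the VPC (a Resolver query logging config plus its association), not to the zone. For detection coverage, the thing to verify after a deploy is therefore that every VPC a private zone is associated with carries an ACTIVE association. The following TypeScript audit helper is an added example, not code from this issue or from aws-cdk; it runs over plain records whose field names I assume mirror the `VPCs` field of the Route 53 GetHostedZone response and the Resolver ListResolverQueryLogConfigAssociations response (`ResourceId` being the VPC id), and the sample records are constructed.

```typescript
// Added example (not from this issue or aws-cdk): report VPCs attached to a
// private hosted zone that lack an ACTIVE Route 53 Resolver query-log
// association. For private zones logging is configured per VPC, which is
// exactly why queryLogsLogGroupArn on the zone itself is rejected.
//
// Record shapes are assumed to mirror the GetHostedZone "VPCs" field and the
// ListResolverQueryLogConfigAssociations response; all sample data below is
// constructed.

interface HostedZoneVpc {
  VPCRegion: string;
  VPCId: string;
}

interface PrivateHostedZone {
  Id: string;
  Name: string;
  VPCs: HostedZoneVpc[];
}

interface QueryLogConfigAssociation {
  ResourceId: string;               // VPC id the config is associated with
  ResolverQueryLogConfigId: string;
  Status: string;                   // e.g. ACTIVE, CREATING, FAILED
}

interface CoverageGap {
  zoneId: string;
  zoneName: string;
  vpcId: string;
  reason: string;
}

// Index associations by VPC so each zone/VPC pair is a direct lookup.
function groupByVpc(
  associations: QueryLogConfigAssociation[],
): Record<string, QueryLogConfigAssociation[]> {
  const byVpc: Record<string, QueryLogConfigAssociation[]> = {};
  for (const a of associations) {
    const list = byVpc[a.ResourceId] || [];
    list.push(a);
    byVpc[a.ResourceId] = list;
  }
  return byVpc;
}

// Every VPC a private zone is attached to must carry at least one ACTIVE
// association; anything else is a gap in DNS query visibility for that zone.
function findQueryLogGaps(
  zones: PrivateHostedZone[],
  associations: QueryLogConfigAssociation[],
): CoverageGap[] {
  const byVpc = groupByVpc(associations);
  const gaps: CoverageGap[] = [];
  for (const zone of zones) {
    for (const vpc of zone.VPCs) {
      const assocs = byVpc[vpc.VPCId] || [];
      if (assocs.length === 0) {
        gaps.push({ zoneId: zone.Id, zoneName: zone.Name, vpcId: vpc.VPCId,
          reason: 'no resolver query log config associated with this VPC' });
      } else if (!assocs.some((a) => a.Status === 'ACTIVE')) {
        const states = assocs.map((a) => a.Status).join(', ');
        gaps.push({ zoneId: zone.Id, zoneName: zone.Name, vpcId: vpc.VPCId,
          reason: `association exists but is not ACTIVE (${states})` });
      }
    }
  }
  return gaps;
}

// Constructed sample: two private zones over three VPCs. Only vpc-0aaa is
// logged; vpc-0bbb has no association and vpc-0ccc has a failed one.
const sampleZones: PrivateHostedZone[] = [
  { Id: '/hostedzone/ZSAMPLE0001', Name: 'corp.internal.', VPCs: [
      { VPCRegion: 'us-east-1', VPCId: 'vpc-0aaa' },
      { VPCRegion: 'us-east-1', VPCId: 'vpc-0bbb' } ] },
  { Id: '/hostedzone/ZSAMPLE0002', Name: 'db.internal.', VPCs: [
      { VPCRegion: 'us-east-1', VPCId: 'vpc-0ccc' } ] },
];

const sampleAssociations: QueryLogConfigAssociation[] = [
  { ResourceId: 'vpc-0aaa', ResolverQueryLogConfigId: 'rqlc-sample-1', Status: 'ACTIVE' },
  { ResourceId: 'vpc-0ccc', ResolverQueryLogConfigId: 'rqlc-sample-2', Status: 'FAILED' },
];

function runAudit(): CoverageGap[] {
  const gaps = findQueryLogGaps(sampleZones, sampleAssociations);
  for (const g of gaps) {
    console.log(`${g.zoneName} (${g.zoneId}) via ${g.vpcId}: ${g.reason}`);
  }
  return gaps;
}

runAudit();
```

Associations are listed per account and region, so a VPC from another account that the zone was shared with (the cross-account case raised in the footnote) will show up as a gap unless the listings from each account and region are merged before calling `findQueryLogGaps`; that is the intended behaviour, since a zone queried from an unlogged VPC is a blind spot regardless of who owns the VPC.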

@adam-imeson adam-imeson added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 14, 2023
@github-actions github-actions bot added the @aws-cdk/aws-route53 Related to Amazon Route 53 label Nov 14, 2023
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 15, 2023
@khushail khushail self-assigned this Nov 30, 2023
@khushail
Contributor

thanks @adam-imeson, for reporting this.

@pahud
Contributor

pahud commented Nov 30, 2023

@pahud pahud added p2 effort/medium Medium work item – several days of effort labels Nov 30, 2023
@khushail khushail removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Nov 30, 2023
@khushail khushail removed their assignment Nov 30, 2023