
aws-eks: CloudWatch Logs Resource Policy Size Exceeded for Cluster Resource Provider #28744

Closed
peteraws opened this issue Jan 17, 2024 · 5 comments
Labels: @aws-cdk/aws-eks (Related to Amazon Elastic Kubernetes Service), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p1

Comments

@peteraws

Describe the bug

When deploying an EKS cluster, I'm running into an error for the Cluster Resource Provider, stating "the CloudWatch Logs Resource Policy size was exceeded. We suggest prefixing your CloudWatch log group name with /aws/vendedlogs/states/"

Expected Behavior

Successful deployment of EKS cluster resource provider

Current Behavior

EKS Cluster is failing

Logical ID - Providerwaiterstatemachine
Status Reason - Resource handler returned message: "Invalid Logging Configuration: The CloudWatch Logs Resource Policy size was exceeded. We suggest prefixing your CloudWatch log group name with /aws/vendedlogs/states/. (Service: AWSStepFunctions; Status Code: 400; Error Code: InvalidLoggingConfiguration;

Reproduction Steps

```ts
import * as ec2 from "aws-cdk-lib/aws-ec2";
import * as eks from "aws-cdk-lib/aws-eks";

// clusterAdmin, props.clusterName, this.vpc and TestSecurityGroup are defined elsewhere in the stack
const cluster = new eks.Cluster(this, "TestCluster", {
  version: eks.KubernetesVersion.V1_27,
  mastersRole: clusterAdmin,
  clusterName: props.clusterName,
  defaultCapacity: 0,
  vpc: this.vpc,
  vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_NAT }],
  securityGroup: TestSecurityGroup,
});
```

Possible Solution

append CloudWatch log group with /aws/vendedlogs/states/

Additional Information/Context

I have tried multiple deployments in the account and the deployment was previously successful, until the deployment started failing. I've tried several more times in the same account and I run into the same error every time. However, deploying the same code in a different account works.

CDK CLI Version

2.114.0

Framework Version

No response

Node.js Version

20.10.0

OS

macos

Language

TypeScript

Language Version

No response

Other information

No response

@peteraws peteraws added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 17, 2024
@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Jan 17, 2024
@pahud
Contributor

pahud commented Jan 19, 2024

related to #19353

@pahud pahud added p1 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 19, 2024
@peteraws
Author

@pahud - The ask is similar, but the difference between this issue and #19353 is that there is no workaround for the Cluster Resource Provider by updating the log group name. Since the Cluster Resource Provider is the default provider for an EKS cluster, the user does not have access to modify the CloudWatch log group name for the Cluster Resource Provider.

@go-to-k
Contributor

go-to-k commented Jan 21, 2024

Related to #28577

Are you using CDK version 2.114.0? Perhaps that behavior will happen starting with v2.116.0.

https://github.com/aws/aws-cdk/releases/tag/v2.116.0
#27310

But if you use v2.121.1 or a later version, I believe it has been resolved by the revert.

https://github.com/aws/aws-cdk/releases/tag/v2.121.1
#28699

Because of the background that logging must be given to Step Functions by default in the custom resource provider for security reasons, the fundamental solution is being initiated by the PR here, so there may be some movement in the future.

@peteraws
Author

@go-to-k I saw the same issue with 2.118. However, I can confirm the issue does not exist in 2.121.1.


mergify bot pushed a commit that referenced this issue Apr 19, 2024
… in CompleteHandler (#28706)

This PR fixes the case that `StateMachine` generated for `CompleteHandler` in `Provider` cannot set logging.

The default log group name of the state machine automatically created by the `Provider` with `isCompleteHandler` should start with `/aws/vendedlogs/states`. Otherwise, each time the state machine is created, the log resource policy size increases. 

https://docs.aws.amazon.com/step-functions/latest/dg/bp-cwl.html

Closes #27283
Fixes #28577 #28744

Related PR #27310(reverted by #28699), #28587

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
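As an added illustration (not code from aws-cdk, AWS, or the commit above), a plain TypeScript model of why the log group name matters: Step Functions grants log delivery to a log group outside the vended prefix by adding that group's ARN to an account-level CloudWatch Logs resource policy, so each Provider state machine deployed with a default-named log group grows the policy until the quota is hit, while names under `/aws/vendedlogs/states/` are never added. It assumes the 5,120-character resource-policy quota and uses constructed CloudFormation-style names and a constructed account id.

```typescript
// Added model (not aws-cdk or AWS code) of the CloudWatch Logs resource policy
// growth behind "The CloudWatch Logs Resource Policy size was exceeded".
// Assumption: resource policy quota of 5,120 characters (CloudWatch Logs quotas).
const VENDED_PREFIX = "/aws/vendedlogs/";
const RESOURCE_POLICY_MAX_CHARS = 5120;

// Log groups under the vended prefix use vended-log delivery and never appear
// in the account-level resource policy.
function isVendedLogGroup(name: string): boolean {
  return name.startsWith(VENDED_PREFIX);
}

function logGroupArn(region: string, account: string, name: string): string {
  return `arn:aws:logs:${region}:${account}:log-group:${name}:*`;
}

// Simplified shape of the delivery policy; the exact document AWS writes is not
// reproduced, only its growth by one ARN per non-vended log group.
function buildDeliveryPolicy(arns: string[]): string {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
      Sid: "AWSLogDeliveryWrite",
      Effect: "Allow",
      Principal: { Service: "delivery.logs.amazonaws.com" },
      Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
      Resource: arns,
    }],
  });
}

interface PolicyReport { policyChars: number; nonVendedCount: number; exceedsLimit: boolean; }

// Given every state-machine log group name in an account, report how large the
// delivery policy would be and whether the next deployment would be rejected.
function assessLogGroups(region: string, account: string, names: string[]): PolicyReport {
  const nonVended = names.filter((n) => !isVendedLogGroup(n));
  const policy = buildDeliveryPolicy(nonVended.map((n) => logGroupArn(region, account, n)));
  return { policyChars: policy.length, nonVendedCount: nonVended.length,
           exceedsLimit: policy.length > RESOURCE_POLICY_MAX_CHARS };
}

// Constructed sample names in the style CloudFormation generates for the EKS
// Provider's waiter state machine; vended=true puts them under the safe prefix.
function sampleLogGroups(count: number, vended = false): string[] {
  const base = vended ? "/aws/vendedlogs/states/" : "";
  return Array.from({ length: count }, (_, i) =>
    `${base}EksStack-ProviderwaiterstatemachineLogGroup${i}-ABCDEFGHIJKL`);
}

console.log(assessLogGroups("us-east-1", "123456789012", sampleLogGroups(60)));
```

Running it with 60 default-named groups reports a policy well past the quota, while the same 60 names under the vended prefix contribute nothing to it.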