-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(logs): Policy Limit Reached for LogGroup ResourcePolicies #20313
Comments
Hi Any update on this? |
Any update on this? |
Hi, |
Same problem please take a look at this @comcalvi |
im facing the same issue, any update on this? I've tried using L1 constructs and it still creates a resource policy whenever a log group is attached to a pipeline project, is there a workaround for this? |
Same issue! |
LogGroups do not support ResourcePolicies being attached directly. The only use case for ResourcePolicies today is to enable vended data (see this). I don't think CDK should be creating these policies at all unless the customer is trying to enable vended data, which is not the case for ECS because ECS uses a role in the customer's account to write data. |
I believe this issue is causing problems for our attempts to deploy Fargate ECS tasks. I have not seen a resolution yet and am wondering if anyone has advice. We are simply defining our Fargate tasks like this...
We have several (probably more than 10 or 15) tasks spread across different Fargate instances. We are now getting the following CDK error when attempting to deploy...
If I remove the "logging" property from the config object, we are able to deploy. But, I was under the impression that adding the logging is necessary to get logs to be delivered to CloudWatch. I appreciate any help with this. |
try this
|
@xmatusmic Thanks for the suggestion. I tried what I think you suggested, but received the same error. Here is my full code example for the stack...
This seems like a fairly significant limitation, but I may be misunderstanding things. We have plans to stand up many Fargate ECS tasks and services, but it seems that this problem will not allow us to do this IF we want logging to CloudWatch. IF I remove the "logging" option on the addContainer, the service and tasks deploy fine, but we do not get any logging at all in CloudWatch. |
|
Thanks @xmatusmic That seems to work. I think the reason this works (but I am guessing a little here) is that the "addContainer" call with the logging property is adding the policy, so you have to place the "tryRemoveChild" call after the "addContainer" call. Would be great for someone from the CDK team to provide even more insight into this. But, I at least can now deploy multiple Fargate tasks / services. |
good :) yeah, its exactly what you said, it has to be done after you add log to the container. |
|
1 similar comment
|
This PR modified to avoid creating unnecessary `ResourcePolicy` in CloudWatch Logs. The related issue reports an error when using the awslogs driver on ECS. This error is caused by the creation of a ResourcePolicy in CloudWatch Logs that reaches the maximum number of ResourcePolicies. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch_limits_cwl.html In some cases, this ResourcePolicy will be created and in other cases it will not be created. Currently, `Grant.addToPrincipalOrResource` is used to grant permissions to ExecutionRole and Log Group in the ECS taskDef. https://github.com/aws/aws-cdk/blob/607dccb0fd920d25f0fe2613b83c9830322c439e/packages/aws-cdk-lib/aws-ecs/lib/log-drivers/aws-log-driver.ts#L138 https://github.com/aws/aws-cdk/blob/607dccb0fd920d25f0fe2613b83c9830322c439e/packages/aws-cdk-lib/aws-logs/lib/log-group.ts#L194 https://github.com/aws/aws-cdk/blob/607dccb0fd920d25f0fe2613b83c9830322c439e/packages/aws-cdk-lib/aws-iam/lib/grant.ts#L122 `Grant.addToPrincipalOrResource` first grants permissions to the Grantee (ExecutionRole) and creates a resource base policy for cross account access in cases where certain conditions are not met. This condition is determined by the contents of the `principalAccount` of the ExecutionRole and the accountID in the `env.account` and whether or not these are Tokens, but in this scenario, cross account access is not necessary. https://github.com/aws/aws-cdk/blob/607dccb0fd920d25f0fe2613b83c9830322c439e/packages/aws-cdk-lib/aws-iam/lib/grant.ts#L141 Also, when the `LogGroup.grantWrite` call was added to `aws-log-driver.ts`, the ResourcePolicy for logs could not be created from CFn and only granted to the ExecutionRole. #1291 ![スクリーンショット 2023-12-27 1 08 20](https://github.com/aws/aws-cdk/assets/58683719/5a17a041-d560-45fa-bac6-cdc3894b18bc) https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html Therefore, the resource base policy should not be necessary when using the awslogs driver. This PR changed to grant permissions only to ExecutionRole when using the awslogs driver. With this fix, ResourcePolicy will no longer be created when using the awslogs driver. I don't consider this a breaking change, as it changes the content of the generated template, but does not change the behavior of forwarding logs to CloudWatch Logs. However, if this is a breaking change, I think it is necessary to use the feature flag. fixes #22307, fixes #20313 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug
After resolution of #17544 A new issue has turned up if you tend to create multiple ECS tasks referring multiple log groups.
Resource handler returned message: "Resource limit exceeded. (Service: CloudWatchLogs, Status Code: 400, Request ID: 25bec134-657e-43c3-ae85-810a0ce56fa0)" (RequestToken: 948dab8b-fac6-2903-695d-f9d825eaea90, HandlerErrorCode: ServiceLimitExceeded)
This is because Default quota for resource policies
Expected Behavior
No error after 10th ECS Task/service
Current Behavior
Each ECS task creates a new log group finally exhausting this limit.
Reproduction Steps
Create 10 log groups for ecs and you will start to face this.
Possible Solution
Let us avoid creating not create Resource Policies for CW Logs until this issue is resolved. I understand this defeats the purpose of lowest privilege, but causes issues.
Additional Information/Context
WorkAround
separate logGroup if created within taskDefinition and add following in the code for now.
logGroup.node.tryRemoveChild('Policy')
CDK CLI Version
2.24.0
Framework Version
No response
Node.js Version
v17.9.0
OS
macOS
Language
Typescript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: