fix: add cloudwatch_log_group_principals variable to fix IAM trust policy (#35) #62
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…licy Fixes cloudposse#35 ## Problem The module uses the cloudposse/cloudwatch-logs/aws module which defaults to ec2.amazonaws.com as the principal service for the IAM role trust policy. This is incorrect for API Gateway and causes deployment failures. ## Solution Add a cloudwatch_log_group_principals variable that: - Accepts a map of service principals for the CloudWatch Logs IAM role - Defaults to apigateway.amazonaws.com (the correct principal) - Passes through to the cloudwatch-logs module ## Impact - Fixes API Gateway deployments with CloudWatch logging enabled - Backward compatible - uses sensible default - Allows overriding principals if needed for specific use cases ## Testing Existing tests should pass as they now use the correct IAM principal. The complete example creates an API Gateway with logging enabled and verifies successful deployment.
Add comprehensive test to validate the fix for issue cloudposse#35: - New example: examples/with-custom-principals - Go test that validates IAM role trust policy contains apigateway.amazonaws.com - Ensures API Gateway deploys successfully with CloudWatch logging enabled - Validates the principals parameter works as expected
Zephirin
force-pushed
the
fix/add-cloudwatch-principals-parameter
branch
from
7463a22 to
cb8ce68
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #35
What
Add `cloudwatch_log_group_principals` variable to allow overriding the CloudWatch Logs IAM role trust policy principals.
Why
The module currently uses the `cloudposse/cloudwatch-logs/aws` module which defaults to `ec2.amazonaws.com` as the principal service for the IAM role trust policy. This is incorrect for API Gateway, which requires `apigateway.amazonaws.com`, and causes deployment failures.
How
Impact
Testing
References