This is a Bug Report

Description
Using the following configuration:

```yaml
stepFunctions:
  ...
    loggingConfig:
      level: ERROR
      includeExecutionData: true
      destinations:
        - Fn::GetAtt:
            - StepFunctionLogGroup
            - Arn
```
Once deployed, you can see a resource policy updated for CloudWatch Logs:

```
➜ aws logs describe-resource-policies
{
    "resourcePolicies": [
        {
            "policyName": "AWSLogDeliveryWrite20150319",
            "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AWSLogDeliveryWrite\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Resource\":[\"arn:aws:logs:us-east-1:yyyyyyyy:log-group:xxxxxxxxx-step-function-logs:log-stream:*\"]}]}",
            "lastUpdatedTime": 1589885504628
        }
    ]
}
```
But when destroying a stage, we see that the resourcePolicies entries remain.

And so after deploying/destroying different stages, the resource policy eventually gets too big, we hit a cap, and when deploying one would get:

```
DeploymentStateMachine CREATE_FAILED The state machine IAM Role is not authorized to access the Log Destination (Service: AWSStepFunctions; Status Code: 400; Error Code: AccessDeniedException; Request ID: 50686873-95b9-45fa-a890-068bef2e5a8f)
```

Which is caused by what's described further here.
Additional Data
- Serverless Framework Core Version you're using:
- The Plugin Version you're using: 2.19.0
- Operating System: macOS
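To spot the leak described above before the cap is hit, one can audit the `AWSLogDeliveryWrite` policy for log-group ARNs whose log group no longer exists. The script below is an added example, not part of the issue or the plugin; the `describe-resource-policies` output and the set of existing log groups are constructed inline (in practice they would come from `aws logs describe-resource-policies` and `describe-log-groups`), and the 5120-character policy size limit is an assumption taken from the CloudWatch Logs quotas rather than from this page.

```python
import json

# Assumed limit on a CloudWatch Logs resource policy document, in characters
# (from the CloudWatch Logs service quotas; not stated in the issue).
POLICY_SIZE_LIMIT = 5120

# Constructed sample, shaped like the `aws logs describe-resource-policies` output
# in the issue: one live stage (dev) and one stage that was already destroyed (pr42).
SAMPLE_DESCRIBE_OUTPUT = {
    "resourcePolicies": [{
        "policyName": "AWSLogDeliveryWrite20150319",
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "AWSLogDeliveryWrite",
                "Effect": "Allow",
                "Principal": {"Service": "delivery.logs.amazonaws.com"},
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": [
                    "arn:aws:logs:us-east-1:123456789012:log-group:myservice-dev-step-function-logs:log-stream:*",
                    "arn:aws:logs:us-east-1:123456789012:log-group:myservice-pr42-step-function-logs:log-stream:*",
                ],
            }],
        }, separators=(",", ":")),
        "lastUpdatedTime": 1589885504628,
    }]
}
# Constructed: log groups that currently exist in the account/region.
EXISTING_LOG_GROUPS = {"myservice-dev-step-function-logs"}


def log_group_from_arn(arn):
    """Return the log-group name from a logs ARN, or None if it is not a log-group ARN."""
    parts = arn.split(":")  # arn:aws:logs:<region>:<account>:log-group:<name>[:log-stream:*]
    if len(parts) < 7 or parts[5] != "log-group":
        return None
    return parts[6]


def audit_resource_policies(describe_output, existing_log_groups, limit=POLICY_SIZE_LIMIT):
    """For each resource policy, report its size and the referenced log groups that no longer exist."""
    report = []
    for policy in describe_output.get("resourcePolicies", []):
        doc = json.loads(policy["policyDocument"])
        referenced = []
        for stmt in doc.get("Statement", []):
            resources = stmt.get("Resource", [])
            for arn in [resources] if isinstance(resources, str) else resources:
                name = log_group_from_arn(arn)
                if name is not None:
                    referenced.append(name)
        stale = [n for n in referenced if n not in existing_log_groups]  # leaked entries
        size = len(policy["policyDocument"])
        report.append({"policyName": policy["policyName"], "size": size,
                       "over_limit": size > limit, "referenced": referenced, "stale": stale})
    return report
```

Stale entries are the ones a destroy left behind; removing them (via `put-resource-policy` with a cleaned document) keeps the policy under the limit so new stages can still be granted log delivery.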