-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow importing of egress_lambda_log_group if getting an "already exists" error #191
Conversation
Have you all seen this problem? |
I've never seen this, but it looks like we don't use the |
cumulus/thin-egress.tf
Outdated
data "aws_cloudwatch_log_group" "egress_lambda_log_group" { | ||
name = "/aws/lambda/${module.thin_egress_app.egress_lambda_name}" | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe it's possible to use an import
block from terraform 1.5 here? https://developer.hashicorp.com/terraform/language/import
I've never used these before so I have no idea if they are meant to be used for this sort of situation or would work well, but perhaps it's a way to avoid having both a data
and a resource
object for the same cloudwatch group.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Might be able to avoid having to define 2 filter resources that way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just created my own kinesis stream and log-put-destination in my sandbox account per these instructions so I could emulate the cloud metrics subscription filter.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateDestination.html
I then deleted the my-deployment-thin-egress-app-EgressLambda
cloudwatch group and ran the code.
got this error:
Error: reading CloudWatch Logs Log Group (/aws/lambda/cxl-cumulus-cxl-thin-egress-app-EgressLambda): empty result
with data.aws_cloudwatch_log_group.egress_lambda_log_group,
on thin-egress.tf line 68, in data "aws_cloudwatch_log_group" "egress_lambda_log_group":
68: data "aws_cloudwatch_log_group" "egress_lambda_log_group" {
So the code as-written doesn't work if the cloudwatch group doesn't exist.
@mikedorfman do you all use the |
@lindsleycj - we do not use |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One comment on the retention. I'm not sure of a way around this - perhaps using the import block that @reweeden mentioned. Or perhaps you could make the TEA stack dependent on the log group resource (although you'd have to hard-code the log group name since that would end up being a circular reference otherwise).
cumulus/thin-egress.tf
Outdated
resource "aws_cloudwatch_log_group" "egress_lambda_log_group" { | ||
count = (var.log_destination_arn != null) ? 1 : 0 | ||
count = (var.log_destination_arn != null && data.aws_cloudwatch_log_group.egress_lambda_log_group == null) ? 1 : 0 | ||
name = "/aws/lambda/${module.thin_egress_app.egress_lambda_name}" | ||
retention_in_days = var.egress_lambda_log_retention_days |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is something that NSIDC has run into recently and we don't have a solid solution for it yet. If the lambda writes to this log group before it's defined in the TF, then (with these changes), I don't think the retention_in_days would get set, right?
@reweeden @mikedorfman I have reverted my previous changes and have instead added an example import file. I can't just include it as a |
Probably the better way to handle all of this would be to do it in the TEA Cloudformation stack, but I assume that's not trivial either. |
I have tried another approach, adding an |
@reweeden @mikedorfman I renamed this PR to better represent the solution I settled on. It has been working for me for a few deployments. Is it ok to merge it? |
I'm sorry for the very long delay! I didn't realize there were outstanding questions. @lindsleycj one other thought I had as I work through issues related to this - could you rename the log group to something other than the default lambda log group (eg here, instead of Update you can disregard my comment above. We wouldn't be able to specify a different log group for the lambda to use unless we updated the TEA CloudFormation. Even if we could, we'd be in the same chicken-egg problem as before with the new name. Hmmm. |
This looks reasonable to me. To make this more automated, we could potentially put this in the cumulus target similar to how we have it set up in the tf target. But this looks good to me. |
When I run
make cumulus
for an environment that sends logs to Cloud Metrics, UAT and Prod for me, I often get this error:These lines:
https://github.com/asfadmin/CIRRUS-core/blob/master/cumulus/thin-egress.tf#L67-L72
This PR attempts to only create the log group if it doesn't already exist. It also creates the Cloud Metrics subscription based on the whether the log watch group was just created or already exists.