Describe the feature
Currently BaseLoadBalancer.logAccessLogs requires that the Stack has a specific region specified on the Environment.
This seems a pretty arbitrary limitation - why should this be necessary? Looking at the code, it seems to be in order to set a principal, but other logging constructs like flowLog allow specifying roles. Indeed, if the region doesn't resolve to an account in BaseLoadBalancer.resourcePolicyPrincipal it just returns iam.ServicePrincipal('logdelivery.elasticloadbalancing.amazonaws.com'), so why shouldn't it do that when the region is unresolved too, since it's only using the region to find an account?
Use Case
I want to enable access logging on an ALB created in an environment agnostic stack, which seems a reasonable thing to do.
Proposed Solution
Change https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts#L306-L309
as so:
const region = Stack.of(this).region;
if (Token.isUnresolved(region)) {
  return new iam.ServicePrincipal('logdelivery.elasticloadbalancing.amazonaws.com');
}
Other Information
Context - we can't set a region. In our case we have a CDK setup that has been running fine for over a year. A pen test has flagged that we should have access logs for our ALBs. We have a Product Stack as part of our Stack, and setting a region on the Environment for the Stack completely breaks it; if I set just a region I get this:
Error: Stack "my-stack/my-product" cannot reference {my-stack/my-stack-vpc/publicSubnet1/Subnet[Ref]} in stack "my-stack". Cross stack references are only supported for stacks deployed to the same environment or between nested stacks and their parent stack. Set crossRegionReferences=true to enable cross region references
(I am setting crossRegionReferences(true))
If I set a region and an account I get this:
Resolution error: Cannot generate a physical name for my-stack/my-product/my-stack-my-product-ecs-service-task-def/ExecutionRole, because the region is un-resolved or missing.
There seems no way to specify an environment on a product stack.
So currently I'm completely stymied. I guess I'll just have to set up the access logging manually as a handcrafted little snowflake.
Acknowledgements
CDK version used
2.99.1
Environment details (OS name and version, etc.)
macOS & Linux
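As an added, self-contained example (not code from aws-cdk or from this issue), the decision logic of the Proposed Solution above modelled in plain TypeScript, so the current and proposed behaviour of resourcePolicyPrincipal can be compared side by side. It assumes a constructed region-to-account table and a simplified stand-in for Token.isUnresolved, both labelled in the code.

```typescript
// Added example (not aws-cdk code): models the principal selection in
// BaseLoadBalancer.resourcePolicyPrincipal as pure functions, so the current and
// proposed behaviour can be compared without a CDK app or AWS account.

// Simplified stand-in for CDK's Token.isUnresolved(): an unresolved token renders
// as a "${Token[...]}" string, which is what Stack.of(this).region returns in an
// environment-agnostic stack.
function isUnresolved(value: string): boolean {
  return /\$\{Token\[/.test(value);
}

// Constructed stand-in for RegionInfo.get(region).elbv2Account; the region name and
// account ID are placeholders, not real ELB log-delivery accounts.
const ELBV2_ACCOUNT: Record<string, string> = {
  'region-with-elb-account': '111111111111',
};

const LOG_DELIVERY_SERVICE = 'logdelivery.elasticloadbalancing.amazonaws.com';

type Principal =
  | { kind: 'account'; accountId: string }
  | { kind: 'service'; service: string };

// Resolved region: use the regional ELB account if one is known, otherwise the
// log-delivery service principal (the fallback the issue already relies on).
function principalForResolvedRegion(region: string): Principal {
  const account = ELBV2_ACCOUNT[region];
  return account
    ? { kind: 'account', accountId: account }
    : { kind: 'service', service: LOG_DELIVERY_SERVICE };
}

// Current behaviour as the issue describes it: an unresolved region is rejected
// (the error text here is this model's own, not CDK's).
function currentPrincipal(region: string): Principal {
  if (isUnresolved(region)) {
    throw new Error('region must be resolved to enable access logs');
  }
  return principalForResolvedRegion(region);
}

// Proposed behaviour: treat an unresolved region like a region with no known
// ELB account and fall back to the service principal.
function proposedPrincipal(region: string): Principal {
  if (isUnresolved(region)) {
    return { kind: 'service', service: LOG_DELIVERY_SERVICE };
  }
  return principalForResolvedRegion(region);
}
```

One caveat for anyone adopting the fallback: AWS documents the logdelivery.elasticloadbalancing.amazonaws.com service principal as the bucket-policy principal only for Regions made available after August 2022, while older Regions require the Region-specific ELB account ID, so in an older Region this fallback yields a bucket policy that does not permit log delivery and the access logs silently never arrive. Confirming after deployment that the log bucket actually receives objects is the practical check.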