@aws-cdk/aws-logs: Resource handler returned message: "Invalid request provided: AWS::Logs::ResourcePolicy" #17615

Closed
einstein-deploy opened this issue Nov 21, 2021 · 8 comments
Labels
@aws-cdk/custom-resources Related to AWS CDK Custom Resources bug This issue is a bug. effort/medium Medium work item – several days of effort p0

@einstein-deploy

What is the problem?

I am trying to create a custom log group for my CodeBuild project as follows (sample code):

// Create Log Group
const myLogGroup = new log.LogGroup(this, 'my-log-group-label', {
  logGroupName         : 'my-log-group-name',
  removalPolicy        : cdk.RemovalPolicy.RETAIN,
  retention            : log.RetentionDays.ONE_WEEK,
});

// Create CodeBuild Project
this.project = new codebuild.PipelineProject(this, 'my-build-project-label', {
  projectName          : 'my-build-project-name',
  role                 : myRole,
  buildSpec            : myBuildSpec,
  environmentVariables : myBuildEnv,
  environment          : {
    buildImage         : codebuild.LinuxBuildImage.STANDARD_5_0,
    privileged         : true,
  },
  logging              : {
    cloudWatch         : {
      logGroup         : myLogGroup,
    }
  },
  timeout              : cdk.Duration.minutes(30),
  concurrentBuildLimit : 2,
});

...which produces the following cdk diff output:

Resources
[+] AWS::Logs::LogGroup my-build-project-label/my-log-group-label mybuildprojectlabelnmyloggrouplabelC60E4D49 
[+] AWS::Logs::ResourcePolicy my-build-project-label/my-log-group-label/Policy/ResourcePolicy mybuildprojectlabelnmyloggrouplabelPolicyResourcePolicyBF9984F2 
[~] AWS::CodeBuild::Project my-build-project-label/nginx-base-codebuild mybuildprojectlabelnginxbasecodebuild03689A42 
 └─ [+] LogsConfig
     └─ {"CloudWatchLogs":{"GroupName":{"Ref":"mybuildprojectlabelnmyloggrouplabelC60E4D49"},"Status":"ENABLED"}}

Reproduction Steps

Create Log Group using the code above and associate it with a CodeBuild Project with:

  logging              : {
    cloudWatch         : {
      logGroup         : myLogGroup,
    }
  },

What did you expect to happen?

I expect that Log Group would be created with the parameters I specified.

What actually happened?

When I run cdk deploy my-pipeline --role-arn some-role-arn I am getting:

9:54:58 AM | CREATE_FAILED        | AWS::Logs::ResourcePolicy                    | nginx...urcePolicyBF9984F2
Resource handler returned message: "Invalid request provided: AWS::Logs::ResourcePolicy" (RequestToken: 4d4d5fe5-844a-cc6a-7e85-28dcb059b695, HandlerErrorCode: InvalidRequest)

        new ResourcePolicy (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-logs/lib/policy.ts:25:5)
        \_ LogGroup.addToResourcePolicy (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-logs/lib/log-group.ts:121:21)
lowing resource(s) failed to create: [nginxbasepipelinecodebuildnginxbasepipelineloggroupPoli
        \_ Function.addToPrincipalOrResource (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-iam/lib/grant.ts:76:45)
        \_ LogGroup.grant (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-logs/lib/log-group.ts:103:22)
        \_ LogGroup.grantWrite (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-logs/lib/log-group.ts:98:17)
        \_ PipelineProject.renderLoggingConfiguration (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-codebuild/lib/project.ts:1022:32)
        \_ new Project (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-codebuild/lib/project.ts:718:24)
        \_ new PipelineProject (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-codebuild/lib/pipeline-project.ts:12:5)
        \_ new NginxBaseCodeBuildProject (/Users/myuser/Development/nginx-base/lib/nginx-base-codepipeline.ts:244:20)
        \_ new NginxBaseCodePipelineStack (/Users/myuser/Development/nginx-base/lib/nginx-base-codepipeline.ts:112:31)
        \_ Object.<anonymous> (/Users/myuser/Development/nginx-base/bin/nginx-base.ts:35:1)
        \_ Module._compile (internal/modules/cjs/loader.js:1068:30)
        \_ Module.m._compile (/Users/myuser/Development/nginx-base/node_modules/ts-node/src/index.ts:1371:23)
        \_ Module._extensions..js (internal/modules/cjs/loader.js:1097:10)
        \_ Object.require.extensions.<computed> [as .ts] (/Users/myuser/Development/nginx-base/node_modules/ts-node/src/index.ts:1374:12)
        \_ Module.load (internal/modules/cjs/loader.js:933:32)
        \_ Function.Module._load (internal/modules/cjs/loader.js:774:14)
        \_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:72:12)
        \_ main (/Users/myuser/Development/nginx-base/node_modules/ts-node/src/bin.ts:331:12)
        \_ Object.<anonymous> (/Users/myuser/Development/nginx-base/node_modules/ts-node/src/bin.ts:482:3)
        \_ Module._compile (internal/modules/cjs/loader.js:1068:30)
        \_ Object.Module._extensions..js (internal/modules/cjs/loader.js:1097:10)
        \_ Module.load (internal/modules/cjs/loader.js:933:32)
        \_ Function.Module._load (internal/modules/cjs/loader.js:774:14)
        \_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:72:12)
        \_ internal/main/run_main_module.js:17:47


 ❌  my-pipeline failed: Error: The stack named my-pipeline failed to deploy: UPDATE_ROLLBACK_COMPLETE
    at Object.waitForStackDeploy (/usr/local/lib/node_modules/aws-cdk/lib/api/util/cloudformation.ts:309:11)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at prepareAndExecuteChangeSet (/usr/local/lib/node_modules/aws-cdk/lib/api/deploy-stack.ts:351:26)
    at CdkToolkit.deploy (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:194:24)
    at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:267:9)
The stack named my-pipeline failed to deploy: UPDATE_ROLLBACK_COMPLETE

CDK CLI Version

1.133.0 (build 2dea31a)

Framework Version

No response

Node.js Version

v14.17.0

OS

MacOS Monterey 12.0.1

Language

Typescript

Language Version

TypeScript 4.5.2

Other information

No response

@einstein-deploy einstein-deploy added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 21, 2021
@github-actions github-actions bot added the @aws-cdk/custom-resources Related to AWS CDK Custom Resources label Nov 21, 2021
@NGL321 NGL321 added the p1 label Nov 22, 2021
@rix0rrr rix0rrr added effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 22, 2021
@rix0rrr rix0rrr removed their assignment Nov 22, 2021
@Kevmo92

Kevmo92 commented Nov 23, 2021

I'm seeing this as well when creating an ecs LogGroup and trying to deploy it.

@mattfirtion

Cannot reproduce this on v1.130.0

@einstein-deploy
Author

Upgraded to v1.137.0 (build bfbdf64), same issue.

@einstein-deploy
Author

Upgraded to v1.139.0, the same issue.

@nomadme

nomadme commented Jan 26, 2022

We are just recently getting this same error. It used to run fine, but recently.

@rix0rrr rix0rrr added the p0 label Jan 27, 2022
@simonscheurer

We just recently upgraded to 1.141.0 and see the same issue. It happens here:

  const logGroupMachine = new LogGroup(stack, 'LogGroupIotMachine', {
    logGroupName: currentStackConfig.nameByStrategy('machine'),
    retention: currentStackConfig.switchProdDependant(cloudWatchLogRetention),
    removalPolicy: RemovalPolicy.DESTROY,
  })

  // tslint:disable-next-line:no-non-null-assertion
  const iotDeviceRole = Role.fromRoleArn(stack, 'ExistingIotRole', props.userPoolStack.shared!.iotDeviceRoleArn)
  // grant write access ('logs:CreateLogStream', 'logs:PutLogEvents') to the machine log group
  logGroupMachine.grantWrite(iotDeviceRole)
  // grant also required describe log streams
  logGroupMachine.grant(iotDeviceRole, 'logs:DescribeLogStreams')

And the output we see is

af-baikonur-api-iot-xx108: creating CloudFormation changeset...
20:26:12 | CREATE_FAILED        | AWS::Logs::ResourcePolicy | LogGroupIotMachine...urcePolicy604F28F3
Resource handler returned message: "Invalid request provided: AWS::Logs::ResourcePolicy" (RequestToken: b11a0d5e-2045-7d76-b308-c8a497f20cd4, HandlerErrorCode: InvalidRequest)

        new ResourcePolicy (/Users/simonscheurer/Development/Aurum/one-cloud-clean/node_modules/@aws-cdk/aws-logs/lib/policy.js:41:9)
        \_ LogGroup.addToResourcePolicy (/Users/simonscheurer/Development/Aurum/one-cloud-clean/node_modules/@aws-cdk/aws-logs/lib/log-group.js:126:27)
        \_ Function.addToPrincipalOrResource (/Users/simonscheurer/Development/Aurum/one-cloud-clean/node_modules/@aws-cdk/aws-iam/lib/grant.js:72:49)
        \_ LogGroup.grant (/Users/simonscheurer/Development/Aurum/one-cloud-clean/node_modules/@aws-cdk/aws-logs/lib/log-group.js:98:26)
        \_ LogGroup.grantWrite (/Users/simonscheurer/Development/Aurum/one-cloud-clean/node_modules/@aws-cdk/aws-logs/lib/log-group.js:90:21)
        \_ iotStackBuilder (/Users/simonscheurer/Development/Aurum/one-cloud-clean/packages/api/dist/_cjs/iac/iot-stack.js:60:21)
        \_ /Users/simonscheurer/Development/Aurum/one-cloud-clean/packages/api/dist/_cjs/iac/api.iac.js:67:60
        \_ processTicksAndRejections (internal/process/task_queues.js:95:5)

This worked fine prior to upgrading. We had to upgrade as we were on a very old version of cdk where log retention was still deployed with Node10 runtime. The upgrade solved this problem, but now we run into the problem above.

@rix0rrr
Contributor

rix0rrr commented Jan 31, 2022

Duplicate of #17544

@rix0rrr rix0rrr marked this as a duplicate of #17544 Jan 31, 2022
@cgarvis cgarvis closed this as completed Feb 7, 2022
@github-actions

github-actions bot commented Feb 7, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
