Commit 7463a22
committed
fix: add cloudwatch_log_group_principals variable to fix IAM trust policy
Fixes #35
## Problem
The module uses the cloudposse/cloudwatch-logs/aws module which defaults
to ec2.amazonaws.com as the principal service for the IAM role trust policy.
This is incorrect for API Gateway and causes deployment failures.
## Solution
Add a cloudwatch_log_group_principals variable that:
- Accepts a map of service principals for the CloudWatch Logs IAM role
- Defaults to apigateway.amazonaws.com (the correct principal)
- Passes through to the cloudwatch-logs module
## Impact
- Fixes API Gateway deployments with CloudWatch logging enabled
- Backward compatible - uses sensible default
- Allows overriding principals if needed for specific use cases
## Testing
Existing tests should pass as they now use the correct IAM principal.
The complete example creates an API Gateway with logging enabled and
verifies successful deployment.1 parent 8c52717 commit 7463a22
2 files changed
Lines changed: 9 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
33 | 33 | | |
34 | 34 | | |
35 | 35 | | |
| 36 | + | |
36 | 37 | | |
37 | 38 | | |
38 | 39 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
151 | 151 | | |
152 | 152 | | |
153 | 153 | | |
| 154 | + | |
| 155 | + | |
| 156 | + | |
| 157 | + | |
| 158 | + | |
| 159 | + | |
| 160 | + | |
| 161 | + | |
0 commit comments