Provisioned AppRunner and Lambda services should take control of generated Log Groups

[nathanblair]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

AppRunner provisions service and application log groups (log streams) automatically when creating an AppRunner service. These log groups have indefinite retention policies, and so will carry on past the deletion of the actual AppRunner service.

What would be better would be a way to automatically import the created CloudWatch Log Groups that are provisioned by AppRunner behind the scenes into a aws_cloudwatch_log_group block following a successful apply for an aws_apprunner_service. This would make sure CloudWatch doesn't get bogged down with an illegible and unmaintainable amount of logs.

There may be a better way to do this than importing them, that is just the most straightforward way I could think to hack out a solution.

I believe this feature also affects the behind-the-scenes coupling of log groups being created when provisioning Lambda functions as well.

Obviously this could be done by running terraform import on the resources after the apply on the apprunner_service, but then that sort of defeats the purpose of having Terraform be fully declarative!

New or Affected Resource(s)

• aws_apprunner_service
• aws_cloudwatch_log_group

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

resource "aws_cloudwatch_log_group" "app_logs" {
  name = "/aws/apprunner/${module.api.service_name}/${module.api.service_id}/service"
}

resource "aws_cloudwatch_log_group" "service_logs" {
  name = "/aws/apprunner/${module.api.service_name}/${module.api.service_id}/service"
}

References

*

[bryantbiggs]

Relates to https://github.com/hashicorp/terraform-provider-aws/issues/17839

[github-actions[bot]]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!