amazon-web-servicesterraformterraform-provider-awsaws-step-functionsaws-xray

How to enable CloudWatch logging and X-ray for stepfunction in Terraform?


In the AWS console we can easily enable CloudWatch logging and X-Ray for a Step Functions state machine, but I want my resource to be fully managed by Terraform. I looked at this page: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine

It seems like Terraform doesn't support this at the moment (also see: https://github.com/hashicorp/terraform-provider-aws/issues/12192)

Does anyone know if there is any workaround to achieve this? I'd really like to be able to enable both cloudwatch logs & X-ray from Terraform. I can't find much info on this. Might someone be able to help please? Many thanks.


Solution

  • UPDATE: This feature was recently released in 3.27.0 (February 05, 2021)

    Corresponding documentation link : sfn_state_machine#logging

    On provider versions without that support, you can wrap the command that enables logging inside a Terraform null_resource, as shown in the linked issue "Enabling Step Function Logging To CloudWatch #12192". Something like the following:

    Prerequisite :

    aws-cli/2.1.1
    

    Before:

    
        {
        "stateMachineArn": "arn:aws:states:us-east-1:1234567890:stateMachine:mystatemachine",
        "name": "my-state-machine",
        "status": "ACTIVE",
        "definition": "{\n  \"Comment\": \"A Hello World example of the Amazon States Language using an AWS Lambda Function\",\n  \"StartAt\": \"HelloWorld\",\n  \"States\": {\n    \"HelloWorld\": {\n      \"Type\": \"Pass\",\n      \"End\": true\n    }\n  }\n}\n",
        "roleArn": "arn:aws:iam::1234567890:role/service-role/StepFunctions-MyStateMachine-role-a6146d54",
        "type": "STANDARD",
        "creationDate": 1611682259.919,
        "loggingConfiguration": {
            "level": "OFF",
            "includeExecutionData": false
        }
    }
    
    # Step Functions state machine. Logging and tracing are not configured here;
    # they are switched on afterwards by the null_resource/local-exec workaround
    # further down.
    # NOTE(review): role_arn is a hard-coded ARN rather than a reference to a
    # managed aws_iam_role. For the logging and X-Ray settings applied below to
    # take effect, this role needs permission to deliver logs to CloudWatch Logs
    # and to send trace data to X-Ray; its policy is not shown here -- confirm,
    # and keep it least-privilege.
    resource "aws_sfn_state_machine" "sfn_state_machine" {
      name     = "mystatemachine"
      role_arn = "arn:aws:iam::1234567890:role/service-role/StepFunctions-MyStateMachine-role-a6146d54"
    
      # Amazon States Language definition, passed verbatim as a JSON string:
      # a single Pass state named HelloWorld that ends the execution.
      definition = <<EOF
    {
      "Comment": "A Hello World example of the Amazon States Language using an AWS Lambda Function",
      "StartAt": "HelloWorld",
      "States": {
        "HelloWorld": {
          "Type": "Pass",
          "End": true
        }
      }
    }
    EOF
    }
    
    # CloudWatch Logs group that receives the state machine's execution logs.
    # The name uses the /aws/vendedlogs/ prefix.
    # NOTE(review): neither retention_in_days nor kms_key_id is set, so events
    # are kept indefinitely and no customer-managed KMS key is applied. The
    # logging configuration below sets includeExecutionData=true, so state
    # input/output is written here -- set a retention period, consider a KMS key,
    # and restrict who can read this group.
    resource "aws_cloudwatch_log_group" "yada" {
      name = "/aws/vendedlogs/states/myloggroup"
    }
    
    # Workaround: shells out to the AWS CLI to enable X-Ray tracing and
    # CloudWatch logging on the state machine defined above.
    # NOTE(review): the change is made outside the aws_sfn_state_machine
    # resource, so that resource's configuration does not describe it; a later
    # provider-driven update of the state machine may not preserve it -- verify.
    resource "null_resource" "enable_step_function_logging" {
          # A change to either value below replaces this resource, which re-runs
          # the provisioner.
          triggers = {
        state_machine_arn  = aws_sfn_state_machine.sfn_state_machine.arn
        # JSON passed to --logging-configuration. level ALL together with
        # includeExecutionData=true writes execution input and output to the
        # log group; reconsider if executions carry secrets or personal data.
        # ":*" is appended to the log group ARN to form the destination ARN.
        logs_params=<<PARAMS
        {
            "level":"ALL",
            "includeExecutionData":true,
            "destinations":[
                {
                    "cloudWatchLogsLogGroup":{
                        "logGroupArn":"${aws_cloudwatch_log_group.yada.arn}:*"
                        }
                    }
                ]
                }
        PARAMS
        }
      # Runs on the machine executing terraform, using whatever AWS credentials
      # the CLI resolves there; those credentials must be allowed to update this
      # state machine.
      provisioner "local-exec" {
        # The trigger values are spliced into the shell text before it runs. The
        # JSON is wrapped in single quotes, so a single quote inside it would
        # break the quoting; both values come from Terraform resources here.
        # "set -euo pipefail" is bash-style, but no interpreter is set, so the
        # platform's default shell runs the script.
        # NOTE(review): this may fail where that shell does not support pipefail.
        command = <<EOT
    set -euo pipefail
    
    aws stepfunctions update-state-machine --state-machine-arn ${self.triggers.state_machine_arn}  --tracing-configuration enabled=true --logging-configuration='${self.triggers.logs_params}'
    
    EOT
        # interpreter = ["bash"]
        # NOTE(review): if re-enabled, this likely needs to be ["bash", "-c"],
        # since the command string is appended as the final argument -- confirm.
      }
    }
    
    

    After:

    {
        "stateMachineArn": "arn:aws:states:us-east-1:1234567890:stateMachine:mystatemachine",
        "name": "mystatemachine",
        "status": "ACTIVE",
        "definition": "{\n  \"Comment\": \"A Hello World example of the Amazon States Language using an AWS Lambda Function\",\n  \"StartAt\": \"HelloWorld\",\n  \"States\": {\n    \"HelloWorld\": {\n      \"Type\": \"Pass\",\n      \"End\": true\n    }\n  }\n}\n",
        "roleArn": "arn:aws:iam::1234567890:role/service-role/StepFunctions-MyStateMachine-role-a6146d54",
        "type": "STANDARD",
        "creationDate": 1611687676.151,
        "loggingConfiguration": {
            "level": "ALL",
            "includeExecutionData": true,
            "destinations": [
                {
                    "cloudWatchLogsLogGroup": {
                        "logGroupArn": "arn:aws:logs:us-east-1:1234567890:log-group:/aws/vendedlogs/states/myloggroup:*"
                    }
                }
            ]
        }
    }