9

Question

How to set up API Gateway stage level execution logging with Terraform? Is it not supported yet?

Background

The API Gateway stage editor has the execution logging configurations. However, it seems there is no parameter to set them in aws_api_gateway_stage, although it has access logging configuration parameters.

Wondering if there are other resources to use or if those parameters simply have not been implemented.


mon

3 Answers

16

You have to use aws_api_gateway_method_settings ...

resource "aws_api_gateway_method_settings" "YOUR_settings" {
  rest_api_id = "${aws_api_gateway_rest_api.YOUR.id}"
  stage_name  = "${aws_api_gateway_stage.YOUR.stage_name}"
  method_path = "*/*"
  settings {
    logging_level = "INFO"
    data_trace_enabled = true
    metrics_enabled = true
  }
}

The CloudWatch LogGroup should look like API-Gateway-Execution-Logs_{YOUR_API_ID}/{YOUR_STAGENAME}

... maybe you have to setup all the IAM role stuff ...

dasrick
  • Do you perhaps know how to configure that log group name to be something more customised and transparent to its purpose? I have a problem that in the future I'll have multiple api-gateway projects and I want to name them accordingly – Christopher Thomas Mar 04 '19 at 10:57
  • The key thing to note is that the method_path determines whether the settings are for the whole stage or only for a specific method in that stage. When method_path is set to "*/*" then the aws_api_gateway_method_settings determines the settings for the whole stage. Documentation has this "method_path - (Required) Method path defined as {resource_path}/{http_method} for an individual method override, or */* for overriding all methods in the stage." – Ashutosh Jindal Feb 02 '21 at 09:43
1

You can set these logging levels either at the entire "stage" level or override the stage level and define it at the method level as in this example: (notice the "method_path" value here)

resource "aws_api_gateway_method_settings" "s" {
  rest_api_id = aws_api_gateway_rest_api.test.id
  stage_name  = aws_api_gateway_stage.test.stage_name
  method_path = "${aws_api_gateway_resource.test.path_part}/${aws_api_gateway_method.test.http_method}"

  settings {
    metrics_enabled = true
    logging_level   = "INFO"
  }
}

Found here:

See also here:

atom88
0

For future readers, that's how you "setup all the IAM role stuff" mentioned in the accepted answer by @dasrick:

# Allow API Gateway to push logs to CloudWatch
resource "aws_api_gateway_account" "main" {
  cloudwatch_role_arn = aws_iam_role.main.arn
}

resource "aws_iam_role" "main" {
  name = "api-gateway-logs-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

}

resource "aws_iam_role_policy_attachment" "main" {
  role       = aws_iam_role.main.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}

This policy already exists in AWS as described here.

Francisco Cardoso
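
An added example, not part of any answer above: a small Python check over `terraform show -json` state output that verifies the pieces the three answers describe are all present (a `*/*` method settings resource with logging enabled for each stage, and an `aws_api_gateway_account` role) and flags `data_trace_enabled = true`, which writes full request and response data to the log group. The function name, sample state and finding strings are constructed for illustration, and only root-module resources are inspected.

```python
import json

# Constructed sample in the shape of `terraform show -json` state output.
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {"resources": [
  {"address": "aws_api_gateway_stage.prod", "type": "aws_api_gateway_stage",
   "values": {"rest_api_id": "abc123", "stage_name": "prod"}},
  {"address": "aws_api_gateway_stage.dev", "type": "aws_api_gateway_stage",
   "values": {"rest_api_id": "abc123", "stage_name": "dev"}},
  {"address": "aws_api_gateway_method_settings.prod",
   "type": "aws_api_gateway_method_settings",
   "values": {"rest_api_id": "abc123", "stage_name": "prod", "method_path": "*/*",
              "settings": [{"logging_level": "INFO", "data_trace_enabled": true}]}},
  {"address": "aws_api_gateway_method_settings.dev_get",
   "type": "aws_api_gateway_method_settings",
   "values": {"rest_api_id": "abc123", "stage_name": "dev", "method_path": "items/GET",
              "settings": [{"logging_level": "ERROR", "data_trace_enabled": false}]}}
]}}}
""")


def audit_execution_logging(state):
    """Return sorted (address, finding) pairs for execution logging gaps."""
    resources = state.get("values", {}).get("root_module", {}).get("resources", [])
    by_type = {}
    for res in resources:
        by_type.setdefault(res["type"], []).append(res)
    findings = []
    # Without the per-region account role, API Gateway cannot write to CloudWatch Logs.
    accounts = by_type.get("aws_api_gateway_account", [])
    if not any(a["values"].get("cloudwatch_role_arn") for a in accounts):
        findings.append(("aws_api_gateway_account", "no cloudwatch_role_arn in this state"))
    stage_wide = set()  # (rest_api_id, stage_name) pairs with */* logging enabled
    for ms in by_type.get("aws_api_gateway_method_settings", []):
        vals = ms["values"]
        settings = (vals.get("settings") or [{}])[0]
        level = settings.get("logging_level") or "OFF"
        if settings.get("data_trace_enabled"):
            findings.append((ms["address"], "data_trace_enabled logs full request/response data"))
        if vals.get("method_path") == "*/*" and level != "OFF":
            stage_wide.add((vals["rest_api_id"], vals["stage_name"]))
    for stage in by_type.get("aws_api_gateway_stage", []):
        key = (stage["values"]["rest_api_id"], stage["values"]["stage_name"])
        if key not in stage_wide:
            findings.append((stage["address"], "no */* method settings with logging enabled"))
    return sorted(findings)


if __name__ == "__main__":
    print(*audit_execution_logging(SAMPLE_STATE), sep="\n")
```

On the sample, the dev stage is reported because its only method settings resource is a per-method override (`items/GET`), which leaves the rest of the stage without execution logging.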