Amazon API Gateway Access Logging Support #2406

Closed
bflad opened this issue Nov 22, 2017 · 11 comments · Fixed by #4369
Labels: enhancement, service/apigateway

@bflad
Contributor

bflad commented Nov 22, 2017

AWS has announced an enhancement to API Gateway to write access logs in CloudWatch: https://aws.amazon.com/about-aws/whats-new/2017/11/amazon-api-gateway-supports-access-logging/

Prerequisite: #2403

Terraform Version

terraform 0.10+
terraform-provider-aws 1.3.1

Affected Resource(s)

  • aws_api_gateway_stage

Expected Behavior

resource "aws_api_gateway_stage" "example" {
  # ... other configuration ...  new enhancement:
  access_log {
    destination_arn = "..."
    format          = "..." 
  }
}

References

Still waiting on the aws-sdk-go API documentation to update, but there appears to be a new AccessLogSettings struct inside Stage.

@Ninir added the enhancement label Nov 22, 2017
@roberthutto

roberthutto commented Nov 28, 2017

The AWS API should already support this with a patch operation on http://docs.aws.amazon.com/cli/latest/reference/apigateway/update-stage.html

In the interim I'm using a null resource to accomplish this.

resource "null_resource" "access-logging" {

  depends_on = ["aws_cloudwatch_log_group.cloudwatch_access_log_group"]
  count = "${var.access_logs_enabled == "true" ? 1 : 0}"
  triggers {
    log_format = "${file("log_format.json")}"
    log_group = "${local.cloudwatch_access_log_group_arn}"
  }
  provisioner "local-exec" {
    command = "aws apigateway update-stage --rest-api-id ${aws_api_gateway_deployment.deployment.rest_api_id} --stage-name ${aws_api_gateway_deployment.deployment.stage_name} --patch-operations op=replace,path=/accessLogSettings/destinationArn,value='${local.cloudwatch_access_log_group_arn}'"
  }
  provisioner "local-exec" {
    command = "aws apigateway update-stage --rest-api-id ${aws_api_gateway_deployment.deployment.rest_api_id} --stage-name ${aws_api_gateway_deployment.deployment.stage_name} --patch-operations 'op=replace,path=/accessLogSettings/format,value=${jsonencode(replace(file("log_format.json"), "\n", ""))}'"
  }

  provisioner "local-exec" {
    when = "destroy"
    command = "aws apigateway update-stage --rest-api-id ${aws_api_gateway_deployment.deployment.rest_api_id} --stage-name ${aws_api_gateway_deployment.deployment.stage_name} --patch-operations op=remove,path=/accessLogSettings,value="
  }
}

I have not looked at the code, but I assume the https://www.terraform.io/docs/providers/aws/r/api_gateway_method_settings.html uses the same patch operation on metrics and logging level.

@volkodava

volkodava commented Dec 3, 2017

Hello @roberthutto

Thanks for the code.

UPD: Information about log_format.json is available at http://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html

@radeksimko added the service/apigateway label Jan 28, 2018
@smrtslckr

Is there an ETA on when this functionality will be ready?

@Oupsla

Oupsla commented Apr 25, 2018

Any news? 😃

@bflad
Contributor Author

bflad commented May 2, 2018

This has been released in version 1.17.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
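
The feature as it is written against the released provider, as an added example that is not part of the original thread or the provider's own documentation: the block is named `access_log_settings` rather than the `access_log` proposed at the top of the issue. The variable names, log group name, stage name and chosen `$context` fields are assumptions, and the syntax is Terraform 0.12+.

```hcl
# Added example; every name and value here is a placeholder.
variable "rest_api_id" {}   # ID of an existing REST API (assumed to exist)
variable "deployment_id" {} # ID of an existing deployment (assumed to exist)

# Dedicated log group for access logs, with an explicit retention period.
resource "aws_cloudwatch_log_group" "api_access" {
  name              = "/example/apigateway/access" # constructed name
  retention_in_days = 90
}

resource "aws_api_gateway_stage" "example" {
  rest_api_id   = var.rest_api_id
  deployment_id = var.deployment_id
  stage_name    = "example"

  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.api_access.arn

    # jsonencode() emits single-line JSON, so no newline stripping is needed.
    # The fields are $context variables: request metadata only, no headers
    # or request/response bodies.
    format = jsonencode({
      requestId      = "$context.requestId"
      sourceIp       = "$context.identity.sourceIp"
      requestTime    = "$context.requestTime"
      httpMethod     = "$context.httpMethod"
      resourcePath   = "$context.resourcePath"
      status         = "$context.status"
      protocol       = "$context.protocol"
      responseLength = "$context.responseLength"
    })
  }
}
```

Access logs written this way are separate from the execution logs controlled by `logging_level` and `data_trace_enabled` in `aws_api_gateway_method_settings`.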

@phuonghuynh

How could I set my custom cloud-watch-log-arn in "aws_api_gateway_deployment"?

The "aws_api_gateway_method_settings" has no way to set it.

The "aws_api_gateway_stage" creates a new stage; it does not update the existing one which is already deployed using "aws_api_gateway_deployment".

I would greatly appreciate it if someone could kindly give me some advice on this.

@tdmalone
Contributor

@phuonghuynh The CloudWatch ARN setting applies to your whole account rather than a specific API or endpoint. You’ll find it at https://www.terraform.io/docs/providers/aws/r/api_gateway_account.html

@phuonghuynh

@tdmalone Thanks for getting back so fast. I really appreciate it.

Do you mean the attribute cloudwatch_role_arn in "aws_api_gateway_account"?

I am looking for a way to set CloudWatchLogGroupARN in the GatewayAPI settings, like api_gateway_stage does. But it creates a new stage rather than updating the existing one which was created by using "aws_api_gateway_deployment".

@tdmalone
Contributor

Ah, sorry - I misinterpreted what you were asking. Yeah, this is a pain, but the workaround I've come across so far is to leave the stage name blank - see #2918 (comment)

@cmosetick

For anyone coming here wondering how to enable logging at the global level but override the logging for a specific endpoint, I found that the only way that worked for me is the way below. Note that in my example I tried using authenticate/* but found that it did not work; only using authenticate/POST or GET, etc. seems to work.

# enable logging at the global level
resource "aws_api_gateway_method_settings" "init" {
  rest_api_id = "${local.api_id}"
  stage_name  = "${aws_api_gateway_stage.init.stage_name}"
  method_path = "*/*"

  settings {
    metrics_enabled    = "${local.cloudwatch_metrics_enabled[terraform.workspace]}"
    logging_level      = "${local.cloudwatch_logging_level[terraform.workspace]}"
    data_trace_enabled = "${local.cloudwatch_request_response_logging_enabled[terraform.workspace]}"
  }
}

# disable logging for a specific end point
resource "aws_api_gateway_method_settings" "authenticate" {
  rest_api_id = "${local.api_id}"
  stage_name  = "${aws_api_gateway_stage.init.stage_name}"
  method_path = "authenticate/POST"

  settings {
    metrics_enabled    = false
    logging_level      = "OFF"
    data_trace_enabled = false
  }
}

@ghost

ghost commented Apr 4, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 4, 2020