Posted: 2021-06-05 15:40:41
Question:
I am trying to add CloudWatch logging to my API Gateway and, following posts like this one, have created the following Terraform:

resource "aws_iam_role" "iam_for_api_gateway" {
  name        = "${var.name}-api-gateway-role"
  description = "custom IAM Limited Role created with \"APIGateway\" as the trusted entity"
  path        = "/"

  # Trust policy: only the API Gateway service may assume this role.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

  tags = var.resourceTags
}

# Log group managed by Terraform so that retention can be set.
resource "aws_cloudwatch_log_group" "api_gateway_log_group" {
  name              = "/aws/lambda/${var.name}-api-gateway"
  retention_in_days = 14
}

# Permissions the role needs to write to (and read back from) CloudWatch Logs.
resource "aws_iam_policy" "api_gateway_logging" {
  name        = "${var.name}-api-gateway-logging"
  path        = "/"
  description = "IAM policy for logging from the api gateway"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "gateway_logs" {
  role       = aws_iam_role.iam_for_api_gateway.id
  policy_arn = aws_iam_policy.api_gateway_logging.arn
}

resource "aws_api_gateway_rest_api" "root_api" {
  name = "${var.name}-rest-api-service"
  tags = var.resourceTags
}

# at this point there are various resource "aws_api_gateway_resource" "api" blocks, etc

# Account-level setting: the role API Gateway assumes to push logs to CloudWatch.
resource "aws_api_gateway_account" "demo" {
  cloudwatch_role_arn = aws_iam_role.iam_for_api_gateway.arn
}

resource "aws_api_gateway_deployment" "deployment" {
  rest_api_id = aws_api_gateway_rest_api.root_api.id
  stage_name  = var.envName

  depends_on = [
    aws_cloudwatch_log_group.api_gateway_log_group,
    aws_api_gateway_integration.lang_integration,
    aws_api_gateway_account.demo
  ]

  lifecycle {
    create_before_destroy = true
  }
}

# Stage-level settings applied to every method and path ("*/*").
resource "aws_api_gateway_method_settings" "example" {
  rest_api_id = aws_api_gateway_rest_api.root_api.id
  stage_name  = var.envName
  method_path = "*/*"

  settings {
    metrics_enabled = true
    logging_level   = "ERROR"
  }
}

But I am not seeing any log entries generated for my API Gateway, although the log group is created.
I previously got this error:
Error: updating API Gateway Stage failed: BadRequestException: CloudWatch Logs role ARN must be set in account settings to enable logging
on ..\2-sub-modules\e-api-gateway\main.tf line 627, in resource "aws_api_gateway_method_settings" "example":
627: resource "aws_api_gateway_method_settings" "example" {
but then I updated the resource "aws_api_gateway_method_settings" "example" block (as shown above).
Now I no longer get the error above, but I am also not getting any API Gateway logs.
What am I missing?
Discussion:
- Hi! Quick question: when you say you are not getting any API Gateway logs, do you at least see the log group created in CloudWatch?
- Yes, I get the CloudWatch log group.
- OK, another silly question (just to understand the whole scenario): you are setting logging_level = "ERROR". Are you testing a KO scenario against that endpoint? Otherwise, try setting the logging level to INFO and retry.
- I just checked the terraform docs, and maybe my understanding of logging_level is wrong. Perhaps, if I want to "log everything going through the API", I should use INFO?
- From the AWS documentation: "If the logging level is INFO, then the logs include both ERROR events and extra informational events." Depending on what information you want to extract, that log level may fit your requirements.
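The configuration the discussion converges on, as an added example that is not the asker's code or any answer from the thread: the method settings switched to INFO so every request is recorded, declared alongside the log group that API Gateway actually writes execution logs to. It assumes the aws_api_gateway_rest_api.root_api, aws_api_gateway_account.demo and aws_api_gateway_deployment.deployment resources and the var.envName variable from the question; the resource names api_gateway_execution_logs and all_methods are hypothetical.

```hcl
# Added example (not from the question or its comments). Assumes
# aws_api_gateway_rest_api.root_api, aws_api_gateway_account.demo,
# aws_api_gateway_deployment.deployment and var.envName from the question.

# API Gateway names its execution-log group itself:
#   API-Gateway-Execution-Logs_<rest-api-id>/<stage-name>
# Declaring that group in Terraform lets you control its retention; a group
# under "/aws/lambda/..." is never written to by API Gateway. If the API has
# already been invoked, the group exists and must be imported, not created.
resource "aws_cloudwatch_log_group" "api_gateway_execution_logs" {
  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.root_api.id}/${var.envName}"
  retention_in_days = 14
}

resource "aws_api_gateway_method_settings" "all_methods" {
  rest_api_id = aws_api_gateway_rest_api.root_api.id
  stage_name  = var.envName
  method_path = "*/*"

  settings {
    metrics_enabled = true

    # ERROR records only failed invocations; INFO records every request,
    # including the ERROR events.
    logging_level = "INFO"

    # Keep data tracing off outside debugging sessions: it copies full
    # request and response bodies (headers, tokens, payloads) into CloudWatch.
    data_trace_enabled = false
  }

  # Logging can only be enabled on the stage after the account-level
  # CloudWatch role is set and the stage exists.
  depends_on = [
    aws_api_gateway_account.demo,
    aws_api_gateway_deployment.deployment
  ]
}
```

After `terraform apply`, invoke the API once and check the API-Gateway-Execution-Logs_ group in CloudWatch: at INFO level each request produces a log stream entry even when the integration succeeds, which is what was missing at ERROR level when no calls were failing.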
Tags: terraform aws-api-gateway terraform-provider-aws