API Gateway logs not showing up with Terraform

Mat*_*t W 5 terraform aws-api-gateway terraform-provider-aws

I am trying to add CloudWatch logging to my API Gateway and have followed posts like this one to create the following Terraform:

resource "aws_iam_role" "iam_for_api_gateway" {
  name = "${var.name}-api-gateway-role"
  description = "custom IAM Limited Role created with \"APIGateway\" as the trusted entity"
  path = "/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

  tags = var.resourceTags
}

resource "aws_cloudwatch_log_group" "api_gateway_log_group" {
  name              = "/aws/lambda/${var.name}-api-gateway"
  retention_in_days = 14
}

resource "aws_iam_policy" "api_gateway_logging" {
  name        = "${var.name}-api-gateway-logging"
  path        = "/"
  description = "IAM policy for logging from the api gateway"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "gateway_logs" {
  role       = aws_iam_role.iam_for_api_gateway.id
  policy_arn = aws_iam_policy.api_gateway_logging.arn
}

resource "aws_api_gateway_rest_api" "root_api" {
  name = "${var.name}-rest-api-service"

  tags = var.resourceTags
}

# at this point there are various resource "aws_api_gateway_resource" "api" blocks, etc

resource "aws_api_gateway_account" "demo" {
  cloudwatch_role_arn = aws_iam_role.iam_for_api_gateway.arn
}

resource "aws_api_gateway_deployment" "deployment" {
  rest_api_id   = aws_api_gateway_rest_api.root_api.id
  stage_name    = var.envName
  
  depends_on    = [
    aws_cloudwatch_log_group.api_gateway_log_group,
    aws_api_gateway_integration.lang_integration,
    aws_api_gateway_account.demo
  ]

  lifecycle {
    create_before_destroy = true
  }
}


resource "aws_api_gateway_method_settings" "example" {
  rest_api_id = aws_api_gateway_rest_api.root_api.id
  stage_name  = var.envName
  method_path = "*/*"

  settings {
    metrics_enabled = true
    logging_level   = "ERROR"
  }
}

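However, although the log group is created, I do not see any log entries being generated for the API Gateway.

I was previously getting this error: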

Error: updating API Gateway Stage failed: BadRequestException: CloudWatch Logs role ARN must be set in account settings to enable logging

  on ..\2-sub-modules\e-api-gateway\main.tf line 627, in resource "aws_api_gateway_method_settings" "example":
 627: resource "aws_api_gateway_method_settings" "example" {

But then I updated the resource "aws_api_gateway_method_settings" "example" block (as shown above).

Now I don't get the above error, but I also don't get any API Gateway logs.

What am I missing?

小智 9

To resolve "CloudWatch Logs role ARN must be set in account settings to enable logging", you should specify this role in the API Gateway account settings:

resource "aws_api_gateway_account" "demo" {
  cloudwatch_role_arn = aws_iam_role.cloudwatch.arn
}

resource "aws_iam_role" "cloudwatch" {
  name = "api_gateway_cloudwatch_global"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

Details: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_account


Jai*_*e S 3

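In addition to the information I provided in the comments, I would like to give a more precise answer to the question of why the logs are not shown and how to show them, in case someone runs into the same problem in the future.

With the logging_level property set to ERROR, only errors will be shown in CloudWatch.

If we want to log all requests going through the gateway, we have to use logging_level = "INFO". To show all the information related to a request, such as the request URI, request headers, request body..., we have to enable the data_trace_enabled property: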

resource "aws_api_gateway_method_settings" "example" {
  rest_api_id = aws_api_gateway_rest_api.root_api.id
  stage_name  = var.envName
  method_path = "*/*"

  settings {
    data_trace_enabled = true   # logs full request/response data (headers and bodies)
    metrics_enabled    = true
    logging_level      = "INFO" # "ERROR" would only log failed requests
  }
}
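
The Terraform data_trace_enabled property matches the Enable Detailed CloudWatch Metrics property in the AWS API Gateway console:

(image: API Gateway)

Currently, API Gateway has a known limitation whereby all log events larger than 1024 bytes are truncated, so keep this in mind if you need to make calls with many headers or large bodies.

API Gateway currently limits log events to 1024 bytes. Log events larger than 1024 bytes, such as request and response bodies, will be truncated by API Gateway before submission to CloudWatch Logs.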
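
Added example, not code from the question or either answer: one way to combine the two answers above into a single configuration, with the account-level role given a permissions policy, the execution log group created under the name API Gateway writes to, and the log level set to INFO. It assumes the question's `aws_api_gateway_rest_api.root_api`, `aws_api_gateway_deployment.deployment`, `var.name` and `var.envName`; the resource names `apigw_assume`, `apigw_cloudwatch`, `apigw_push_logs`, `this`, `apigw_execution` and `all` are hypothetical.

```hcl
# Trust policy: lets the API Gateway service assume the logging role.
data "aws_iam_policy_document" "apigw_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["apigateway.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "apigw_cloudwatch" {
  name               = "${var.name}-apigw-cloudwatch" # hypothetical name
  assume_role_policy = data.aws_iam_policy_document.apigw_assume.json
}

# AWS-managed policy for API Gateway log delivery (used here instead of a custom policy).
resource "aws_iam_role_policy_attachment" "apigw_push_logs" {
  role       = aws_iam_role.apigw_cloudwatch.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}

# Account-level setting, one per region: the role API Gateway uses to write logs.
resource "aws_api_gateway_account" "this" {
  cloudwatch_role_arn = aws_iam_role.apigw_cloudwatch.arn
  depends_on          = [aws_iam_role_policy_attachment.apigw_push_logs]
}

# Execution logs are written to this fixed name, not to a custom group;
# creating it here puts retention under Terraform's control.
resource "aws_cloudwatch_log_group" "apigw_execution" {
  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.root_api.id}/${var.envName}"
  retention_in_days = 14
}

resource "aws_api_gateway_method_settings" "all" {
  rest_api_id = aws_api_gateway_rest_api.root_api.id
  stage_name  = var.envName
  method_path = "*/*"

  settings {
    metrics_enabled    = true
    logging_level      = "INFO" # "ERROR" logs only failed requests
    data_trace_enabled = false  # true also logs request/response headers and bodies
  }

  depends_on = [aws_api_gateway_account.this, aws_cloudwatch_log_group.apigw_execution, aws_api_gateway_deployment.deployment]
}
```

If the stage has already written logs, the `API-Gateway-Execution-Logs_...` group already exists and has to be imported into state before this applies cleanly.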