Fix tests after adding access logging.

tobyclemson · tobyclemson · commit 494d1293a9a0 · 2022-06-07T11:13:12.000+01:00
diff --git a/modules/stage/locals.tf b/modules/stage/locals.tf
@@ -6,6 +6,8 @@ locals {
   include_dns_record   = var.include_dns_record == null ? true : var.include_dns_record
   enable_auto_deploy   = var.enable_auto_deploy == null ? true : var.enable_auto_deploy
 
+  sanitised_name = replace(var.name, "$", "")
+
   default_tags = local.include_default_tags == true ? {
     Component            = var.component
     DeploymentIdentifier = var.deployment_identifier
diff --git a/modules/stage/log_group.tf b/modules/stage/log_group.tf
@@ -1,3 +1,51 @@
 resource "aws_cloudwatch_log_group" "access_logs" {
-  name = "/${var.component}/${var.deployment_identifier}/api-gateway/${var.name}"
+  name = "/${var.component}/${var.deployment_identifier}/api-gateway/${local.sanitised_name}"
+}
+
+data "aws_iam_policy_document" "api_gateway_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = [
+        "apigateway.amazonaws.com"
+      ]
+      type = "Service"
+    }
+
+    effect = "Allow"
+  }
+}
+
+data "aws_iam_policy_document" "api_gateway_logging_policy" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
+      "logs:PutLogEvents",
+      "logs:GetLogEvents",
+      "logs:FilterLogEvents"
+    ]
+    resources = [
+      "*"
+    ]
+  }
+}
+
+resource "aws_iam_role" "api_gateway_logging_role" {
+  name = "api-gateway-logging-role-${var.component}-${var.deployment_identifier}-${local.sanitised_name}"
+  assume_role_policy = data.aws_iam_policy_document.api_gateway_assume_role_policy.json
+}
+
+resource "aws_iam_role_policy" "api_gateway_logging_role_policy" {
+  name = "api-gateway-logging-policy-${var.component}-${var.deployment_identifier}-${local.sanitised_name}"
+  role = aws_iam_role.api_gateway_logging_role.name
+  policy = data.aws_iam_policy_document.api_gateway_logging_policy.json
+}
+
+resource "aws_api_gateway_account" "api_gateway_account" {
+  cloudwatch_role_arn = aws_iam_role.api_gateway_logging_role.arn
 }
