Add first pass at access logging.

Author: tobyclemson

modules/stage/log_group.tf

@@ -0,0 +1,3 @@
+resource "aws_cloudwatch_log_group" "access_logs" {
+  name = "/${var.component}/${var.deployment_identifier}/api-gateway/${var.name}"
+}

modules/stage/outputs.tf

@@ -21,3 +21,10 @@ output "domain_name_arn" {
 output "domain_name_configuration" {
   value = try(aws_apigatewayv2_domain_name.domain_name[0].domain_name_configuration[0], {})
 }
+
+output "access_logging_log_group_arn" {
+  value = aws_cloudwatch_log_group.access_logs.arn
+}
+output "access_logging_log_group_name" {
+  value = aws_cloudwatch_log_group.access_logs.name
+}

modules/stage/stage.tf

@@ -5,4 +5,9 @@ resource "aws_apigatewayv2_stage" "stage" {
   auto_deploy = local.enable_auto_deploy
 
   tags = local.tags
+
+  access_log_settings {
+    destination_arn = aws_cloudwatch_log_group.access_logs.arn
+    format          = var.access_logging_log_format
+  }
 }

modules/stage/variables.tf

@@ -33,12 +33,34 @@ variable "domain_name_certificate_arn" {
   default     = ""
 }
 
+variable "access_logging_log_format" {
+  type = string
+  description = "The log format to use for access logging."
+  default = "{\"accountId\": \"$context.accountId\", \"apiId\": \"$context.apiId\", \"authorizer.claims.property\": \"$context.authorizer.claims.property\", \"authorizer.error\": \"$context.authorizer.error\", \"authorizer.principalId\": \"$context.authorizer.principalId\", \"authorizer.property\": \"$context.authorizer.property\", \"awsEndpointRequestId\": \"$context.awsEndpointRequestId\", \"awsEndpointRequestId2\": \"$context.awsEndpointRequestId2\", \"customDomain.basePathMatched\": \"$context.customDomain.basePathMatched\", \"dataProcessed\": $context.dataProcessed, \"domainName\": \"$context.domainName\", \"domainPrefix\": \"$context.domainPrefix\", \"error.message\": \"$context.error.message\", \"error.messageString\": \"$context.error.messageString\", \"error.responseType\": \"$context.error.responseType\", \"extendedRequestId\": \"$context.extendedRequestId\", \"httpMethod\": \"$context.httpMethod\", \"identity.accountId\": \"$context.identity.accountId\", \"identity.caller\": \"$context.identity.caller\", \"identity.cognitoAuthenticationProvider\": \"$context.identity.cognitoAuthenticationProvider\", \"identity.cognitoAuthenticationType\": \"$context.identity.cognitoAuthenticationType\", \"identity.cognitoIdentityId\": \"$context.identity.cognitoIdentityId\", \"identity.cognitoIdentityPoolId\": \"$context.identity.cognitoIdentityPoolId\", \"identity.principalOrgId\": \"$context.identity.principalOrgId\", \"identity.clientCert.clientCertPem\": \"$context.identity.clientCert.clientCertPem\", \"identity.clientCert.subjectDN\": \"$context.identity.clientCert.subjectDN\", \"identity.clientCert.issuerDN\": \"$context.identity.clientCert.issuerDN\", \"identity.clientCert.serialNumber\": \"$context.identity.clientCert.serialNumber\", \"identity.clientCert.validity.notBefore\": \"$context.identity.clientCert.validity.notBefore\", \"identity.clientCert.validity.notAfter\": \"$context.identity.clientCert.validity.notAfter\", \"identity.sourceIp\": \"$context.identity.sourceIp\", \"identity.user\": \"$context.identity.user\", \"identity.userAgent\": \"$context.identity.userAgent\", \"identity.userArn\": \"$context.identity.userArn\", \"integration.error\": \"$context.integration.error\", \"integration.integrationStatus\": $context.integration.integrationStatus, \"integration.latency\": $context.integration.latency, \"integration.requestId\": \"$context.integration.requestId\", \"integration.status\": $context.integration.status, \"integrationErrorMessage\": \"$context.integrationErrorMessage\", \"integrationLatency\": $context.integrationLatency, \"integrationStatus\": $context.integrationStatus, \"path\": \"$context.path\", \"protocol\": \"$context.protocol\", \"requestId\": \"$context.requestId\", \"requestTime\": \"$context.requestTime\", \"requestTimeEpoch\": \"$context.requestTimeEpoch\", \"responseLatency\": $context.responseLatency, \"responseLength\": $context.responseLength, \"routeKey\": \"$context.routeKey\", \"stage\": \"$context.stage\", \"status\": $context.status}"
+}
+variable "access_logging_log_group_arn" {
+  type = string
+  description = "The ARN of the CloudWatch log group to use for access logging. Required when `include_access_log_log_group` is `false`."
+  default = ""
+}
+
 variable "tags" {
   type        = map(string)
   description = "Additional tags to set on created resources."
   default     = {}
 }
 
+variable "enable_auto_deploy" {
+  type        = bool
+  description = "Whether or not to enable auto-deploy for the created stage. Defaults to `true`."
+  default     = true
+}
+variable "enable_access_logging" {
+  type        = bool
+  description = "Whether or not to enable access logging for the created stage. Defaults to `true`."
+  default     = true
+}
+
 variable "include_default_tags" {
   type        = bool
   description = "Whether or not to include default tags on created resources. Defaults to `true`."
@@ -54,8 +76,8 @@ variable "include_dns_record" {
   description = "Whether or not to create a DNS record in Route 53 for the domain name of the stage. Defaults to `true`."
   default     = true
 }
-variable "enable_auto_deploy" {
+variable "include_access_logging_log_group" {
   type        = bool
-  description = "Whether or not to enable auto-deploy for the created stage. Defaults to `true`."
+  description = "Whether or not to create a log group for access logging for the created stage. Defaults to `true`."
   default     = true
 }

spec/infra/prerequisites/main.tf

@@ -50,3 +50,7 @@ resource "aws_apigatewayv2_vpc_link" "vpc_link" {
   security_group_ids = [aws_security_group.vpc_link.id]
   subnet_ids         = module.base_networking.private_subnet_ids
 }
+
+resource "aws_cloudwatch_log_group" "log_group" {
+  name = "provided-log-group-${var.component}-${var.deployment_identifier}"
+}

spec/infra/prerequisites/outputs.tf

@@ -13,3 +13,6 @@ output "api_id" {
 output "vpc_link_security_group_id" {
   value = aws_security_group.vpc_link.id
 }
+output "log_group_arn" {
+  value = aws_cloudwatch_log_group.log_group.arn
+}

spec/infra/stage/main.tf

@@ -21,12 +21,16 @@ module "stage" {
 
   hosted_zone_id = var.hosted_zone_id
 
+  access_logging_log_group_arn = var.access_logging_log_group_arn
+
   tags = var.tags
 
-  include_default_tags = var.include_default_tags
-  include_domain_name  = var.include_domain_name
-  include_dns_record   = var.include_dns_record
-  enable_auto_deploy   = var.enable_auto_deploy
+  enable_auto_deploy = var.enable_auto_deploy
+
+  include_default_tags             = var.include_default_tags
+  include_domain_name              = var.include_domain_name
+  include_dns_record               = var.include_dns_record
+  include_access_logging_log_group = var.include_access_logging_log_group
 
   providers = {
     aws     = aws

spec/infra/stage/outputs.tf

@@ -21,3 +21,11 @@ output "domain_name_arn" {
 output "domain_name_configuration" {
   value = module.stage.domain_name_configuration
 }
+
+output "access_logging_log_group_arn" {
+  value = module.stage.access_logging_log_group_arn
+}
+
+output "access_logging_log_group_name" {
+  value = module.stage.access_logging_log_group_name
+}

spec/infra/stage/variables.tf

@@ -16,11 +16,20 @@ variable "domain_name_certificate_arn" {
   default = null
 }
 
+variable "access_logging_log_group_arn" {
+  default = null
+}
+
 variable "tags" {
   type    = map(string)
   default = null
 }
 
+variable "enable_auto_deploy" {
+  type    = bool
+  default = null
+}
+
 variable "include_default_tags" {
   type    = bool
   default = null
@@ -33,7 +42,7 @@ variable "include_dns_record" {
   type    = bool
   default = null
 }
-variable "enable_auto_deploy" {
+variable "include_access_logging_log_group" {
   type    = bool
   default = null
 }

spec/stage_access_logging_spec.rb

@@ -0,0 +1,163 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'stage domain name' do
+  let(:component) { vars(:stage).component }
+  let(:deployment_identifier) { vars(:stage).deployment_identifier }
+
+  let(:stage_name) { vars(:stage).name }
+
+  let(:api_id) do
+    output(:prerequisites, 'api_id')
+  end
+
+  let(:output_stage_id) do
+    output(:stage, 'stage_id')
+  end
+
+  let(:output_access_logging_log_group_arn) do
+    output(:stage, 'access_logging_log_group_arn')
+  end
+
+  let(:output_access_logging_log_group_name) do
+    output(:stage, 'access_logging_log_group_name')
+  end
+
+  let(:api_gateway_stages) do
+    api_gateway_v2_client.get_stages(api_id:).items
+  end
+
+  let(:api_gateway_stage) do
+    api_gateway_stages[0]
+  end
+
+  before(:context) do
+    provision(:stage) do |vars|
+      vars.merge(
+        api_id: output(:prerequisites, 'api_id'),
+        include_domain_name: false
+      )
+    end
+  end
+
+  after(:context) do
+    destroy(:stage) do |vars|
+      vars.merge(
+        api_id: output(:prerequisites, 'api_id'),
+        include_domain_name: false
+      )
+    end
+  end
+
+  describe 'by default' do
+    it 'enables access logging' do
+      expect(api_gateway_stage.access_log_settings).not_to(be_nil)
+    end
+
+    it 'creates a log group for the access logs' do
+      expect(cloudwatch_logs(output_access_logging_log_group_name)).to(exist)
+    end
+
+    it 'includes the component in the log group name' do
+      expect(output_access_logging_log_group_name)
+        .to(match(/.*#{component}.*/))
+    end
+
+    it 'includes the deployment identifier in the log group name' do
+      expect(output_access_logging_log_group_name)
+        .to(match(/.*#{deployment_identifier}.*/))
+    end
+
+    it 'includes the stage name in the log group name' do
+      expect(output_access_logging_log_group_name)
+        .to(match(/.*#{stage_name}.*/))
+    end
+
+    it 'uses the created log group to store access logs' do
+      expect(api_gateway_stage.access_log_settings.destination_arn)
+        .to(eq(output_access_logging_log_group_arn))
+    end
+
+    # rubocop:disable RSpec/ExampleLength
+    it 'logs everything' do
+      expect(api_gateway_stage.access_log_settings.format)
+        .to(eq(
+              '{' \
+              '"accountId": "$context.accountId", ' \
+              '"apiId": "$context.apiId", ' \
+              '"authorizer.claims.property": ' \
+              '"$context.authorizer.claims.property", ' \
+              '"authorizer.error": "$context.authorizer.error", ' \
+              '"authorizer.principalId": ' \
+              '"$context.authorizer.principalId", ' \
+              '"authorizer.property": "$context.authorizer.property", ' \
+              '"awsEndpointRequestId": ' \
+              '"$context.awsEndpointRequestId", ' \
+              '"awsEndpointRequestId2": ' \
+              '"$context.awsEndpointRequestId2", ' \
+              '"customDomain.basePathMatched": ' \
+              '"$context.customDomain.basePathMatched", ' \
+              '"dataProcessed": $context.dataProcessed, ' \
+              '"domainName": "$context.domainName", ' \
+              '"domainPrefix": "$context.domainPrefix", ' \
+              '"error.message": "$context.error.message", ' \
+              '"error.messageString": "$context.error.messageString", ' \
+              '"error.responseType": "$context.error.responseType", ' \
+              '"extendedRequestId": "$context.extendedRequestId", ' \
+              '"httpMethod": "$context.httpMethod", ' \
+              '"identity.accountId": "$context.identity.accountId", ' \
+              '"identity.caller": "$context.identity.caller", ' \
+              '"identity.cognitoAuthenticationProvider": ' \
+              '"$context.identity.cognitoAuthenticationProvider", ' \
+              '"identity.cognitoAuthenticationType": ' \
+              '"$context.identity.cognitoAuthenticationType", ' \
+              '"identity.cognitoIdentityId": ' \
+              '"$context.identity.cognitoIdentityId", ' \
+              '"identity.cognitoIdentityPoolId": ' \
+              '"$context.identity.cognitoIdentityPoolId", ' \
+              '"identity.principalOrgId": ' \
+              '"$context.identity.principalOrgId", ' \
+              '"identity.clientCert.clientCertPem": ' \
+              '"$context.identity.clientCert.clientCertPem", ' \
+              '"identity.clientCert.subjectDN": ' \
+              '"$context.identity.clientCert.subjectDN", ' \
+              '"identity.clientCert.issuerDN": ' \
+              '"$context.identity.clientCert.issuerDN", ' \
+              '"identity.clientCert.serialNumber": ' \
+              '"$context.identity.clientCert.serialNumber", ' \
+              '"identity.clientCert.validity.notBefore": ' \
+              '"$context.identity.clientCert.validity.notBefore", ' \
+              '"identity.clientCert.validity.notAfter": ' \
+              '"$context.identity.clientCert.validity.notAfter", ' \
+              '"identity.sourceIp": "$context.identity.sourceIp", ' \
+              '"identity.user": "$context.identity.user", ' \
+              '"identity.userAgent": "$context.identity.userAgent", ' \
+              '"identity.userArn": "$context.identity.userArn", ' \
+              '"integration.error": "$context.integration.error", ' \
+              '"integration.integrationStatus": ' \
+              '$context.integration.integrationStatus, ' \
+              '"integration.latency": $context.integration.latency, ' \
+              '"integration.requestId": ' \
+              '"$context.integration.requestId", ' \
+              '"integration.status": $context.integration.status, ' \
+              '"integrationErrorMessage": ' \
+              '"$context.integrationErrorMessage", ' \
+              '"integrationLatency": $context.integrationLatency, ' \
+              '"integrationStatus": $context.integrationStatus, ' \
+              '"path": "$context.path", ' \
+              '"protocol": "$context.protocol", ' \
+              '"requestId": "$context.requestId", ' \
+              '"requestTime": "$context.requestTime", ' \
+              '"requestTimeEpoch": "$context.requestTimeEpoch", ' \
+              '"responseLatency": $context.responseLatency, ' \
+              '"responseLength": $context.responseLength, ' \
+              '"routeKey": "$context.routeKey", ' \
+              '"stage": "$context.stage", ' \
+              '"status": $context.status' \
+              '}'
+            ))
+    end
+    # rubocop:enable RSpec/ExampleLength
+  end
+end