API Gateway logs not showing up with terraform

Posted: 2021-06-05 15:40:41

【Problem description】:

I am trying to add CloudWatch logging to my API Gateway and, following posts like this one, have created the following terraform:

resource "aws_iam_role" "iam_for_api_gateway" {
  name        = "${var.name}-api-gateway-role"
  description = "custom IAM Limited Role created with \"APIGateway\" as the trusted entity"
  path        = "/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

  tags = var.resourceTags
}

resource "aws_cloudwatch_log_group" "api_gateway_log_group" {
  name              = "/aws/lambda/${var.name}-api-gateway"
  retention_in_days = 14
}

resource "aws_iam_policy" "api_gateway_logging" {
  name        = "${var.name}-api-gateway-logging"
  path        = "/"
  description = "IAM policy for logging from the api gateway"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "gateway_logs" {
  role       = aws_iam_role.iam_for_api_gateway.id
  policy_arn = aws_iam_policy.api_gateway_logging.arn
}

resource "aws_api_gateway_rest_api" "root_api" {
  name = "${var.name}-rest-api-service"

  tags = var.resourceTags
}

# at this point there are various resource "aws_api_gateway_resource" "api" blocks, etc

resource "aws_api_gateway_account" "demo" {
  cloudwatch_role_arn = aws_iam_role.iam_for_api_gateway.arn
}

resource "aws_api_gateway_deployment" "deployment" {
  rest_api_id = aws_api_gateway_rest_api.root_api.id
  stage_name  = var.envName

  depends_on = [
    aws_cloudwatch_log_group.api_gateway_log_group,
    aws_api_gateway_integration.lang_integration,
    aws_api_gateway_account.demo
  ]

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_api_gateway_method_settings" "example" {
  rest_api_id = aws_api_gateway_rest_api.root_api.id
  stage_name  = var.envName
  method_path = "*/*"

  settings {
    metrics_enabled = true
    logging_level   = "ERROR"
  }
}
But I do not see any log entries generated for my API Gateway, although the log group is created.

I previously got this error:

Error: updating API Gateway Stage failed: BadRequestException: CloudWatch Logs role ARN must be set in account settings to enable logging

  on ..\2-sub-modules\e-api-gateway\main.tf line 627, in resource "aws_api_gateway_method_settings" "example":
 627: resource "aws_api_gateway_method_settings" "example" {

but then I updated the resource "aws_api_gateway_method_settings" "example" block (as shown above).

Now I no longer get the error above, but I also do not get any API Gateway logs.

What am I missing?

【Comments】:

Hi! Quick question: when you say you are not getting any API Gateway logs, do you at least see the log group created in CloudWatch?

Yes, I get the CloudWatch log group.

OK, another silly question (just to understand the whole scenario): you are setting logging_level = "ERROR". Are you testing a failure (KO) scenario against that endpoint? Otherwise, try setting the logging level to INFO and retry.

I just checked the terraform docs; my understanding of logging_level was probably wrong. Maybe, if I want to "log everything that goes through the API", I should use INFO.

From the AWS documentation: "If the logging level is INFO, then the logs include both ERROR events and extra informational events." Depending on the information you want to extract, that log level may be what you need.

【Answer 1】:

Apart from the information I gave in the comments, I want to answer more precisely the question of why the logs are not shown and how to make them appear, in case someone runs into the same problem in the future.

When the logging_level attribute is set to ERROR, only errors are shown in CloudWatch.

If we want to log every request that goes through the gateway, we must use logging_level = "INFO". To show all the information related to the request, such as the request URI, request headers, request body, ... we must activate the data_trace_enabled attribute:

resource "aws_api_gateway_method_settings" "example" {
  rest_api_id = aws_api_gateway_rest_api.root_api.id
  stage_name  = var.envName
  method_path = "*/*"

  settings {
    data_trace_enabled = true
    metrics_enabled    = true
    logging_level      = "INFO" # INFO logs every request, not only failures
  }
}

The Terraform data_trace_enabled attribute matches the Enable Detailed CloudWatch Metrics attribute in the AWS API Gateway console.

There is currently a known limitation in API Gateway where all log events larger than 1024 bytes are truncated, so keep this in mind if the expected calls carry many headers or large bodies.

API Gateway currently limits log events to 1024 bytes. Log events larger than 1024 bytes, such as request and response bodies, will be truncated by API Gateway before submission to CloudWatch Logs.

【Discussion】:

【Answer 2】:

To solve the "CloudWatch Logs role ARN must be set in account settings to enable logging" problem, you should specify this role in the API Gateway Account Settings:

resource "aws_api_gateway_account" "demo" {
  cloudwatch_role_arn = aws_iam_role.cloudwatch.arn
}

resource "aws_iam_role" "cloudwatch" {
  name = "api_gateway_cloudwatch_global"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

Details: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_account

【Discussion】:
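The two answers each fix one half of the problem (the account-level role, and the INFO level plus data trace). The configuration below is an added example that is not code from the question or either answer; it pulls both fixes together and adds the two points a practitioner will otherwise hit next. First, REST API execution logs are always written to the log group API Gateway names itself, API-Gateway-Execution-Logs_<rest-api-id>/<stage-name>, so the asker's /aws/lambda/... group is never written to by API Gateway no matter what the settings are; the only way to send request logs to a group of your choosing is the stage's access_log_settings. Second, data_trace_enabled copies full request and response headers and bodies (Authorization headers included) into CloudWatch, so it belongs in debugging stages only; in the console it is the "Log full requests/responses data" toggle, while metrics_enabled is "Enable Detailed CloudWatch Metrics". The block assumes the asker's aws_api_gateway_rest_api.root_api, aws_api_gateway_integration.lang_integration, var.name and var.envName exist, that a production stage is named "prod", and a recent AWS provider (4.x or later, where the log group arn carries no trailing ":*"). It replaces the asker's aws_api_gateway_account, aws_api_gateway_deployment and aws_api_gateway_method_settings blocks; the names apigw_cloudwatch, this, all, execution and access are illustrative.

```hcl
# Added example, not from the original post. Assumes the asker's
# aws_api_gateway_rest_api.root_api, aws_api_gateway_integration.lang_integration,
# var.name and var.envName exist; the resource names below are illustrative.

# 1. Account-level CloudWatch role (one per account and region, shared by every
#    REST API). The AWS-managed policy carries exactly the logs:* permissions
#    API Gateway needs, so no hand-written "arn:aws:logs:*:*:*" policy is required.
data "aws_iam_policy_document" "apigw_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["apigateway.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "apigw_cloudwatch" {
  name               = "${var.name}-api-gateway-cloudwatch"
  assume_role_policy = data.aws_iam_policy_document.apigw_assume.json
}

resource "aws_iam_role_policy_attachment" "apigw_cloudwatch" {
  role       = aws_iam_role.apigw_cloudwatch.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}

resource "aws_api_gateway_account" "this" {
  cloudwatch_role_arn = aws_iam_role.apigw_cloudwatch.arn
  depends_on          = [aws_iam_role_policy_attachment.apigw_cloudwatch]
}

# 2. Deployment and stage. A separate aws_api_gateway_stage (instead of
#    stage_name on the deployment) is what carries the access-log settings.
resource "aws_api_gateway_deployment" "this" {
  rest_api_id = aws_api_gateway_rest_api.root_api.id

  triggers = {
    # Force a new deployment whenever the integration changes.
    redeployment = sha1(jsonencode([aws_api_gateway_integration.lang_integration.id]))
  }

  lifecycle {
    create_before_destroy = true
  }
}

# Execution logs always go to the group API Gateway names itself; declaring it
# here only lets us set a retention period instead of keeping them forever.
resource "aws_cloudwatch_log_group" "execution" {
  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.root_api.id}/${var.envName}"
  retention_in_days = 14
}

# Access logs (one JSON line per request, no headers or bodies) go to a group we choose.
resource "aws_cloudwatch_log_group" "access" {
  name              = "/aws/apigateway/${var.name}-${var.envName}-access"
  retention_in_days = 14
}

resource "aws_api_gateway_stage" "this" {
  rest_api_id   = aws_api_gateway_rest_api.root_api.id
  deployment_id = aws_api_gateway_deployment.this.id
  stage_name    = var.envName

  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.access.arn
    format = jsonencode({
      requestId      = "$context.requestId" # mandatory in every access-log format
      sourceIp       = "$context.identity.sourceIp"
      requestTime    = "$context.requestTime"
      httpMethod     = "$context.httpMethod"
      resourcePath   = "$context.resourcePath"
      status         = "$context.status"
      responseLength = "$context.responseLength"
    })
  }

  # Without this ordering the stage update fails with
  # "CloudWatch Logs role ARN must be set in account settings to enable logging".
  depends_on = [aws_api_gateway_account.this, aws_cloudwatch_log_group.execution]
}

# 3. Method settings. ERROR records failed calls only, so a healthy API stays
#    silent; INFO records every call.
resource "aws_api_gateway_method_settings" "all" {
  rest_api_id = aws_api_gateway_rest_api.root_api.id
  stage_name  = aws_api_gateway_stage.this.stage_name
  method_path = "*/*"

  settings {
    metrics_enabled = true   # console: "Enable Detailed CloudWatch Metrics"
    logging_level   = "INFO" # console: "Errors and Info Logs"
    # console: "Log full requests/responses data". Copies headers (including
    # Authorization) and bodies into CloudWatch; assumes the production stage is "prod".
    data_trace_enabled = var.envName != "prod"
  }
}
```

After terraform apply, exercise the API once and look in CloudWatch for API-Gateway-Execution-Logs_<rest-api-id>/<stage-name> (execution logs, one stream per request) and /aws/apigateway/<name>-<stage>-access (one JSON line per request). The access log never contains bodies or headers, so it is the one to keep on permanently; the execution log with data trace is the one to switch on while debugging and off again afterwards. The 1024-byte truncation from Answer 1 applies to the execution log entries only.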
