Terraform - How do I enable API Gateway execution logging?

0 votes · 3 answers

Question

How do I set up stage-level execution logging for API Gateway with Terraform? Is it not supported yet?

Background

The API Gateway stage editor has an Execution Logging configuration. However, although aws_api_gateway_stage has access logging configuration parameters, there seem to be no parameters for setting execution logging in aws_api_gateway_stage.

I'm wondering whether there is some other resource I could use, or whether these parameters simply haven't been implemented yet.

aws-api-gateway amazon-cloudwatch terraform-provider-aws
3 answers

16 votes

You have to use

aws_api_gateway_method_settings
...

# Stage-wide execution logging: method_path "*/*" covers every resource and HTTP method
resource "aws_api_gateway_method_settings" "YOUR_settings" {
  rest_api_id = aws_api_gateway_rest_api.YOUR.id
  stage_name  = aws_api_gateway_stage.YOUR.stage_name
  method_path = "*/*"

  settings {
    logging_level      = "INFO" # OFF, ERROR or INFO
    data_trace_enabled = true   # also log full request/response data (headers and bodies)
    metrics_enabled    = true
  }
}

The CloudWatch LogGroup should then look like this:

API-Gateway-Execution-Logs_{YOUR_API_ID}/{YOUR_STAGE_NAME}

...and maybe you have to set up all the IAM role stuff...


1 vote

You can set these logging levels at the whole "stage" level, or override the stage level and define it at the method level, as in the example below (note the value of "method_path" here):

resource "aws_api_gateway_method_settings" "s" {
  rest_api_id = aws_api_gateway_rest_api.test.id
  stage_name  = aws_api_gateway_stage.test.stage_name
  # Method-level override: "<resource path>/<HTTP method>" instead of "*/*"
  method_path = "${aws_api_gateway_resource.test.path_part}/${aws_api_gateway_method.test.http_method}"

  settings {
    metrics_enabled = true
    logging_level   = "INFO"
  }
}

Found here:

See also here:


0 votes

For future readers, this is how to do the "set up all the IAM role stuff" mentioned in @dasrick's accepted answer:

# Allow API Gateway to push logs to CloudWatch.
# This is an account/region-wide setting shared by every REST API, not per API.
resource "aws_api_gateway_account" "main" {
  cloudwatch_role_arn = aws_iam_role.main.arn
}

# Role that the API Gateway service assumes when writing to CloudWatch Logs
resource "aws_iam_role" "main" {
  name = "api-gateway-logs-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# AWS-managed policy granting the log group / log stream / PutLogEvents permissions
resource "aws_iam_role_policy_attachment" "main" {
  role       = aws_iam_role.main.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}

This policy already exists in AWS, as described here.
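As an added example (not code from any of the answers above), the following configuration ties the two halves together: the account-level CloudWatch role from the last answer and the stage-wide aws_api_gateway_method_settings from the accepted answer, plus the pieces a practitioner usually wants next to them. It pre-creates the execution log group under the exact name API Gateway uses so that retention is under Terraform control, adds the depends_on that avoids the "CloudWatch Logs role ARN must be set in account settings to enable logging" error when everything is applied in one run, and keeps data_trace_enabled off because that flag writes full request and response headers and bodies (Authorization headers, cookies, PII) to CloudWatch in clear text. The region, the resource names ("example", "health", "api-gateway-logs-role"), the stage name and the 30-day retention are assumptions.

```hcl
# Added example, not from the original answers. Region, names and retention are assumptions.
provider "aws" {
  region = "us-east-1"
}

variable "stage_name" {
  type    = string
  default = "prod"
}

# 1. Account-level CloudWatch role (one per account and region, shared by all REST APIs)
data "aws_iam_policy_document" "apigw_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["apigateway.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "apigw_logs" {
  name               = "api-gateway-logs-role"
  assume_role_policy = data.aws_iam_policy_document.apigw_assume.json
}

resource "aws_iam_role_policy_attachment" "apigw_logs" {
  role       = aws_iam_role.apigw_logs.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}

resource "aws_api_gateway_account" "this" {
  cloudwatch_role_arn = aws_iam_role.apigw_logs.arn
}

# 2. A minimal REST API (one GET method with a mock integration) so the stage can be deployed
resource "aws_api_gateway_rest_api" "example" {
  name = "example"
}

resource "aws_api_gateway_resource" "health" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  parent_id   = aws_api_gateway_rest_api.example.root_resource_id
  path_part   = "health"
}

resource "aws_api_gateway_method" "health_get" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  resource_id   = aws_api_gateway_resource.health.id
  http_method   = "GET"
  authorization = "NONE"
}

resource "aws_api_gateway_integration" "health_get" {
  rest_api_id       = aws_api_gateway_rest_api.example.id
  resource_id       = aws_api_gateway_resource.health.id
  http_method       = aws_api_gateway_method.health_get.http_method
  type              = "MOCK"
  request_templates = { "application/json" = "{\"statusCode\": 200}" }
}

resource "aws_api_gateway_deployment" "example" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  # Redeploy whenever the API definition changes
  triggers = {
    redeployment = sha1(jsonencode([
      aws_api_gateway_resource.health.id,
      aws_api_gateway_method.health_get.id,
      aws_api_gateway_integration.health_get.id,
    ]))
  }
  lifecycle {
    create_before_destroy = true
  }
}

# 3. Create the execution log group under the name API Gateway uses, so retention
#    (and, if wanted, kms_key_id) are managed here instead of defaulting to "never expire"
resource "aws_cloudwatch_log_group" "execution" {
  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${var.stage_name}"
  retention_in_days = 30
}

resource "aws_api_gateway_stage" "example" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  deployment_id = aws_api_gateway_deployment.example.id
  stage_name    = var.stage_name
  depends_on    = [aws_cloudwatch_log_group.execution]
}

# 4. Execution logging for every method of the stage
resource "aws_api_gateway_method_settings" "all" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  stage_name  = aws_api_gateway_stage.example.stage_name
  method_path = "*/*"

  settings {
    metrics_enabled    = true
    logging_level      = "INFO" # OFF, ERROR or INFO
    # true would log complete request/response headers and bodies in clear text
    data_trace_enabled = false
  }

  # The API rejects logging settings until the account's CloudWatch role is set
  depends_on = [aws_api_gateway_account.this]
}
```

Enable data_trace_enabled only temporarily while debugging a specific stage, and remember that aws_api_gateway_account is a singleton: a second Terraform state in the same account and region that also manages it will overwrite the role ARN on every apply.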
