retooled for existing log group

Author: JamesW1-NHS

terraform/csoc_sentinel.tf

@@ -21,7 +21,7 @@ resource "aws_apigatewayv2_stage" "default" {
   }
   access_log_settings {
     destination_arn = aws_cloudwatch_log_group.api_access_log.arn
-    format          = "{ \"requestId\":\"$context.requestId\", \"extendedRequestId\":\"$context.extendedRequestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\",  \"responseLength\":\"$context.responseLength\", \"authorizerError\":\"$context.authorizer.error\", \"authorizerStatus\":\"$context.authorizer.status\", \"requestIsValid\":\"$context.authorizer.is_valid\"\"environment\":\"$context.authorizer.environment\" }"
+    format          = "{ \"requestId\":\"$context.requestId\", \"extendedRequestId\":\"$context.extendedRequestId\", \"ip\":\"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"accountId\":\"$context.accountId\", \"apiId\":\"$context.apiId\", \"stage\":\"$context.stage\", \"api_key\":\"$context.identity.apiKey\", \"authorizerError\":\"$context.authorizer.error\", \"authorizerStatus\":\"$context.authorizer.status\", \"requestIsValid\":\"$context.authorizer.is_valid\", \"environment\":\"$context.authorizer.environment\" }"
   }
 
   # Bug in terraform-aws-provider with perpetual diff

terraform/modules/api_gateway/api.tf

@@ -53,3 +53,35 @@ resource "aws_iam_role_policy" "cloudwatch" {
 }
 EOF
 }
+
+resource "aws_iam_role_policy_attachment" "cwlogs_apigateway_policy" {
+  role       = aws_iam_role.api_cloudwatch.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+}
+
+# TODO un-hardcode the region
+# e.g.
+#   "logs.${data.aws_region.current.region}.amazonaws.com"
+
+resource "aws_iam_role" "cwlogs_subscription_role" {
+  name = "${local.short_prefix}-cwlogs-subscription-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect = "Allow",
+      Sid    = "",
+      Principal = {
+        Service = "logs.eu-west-2.amazonaws.com"
+      },
+      Action = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_cloudwatch_log_subscription_filter" "cwlogs_subscription_logfilter" {
+  name            = "${local.short_prefix}-cwlogs-subscription-logfilter"
+  log_group_name  = aws_cloudwatch_log_group.api_access_log.name
+  filter_pattern  = ""
+  destination_arn = "arn:aws:logs:eu-west-2:693466633220:destination:api_gateway_log_destination"
+  role_arn        = aws_iam_role.cwlogs_subscription_role.arn
+}