Merge pull request #275 from NHSDigital/feature/CCM-8433_api-gateway-account-settings

chris-elliott-nhsd · web-flow · commit 399fa1dd5759 · 2025-02-03T09:07:26.000Z
CCM-8433: Add API Gateway account settings
diff --git a/infrastructure/terraform/components/acct/api_gateway_account_global.tf b/infrastructure/terraform/components/acct/api_gateway_account_global.tf
@@ -0,0 +1,3 @@
+resource "aws_api_gateway_account" "global" {
+  cloudwatch_role_arn = aws_iam_role.apigateway_logging.arn
+}
diff --git a/infrastructure/terraform/components/acct/iam_role_apigateway_logging.tf b/infrastructure/terraform/components/acct/iam_role_apigateway_logging.tf
@@ -0,0 +1,29 @@
+resource "aws_iam_role" "apigateway_logging" {
+  name               = "${local.csi}-logging"
+  description        = "Role used by API Gateway to write logs"
+  assume_role_policy = data.aws_iam_policy_document.apigateway_assumerole.json
+}
+
+data "aws_iam_policy_document" "apigateway_assumerole" {
+  statement {
+    sid    = "ApigAssumeRole"
+    effect = "Allow"
+
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "apigateway.amazonaws.com"
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "apigateway_logging" {
+  role       = aws_iam_role.apigateway_logging.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+resource "aws_api_gateway_account" "global" {`
	`2`	`+ cloudwatch_role_arn = aws_iam_role.apigateway_logging.arn`
	`3`	`+}`