Set API Gateway execution log retention (#6070)

DataBiosphere · Feb 19, 2025 · 0fcfb0d · 0fcfb0d
1 parent 82e4e7e
commit 0fcfb0d
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/scripts/import_cloudwatch_log_groups.py b/scripts/import_cloudwatch_log_groups.py
@@ -17,6 +17,7 @@
 def main():
 
     log_groups = {}  # Mapping of TF resource name to AWS Cloudwatch log group
+    api_gateway_log_groups = []
 
     log_client = boto3.client('logs')
     paginator = log_client.get_paginator('describe_log_groups')
@@ -36,6 +37,24 @@ def main():
                 if stage == config.deployment_stage:
                     name = name + (f'_{suffix[1:]}' if suffix else '')
                     log_groups[name] = group_name
+            # Since we can't get the name of an API Gateway from the log groups,
+            # for now we just gather the names of the API Gateway log groups
+            # that we find, and then we can use this list when iterating the API
+            # gateways to make sure the log group names we generate are valid.
+            elif group_name.startswith('API-Gateway-Execution-Logs'):
+                api_gateway_log_groups.append(group_name)
+
+    api_client = boto3.client('apigateway')
+    paginator = api_client.get_paginator('get_rest_apis')
+    for api_page in paginator.paginate():
+        for api in api_page['items']:
+            name, stage = config.unqualified_resource_name(api['name'])
+            if stage == config.deployment_stage:
+                name = f'{name}_api_gateway'
+                log_group = f"API-Gateway-Execution-Logs_{api['id']}/{stage}"
+                # Confirm the log group exists
+                assert log_group in api_gateway_log_groups, log_group
+                log_groups[name] = log_group
 
     resources = terraform.run('state', 'list').splitlines()
     for name, log_group in log_groups.items():

diff --git a/terraform/api_gateway.tf.json.template.py b/terraform/api_gateway.tf.json.template.py
@@ -650,6 +650,11 @@ def for_domain(cls, domain):
                         'name': '/aws/apigateway/' + config.qualified_resource_name(app.name),
                         'retention_in_days': config.audit_log_retention_days,
                     },
+                    f'{app.name}_api_gateway': {
+                        'name': 'API-Gateway-Execution-Logs_'
+                                '${aws_api_gateway_rest_api.%s.id}'
+                                '/%s' % (app.name, config.main_deployment_stage)
+                    },
                     **chalice.lambda_log_groups(chalice.tf_config(app.name)['resource'])
                 },
                 'aws_iam_role': {