Set API Gateway execution log retention (#6070)

DataBiosphere · Feb 19, 2025 · b9e360f · b9e360f
1 parent 5472807
commit b9e360f
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/scripts/import_cloudwatch_log_groups.py b/scripts/import_cloudwatch_log_groups.py
@@ -20,6 +20,7 @@ def resource(name):
 
     log_groups = {}  # Mapping of TF resource name to AWS Cloudwatch log group
     tf_component = config.terraform_component
+    api_gateway_log_groups = []
 
     log_client = boto3.client('logs')
     paginator = log_client.get_paginator('describe_log_groups')
@@ -41,9 +42,28 @@ def resource(name):
                     if stage == config.deployment_stage:
                         name = name + (f'_{suffix[1:]}' if suffix else '') + '_lambda'
                         log_groups[resource(name)] = group_name
+                # Since we can't get the name of an API Gateway from the log groups,
+                # for now we just gather the names of the API Gateway log groups
+                # that we find, and then we can use this list when iterating the API
+                # gateways to make sure the log group names we generate are valid.
+                elif group_name.startswith('API-Gateway-Execution-Logs'):
+                    api_gateway_log_groups.append(group_name)
             else:
                 pass
 
+    if not tf_component:
+        api_client = boto3.client('apigateway')
+        paginator = api_client.get_paginator('get_rest_apis')
+        for api_page in paginator.paginate():
+            for api in api_page['items']:
+                name, stage = config.unqualified_resource_name(api['name'])
+                if stage == config.deployment_stage:
+                    name = f'{name}_api_execution'
+                    log_group = f"API-Gateway-Execution-Logs_{api['id']}/{stage}"
+                    # Confirm the log group exists
+                    assert log_group in api_gateway_log_groups, log_group
+                    log_groups[resource(name)] = log_group
+
     resources = terraform.run('state', 'list').splitlines()
     for resource_name, log_group in log_groups.items():
         if resource_name in resources:

diff --git a/terraform/api_gateway.tf.json.template.py b/terraform/api_gateway.tf.json.template.py
@@ -650,6 +650,12 @@ def for_domain(cls, domain):
                         'name': '/aws/apigateway/' + config.qualified_resource_name(app.name),
                         'retention_in_days': config.audit_log_retention_days,
                     },
+                    f'{app.name}_api_execution': {
+                        'name': 'API-Gateway-Execution-Logs_'
+                                '${aws_api_gateway_rest_api.%s.id}'
+                                '/%s' % (app.name, config.main_deployment_stage),
+                        'retention_in_days': config.audit_log_retention_days,
+                    },
                     **chalice.lambda_log_groups(chalice.tf_config(app.name)['resource'])
                 },
                 'aws_iam_role': {