
APIGateway logging and detailed metrics require account-wide configuration

Open lukehoban opened this issue 7 years ago • 4 comments

We want to enable logging and per-route metrics for API Gateway, to get insight into what is happening with the APIGateways backing our HttpEndpoint.

We can do that with the following:

```typescript
// Stage-level method settings for every route ("*/*") of the REST API
const settings = new aws.apigateway.MethodSettings(name, {
    restApi: api,
    stageName: stageName,
    methodPath: "*/*",
    settings: [{
        metricsEnabled: true,
        loggingLevel: "INFO",
    }],
});
```

However, the above will not work unless a CloudWatch logs ARN is provided for the account-wide (actually just region-wide within an account) Account - for example:

```typescript
// Role that API Gateway assumes to push execution logs to CloudWatch Logs
const apigatewayLogsRole = new aws.iam.Role(`${name}-api-logs`, {
    assumeRolePolicy: JSON.stringify({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": "apigateway.amazonaws.com",
                },
                "Action": "sts:AssumeRole",
            },
        ],
    }),
});
const policy = new aws.iam.RolePolicyAttachment(`${name}-api-logs`, {
    role: apigatewayLogsRole,
    policyArn: aws.iam.AmazonAPIGatewayPushToCloudWatchLogs,
});
// Region-wide account setting: there is exactly one per account/region
const accountSettings = new aws.apigateway.Account(name, {
    cloudwatchRoleArn: apigatewayLogsRole.arn,
});
```

The problem is, each stack will overwrite the account-wide role that is used here.

Technically, this might not be a problem, but it would be "strange" - for one, a given stack would think this was set to the value it set - but in reality it's likely the value drifted due to another stack. But perhaps more concerning, this would overwrite anything the user had explicitly set themselves.

We have three options:

  1. Don't try to get logs or detailed metrics from API Gateway
  2. Require users to manually configure this in their account before being able to successfully deploy @pulumi/cloud apps.
  3. Have every stack set this and overwrite each other per above.

lukehoban avatar Dec 20 '17 07:12 lukehoban

This is related to #316, as it may limit our ability to get metrics we want to support dashboards/metrics.

lukehoban avatar Dec 20 '17 07:12 lukehoban

Perhaps there is a 4th option?

Could we provide an overlay that provides an interface similar to an atomic update? e.g. "set this policy IFF it was equal to value X, otherwise fail"? Would that allow us to provide a good default for apps to generally work without being modified, or if not provide a clear and detailed error message for what the situation is?

chrsmith avatar Dec 20 '17 17:12 chrsmith

Good point - we could implement our own dynamic provider to try to configure this only when not sufficiently configured already. I feel like this will get awkward - but it is likely doable, and addresses the main concern with (3).

lukehoban avatar Dec 20 '17 17:12 lukehoban
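The compare-and-set behaviour discussed in the two comments above, as an added illustration (this is not pulumi-cloud code and not a Pulumi dynamic provider as such). It assumes a minimal `ApiGatewayAccountApi` interface standing in for the API Gateway account calls, with an in-memory fake so it runs offline; the role ARNs are constructed sample values. It contrasts option 3 (every stack writes unconditionally, last writer wins) with option 4 (set the region-wide role only if it is unset or equals the expected value, otherwise fail with a detailed error), and also shows a drift-safe teardown that only clears the setting when it still holds this stack's own ARN.

```typescript
// Added example (not pulumi-cloud code). The AWS API Gateway account calls are
// hidden behind a minimal interface, an assumption of this example, so the
// decision logic runs offline; a real implementation would back it with the SDK.
export interface ApiGatewayAccountApi {
  getCloudwatchRoleArn(): string | undefined;
  updateCloudwatchRoleArn(arn: string | undefined): void;
}

/** In-memory stand-in for the single account/region-wide setting. */
export class FakeAccountApi implements ApiGatewayAccountApi {
  constructor(private roleArn: string | undefined = undefined) {}
  getCloudwatchRoleArn(): string | undefined { return this.roleArn; }
  updateCloudwatchRoleArn(arn: string | undefined): void { this.roleArn = arn; }
}

/** Raised instead of silently overwriting a value another party owns. */
export class AccountRoleConflictError extends Error {
  constructor(current: string | undefined, expected: string | undefined, desired: string) {
    super(
      (current
        ? `API Gateway cloudwatchRoleArn in this region is already "${current}"`
        : `API Gateway cloudwatchRoleArn in this region is unset`) +
      (expected ? ` but this stack expected "${expected}"` : ``) +
      `; refusing to set it to "${desired}". The setting is shared by every stack ` +
      `in the account/region, so configure it once or reuse the existing role.`,
    );
    this.name = "AccountRoleConflictError";
  }
}

export type EnsureOutcome = "set" | "unchanged";

/** Option 3 from the issue: unconditional write, last writer wins. */
export function setUnconditionally(api: ApiGatewayAccountApi, desiredArn: string): void {
  api.updateCloudwatchRoleArn(desiredArn);
}

/**
 * Option 4 from the issue: "set this IFF it was equal to value X, otherwise fail".
 * X defaults to "unset", so a stack only claims the setting when nobody owns it.
 */
export function ensureCloudwatchRole(
  api: ApiGatewayAccountApi,
  desiredArn: string,
  expectedCurrent?: string,
): EnsureOutcome {
  const current = api.getCloudwatchRoleArn() || undefined;  // treat "" as unset
  if (current === desiredArn) return "unchanged";            // already ours: no-op
  if (current === expectedCurrent) {                         // unset, or equals X
    api.updateCloudwatchRoleArn(desiredArn);
    return "set";
  }
  throw new AccountRoleConflictError(current, expectedCurrent, desiredArn);
}

/** On stack delete: clear the setting only if it still holds our ARN, so a value
 *  that drifted to another stack's role is left alone. Returns whether we cleared it. */
export function releaseCloudwatchRole(api: ApiGatewayAccountApi, ourArn: string): boolean {
  if (api.getCloudwatchRoleArn() !== ourArn) return false;
  api.updateCloudwatchRoleArn(undefined);
  return true;
}

/** Two stacks deploying into the same region, under each strategy. */
export function demo() {
  // Constructed sample ARNs, not real roles.
  const roleA = "arn:aws:iam::123456789012:role/stack-a-api-logs";
  const roleB = "arn:aws:iam::123456789012:role/stack-b-api-logs";

  const naive = new FakeAccountApi();
  setUnconditionally(naive, roleA);
  setUnconditionally(naive, roleB);  // silently clobbers stack A's role

  const guarded = new FakeAccountApi();
  const first = ensureCloudwatchRole(guarded, roleA);   // "set"
  const again = ensureCloudwatchRole(guarded, roleA);   // "unchanged" (idempotent)
  let conflict: string | undefined;
  try {
    ensureCloudwatchRole(guarded, roleB);               // throws: owned by stack A
  } catch (e) {
    conflict = (e as Error).name;
  }
  // Stack B tearing down must not clear stack A's role.
  const released = releaseCloudwatchRole(guarded, roleB);

  return { naiveFinal: naive.getCloudwatchRoleArn(), first, again, conflict, released };
}
```

In a real dynamic provider the `create`/`update` steps would call `ensureCloudwatchRole` and `delete` would call `releaseCloudwatchRole`; the conflict error is what a user sees instead of silent drift between stacks.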

Hi @lukehoban, are there any updates or recommendations on this?

edgarrmondragon avatar Oct 26 '22 06:10 edgarrmondragon