Terraform API Gateway HTTP API - 获取错误 Insufficient permissions to enable logging

Question

我用于部署 HTTP API 的 terraform 脚本如下所示。运行此程序时出现以下错误 -
创建 API Gateway v2 阶段时出错:BadRequestException:权限不足，无法启用日志记录
我需要添加其他东西才能使它工作吗？

resource "aws_cloudwatch_log_group" "api_gateway_log_group" {
  name              = "/aws/apigateway/${var.location}-${var.custom_tags.Layer}-demo-publish-api"
  retention_in_days = 7
  tags = var.custom_tags
}

resource "aws_apigatewayv2_api" "demo_publish_api" {
  name = "${var.location}-${var.custom_tags.Layer}-demo-publish-api"
  description = "API to publish event payloads"
  protocol_type = "HTTP"
  tags = var.custom_tags
}

resource "aws_apigatewayv2_vpc_link" "demo_vpc_link" {
  name = "${var.location}-${var.custom_tags.Layer}-demo-vpc-link"
  security_group_ids = local.security_group_id_list
  subnet_ids = local.subnet_ids_list
  tags = var.custom_tags
}

resource "aws_apigatewayv2_integration" "demo_apigateway_integration" {
  api_id           = aws_apigatewayv2_api.demo_publish_api.id
  integration_type = "HTTP_PROXY"
  connection_type = "VPC_LINK"
  integration_uri = var.alb_listener_arn
  connection_id = aws_apigatewayv2_vpc_link.demo_vpc_link.id
  integration_method = "POST"
  timeout_milliseconds = var.api_timeout_milliseconds
}

resource "aws_apigatewayv2_route" "demo_publish_api_route" {
  api_id    = aws_apigatewayv2_api.demo_publish_api.id
  route_key = "POST /api/event"
  target = "integrations/${aws_apigatewayv2_integration.demo_apigateway_integration.id}"
}

resource "aws_apigatewayv2_stage" "demo_publish_api_default_stage" {
  depends_on = [aws_cloudwatch_log_group.api_gateway_log_group]

  api_id = aws_apigatewayv2_api.demo_publish_api.id
  name   = "$default"
  auto_deploy = true
  tags = var.custom_tags

  route_settings {
    route_key = aws_apigatewayv2_route.demo_publish_api_route.route_key
    throttling_burst_limit = var.throttling_burst_limit
    throttling_rate_limit = var.throttling_rate_limit
  }

  default_route_settings {
    detailed_metrics_enabled = true
    logging_level = "INFO"
  }

  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.api_gateway_log_group.arn
    format = jsonencode({ "requestId":"$context.requestId", "ip": "$context.identity.sourceIp"})
  }
}

Answer 1

在联系 AWS 支持之前，我坚持了几天。如果您已经部署了大量 HTTP API，那么您可能会遇到相同的问题，即 IAM 策略变得非常大。

运行此 AWS CLI 命令以查找关联的 CloudWatch Logs 资源策略:aws logs describe-resource-policies

寻找 AWSLogDeliveryWrite20150319 .您会注意到此策略具有大量关联的 LogGroup 资源。您有三个选项:

通过删除一些可能未使用的条目来调整此策略。

将资源列表更改为 "*"

您可以添加另一个策略。基于此策略，在它们之间拆分资源记录。

通过此 AWS CLI 命令应用更新:aws logs put-resource-policy

这是我用来设置资源的命令。使用 "*"政策:

aws logs put-resource-policy --policy-name AWSLogDeliveryWrite20150319 --policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AWSLogDeliveryWrite\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Resource\":[\"*\"]}]}"