feat: enable API Gateway access logs #267

Merged
merged 1 commit into from
Jan 27, 2021

Contributor

@carvantes carvantes commented Jan 25, 2021

Description of changes:

Enable ApiGW access logs. The values that are logged were handpicked from the ApiGW List of Log Variables.

example log entry:

{
    "authorizer.principalId": "u-PvFZgnw5fl5nwqIia4F0P",
    "error.message": "-",
    "extendedRequestId": "ZuT4rGDNoAMFxXw=",
    "httpMethod": "GET",
    "identity.sourceIp": "22.22.196.22",
    "integration.error": "-",
    "integration.integrationStatus": "200",
    "integration.latency": "79",
    "integration.requestId": "67394741-90ae-4c6c-94fb-df8bf7be33ec",
    "integration.status": "200",
    "path": "/nesdev/api/user-roles",
    "requestId": "468a1b4d-3015-4901-b749-37e4e0551029",
    "responseLatency": "83",
    "responseLength": "819",
    "stage": "nesdev",
    "status": "200"
}

Execution logging is explicitly disabled since its features are not-so-great for the average customer:

  • It is very verbose, thus expensive.
  • There's no way to mask sensitive data from the logs.
  • Large payloads/responses may be truncated so it's not a surefire way to log all relevant request data

Checklist:

  • Have you successfully deployed to an AWS account with your changes?
  • Have you linted your code locally prior to submission?
  • [n/a] Have you written new tests for your core changes, as applicable?
  • Have you successfully run unit tests and manual tests with your changes locally?
  • [n/a] If you had to run manual tests, have you considered automating those tests by adding them to end-to-end tests?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
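
Added example (not part of this PR or the project's code): a small triage pass over access-log lines shaped like the entry above, flagging source IPs with repeated denied requests and listing requests whose backend integration failed. The function names, the threshold and the sample lines are assumptions constructed for illustration.

```python
import json
from collections import Counter

INT_FIELDS = ("status", "responseLatency", "responseLength",
              "integration.latency", "integration.status")

def parse_entry(line):
    """Parse one access-log line; "-" (unset value, as in the example) becomes None."""
    raw = json.loads(line)
    entry = {k: (None if v == "-" else v) for k, v in raw.items()}
    for field in INT_FIELDS:
        value = entry.get(field)
        entry[field] = int(value) if value and value.isdigit() else None
    return entry

def summarize(lines, threshold=3):
    """Flag source IPs with >= threshold denied requests and list backend failures."""
    denied, backend_errors = Counter(), []
    for line in lines:
        e = parse_entry(line)
        if e["status"] in (401, 403):
            denied[e.get("identity.sourceIp")] += 1
        if e.get("integration.error") or (e["status"] or 0) >= 500:
            backend_errors.append(e.get("requestId"))
    noisy = sorted(ip for ip, n in denied.items() if ip and n >= threshold)
    return {"noisy_sources": noisy, "backend_errors": backend_errors}

def make_line(status, ip, request_id, integ_status="-", integ_error="-"):
    """Build a constructed sample line using keys from the PR's example entry."""
    return json.dumps({
        "error.message": "-", "httpMethod": "GET", "identity.sourceIp": ip,
        "integration.error": integ_error, "integration.status": integ_status,
        "integration.latency": "79" if integ_status != "-" else "-",
        "path": "/dev/api/user-roles", "requestId": request_id,
        "responseLatency": "83", "responseLength": "819", "status": status,
    })

# Constructed sample data (documentation-range IPs), not real traffic.
SAMPLE_LINES = [
    make_line("200", "198.51.100.7", "req-1", integ_status="200"),
    make_line("403", "203.0.113.9", "req-2"),
    make_line("403", "203.0.113.9", "req-3"),
    make_line("403", "203.0.113.9", "req-4"),
    make_line("403", "198.51.100.7", "req-5"),
    make_line("502", "198.51.100.7", "req-6", integ_error="constructed failure"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```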

@carvantes carvantes requested a review from a team as a code owner January 25, 2021 22:17
@carvantes carvantes requested review from SanketD92, Bingjiling, jn1119 and hatimkhan and removed request for hatimkhan January 25, 2021 22:17
Contributor

@jn1119 jn1119 left a comment

Is there some ballpark estimate on the costs here that we can derive? Like 'x' number of API calls amount to a certain cost. Also, do these logs have a retention policy and costs are additive?

Contributor Author

carvantes commented Jan 27, 2021

> Is there some ballpark estimate on the costs here that we can derive? Like 'x' number of API calls amount to a certain cost. Also, do these logs have a retention policy and costs are additive?

In general the cost is low. Access logs are a single line per request (~500 bytes).
See Example 3 - Monitoring with logs at https://aws.amazon.com/cloudwatch/pricing/. SWB would need 60M monthly requests (considering access logs only) to match the "1GB per day of ingested log data" from the example, and that costs $12.53.

Logs do not have a retention policy; they are kept forever. This is in line with the retention policy for all the other SWB CloudWatch logs. We may want to do something to shorten the retention time to reduce costs, but that's out of the scope of this PR.

Contributor

jn1119 commented Jan 27, 2021

> > Is there some ballpark estimate on the costs here that we can derive? Like 'x' number of API calls amount to a certain cost. Also, do these logs have a retention policy and costs are additive?
>
> In general the cost is low. Access logs are a single line per request (~500 bytes).
> See Example 3 - Monitoring with logs at https://aws.amazon.com/cloudwatch/pricing/. SWB would need 60M monthly, considering access logs only, to match the "1GB per day of ingested log data" from the example and that costs $12.53.
>
> Logs do not have a retention policy; they are kept forever. This is in line with the retention policy for all the other SWB CloudWatch logs. We may want to do something to shorten the retention time to reduce costs, but that's out of the scope of this PR.

Sounds good to me, I will create a backlog item for adding retention. But I think that is something customers can do on their own too. LGTM overall.

@jn1119 jn1119 closed this Jan 27, 2021
@jn1119 jn1119 reopened this Jan 27, 2021
@carvantes carvantes merged commit 7ff9b4f into master Jan 27, 2021
@carvantes carvantes deleted the dev-apigw-access-logs branch January 27, 2021 19:48
jxuamazon pushed a commit to jxuamazon/service-workbench-on-aws that referenced this pull request Feb 15, 2022