Pattern: API Gateway stages for V1 and V2 should have access logging enabled
Issue: -
API Gateway stages should have an access_log_settings block configured so that every request to the stage is recorded. This applies to both v1 (REST API) and v2 (HTTP/WebSocket API) gateway stages.
Resolution: Enable access logging on every API Gateway stage by adding an access_log_settings block.
Example of incorrect code:
# Fails the check: this v2 (HTTP/WebSocket API) stage declares no
# access_log_settings block, so requests reaching the stage are not
# recorded anywhere and cannot be reviewed later.
resource "aws_apigatewayv2_stage" "bad_example" {
api_id = aws_apigatewayv2_api.example.id
name = "example-stage"
}
# Fails the check: this v1 (REST API) stage declares no access_log_settings
# block, so there is no per-request record of who called the API, which
# resource was hit, or what status was returned.
resource "aws_api_gateway_stage" "bad_example" {
deployment_id = aws_api_gateway_deployment.example.id
rest_api_id = aws_api_gateway_rest_api.example.id
stage_name = "example"
}
Example of correct code:
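# Passes the check: the v2 stage sends access logs to a CloudWatch Logs group.
# Constructed sample: "aws_cloudwatch_log_group.example" stands in for a log
# group declared elsewhere in the configuration.
resource "aws_apigatewayv2_stage" "good_example" {
  api_id = aws_apigatewayv2_api.example.id
  name   = "example-stage"

  # Empty destination_arn/format values only satisfy a "block is present"
  # check; they do not deliver any logs. Point at a real destination and
  # capture enough $context fields to reconstruct who called which route,
  # when, and with what outcome.
  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.example.arn
    format = jsonencode({
      requestId      = "$context.requestId"
      ip             = "$context.identity.sourceIp"
      requestTime    = "$context.requestTime"
      httpMethod     = "$context.httpMethod"
      routeKey       = "$context.routeKey"
      status         = "$context.status"
      protocol       = "$context.protocol"
      responseLength = "$context.responseLength"
    })
  }
}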
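# Passes the check: the v1 (REST API) stage sends access logs to a CloudWatch
# Logs group. Constructed sample: "aws_cloudwatch_log_group.example" stands in
# for a log group declared elsewhere in the configuration.
resource "aws_api_gateway_stage" "good_example" {
  deployment_id = aws_api_gateway_deployment.example.id
  rest_api_id   = aws_api_gateway_rest_api.example.id
  stage_name    = "example"

  # Empty destination_arn/format values only satisfy a "block is present"
  # check; they do not deliver any logs. Use a real destination and a format
  # that records caller, method, resource path, time and result for each
  # request.
  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.example.arn
    format = jsonencode({
      requestId      = "$context.requestId"
      ip             = "$context.identity.sourceIp"
      requestTime    = "$context.requestTime"
      httpMethod     = "$context.httpMethod"
      resourcePath   = "$context.resourcePath"
      status         = "$context.status"
      protocol       = "$context.protocol"
      responseLength = "$context.responseLength"
    })
  }
}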