I am creating a CFN template in which I enable logging for API Gateway. It already creates a role like this:
"ApiGatewayCloudWatchLogsRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": { "Service": ["apigateway.amazonaws.com"] },
        "Action": ["sts:AssumeRole"]
      }]
    },
    "ManagedPolicyArns": [
      "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess"
    ],
    "Policies": [{
      "PolicyName": "ApiGatewayLogsPolicy",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:DescribeLogGroups",
            "logs:DescribeLogStreams",
            "logs:PutLogEvents",
            "logs:GetLogEvents",
            "logs:FilterLogEvents"
          ],
          "Resource": "*"
        }]
      }
    }]
  }
}
Following this doc, I added it to an AWS::ApiGateway::Account like this:
"ApiGatewayAccount": {
  "Type": "AWS::ApiGateway::Account",
  "Properties": {
    "CloudWatchRoleArn": { "Fn::GetAtt": ["ApiGatewayCloudWatchLogsRole", "Arn"] }
  }
},
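In the documentation for AWS::ApiGateway::Account, they specify this:
Important
If an API Gateway resource has never been created in your AWS account, you must add a dependency on another API Gateway resource, such as an AWS::ApiGateway::RestApi or AWS::ApiGateway::ApiKey resource.
If an API Gateway resource has been created in your AWS account, no dependency is required (even if the resource was deleted).
This is my understanding of the note above: if my CFN does not have an AWS::ApiGateway::Resource, then I need to add a dependency to my AWS::ApiGateway::Account so that the AWS::ApiGateway::Account resource is created only after the AWS::ApiGateway::RestApi has been created.
So I changed my CFN snippet to this: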
"ApiGatewayAccount": {
  "Type": "AWS::ApiGateway::Account",
  "DependsOn": [
    "CFNTest" --> This is an `AWS::ApiGateway::RestApi`
  ],
  "Properties": {
    "CloudWatchRoleArn": { "Fn::GetAtt": ["ApiGatewayCloudWatchLogsRole", "Arn"] }
  }
},
Is my understanding correct?
Thanks