feat(apigatewayv2): HttpStage access logging

[phuhung273]

Issue # (if applicable)

Closes #11100

Description of changes

• apigwv2 HttpStage support access logging to CloudWatch Logs https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging.html
• Same logic as V1 without Firehose as not supported.

Description of how you validated changes

Unit + Integ

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[paulhcsun]

Could we modify this check to check that the accessLofFormat.toString() includes either contextRequestId or contextExtendedRequestId instead of using a regex? Something like this:

if (
  accessLogFormat !== undefined &&
  !Token.isUnresolved(accessLogFormat.toString()) &&
  !accessLogFormat.toString().includes('$context.requestId') &&
  !accessLogFormat.toString().includes('$context.extendedRequestId')
) {

[phuhung273]

Intention is to prevent user from mistakenly using something like $context.requestIdxxx. In such case, .includes('$context.requestId') passes, but later fail on runtime.

I personally think we are fine with this. Let me know your point.

[paulhcsun]

Oh I see, thanks for clarifying. Then maybe we can do a stricter exact match like so:

const allowedValues = new Set([
    '$context.requestId',
    '$context.extendedRequestId'
  ]);

if (
  accessLogFormat !== undefined &&
  !Token.isUnresolved(accessLogFormat.toString()) &&
  !allowedValues.has(accessLogFormat.toString())
) {
  throw new ValidationError(...);
}

I agree the current change would probably be fine but better to satisfy the CodeQL checks where possible. What do you think?

[phuhung273]

Thanks for the recommendation. I updated to use your first solution.

[paulhcsun]

The first solution would accept an input like $context.requestIdxxx like you mentioned but that's not what we want. I think we should use the second option which uses stricter exact string matching.

[phuhung273]

format contains multiple parameters, eg: $context.responseLength $context.requestId. So 2nd solution .has doesn't work as it check for the exact string. Anw, i've updated the regex to pass CodeQL. Please let me know what you think.

[paulhcsun]

Good point, the current solution lgtm!

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.98%. Comparing base (a67c3f5) to head (d67296c).
Report is 69 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #33977      +/-   ##
==========================================
+ Coverage   82.39%   83.98%   +1.58%     
==========================================
  Files         120      120              
  Lines        6960     6976      +16     
  Branches     1175     1178       +3     
==========================================
+ Hits         5735     5859     +124     
+ Misses       1120     1005     -115     
- Partials      105      112       +7     

Flag	Coverage Δ
suite.unit	83.98% <ø> (+1.58%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	∅ <ø> (∅)
packages/aws-cdk-lib/core	83.98% <ø> (+1.58%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[paulhcsun]

Hi @phuhung273, thank you for this contribution for this very highly community-requested feature! I've just left a few comments for some changes.

[paulhcsun]

Could we modify this check to check that the accessLofFormat.toString() includes either contextRequestId or contextExtendedRequestId instead of using a regex? Something like this:

if (
  accessLogFormat !== undefined &&
  !Token.isUnresolved(accessLogFormat.toString()) &&
  !accessLogFormat.toString().includes('$context.requestId') &&
  !accessLogFormat.toString().includes('$context.extendedRequestId')
) {

[paulhcsun]

Since the accessLogDestination property must be conditionally set if accessLogFormat is set, let's combine these two properties into an interface so that they must be specified together. Something like

interface IAccessLogOptions { // or IAccessLogSettings
  readonly accessLogDestnation: IAccessLogDestination;
  readonly accessLogFormat: AccessLogFormat;
}

This way we enforce that they must be set together and then we won't need the validation in the HttpStage constructor.

Note: I see that the old aws-apigateway's implementation for accessLogSettings has these two properties as separate properties, but I think we should still combine the properties even though it would differ from the existing convention. Wherever possible, we would like to enforce conditional properties with the API design rather than runtime validation.

[phuhung273]

Thanks for your advice. Agree that we should combine.

Another point, what do you think about making accessLogFormat optional with default value AccessLogFormat.clf(). IMO, most user just want to put the destination.

[paulhcsun]

Ya I think that's a good idea. Is it a valid use case to specify the destination without a format? If so then I think this change is fine as it is now.

[phuhung273]

format is always required according to CloudFormation. But I like the logic of apigwv1 to make it optional by providing default value if not specified, more user-friendly I think. So I kept it.

[paulhcsun]

I see, I think that is fine then if we have the same behaviour in apigv1. Thanks!

Pull request has been modified.

[phuhung273]

Seeing community demand for the same setting in WebSocketApi, eg: #21935 and comments from original issue. I moved it to StageBase to facilitate adding it to WebSocket later.

I did try to include WebSocket also, but ran into this error CloudWatch Logs role ARN must be set in account settings to enable logging. Found out that we need something like this cloudWatchRole in V1 for convenience

aws-cdk/packages/aws-cdk-lib/aws-apigateway/lib/restapi.ts

Lines 162 to 167 in 74cbe27

	/**
	* Automatically configure an AWS CloudWatch role for API Gateway.
	*
	* @default - false if `@aws-cdk/aws-apigateway:disableCloudWatchRole` is enabled, true otherwise
	*/
	readonly cloudWatchRole?: boolean;

Therefore, decided to only change StageBase and support HttpApi for the scope of this PR. Will create another for WebSocket.

[paulhcsun]

Hi @phuhung273, thanks for your quick response to the requested changes. I've just left two more comments:

1. to remove the check that is no longer needed
2. to update the condition for the accessLogFormat

Happy to approve after those changes are made!

[paulhcsun]

Great work! Thanks for your contribution @phuhung273!

[paulhcsun]

@Mergifyio update

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

update

☑️ Nothing to do

Details

• queue-position = -1 [📌 update requirement]
• #commits-behind > 0 [📌 update requirement]
• -closed [📌 update requirement]
• -conflict [📌 update requirement]

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 00d25a3
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.