Enable APIG logging across accounts

ServerlessOpsIO · Oct 21, 2024 · a64ccd8 · a64ccd8
1 parent 60c13b0
commit a64ccd8
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 0 deletions.
diff --git a/stacksets-template.yaml b/stacksets-template.yaml
@@ -9,6 +9,14 @@ Parameters:
     Default: r-c834
 
 Resources:
+  ApigLoggingStackSet:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location: "./stacksets/apig-logging/stackset.yaml"
+      Parameters:
+        TargetOuIds: !Ref TargetOuIds
+        TargetRegions: us-east-1
+
   BillingStackSet:
     Type: AWS::Serverless::Application
     Properties:

diff --git a/stacksets/apig-logging/stackset.yaml b/stacksets/apig-logging/stackset.yaml
@@ -0,0 +1,37 @@
+Metadata:
+  localTemplateFile: &template_body ./template.yaml
+
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: AWS account infrastructure stackset (APIG Logging)
+
+Parameters:
+  TargetOuIds:
+    Type: CommaDelimitedList
+    Description: List of OUs
+  TargetRegions:
+    Type: CommaDelimitedList
+    Description: Regions to deploy to
+
+Resources:
+  OrgBilling:
+    Type: AWS::CloudFormation::StackSet
+    Properties:
+      StackSetName: ApigLogging
+      Description: API Gateway Logging
+      CallAs: DELEGATED_ADMIN
+      StackInstancesGroup:
+        - DeploymentTargets:
+            OrganizationalUnitIds: !Ref TargetOuIds
+          Regions: !Ref TargetRegions
+      AutoDeployment:
+        Enabled: true
+        RetainStacksOnAccountRemoval: false
+      ManagedExecution:
+        Active: true
+      OperationPreferences:
+        RegionConcurrencyType: PARALLEL
+        FailureToleranceCount: 1
+        MaxConcurrentCount: 5
+      PermissionModel: SERVICE_MANAGED
+      TemplateBody: *template_body
diff --git a/stacksets/apig-logging/template.yaml b/stacksets/apig-logging/template.yaml
@@ -0,0 +1,22 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'AWS APIG Logging'
+
+Resources:
+  CloudWatchRole:
+      Type: AWS::IAM::Role
+      Properties:
+        AssumeRolePolicyDocument:
+          Version: '2012-10-17'
+          Statement:
+            Action: 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service: apigateway.amazonaws.com
+        Path: /
+        ManagedPolicyArns:
+          - 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
+
+  ApigAccount:
+    Type: AWS::ApiGateway::Account
+    Properties:
+      CloudWatchRoleArn: !GetAtt CloudWatchRole.Arn
diff --git a/template.yaml b/template.yaml
@@ -9,6 +9,11 @@ Parameters:
 
 
 Resources:
+  ApigLoggingStack:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location: "./stacksets/apig-logging/template.yaml"
+
   BillingStackManagement:
     Type: AWS::Serverless::Application
     Properties: