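#!/bin/bash
# AWS API Gateway CloudWatch Logs Setup Script
# Configures the account-level API Gateway setting (cloudwatchRoleArn) that
# lets API Gateway write logs to CloudWatch Logs, creating the IAM role it
# assumes if it does not exist yet. Safe to run multiple times (idempotent).
#
# Requires: the aws CLI on PATH and working credentials
# (checked via `aws sts get-caller-identity` before anything is changed).

# -e: abort on an unhandled failing command
# -u: treat unset variables as errors (catches a mistyped variable name)
# -o pipefail: a pipeline fails if any stage fails, not just the last one
set -euo pipefail

# ANSI color codes for output. Stored as literal backslash escapes; they are
# expanded at print time (echo -e / printf %b).
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color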
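#######################################
# Print one status line to stdout, colored by severity.
# Globals:   RED, GREEN, YELLOW, NC (read; expected to hold ANSI escapes)
# Arguments: $1 - status: error | success | warning | info
#                 (any other value prints the bare message instead of nothing)
#            $2 - message text
# Outputs:   one line on stdout. printf '%b' expands backslash escapes in the
#            argument the same way `echo -e` did, so the color variables still
#            work, while avoiding echo's option/escape portability quirks.
#######################################
print_status() {
  local status=$1
  local message=$2
  case "$status" in
    error)   printf '%b\n' "${RED}✗ ${message}${NC}" ;;
    success) printf '%b\n' "${GREEN}✓ ${message}${NC}" ;;
    warning) printf '%b\n' "${YELLOW}⚠ ${message}${NC}" ;;
    info)    printf '%b\n' "ℹ ${message}" ;;
    # Unknown status: do not drop the message silently.
    *)       printf '%b\n' "${message}" ;;
  esac
}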
# Preflight: require the aws CLI and usable credentials before changing anything.
print_status "info" "Starting API Gateway CloudWatch Logs setup..."

command -v aws >/dev/null 2>&1 || {
  print_status "error" "AWS CLI is not installed. Please install AWS CLI first."
  exit 1
}

# A failing identity call means no (or unusable) credentials.
aws sts get-caller-identity >/dev/null 2>&1 || {
  print_status "error" "AWS credentials are not configured. Please run 'aws configure' first."
  exit 1
}
# Resolve the caller's account ID and the CLI's configured region.
# REGION is only echoed to the operator here; the later aws calls rely on the
# CLI's own region resolution rather than passing it explicitly.
ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
REGION=$(aws configure get region || echo "ap-northeast-1")
print_status "info" "Working with AWS Account: $ACCOUNT_ID in region: $REGION"
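# IAM role that API Gateway assumes to push logs.
# The trust policy grants sts:AssumeRole to the apigateway.amazonaws.com
# service principal only; marked readonly so nothing later can widen it.
readonly ROLE_NAME="APIGatewayCloudWatchLogs"
readonly ASSUME_ROLE_POLICY='{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "apigateway.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
  }]
}'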
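# Step 1: Create the IAM role API Gateway will assume, or reuse an existing one.
# Globals: ROLE_NAME, ASSUME_ROLE_POLICY (read); ROLE_ARN (written)
readonly PUSH_LOGS_POLICY_ARN="arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"

print_status "info" "Checking for existing IAM role: $ROLE_NAME"
if aws iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1; then
  print_status "warning" "IAM role '$ROLE_NAME' already exists"
  # NOTE(review): an existing role's trust policy is not compared against
  # ASSUME_ROLE_POLICY here; only the managed policy attachment is re-asserted
  # below. Confirm the trust policy manually if the role was not created by
  # this script.
  role_created=0
else
  print_status "info" "Creating IAM role: $ROLE_NAME"
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$ASSUME_ROLE_POLICY" \
    --description "Allows API Gateway to push logs to CloudWatch Logs" \
    >/dev/null
  role_created=1
fi

# attach-role-policy is idempotent (re-attaching an attached policy is not an
# error), so it runs on the reuse path too: a pre-existing role whose managed
# policy was detached would otherwise be reported as fine while presumably
# lacking the permissions to write logs.
print_status "info" "Attaching CloudWatch Logs policy to role"
aws iam attach-role-policy \
  --role-name "$ROLE_NAME" \
  --policy-arn "$PUSH_LOGS_POLICY_ARN" \
  >/dev/null

# Resolve the ARN once, after both paths converge.
ROLE_ARN=$(aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text)

if (( role_created )); then
  print_status "success" "IAM role created successfully: $ROLE_ARN"
  # IAM is eventually consistent; give a freshly created role time to
  # propagate before API Gateway is asked to use it.
  print_status "info" "Waiting for IAM role to propagate..."
  sleep 10
fi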
# Step 2: Point the account-level API Gateway cloudwatchRoleArn at ROLE_ARN,
# skipping the update when it already holds that value.
# Globals: ROLE_ARN (read); CURRENT_ROLE_ARN (written)
print_status "info" "Updating API Gateway account settings"

# An unset role comes back as the text "None" (null in --output text); a failed
# get-account call is mapped to "None" as well so the update path is taken.
CURRENT_ROLE_ARN=$(aws apigateway get-account --query 'cloudwatchRoleArn' --output text 2>/dev/null || echo "None")

if [[ "$CURRENT_ROLE_ARN" == "$ROLE_ARN" ]]; then
  print_status "success" "API Gateway is already configured with the correct CloudWatch role"
else
  case "$CURRENT_ROLE_ARN" in
    None|"")
      print_status "info" "No CloudWatch role currently configured for API Gateway"
      ;;
    *)
      print_status "warning" "Current CloudWatch role: $CURRENT_ROLE_ARN"
      print_status "info" "Updating to: $ROLE_ARN"
      ;;
  esac

  aws apigateway update-account \
    --patch-operations "op=replace,path=/cloudwatchRoleArn,value=$ROLE_ARN" \
    >/dev/null
  print_status "success" "API Gateway account settings updated successfully"
fi
# Step 3: Print the resulting account settings so the operator can eyeball them.
print_status "info" "Verifying configuration..."
printf '\n%s\n%s\n' \
  "Current API Gateway Account Settings:" \
  "====================================="
aws apigateway get-account \
  --query '{CloudWatchRoleArn: cloudwatchRoleArn, ThrottleSettings: throttleSettings}' \
  --output table
printf '\n'
print_status "success" "API Gateway CloudWatch Logs setup completed!"