From fcd9fbace1df963a7b86862ecfbbae7b33a867b4 Mon Sep 17 00:00:00 2001 From: Keitaro Watanabe <52523218+ktaroabobon@users.noreply.github.com> Date: Fri, 16 Sep 2022 16:59:46 +0900 Subject: [PATCH] feat: Add option to enable access log for API gateway (#2387) Co-authored-by: Yuto Nakamura --- README.md | 1 + main.tf | 19 ++++++++++--------- modules/webhook/README.md | 1 + modules/webhook/main.tf | 9 ++++++++- modules/webhook/variables.tf | 9 +++++++++ variables.tf | 8 ++++++++ 6 files changed, 37 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 2a04e3f1e1..5eed5f0ba2 100644 --- a/README.md +++ b/README.md @@ -481,6 +481,7 @@ In case the setup does not work as intended follow the trace of events: | [userdata\_pre\_install](#input\_userdata\_pre\_install) | Script to be ran before the GitHub Actions runner is installed on the EC2 instances | `string` | `""` | no | | [userdata\_template](#input\_userdata\_template) | Alternative user-data template, replacing the default template. By providing your own user\_data you have to take care of installing all required software, including the action runner. Variables userdata\_pre/post\_install are ignored. | `string` | `null` | no | | [vpc\_id](#input\_vpc\_id) | The VPC for security groups of the action runners. | `string` | n/a | yes | +| [webhook\_lambda\_apigateway\_access\_log\_settings](#input\_webhook\_lambda\_apigateway\_access\_log\_settings) | n/a |
object({
destination_arn = string
format = string
})
| `null` | no | | [webhook\_lambda\_s3\_key](#input\_webhook\_lambda\_s3\_key) | S3 key for webhook lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no | | [webhook\_lambda\_s3\_object\_version](#input\_webhook\_lambda\_s3\_object\_version) | S3 object version for webhook lambda function. Useful if S3 versioning is enabled on source bucket. | `any` | `null` | no | | [webhook\_lambda\_timeout](#input\_webhook\_lambda\_timeout) | Time out of the webhook lambda in seconds. | `number` | `10` | no | diff --git a/main.tf b/main.tf index 3a3525bd3b..e3a5277f0f 100644 --- a/main.tf +++ b/main.tf @@ -100,15 +100,16 @@ module "webhook" { sqs_build_queue_fifo = var.fifo_build_queue github_app_webhook_secret_arn = module.ssm.parameters.github_app_webhook_secret.arn - lambda_s3_bucket = var.lambda_s3_bucket - webhook_lambda_s3_key = var.webhook_lambda_s3_key - webhook_lambda_s3_object_version = var.webhook_lambda_s3_object_version - lambda_runtime = var.lambda_runtime - lambda_architecture = var.lambda_architecture - lambda_zip = var.webhook_lambda_zip - lambda_timeout = var.webhook_lambda_timeout - logging_retention_in_days = var.logging_retention_in_days - logging_kms_key_id = var.logging_kms_key_id + lambda_s3_bucket = var.lambda_s3_bucket + webhook_lambda_s3_key = var.webhook_lambda_s3_key + webhook_lambda_s3_object_version = var.webhook_lambda_s3_object_version + webhook_lambda_apigateway_access_log_settings = var.webhook_lambda_apigateway_access_log_settings + lambda_runtime = var.lambda_runtime + lambda_architecture = var.lambda_architecture + lambda_zip = var.webhook_lambda_zip + lambda_timeout = var.webhook_lambda_timeout + logging_retention_in_days = var.logging_retention_in_days + logging_kms_key_id = var.logging_kms_key_id # labels enable_workflow_job_labels_check = var.runner_enable_workflow_job_labels_check diff --git a/modules/webhook/README.md b/modules/webhook/README.md index 99df67e0af..56896a2744 100644 
--- a/modules/webhook/README.md +++ b/modules/webhook/README.md @@ -95,6 +95,7 @@ No modules. | [sqs\_build\_queue](#input\_sqs\_build\_queue) | SQS queue to publish accepted build events. |
object({
id = string
arn = string
})
| n/a | yes | | [sqs\_build\_queue\_fifo](#input\_sqs\_build\_queue\_fifo) | Enable a FIFO queue to remain the order of events received by the webhook. Suggest to set to true for repo level runners. | `bool` | `false` | no | | [tags](#input\_tags) | Map of tags that will be added to created resources. By default resources will be tagged with name and environment. | `map(string)` | `{}` | no | +| [webhook\_lambda\_apigateway\_access\_log\_settings](#input\_webhook\_lambda\_apigateway\_access\_log\_settings) | Access log settings for webhook API gateway. |
object({
destination_arn = string
format = string
})
| `null` | no | | [webhook\_lambda\_s3\_key](#input\_webhook\_lambda\_s3\_key) | S3 key for webhook lambda function. Required if using S3 bucket to specify lambdas. | `any` | `null` | no | | [webhook\_lambda\_s3\_object\_version](#input\_webhook\_lambda\_s3\_object\_version) | S3 object version for webhook lambda function. Useful if S3 versioning is enabled on source bucket. | `any` | `null` | no | | [workflow\_job\_labels\_check\_all](#input\_workflow\_job\_labels\_check\_all) | If set to true all labels in the workflow job must match the GitHub labels (os, architecture and `self-hosted`). When false if __any__ label matches it will trigger the webhook. `enable_workflow_job_labels_check` must be true for this to take effect. | `bool` | `true` | no | diff --git a/modules/webhook/main.tf b/modules/webhook/main.tf index b330913158..01e6387682 100644 --- a/modules/webhook/main.tf +++ b/modules/webhook/main.tf @@ -29,7 +29,14 @@ resource "aws_apigatewayv2_stage" "webhook" { api_id = aws_apigatewayv2_api.webhook.id name = "$default" auto_deploy = true - tags = var.tags + dynamic "access_log_settings" { + for_each = var.webhook_lambda_apigateway_access_log_settings[*] + content { + destination_arn = access_log_settings.value.destination_arn + format = access_log_settings.value.format + } + } + tags = var.tags } resource "aws_apigatewayv2_integration" "webhook" { diff --git a/modules/webhook/variables.tf b/modules/webhook/variables.tf index 977461f5cc..35c1dee7be 100644 --- a/modules/webhook/variables.tf +++ b/modules/webhook/variables.tf @@ -89,6 +89,15 @@ variable "webhook_lambda_s3_object_version" { default = null } +variable "webhook_lambda_apigateway_access_log_settings" { + description = "Access log settings for webhook API gateway." + type = object({ + destination_arn = string + format = string + }) + default = null +} + variable "repository_white_list" { description = "List of repositories allowed to use the github app" type = list(string) 
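Review bot: The new `dynamic "access_log_settings"` block in modules/webhook/main.tf writes to a caller-supplied CloudWatch Logs destination, so the module's own `logging_retention_in_days` and `logging_kms_key_id` inputs (wired through in the main.tf hunk) never apply to the access log group, and nothing in the hunk creates that group or checks it exists before the stage is applied; the enclosing `resource "aws_apigatewayv2_stage" "webhook"` starts just above the hunk. That deserves a one-line comment above the block, e.g. `# Access logs go to a caller-owned log group; its retention and KMS settings are the caller's responsibility`, and a matching sentence in the variable description in modules/webhook/variables.tf. The `for_each = var.webhook_lambda_apigateway_access_log_settings[*]` line depends on the splat turning `null` into an empty list so the block is omitted when unset, which a comment such as `# [*] yields [] for null, so no access_log_settings block is rendered unless configured` would make explicit. As far as I recall API Gateway also rejects a `format` that omits `$context.requestId`, which Terraform will not catch at plan time; a `validation` block on the variable or a note in its description would surface that earlier.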
diff --git a/variables.tf b/variables.tf
index 76934cd79f..620beb7af6 100644
--- a/variables.tf
+++ b/variables.tf
@@ -302,6 +302,14 @@ variable "webhook_lambda_s3_object_version" {
 default = null
 }
 
+variable "webhook_lambda_apigateway_access_log_settings" {
+ type = object({
+ destination_arn = string
+ format = string
+ })
+ default = null
+}
+
 variable "runners_lambda_s3_key" {
 description = "S3 key for runners lambda function. Required if using S3 bucket to specify lambdas."
 default = null
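Review bot: The root-level `variable "webhook_lambda_apigateway_access_log_settings"` has no `description`, which is why the README.md hunk in this same patch renders its description as `n/a`, while the module-level copy in modules/webhook/variables.tf does carry one. Add `description = "Access log settings for webhook API gateway."` (the module's wording) so the two declarations stay aligned and the generated docs are complete. Since the value is passed straight through to the API Gateway stage, it would also help to state that `destination_arn` must point at an existing CloudWatch Logs log group that this module does not create or manage.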