Account
Provides a settings of an API Gateway Account. Settings is applied region-wide per provider block.
Note: By default, destroying this resource will keep your account settings intact. Set
reset_on_deletetotrueto reset the account setttings to default. In a future major version of the provider, destroying the resource will reset account settings.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const assumeRole = aws.iam.getPolicyDocument({
statements: [{
effect: "Allow",
principals: [{
type: "Service",
identifiers: ["apigateway.amazonaws.com"],
}],
actions: ["sts:AssumeRole"],
}],
});
const cloudwatchRole = new aws.iam.Role("cloudwatch", {
name: "api_gateway_cloudwatch_global",
assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json),
});
const demo = new aws.apigateway.Account("demo", {cloudwatchRoleArn: cloudwatchRole.arn});
const cloudwatch = aws.iam.getPolicyDocument({
statements: [{
effect: "Allow",
actions: [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents",
],
resources: ["*"],
}],
});
const cloudwatchRolePolicy = new aws.iam.RolePolicy("cloudwatch", {
name: "default",
role: cloudwatchRole.id,
policy: cloudwatch.then(cloudwatch => cloudwatch.json),
});Content copied to clipboard
import pulumi
import pulumi_aws as aws
assume_role = aws.iam.get_policy_document(statements=[{
"effect": "Allow",
"principals": [{
"type": "Service",
"identifiers": ["apigateway.amazonaws.com"],
}],
"actions": ["sts:AssumeRole"],
}])
cloudwatch_role = aws.iam.Role("cloudwatch",
name="api_gateway_cloudwatch_global",
assume_role_policy=assume_role.json)
demo = aws.apigateway.Account("demo", cloudwatch_role_arn=cloudwatch_role.arn)
cloudwatch = aws.iam.get_policy_document(statements=[{
"effect": "Allow",
"actions": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents",
],
"resources": ["*"],
}])
cloudwatch_role_policy = aws.iam.RolePolicy("cloudwatch",
name="default",
role=cloudwatch_role.id,
policy=cloudwatch.json)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "Service",
Identifiers = new[]
{
"apigateway.amazonaws.com",
},
},
},
Actions = new[]
{
"sts:AssumeRole",
},
},
},
});
var cloudwatchRole = new Aws.Iam.Role("cloudwatch", new()
{
Name = "api_gateway_cloudwatch_global",
AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
var demo = new Aws.ApiGateway.Account("demo", new()
{
CloudwatchRoleArn = cloudwatchRole.Arn,
});
var cloudwatch = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents",
},
Resources = new[]
{
"*",
},
},
},
});
var cloudwatchRolePolicy = new Aws.Iam.RolePolicy("cloudwatch", new()
{
Name = "default",
Role = cloudwatchRole.Id,
Policy = cloudwatch.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/apigateway"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Effect: pulumi.StringRef("Allow"),
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Type: "Service",
Identifiers: []string{
"apigateway.amazonaws.com",
},
},
},
Actions: []string{
"sts:AssumeRole",
},
},
},
}, nil)
if err != nil {
return err
}
cloudwatchRole, err := iam.NewRole(ctx, "cloudwatch", &iam.RoleArgs{
Name: pulumi.String("api_gateway_cloudwatch_global"),
AssumeRolePolicy: pulumi.String(assumeRole.Json),
})
if err != nil {
return err
}
_, err = apigateway.NewAccount(ctx, "demo", &apigateway.AccountArgs{
CloudwatchRoleArn: cloudwatchRole.Arn,
})
if err != nil {
return err
}
cloudwatch, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Effect: pulumi.StringRef("Allow"),
Actions: []string{
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents",
},
Resources: []string{
"*",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = iam.NewRolePolicy(ctx, "cloudwatch", &iam.RolePolicyArgs{
Name: pulumi.String("default"),
Role: cloudwatchRole.ID(),
Policy: pulumi.String(cloudwatch.Json),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.apigateway.Account;
import com.pulumi.aws.apigateway.AccountArgs;
import com.pulumi.aws.iam.RolePolicy;
import com.pulumi.aws.iam.RolePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("Service")
.identifiers("apigateway.amazonaws.com")
.build())
.actions("sts:AssumeRole")
.build())
.build());
var cloudwatchRole = new Role("cloudwatchRole", RoleArgs.builder()
.name("api_gateway_cloudwatch_global")
.assumeRolePolicy(assumeRole.json())
.build());
var demo = new Account("demo", AccountArgs.builder()
.cloudwatchRoleArn(cloudwatchRole.arn())
.build());
final var cloudwatch = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions(
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents")
.resources("*")
.build())
.build());
var cloudwatchRolePolicy = new RolePolicy("cloudwatchRolePolicy", RolePolicyArgs.builder()
.name("default")
.role(cloudwatchRole.id())
.policy(cloudwatch.json())
.build());
}
}Content copied to clipboard
resources:
demo:
type: aws:apigateway:Account
properties:
cloudwatchRoleArn: ${cloudwatchRole.arn}
cloudwatchRole:
type: aws:iam:Role
name: cloudwatch
properties:
name: api_gateway_cloudwatch_global
assumeRolePolicy: ${assumeRole.json}
cloudwatchRolePolicy:
type: aws:iam:RolePolicy
name: cloudwatch
properties:
name: default
role: ${cloudwatchRole.id}
policy: ${cloudwatch.json}
variables:
assumeRole:
fn::invoke:
function: aws:iam:getPolicyDocument
arguments:
statements:
- effect: Allow
principals:
- type: Service
identifiers:
- apigateway.amazonaws.com
actions:
- sts:AssumeRole
cloudwatch:
fn::invoke:
function: aws:iam:getPolicyDocument
arguments:
statements:
- effect: Allow
actions:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:DescribeLogGroups
- logs:DescribeLogStreams
- logs:PutLogEvents
- logs:GetLogEvents
- logs:FilterLogEvents
resources:
- '*'Content copied to clipboard
Import
Using pulumi import, import API Gateway Accounts using the word api-gateway-account. For example:
$ pulumi import aws:apigateway/account:Account demo api-gateway-accountContent copied to clipboard
Properties
Link copied to clipboard
The version of the API keys used for the account.
Link copied to clipboard
ARN of an IAM role for CloudWatch (to allow logging & monitoring). See more in AWS Docs. Logging & monitoring can be enabled/disabled and otherwise tuned on the API Gateway Stage level.
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
If true, destroying the resource will reset account settings to default, otherwise account settings are not modified. Defaults to false. Will be removed in a future major version of the provider.
Link copied to clipboard
Account-Level throttle settings. See exported fields below.