#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#    API_GW_EXECUTION_LOGGING_ENABLED
#
# Description:
#    Checks that all methods in Amazon API Gateway stage has logging enabled. The rule is NON_COMPLIANT if logging is not enabled.
#
# Reports on:
#    AWS::ApiGateway::Stage
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when there are no API GW Stage present
# b) PASS: when all API GW Stage Methods have logginglevel set to "ERROR" OR "INFO"
# c) FAIL: when API GW Domain Names doesn't have logginglevel set to "ERROR" OR "INFO"
# d) SKIP: when metadata includes the suppression for rule API_GW_EXECUTION_LOGGING_ENABLED

let api_gw_execution_logging_enabled = Resources.*[ Type == 'AWS::ApiGateway::Stage'
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "API_GW_EXECUTION_LOGGING_ENABLED"
]

rule API_GW_EXECUTION_LOGGING_ENABLED when %api_gw_execution_logging_enabled !empty {
  when %api_gw_execution_logging_enabled.Properties.MethodSettings !empty {
    %api_gw_execution_logging_enabled.Properties.MethodSettings.*.LoggingLevel == "ERROR" OR
    %api_gw_execution_logging_enabled.Properties.MethodSettings.*.LoggingLevel == "INFO"
    <<
      Violation: Logging Level for API GW Method Setting not set
      Fix: API GW Stage Method Setting logging level must be set to "ERROR" or "INFO"
    >>
  }
}