Tag CloudWatch log groups with Project=mcp-server

Add `Project = mcp-server` tags so the mcp-observability project can
discover these log groups via the Resource Groups Tagging API.

- Lambda log group (/aws/lambda/...): add tags block.
- API Gateway access log group (/aws/apigateway/...-access): this group
  did not exist, so create it and wire access_log_settings on the prod
  stage to emit access logs to it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: brendanbabb

terraform/aws/api_gateway.tf

@@ -144,13 +144,37 @@ resource "aws_api_gateway_deployment" "mcp_deployment" {
   ]
 }
 
+# CloudWatch Log Group for API Gateway access logs
+resource "aws_cloudwatch_log_group" "apigw_access_logs" {
+  name              = "/aws/apigateway/${local.lambda_name}-access"
+  retention_in_days = 14
+
+  tags = {
+    Project = "mcp-server"
+  }
+}
+
 # API Gateway Stage
 resource "aws_api_gateway_stage" "prod" {
   deployment_id = aws_api_gateway_deployment.mcp_deployment.id
   rest_api_id   = aws_api_gateway_rest_api.mcp_api.id
   stage_name    = var.stage_name
 
   xray_tracing_enabled = true
+
+  access_log_settings {
+    destination_arn = aws_cloudwatch_log_group.apigw_access_logs.arn
+    format = jsonencode({
+      requestId      = "$context.requestId"
+      ip             = "$context.identity.sourceIp"
+      requestTime    = "$context.requestTime"
+      httpMethod     = "$context.httpMethod"
+      resourcePath   = "$context.resourcePath"
+      status         = "$context.status"
+      protocol       = "$context.protocol"
+      responseLength = "$context.responseLength"
+    })
+  }
 }
 
 # Method Settings: Throttling for all methods in stage (AWS format: */* not /*/*)

terraform/aws/main.tf

@@ -105,4 +105,8 @@ resource "aws_lambda_function_url" "mcp_server_url" {
 resource "aws_cloudwatch_log_group" "lambda_logs" {
   name              = "/aws/lambda/${local.lambda_name}"
   retention_in_days = 14
+
+  tags = {
+    Project = "mcp-server"
+  }
 }