Can I maybe put the log group in depends on in the creation of the API with cloudwatch and expect the same result?

It’s interesting that it’s using dependsOn, and not a property.

So the log role ARN is at the apigateway account level.  That wasn’t clear to me, but made it easier to find the property:

const appLogRole = new aws.iam.Role(`${appName}-log-role`, {
  assumeRolePolicy: `{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": "<http://apigateway.amazonaws.com|apigateway.amazonaws.com>"
        },
        "Effect": "Allow",
        "Sid": ""
      }
    ]
  }`,
});

const appLogPolicyAttachment = new aws.iam.RolePolicyAttachment(
  `${appName}-log-ra`,
  {
    role: appLogRole,
    policyArn: aws.iam.ManagedPolicies.AmazonAPIGatewayPushToCloudWatchLogs,
  },
  { parent: appLogRole }
);

const appApiSettings = new aws.apigateway.Account(`${appName}-api-settings`, {
  cloudwatchRoleArn: appLogRole.arn
});