fix(lambda-function): add policies for logging

lambda-function/cloudwatch.tf

@@ -1,6 +1,10 @@
+locals {
+  log_group_name = "/aws/lambda/${var.name}"
+}
+
 resource "aws_cloudwatch_log_group" "logs" {
-  name              = "${var.name}-logs"
+  name              = local.log_group_name
   log_group_class   = "STANDARD"
-  retention_in_days = var.cloudwatch.retention_in_days
+  retention_in_days = var.logs.retention_in_days
   tags              = var.tags
-}
+}

lambda-function/data.tf

@@ -13,5 +13,5 @@ data "archive_file" "func" {
   type        = "zip"
   source_dir  = var.src
   output_path = local.output_path
-  depends_on = [null_resource.create_build_dir]
-}
+  depends_on  = [null_resource.create_build_dir]
+}

lambda-function/iam.tf

@@ -0,0 +1,18 @@
+resource "aws_iam_role_policy" "logging" {
+  name = "allow-cloudwatch-logs-access"
+  role = split("/", var.role_arn)[1]
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ],
+        Resource = "${aws_cloudwatch_log_group.logs.arn}:*"
+      }
+    ]
+  })
+}

lambda-function/lambda.tf

@@ -1,4 +1,4 @@
-resource "aws_lambda_function" "lambda" {
+resource "aws_lambda_function" "fn" {
   function_name                  = var.name
   description                    = var.description
   role                           = var.role_arn
@@ -20,8 +20,8 @@ resource "aws_lambda_function" "lambda" {
   logging_config {
     log_group             = aws_cloudwatch_log_group.logs.name
     log_format            = "JSON"
-    application_log_level = var.cloudwatch.app_log_level
-    system_log_level      = var.cloudwatch.system_log_level
+    application_log_level = var.logs.app_log_level
+    system_log_level      = var.logs.system_log_level
   }
 
   tags = var.tags
@@ -31,14 +31,14 @@ resource "aws_lambda_permission" "permissions" {
   for_each = var.permissions
 
   action        = each.value.action
-  function_name = aws_lambda_function.lambda.function_name
+  function_name = aws_lambda_function.fn.function_name
   principal     = each.value.principal
   statement_id  = each.key
   source_arn    = each.value.source_arn
 }
 
 resource "aws_lambda_function_event_invoke_config" "invoke_config" {
-  function_name = aws_lambda_function.lambda.function_name
+  function_name = aws_lambda_function.fn.function_name
 
   maximum_retry_attempts       = var.async_invoke_config.max_retries
   maximum_event_age_in_seconds = var.async_invoke_config.max_event_age

lambda-function/outputs.tf

@@ -1,7 +1,7 @@
 output "lambda" {
   value = {
-    arn        = aws_lambda_function.lambda.arn
-    invoke_arn = aws_lambda_function.lambda.invoke_arn
+    arn        = aws_lambda_function.fn.arn
+    invoke_arn = aws_lambda_function.fn.invoke_arn
   }
 }
 

lambda-function/variables.tf

@@ -21,8 +21,8 @@ variable "runtime" {
 }
 
 variable "architectures" {
-  type = list(string)
-  default = ["arm64"]
+  type        = list(string)
+  default     = ["arm64"]
   description = "A list of the supported architectures"
 }
 
@@ -45,8 +45,8 @@ variable "concurrency" {
 }
 
 variable "layer_arns" {
-  type = list(string)
-  default = []
+  type        = list(string)
+  default     = []
   description = "ARN of layers"
 }
 
@@ -56,29 +56,29 @@ variable "handler" {
 }
 
 variable "vars" {
-  type = map(string)
-  default = {}
+  type        = map(string)
+  default     = {}
   description = "Environment variables available to the function"
 }
 
-variable "cloudwatch" {
+variable "src" {
+  type        = string
+  description = "The path to your function code"
+}
+
+variable "logs" {
   type = object({
-    app_log_level = optional(string, "INFO") # TRACE, DEBUG, INFO, WARN, ERROR, FATAL
-    system_log_level = optional(string, "INFO") # DEBUG, INFO, WARN
+    app_log_level     = optional(string, "INFO") # TRACE, DEBUG, INFO, WARN, ERROR, FATAL
+    system_log_level  = optional(string, "INFO") # DEBUG, INFO, WARN
     retention_in_days = optional(number, 30)
   })
   default = {}
 }
 
-variable "src" {
-  type        = string
-  description = "The path to your function code"
-}
-
 variable "async_invoke_config" {
   type = object({
-    max_retries = optional(number, 2)
-    max_event_age = optional(number, 3600) # 1 hour
+    max_retries             = optional(number, 2)
+    max_event_age           = optional(number, 3600) # 1 hour
     failure_destination_arn = optional(string, null)
     success_destination_arn = optional(string, null)
   })
@@ -87,15 +87,15 @@ variable "async_invoke_config" {
 
 variable "permissions" {
   type = map(object({
-    action    = string
-    principal = string
+    action     = string
+    principal  = string
     source_arn = optional(string, null)
   }))
   default = {}
 }
 
 variable "tags" {
-  type = map(string)
+  type        = map(string)
   description = "The tags to apply to all resources created"
-  default = {}
+  default     = {}
 }