From 064c560d41262172b02a8a67e27a28a79e907cdd Mon Sep 17 00:00:00 2001 From: Alan Jenkins Date: Thu, 27 Feb 2020 11:22:48 +0000 Subject: [PATCH] Create Cloudwatch log group Creates the Cloudwatch log group and allows setting it's options for tags, retention, and KMS Key ID for encryption. --- README.md | 55 +++++++++++++++++++++++++++++++++++++++++++++------- lambda.tf | 2 +- logging.tf | 7 +++++++ outputs.tf | 10 ++++++++++ variables.tf | 27 ++++++++++++++++++++++++-- 5 files changed, 91 insertions(+), 10 deletions(-) create mode 100644 logging.tf diff --git a/README.md b/README.md index f8795c0..b1bf8fa 100644 --- a/README.md +++ b/README.md @@ -23,6 +23,7 @@ This Terraform module creates and uploads an AWS Lambda function and hides the u | 1.x.x | 0.12.x | | 0.x.x | 0.11.x | + ## Usage ```js @@ -65,20 +66,60 @@ module "lambda" { } } ``` + +## Providers -## Inputs +| Name | Version | +|------|---------| +| aws | n/a | +| external | n/a | +| null | n/a | -Inputs for this module are the same as the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource with the following additional arguments: +## Inputs | Name | Description | Type | Default | Required | -|------|-------------|------|---------|----------| -| **source\_path** | The absolute path to a local file or directory containing your Lambda source code | `string` | | yes | +|------|-------------|------|---------|:-----:| +| dead\_letter\_config | n/a |
object({
target_arn = string
})
| n/a | yes | +| description | n/a | `string` | n/a | yes | +| environment | n/a |
object({
variables = map(string)
})
| n/a | yes | +| function\_name | n/a | `string` | n/a | yes | +| handler | n/a | `string` | n/a | yes | +| kms\_key\_arn | n/a | `string` | n/a | yes | +| layers | n/a | `list(string)` | n/a | yes | +| log\_group\_kms\_key\_id | The ID of a KMS key to use for encrypting the logs for the log group used by the Lambda if create\_log\_group is enabled. | `string` | n/a | yes | +| log\_group\_retention | The retention time of the Cloudwatch Log group that the Lambda logs to if create\_log\_group is enabled. | `string` | n/a | yes | +| log\_group\_tags | The tags to assign to the log group for the Lambda if create\_log\_group is enabled. This needs to be a list of maps of strings. | `list(map(string))` | n/a | yes | +| memory\_size | n/a | `number` | n/a | yes | +| policy | An additional policy to attach to the Lambda function role |
object({
json = string
})
| n/a | yes | +| reserved\_concurrent\_executions | n/a | `number` | n/a | yes | +| runtime | n/a | `string` | n/a | yes | +| source\_path | The absolute path to a local file or directory containing your Lambda source code | `string` | n/a | yes | +| tags | n/a | `map(string)` | n/a | yes | +| tracing\_config | n/a |
object({
mode = string
})
| n/a | yes | +| vpc\_config | n/a |
object({
security_group_ids = list(string)
subnet_ids = list(string)
})
| n/a | yes | | build\_command | The command to run to create the Lambda package zip file | `string` | `"python build.py '$filename' '$runtime' '$source'"` | no | -| build\_paths | The files or directories used by the build command, to trigger new Lambda package builds whenever build scripts change | `list(string)` | `["build.py"]` | no | +| build\_paths | The files or directories used by the build command, to trigger new Lambda package builds whenever build scripts change | `list(string)` |
[
"build.py"
]
| no | | cloudwatch\_logs | Set this to false to disable logging your Lambda output to CloudWatch Logs | `bool` | `true` | no | +| create\_log\_group | Whether or not to create the log group for the Lambda function. If the Lambda has been ran with logging enabled prior to this option being enabled Terraform will fail as the log group will already exist. In this case you will have to import the log group using a command like: terraform import module.lambda.aws\_cloudwatch\_log\_group.lambda /aws/lambda/lambda\_function\_name. Also note that if you disable this option or remove the module Terraform will want to remove the log group and it's associated logs. To keep the log group and its logs please ensure that you either remove module.lambda.aws\_cloudwatch\_log\_group.lambda from the state or move it to somewhere else in the state using either terraform state rm or terraform state mv. | `bool` | `false` | no | | lambda\_at\_edge | Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow edgelambda.amazonaws.com to invoke the function | `bool` | `false` | no | -| policy | An additional policy to attach to the Lambda function role | `object({json=string})` | | no | -| trusted\_entities | Additional trusted entities for the Lambda function. The lambda.amazonaws.com (and edgelambda.amazonaws.com if lambda\_at\_edge is true) is always set | `list(string)` | | no | +| publish | n/a | `bool` | `false` | no | +| timeout | n/a | `number` | `3` | no | +| trusted\_entities | Lambda function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| cloudwatch\_log\_group\_arn | The ARN of the log group created for this Lambda if logging is enabled. | +| cloudwatch\_log\_group\_name | The name of the log group created for this Lambda if logging is enabled. 
| +| function\_arn | The ARN of the Lambda function | +| function\_invoke\_arn | The Invoke ARN of the Lambda function | +| function\_name | The name of the Lambda function | +| function\_qualified\_arn | The qualified ARN of the Lambda function | +| role\_arn | The ARN of the IAM role created for the Lambda function | +| role\_name | The name of the IAM role created for the Lambda function | + + The following arguments from the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource are not supported: diff --git a/lambda.tf b/lambda.tf index 2fdd510..be486b3 100644 --- a/lambda.tf +++ b/lambda.tf @@ -15,7 +15,7 @@ resource "aws_lambda_function" "lambda" { # Use a generated filename to determine when the source code has changed. filename = data.external.built.result.filename - depends_on = [null_resource.archive] + depends_on = [null_resource.archive, aws_cloudwatch_log_group.lambda] # Add dynamic blocks based on variables. diff --git a/logging.tf b/logging.tf new file mode 100644 index 0000000..357c1e8 --- /dev/null +++ b/logging.tf @@ -0,0 +1,7 @@ +resource "aws_cloudwatch_log_group" "lambda" { + count = var.create_log_group == true ? 1 : 0 + name = "/aws/lambda/${var.function_name}" + retention_in_days = var.log_group_retention + kms_key_id = var.log_group_kms_key_id + tags = var.log_group_tags +} \ No newline at end of file diff --git a/outputs.tf b/outputs.tf index 8e9e4e6..4b238fa 100644 --- a/outputs.tf +++ b/outputs.tf 
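Review bot: `tags = var.log_group_tags` hands a `list(map(string))` to the `tags` argument of aws_cloudwatch_log_group, which takes a map of strings, so any non-null value of that variable fails type conversion at plan time; the variable in variables.tf (and its README row) should be `type = map(string)` with the description changed to match. `count = var.create_log_group == true ? 1 : 0` can simply be `count = var.create_log_group ? 1 : 0` since the variable is already typed `bool`. On `kms_key_id`, the resource takes the key's ARN rather than a bare key ID, and the key policy has to let the CloudWatch Logs service principal use the key or the group creation fails, which the README should say. With `kms_key_id` and `retention_in_days` both defaulting to null the group gets the service-default encryption and never-expiring retention, so callers enabling `create_log_group` for compliance reasons must set both explicitly. The file also has no trailing newline.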
@@ -27,3 +27,13 @@ output "role_name" {
 description = "The name of the IAM role created for the Lambda function"
 value = aws_iam_role.lambda.name
 }
+
+output "cloudwatch_log_group_arn" {
+ description = "The ARN of the log group created for this Lambda if logging is enabled."
+ value = aws_cloudwatch_log_group.lambda[0].arn
+}
+
+output "cloudwatch_log_group_name" {
+ description = "The name of the log group created for this Lambda if logging is enabled."
+ value = aws_cloudwatch_log_group.lambda[0].name
+}
diff --git a/variables.tf b/variables.tf
index 1b17bd5..794fb45 100644
--- a/variables.tf
+++ b/variables.tf
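Review bot: Both new outputs index `aws_cloudwatch_log_group.lambda[0]`, but that resource is created with `count = var.create_log_group ... ? 1 : 0` in logging.tf, so with the default `create_log_group = false` the module errors on an invalid index instead of yielding an empty output. Use a splat that tolerates the empty case, `value = join("", aws_cloudwatch_log_group.lambda[*].arn)` and likewise `value = join("", aws_cloudwatch_log_group.lambda[*].name)`. The descriptions say "if logging is enabled", but the gate is `create_log_group`, not `cloudwatch_logs`; suggest `description = "The ARN of the log group created for this Lambda if create_log_group is enabled (empty otherwise)."` and the same wording for the name.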
@@ -37,6 +37,29 @@ variable "cloudwatch_logs" {
 default = true
 }
+variable "create_log_group" {
+ description = "Whether or not to create the log group for the Lambda function. If the Lambda has been ran with logging enabled prior to this option being enabled Terraform will fail as the log group will already exist. In this case you will have to import the log group using a command like: terraform import module.lambda.aws_cloudwatch_log_group.lambda /aws/lambda/lambda_function_name. Also note that if you disable this option or remove the module Terraform will want to remove the log group and it's associated logs. To keep the log group and its logs please ensure that you either remove module.lambda.aws_cloudwatch_log_group.lambda from the state or move it to somewhere else in the state using either terraform state rm or terraform state mv."
+ type = bool
+ default = false
+}
+variable "log_group_retention" {
+ description = "The retention time of the Cloudwatch Log group that the Lambda logs to if create_log_group is enabled."
+ type = string
+ default = null
+}
+
+variable "log_group_kms_key_id" {
+ description = "The ID of a KMS key to use for encrypting the logs for the log group used by the Lambda if create_log_group is enabled."
+ type = string
+ default = null
+}
+
+variable "log_group_tags" {
+ description = "The tags to assign to the log group for the Lambda if create_log_group is enabled. This needs to be a list of maps of strings."
+ type = list(map(string))
+ default = null
+}
+
 variable "lambda_at_edge" {
 description = "Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow edgelambda.amazonaws.com to invoke the function"
 type = bool
@@ -53,8 +76,8 @@ variable "policy" {
 variable "trusted_entities" {
 description = "Lambda function additional trusted entities for assuming roles (trust relationship)"
- type = list(string)
- default = []
+ type = list(string)
+ default = []
 }
 locals {
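Review bot: `log_group_retention` is declared `type = string` while it feeds `retention_in_days`, a numeric argument that CloudWatch only accepts from a fixed set of day values; declaring it `type = number` makes a bad value fail at variable validation instead of at apply, and the description should name the unit (days). `log_group_kms_key_id` is described as "The ID of a KMS key", but the log group's `kms_key_id` argument expects the key's ARN — suggest `description = "The ARN of the KMS key used to encrypt the log group, if create_log_group is enabled."`. The `create_log_group` description reads "has been ran" and "it's associated logs"; these should be "has been run" and "its associated logs". The second hunk of this file only realigns `trusted_entities` and needs nothing.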