resource "aws_lambda_function" "apigw_logs" {
  # Consumer of the API Gateway access-log subscription defined in this file:
  # CloudWatch Logs invokes this function with the filtered log events.
  function_name = "${local.prefix}-analyse-logs-apigw"
  role          = aws_iam_role.iam_for_lambda_logs.arn
  handler       = "apigw_metrics.handler"
  timeout       = 10
  # NOTE(review): nodejs12.x is a deprecated Lambda runtime; plan a move to a
  # supported Node.js runtime once the handler code has been checked against it.
  runtime = "nodejs12.x"

  # Deployment package is the zip built by data.archive_file.lambda_logs; the
  # hash makes Terraform redeploy whenever the zipped source changes.
  filename         = data.archive_file.lambda_logs.output_path
  source_code_hash = data.archive_file.lambda_logs.output_base64sha256

  # Hard cap on concurrent invocations of this function.
  reserved_concurrent_executions = 5

  # Lambda Insights extension. The region is fixed to eu-west-1 here while the
  # rest of this file uses var.aws_region; publisher account and layer version
  # may differ per region, so confirm them before parameterising this ARN.
  layers = [
    "arn:aws:lambda:eu-west-1:580247275435:layer:LambdaInsightsExtension:14",
  ]

  environment {
    variables = {
      # Log group the function analyses; it is the same group the
      # subscription filter below reads from.
      API_GATEWAY_LOG_GROUP = aws_cloudwatch_log_group.apigw_logs.name
    }
  }

  tags = local.common_tags
}

resource "aws_cloudwatch_log_subscription_filter" "lambdafunction_logfilter" {
  # Streams matching events from the API Gateway access-log group to the
  # analysis function. Delivery relies on aws_lambda_permission.log_subscription
  # granting the CloudWatch Logs service principal invoke rights.
  name           = "${local.prefix}-lambdafunction-subscription"
  log_group_name = aws_cloudwatch_log_group.apigw_logs.name

  # JSON metric-filter syntax: only events whose resourcePath equals the
  # path of aws_api_gateway_resource.access are forwarded.
  # NOTE(review): assumes the stage's access-log format emits JSON with a
  # resourcePath field — confirm against the stage's access_log_settings.
  filter_pattern = format("{$.resourcePath = \"%s\"}", aws_api_gateway_resource.access.path)

  destination_arn = aws_lambda_function.apigw_logs.arn
}

resource "aws_lambda_permission" "log_subscription" {
  # Resource-based policy on the function: only the CloudWatch Logs service
  # principal of var.aws_region may invoke it, and only on behalf of the
  # API Gateway log group (the trailing ":*" covers the group's log streams).
  # The statement id keeps its original spelling; changing it forces the
  # permission to be recreated.
  statement_id  = "AllowClouWatchInvoke"
  function_name = aws_lambda_function.apigw_logs.function_name
  action        = "lambda:InvokeFunction"

  principal  = "logs.${var.aws_region}.amazonaws.com"
  source_arn = format("%s:*", aws_cloudwatch_log_group.apigw_logs.arn)
}

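resource "null_resource" "lambda_logs_dependencies" {
  # Installs the function's npm dependencies on the machine running Terraform.
  # `npm ci` installs exactly what package-lock.json pins and fails if the
  # lock file disagrees with package.json; `npm install` may rewrite the lock
  # file, which would change the `lock` trigger below on the very next plan.
  provisioner "local-exec" {
    command = "cd ${local.lambda_loc}/apigw_metrics && npm ci"
  }

  # Re-run the install when the manifest, the lock file or any source file
  # changes. The `node` trigger hashes file contents; hashing the list of
  # file names (the previous behaviour) missed edits to existing files.
  # NOTE(review): the glob also matches any .js under node_modules once
  # installed; narrow the pattern if that causes repeated re-runs.
  triggers = {
    package = base64sha256(file("${local.lambda_loc}/apigw_metrics/package.json"))
    lock    = base64sha256(file("${local.lambda_loc}/apigw_metrics/package-lock.json"))
    node = sha256(join("", [
      for f in sort(tolist(fileset(local.lambda_loc, "apigw_metrics/**/*.js"))) :
      filesha256("${local.lambda_loc}/${f}")
    ]))
  }
}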

data "archive_file" "lambda_logs" {
  # Builds the deployment zip consumed by aws_lambda_function.apigw_logs.
  # Only the single handler file is packaged: anything installed by
  # null_resource.lambda_logs_dependencies (node_modules) is not included.
  # NOTE(review): if apigw_metrics.js requires packages from node_modules,
  # switch to source_dir so the installed dependencies ship with the function.
  type        = "zip"
  source_file = format("%s/apigw_metrics/apigw_metrics.js", local.lambda_loc)
  output_path = format("%s/zip/apigw_metrics.zip", local.lambda_loc)
}

resource "aws_iam_role" "iam_for_lambda_logs" {
  # Execution role assumed by aws_lambda_function.apigw_logs. The trust policy
  # is read from a template file; it should allow only the Lambda service
  # principal to assume the role — confirm the template's Principal element.
  assume_role_policy = file("./templates/lambda/assume-role-policy.json")
  name               = "${local.prefix}-lambda-admin-cloudwatch-logs"
}

resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_FA" {
  # NOTE(review): CloudWatchFullAccess is far broader than a log-analysis
  # function needs (full CloudWatch, CloudWatch Logs and related permissions,
  # including delete and alarm/dashboard management). A least-privilege
  # replacement would be the basic Lambda execution policy plus an inline
  # statement for the exact cloudwatch:/logs: actions the handler performs,
  # and the Lambda Insights execution policy for the layer attached to the
  # function. Left as-is pending a check of what apigw_metrics.js calls.
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
  role       = aws_iam_role.iam_for_lambda_logs.name
}

resource "aws_iam_role_policy_attachment" "lambda_apigw" {
  # Grants the execution role the customer-managed read-only API Gateway
  # policy defined below.
  policy_arn = aws_iam_policy.apigw_read_only.arn
  role       = aws_iam_role.iam_for_lambda_logs.name
}

resource "aws_iam_policy" "apigw_read_only" {
  # Read-only API Gateway access for the log-analysis function.
  # NOTE(review): apigateway:GET on Resource "*" allows reading every API
  # Gateway resource in the account, not just the API whose logs are analysed;
  # consider scoping Resource to the region / REST API the handler actually
  # describes once that is known.
  name        = "${local.prefix}-ApiGatewayReadOnly"
  description = "Read only for describing APIGateway services"
  path        = "/"

  # The policy document is kept as HCL and serialised to JSON at plan time.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["apigateway:GET"]
        Resource = "*"
      },
    ]
  })
}