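# Lambda that receives API Gateway access-log events through a CloudWatch Logs
# subscription filter on the API Gateway log group.
resource "aws_lambda_function" "apigw_logs" {
  filename         = data.archive_file.lambda_logs.output_path
  function_name    = "${local.prefix}-analyse-logs-apigw"
  role             = aws_iam_role.iam_for_lambda_logs.arn
  handler          = "apigw_metrics.handler"
  timeout          = 10
  source_code_hash = data.archive_file.lambda_logs.output_base64sha256

  # NOTE(review): nodejs12.x is a deprecated Lambda runtime and no longer
  # receives security patches. Move to a currently supported Node.js runtime
  # once the handler has been tested against it.
  runtime = "nodejs12.x"

  # Caps concurrent executions so a burst of log events cannot consume the
  # account's shared concurrency.
  reserved_concurrent_executions = 5

  # Lambda Insights extension layer, pinned to version 14 in eu-west-1.
  # NOTE(review): the region is hard-coded here while the invoke permission
  # below uses var.aws_region; confirm the two always match.
  layers = [
    "arn:aws:lambda:eu-west-1:580247275435:layer:LambdaInsightsExtension:14"
  ]

  environment {
    variables = {
      API_GATEWAY_LOG_GROUP = aws_cloudwatch_log_group.apigw_logs.name
    }
  }

  tags = local.common_tags
}

# Forwards events from the API Gateway log group to the Lambda above.
resource "aws_cloudwatch_log_subscription_filter" "lambdafunction_logfilter" {
  name            = "${local.prefix}-lambdafunction-subscription"
  log_group_name  = aws_cloudwatch_log_group.apigw_logs.name
  filter_pattern  = " "
  destination_arn = aws_lambda_function.apigw_logs.arn

  # CloudWatch Logs checks that it is allowed to invoke the destination when
  # the filter is created, so the permission must exist first. Nothing in this
  # resource references the permission, hence the explicit dependency.
  depends_on = [aws_lambda_permission.log_subscription]

  lifecycle {
    # Changes to the filter pattern made outside Terraform are not reverted.
    ignore_changes = [
      filter_pattern
    ]
  }
}

# Resource-based policy statement letting CloudWatch Logs invoke the function.
# source_arn limits the grant to the API Gateway log group, so other log
# groups cannot trigger this function through the service principal.
# NOTE(review): statement_id is misspelled ("Clou"); it is left unchanged here
# because renaming it would likely replace the permission.
resource "aws_lambda_permission" "log_subscription" {
  statement_id  = "AllowClouWatchInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.apigw_logs.function_name
  principal     = "logs.${var.aws_region}.amazonaws.com"
  source_arn    = "${aws_cloudwatch_log_group.apigw_logs.arn}:*"
}

# Packages the single handler file into the zip deployed to Lambda.
data "archive_file" "lambda_logs" {
  type        = "zip"
  output_path = "${local.lambda_loc}/zip/apigw_metrics.zip"
  source_file = "${local.lambda_loc}/apigw_metrics/apigw_metrics.js"
}

# Execution role for the log-analysis Lambda. The trust policy is read from a
# template file that is not visible here; it should allow only
# lambda.amazonaws.com to assume the role (verify).
resource "aws_iam_role" "iam_for_lambda_logs" {
  name               = "${local.prefix}-lambda-admin-cloudwatch-logs"
  assume_role_policy = file("./templates/lambda/assume-role-policy.json")
}

# NOTE(review): CloudWatchFullAccess is an AWS managed policy with broad
# write/delete rights over CloudWatch and CloudWatch Logs, well beyond what a
# log-processing function normally needs. If the function or its dependencies
# are compromised, those rights include tampering with alarms and log data.
# The handler source is not visible here, so the exact actions it requires
# cannot be listed; replace this attachment with a policy scoped to those
# actions and to the specific log groups / metric namespaces it uses.
resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_FA" {
  role       = aws_iam_role.iam_for_lambda_logs.name
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
}

resource "aws_iam_role_policy_attachment" "lambda_apigw" {
  role       = aws_iam_role.iam_for_lambda_logs.name
  policy_arn = aws_iam_policy.apigw_read_only.arn
}

# Read-only access to API Gateway's management API.
# NOTE(review): Resource = "*" covers every API in the account and region;
# narrow it to the API Gateway ARNs this function describes if they are known.
resource "aws_iam_policy" "apigw_read_only" {
  name        = "${local.prefix}-ApiGatewayReadOnly"
  path        = "/"
  description = "Read only for describing APIGateway services"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "apigateway:GET",
        ]
        Effect   = "Allow"
        Resource = "*"
      }
    ]
  })
}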