From 756fea3921741b4c73fc8400e762d1dce8c4adbc Mon Sep 17 00:00:00 2001
From: Lance Allen
Date: Fri, 8 Nov 2019 12:37:23 -0800
Subject: [PATCH] Create AWS Cloudwatch log group and give explicit access to it (#40)

* creating a cloudwatch logs group and giving explicit access to only it

* remove extra permission that is no longer needed since terraform is creating the log group

* Fixed creation of aws_cloudwatch_log_group, added import command to README
---
 README.md                               | 14 ++++++++++++++
 examples/notify-slack-simple/README.md  |  1 +
 examples/notify-slack-simple/outputs.tf |  5 +++++
 iam.tf                                  |  4 +---
 main.tf                                 | 15 +++++++++++++--
 outputs.tf                              |  4 ++++
 variables.tf                            | 18 ++++++++++++++++++
 7 files changed, 56 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 1a8c4ba6..c596281b 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,16 @@ module "notify_slack" {
 
 If you want to subscribe AWS Lambda Function created by this module to an existing SNS topic you should specify `create_sns_topic = false` as argument and specify name of existing SNS topic name in `sns_topic_name`.
 
+## Import existing Cloudwatch Log Group
+
+Since `v2.3.0` of this module AWS Cloudwatch Log group is created also by this module.
+
+If you are updating from previous version of this module and you don't want to recreate log group, you need to import it like this (change `MODULE_NAME` as necessary):
+
+```
+$ terraform import module.MODULE_NAME.aws_cloudwatch_log_group.lambda /aws/lambda/notify_slack
+```
+
 ## Examples
 
 * [notify-slack-simple](https://github.com/terraform-aws-modules/terraform-aws-notify-slack/tree/master/examples/notify-slack-simple) - Creates SNS topic which sends messages to Slack channel.
@@ -49,6 +59,9 @@ If you want to subscribe AWS Lambda Function created by this module to an existi
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| cloudwatch\_log\_group\_kms\_key\_id | The ARN of the KMS Key to use when encrypting log data for Lambda | string | `"null"` | no |
+| cloudwatch\_log\_group\_retention\_in\_days | Specifies the number of days you want to retain log events in log group for Lambda. | number | `"0"` | no |
+| cloudwatch\_log\_group\_tags | Additional tags for the Cloudwatch log group | map(string) | `{}` | no |
 | create | Whether to create all resources | bool | `"true"` | no |
 | create\_sns\_topic | Whether to create new SNS topic | bool | `"true"` | no |
 | iam\_role\_tags | Additional tags for the IAM role | map(string) | `{}` | no |
@@ -68,6 +81,7 @@ If you want to subscribe AWS Lambda Function created by this module to an existi
 
 | Name | Description |
 |------|-------------|
+| lambda\_cloudwatch\_log\_group\_arn | The Amazon Resource Name (ARN) specifying the log group |
 | lambda\_iam\_role\_arn | The ARN of the IAM role used by Lambda function |
 | lambda\_iam\_role\_name | The name of the IAM role used by Lambda function |
 | notify\_slack\_lambda\_function\_arn | The ARN of the Lambda function |
diff --git a/examples/notify-slack-simple/README.md b/examples/notify-slack-simple/README.md
index da241823..cb76ec1d 100644
--- a/examples/notify-slack-simple/README.md
+++ b/examples/notify-slack-simple/README.md
@@ -23,6 +23,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 
 | Name | Description |
 |------|-------------|
+| lambda\_cloudwatch\_log\_group\_arn | The Amazon Resource Name (ARN) specifying the log group |
 | lambda\_iam\_role\_arn | The ARN of the IAM role used by Lambda function |
 | lambda\_iam\_role\_name | The name of the IAM role used by Lambda function |
 | notify\_slack\_lambda\_function\_arn | The ARN of the Lambda function |
diff --git a/examples/notify-slack-simple/outputs.tf b/examples/notify-slack-simple/outputs.tf
index 2137b5a6..e75e57ff 100644
--- a/examples/notify-slack-simple/outputs.tf
+++ b/examples/notify-slack-simple/outputs.tf
@@ -37,3 +37,8 @@ output "notify_slack_lambda_function_version" {
   description = "Latest published version of your Lambda function"
   value       = module.notify_slack.notify_slack_lambda_function_version
 }
+
+output "lambda_cloudwatch_log_group_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the log group"
+  value       = module.notify_slack.lambda_cloudwatch_log_group_arn
+}
diff --git a/iam.tf b/iam.tf
index 70011678..91dc3f6a 100644
--- a/iam.tf
+++ b/iam.tf
@@ -22,12 +22,11 @@ data "aws_iam_policy_document" "lambda_basic" {
     effect = "Allow"
 
     actions = [
-      "logs:CreateLogGroup",
       "logs:CreateLogStream",
       "logs:PutLogEvents",
     ]
 
-    resources = ["arn:aws:logs:*:*:*"]
+    resources = [aws_cloudwatch_log_group.lambda[0].arn]
   }
 }
 
@@ -70,4 +69,3 @@ resource "aws_iam_role_policy" "lambda" {
     0,
   )
 }
-
diff --git a/main.tf b/main.tf
index 66fade91..96c2b5e1 100644
--- a/main.tf
+++ b/main.tf
@@ -23,6 +23,16 @@ locals {
   )
 }
 
+resource "aws_cloudwatch_log_group" "lambda" {
+  count = var.create ? 1 : 0
+
+  name              = "/aws/lambda/${var.lambda_function_name}"
+  retention_in_days = var.cloudwatch_log_group_retention_in_days
+  kms_key_id        = var.cloudwatch_log_group_kms_key_id
+
+  tags = merge(var.tags, var.cloudwatch_log_group_tags)
+}
+
 resource "aws_sns_topic_subscription" "sns_notify_slack" {
   count = var.create ? 1 : 0
 
@@ -85,6 +95,8 @@ resource "aws_lambda_function" "notify_slack" {
     }
   }
 
+  tags = merge(var.tags, var.lambda_function_tags)
+
   lifecycle {
     ignore_changes = [
       filename,
@@ -92,6 +104,5 @@ resource "aws_lambda_function" "notify_slack" {
     ]
   }
 
-  tags = merge(var.tags, var.lambda_function_tags)
+  depends_on = ["aws_cloudwatch_log_group.lambda"]
 }
-
diff --git a/outputs.tf b/outputs.tf
index cf71f757..a3d2834a 100644
--- a/outputs.tf
+++ b/outputs.tf
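Review bot: `resources = [aws_cloudwatch_log_group.lambda[0].arn]` narrows the statement to one log group, but `logs:CreateLogStream` and `logs:PutLogEvents` are evaluated against log-stream ARNs under that group (`…:log-group:NAME:log-stream:*`), so the policy only matches if the provider's `arn` attribute carries the trailing `:*`. Whether it does has changed across AWS provider major versions, so it is worth checking against the version pinned here and, if the suffix is absent, writing `resources = ["${aws_cloudwatch_log_group.lambda[0].arn}:*"]`. The `[0]` index also assumes the data source is gated by the same `count = var.create ? 1 : 0`, since with `create = false` the log group list is empty; the `data` block header is outside this hunk so I cannot confirm that here. Dropping `logs:CreateLogGroup` and the `arn:aws:logs:*:*:*` wildcard is the right least-privilege direction.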
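Review bot: `depends_on = ["aws_cloudwatch_log_group.lambda"]` uses a quoted reference, which Terraform 0.12 accepts only with a deprecation warning and later releases reject; the rest of this file already uses 0.12 expression syntax (`var.create ? 1 : 0`, `merge(...)`), so it should read `depends_on = [aws_cloudwatch_log_group.lambda]`. The ordering also deserves a why-comment, because the same commit removes `logs:CreateLogGroup` from the role in iam.tf and the function can no longer create its own group on first invocation: `# ensure the log group exists before the function can be invoked; the role no longer has logs:CreateLogGroup`. The `aws_lambda_function` block starts outside this hunk.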
@@ -38,3 +38,7 @@ output "notify_slack_lambda_function_version" {
   value       = element(concat(aws_lambda_function.notify_slack.*.version, [""]), 0)
 }
 
+output "lambda_cloudwatch_log_group_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the log group"
+  value       = element(concat(aws_cloudwatch_log_group.lambda.*.arn, [""]), 0)
+}
diff --git a/variables.tf b/variables.tf
index 6b155ebb..c5cbcbb4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -54,6 +54,18 @@ variable "reserved_concurrent_executions" {
   default     = -1
 }
 
+variable "cloudwatch_log_group_retention_in_days" {
+  description = "Specifies the number of days you want to retain log events in log group for Lambda."
+  type        = number
+  default     = 0
+}
+
+variable "cloudwatch_log_group_kms_key_id" {
+  description = "The ARN of the KMS Key to use when encrypting log data for Lambda"
+  type        = string
+  default     = null
+}
+
 variable "tags" {
   description = "A map of tags to add to all resources"
   type        = map(string)
@@ -77,3 +89,9 @@ variable "sns_topic_tags" {
   type        = map(string)
   default     = {}
 }
+
+variable "cloudwatch_log_group_tags" {
+  description = "Additional tags for the Cloudwatch log group"
+  type        = map(string)
+  default     = {}
+}
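Review bot: The description of `cloudwatch_log_group_retention_in_days` does not say what the default `0` means; for `aws_cloudwatch_log_group` a value of 0 keeps events indefinitely, which is the opposite of what a reader might expect from zero, so suggest `description = "Specifies the number of days you want to retain log events in log group for Lambda. 0 means never expire."`. For `cloudwatch_log_group_kms_key_id`, the CloudWatch Logs service must be allowed to use the key in the key's policy or the group's encryption is rejected at apply time; a sentence noting that in the description would save users a failed apply. The README input table at the top of the patch mirrors these descriptions and would need the same wording.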