From cd170c0f7871fb393c6c94e0eab4c845878772bc Mon Sep 17 00:00:00 2001
From: xpk
Date: Mon, 4 Mar 2024 12:26:25 +0800
Subject: [PATCH] UPD: moved apigw-cloudwatch role outside of this module

---
 .../apigw-lambda/examples/main.tf | 27 ++++++++
 .../apigw-lambda/main.tf | 61 ++-----------------
 2 files changed, 33 insertions(+), 55 deletions(-)

diff --git a/modules/ApplicationIntegration/apigw-lambda/examples/main.tf b/modules/ApplicationIntegration/apigw-lambda/examples/main.tf
index e17ca42..a4dc147 100644
--- a/modules/ApplicationIntegration/apigw-lambda/examples/main.tf
+++ b/modules/ApplicationIntegration/apigw-lambda/examples/main.tf
@@ -26,3 +26,30 @@ data "archive_file" "lambda" {
   type = "zip"
 }
 
+# apigateway account settings, needed for first apigateway deployment only
+resource "aws_api_gateway_account" "settings" {
+  cloudwatch_role_arn = aws_iam_role.apigw-logging-role.arn
+}
+
+resource "aws_iam_role" "apigw-logging-role" {
+  name = "ApiGatewayLoggingRole"
+  assume_role_policy = data.aws_iam_policy_document.apigw-logging-role.json
+}
+
+data "aws_iam_policy_document" "apigw-logging-role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+      identifiers = ["apigateway.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "apigw-cloudwatch" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+  role = aws_iam_role.apigw-logging-role.id
+}
diff --git a/modules/ApplicationIntegration/apigw-lambda/main.tf b/modules/ApplicationIntegration/apigw-lambda/main.tf
index df00401..7e1f4b6 100644
--- a/modules/ApplicationIntegration/apigw-lambda/main.tf
+++ b/modules/ApplicationIntegration/apigw-lambda/main.tf
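Review bot: The trust policy in `data "aws_iam_policy_document" "apigw-logging-role"` lets `apigateway.amazonaws.com` assume the role regardless of which account the API lives in; now that the role is created in each consumer's root module rather than inside the module, a `condition` on `aws:SourceAccount` would scope it to the deploying account, which is the documented confused-deputy guard for service roles. The previous module code also looked up an existing `ApiGatewayLoggingRole` via `aws_iam_roles` before creating one; the example hardcodes `name = "ApiGatewayLoggingRole"` with no such check, and `aws_api_gateway_account` is a single setting per account and region, so a second stack applied into the same account will fail on the role and fight over the account setting. The header comment could say so, e.g. `# one ApiGatewayLoggingRole and one aws_api_gateway_account per account/region; additional stacks should reference the existing role instead of creating it`. Suggested trust-policy condition (requires an `aws_caller_identity` data source in the example):
```hcl
data "aws_iam_policy_document" "apigw-logging-role" {
  statement {
    # … unchanged: effect, principals, actions …

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```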
@@ -82,61 +82,6 @@ resource "aws_api_gateway_method_settings" "apigw-method-settings" {
   }
 }
 
-# apigateway account setting
-data "aws_iam_roles" "check-if-cwl-role-exists" {
-  name_regex = "^ApiGatewayLoggingRole$"
-}
-
-resource "aws_api_gateway_account" "settings" {
-  count = length(data.aws_iam_roles.check-if-cwl-role-exists.arns) >= 1 ? 0 : 1
-  cloudwatch_role_arn = aws_iam_role.apigw-logging-role[0].arn
-}
-
-resource "aws_iam_role" "apigw-logging-role" {
-  count = length(data.aws_iam_roles.check-if-cwl-role-exists.arns) >= 1 ? 0 : 1
-  name = "ApiGatewayLoggingRole"
-  assume_role_policy = data.aws_iam_policy_document.apigw-logging-role.json
-}
-
-data "aws_iam_policy_document" "apigw-logging-role" {
-  statement {
-    effect = "Allow"
-
-    principals {
-      type = "Service"
-      identifiers = ["apigateway.amazonaws.com"]
-    }
-
-    actions = ["sts:AssumeRole"]
-  }
-}
-
-data "aws_iam_policy_document" "cloudwatch" {
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "logs:CreateLogGroup",
-      "logs:CreateLogStream",
-      "logs:DescribeLogGroups",
-      "logs:DescribeLogStreams",
-      "logs:PutLogEvents",
-      "logs:GetLogEvents",
-      "logs:FilterLogEvents",
-    ]
-
-    resources = ["*"]
-  }
-}
-
-resource "aws_iam_role_policy" "cloudwatch" {
-  count = length(data.aws_iam_roles.check-if-cwl-role-exists.arns) >= 1 ? 0 : 1
-  name = "AllowLoggingFromApiGateway"
-  role = aws_iam_role.apigw-logging-role[0].id
-  policy = data.aws_iam_policy_document.cloudwatch.json
-}
-
-
 # Cloudwatch log group path: API-Gateway-Execution-Logs_{rest-api-id}/{stage_name}
 resource "aws_cloudwatch_log_group" "this" {
   name = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.api.id}/${var.stage-name}"
@@ -145,6 +90,12 @@ resource "aws_cloudwatch_log_group" "this" {
 }
 
 # lambda function
+resource "aws_cloudwatch_log_group" "lambda-logs" {
+  name = "/aws/lambda/${var.name}-lambda-function"
+  retention_in_days = var.cloudwatchlog-retention
+  kms_key_id = var.cwl-cmk-key-id
+}
+
 resource "aws_lambda_function" "function" {
   filename = var.lambda-archive-file
   function_name = "${var.name}-lambda-function"
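Review bot: `aws_lambda_function.function` has no dependency on the new `aws_cloudwatch_log_group.lambda-logs`, so if the function is created and invoked before the log group exists, Lambda auto-creates `/aws/lambda/${var.name}-lambda-function` without the retention and KMS settings and the next apply hits a resource-already-exists conflict; add `depends_on = [aws_cloudwatch_log_group.lambda-logs]` to the function resource, whose body continues past the hunk. The log-group name and `function_name` are each assembled from `var.name` independently; a `locals { function_name = "${var.name}-lambda-function" }` referenced by both would keep the two from drifting. Encrypting with `kms_key_id = var.cwl-cmk-key-id` presumably requires the key policy to grant the CloudWatch Logs service principal for this region, which is worth stating on the variable, e.g. `# key policy must allow the CloudWatch Logs service principal of this region to use the key`.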