xpk/terraform.aws-baseline-infra
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

UPD: moved apigw-cloudwatch role outside of this module

Browse Source
This commit is contained in:
xpk 2024-03-04 12:26:25 +08:00
parent 7383f66749
commit cd170c0f78
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
2 changed files with 33 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
modules/ApplicationIntegration/apigw-lambda/examples/main.tf
View File

@ -26,3 +26,30 @@ data "archive_file" "lambda" {
type = "zip" type = "zip"
} }
# apigateway account settings, needed for first apigateway deployment only
resource "aws_api_gateway_account" "settings" {
cloudwatch_role_arn = aws_iam_role.apigw-logging-role.arn
}
resource "aws_iam_role" "apigw-logging-role" {
name = "ApiGatewayLoggingRole"
assume_role_policy = data.aws_iam_policy_document.apigw-logging-role.json
}
data "aws_iam_policy_document" "apigw-logging-role" {
statement {
effect = "Allow"
principals {
type = "Service"
identifiers = ["apigateway.amazonaws.com"]
}
actions = ["sts:AssumeRole"]
}
}
resource "aws_iam_role_policy_attachment" "apigw-cloudwatch" {
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
role = aws_iam_role.apigw-logging-role.id
}

61
modules/ApplicationIntegration/apigw-lambda/main.tf
View File

@ -82,61 +82,6 @@ resource "aws_api_gateway_method_settings" "apigw-method-settings" {
} }
} }
# apigateway account setting
data "aws_iam_roles" "check-if-cwl-role-exists" {
name_regex = "^ApiGatewayLoggingRole$"
}
resource "aws_api_gateway_account" "settings" {
count = length(data.aws_iam_roles.check-if-cwl-role-exists.arns) >= 1 ? 0 : 1
cloudwatch_role_arn = aws_iam_role.apigw-logging-role[0].arn
}
resource "aws_iam_role" "apigw-logging-role" {
count = length(data.aws_iam_roles.check-if-cwl-role-exists.arns) >= 1 ? 0 : 1
name = "ApiGatewayLoggingRole"
assume_role_policy = data.aws_iam_policy_document.apigw-logging-role.json
}
data "aws_iam_policy_document" "apigw-logging-role" {
statement {
effect = "Allow"
principals {
type = "Service"
identifiers = ["apigateway.amazonaws.com"]
}
actions = ["sts:AssumeRole"]
}
}
data "aws_iam_policy_document" "cloudwatch" {
statement {
effect = "Allow"
actions = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents",
]
resources = ["*"]
}
}
resource "aws_iam_role_policy" "cloudwatch" {
count = length(data.aws_iam_roles.check-if-cwl-role-exists.arns) >= 1 ? 0 : 1
name = "AllowLoggingFromApiGateway"
role = aws_iam_role.apigw-logging-role[0].id
policy = data.aws_iam_policy_document.cloudwatch.json
}
# Cloudwatch log group path: API-Gateway-Execution-Logs_{rest-api-id}/{stage_name} # Cloudwatch log group path: API-Gateway-Execution-Logs_{rest-api-id}/{stage_name}
resource "aws_cloudwatch_log_group" "this" { resource "aws_cloudwatch_log_group" "this" {
name = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.api.id}/${var.stage-name}" name = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.api.id}/${var.stage-name}"
@ -145,6 +90,12 @@ resource "aws_cloudwatch_log_group" "this" {
} }
# lambda function # lambda function
resource "aws_cloudwatch_log_group" "lambda-logs" {
name = "/aws/lambda/${var.name}-lambda-function"
retention_in_days = var.cloudwatchlog-retention
kms_key_id = var.cwl-cmk-key-id
}
resource "aws_lambda_function" "function" { resource "aws_lambda_function" "function" {
filename = var.lambda-archive-file filename = var.lambda-archive-file
function_name = "${var.name}-lambda-function" function_name = "${var.name}-lambda-function"