UPD: moved apigw-cloudwatch role outside of this module

2024-03-04 12:26:25 +08:00 · 2024-03-04 12:26:25 +08:00 · cd170c0f78
commit cd170c0f78
parent 7383f66749
2 changed files with 33 additions and 55 deletions
--- a/modules/ApplicationIntegration/apigw-lambda/examples/main.tf
+++ b/modules/ApplicationIntegration/apigw-lambda/examples/main.tf
@ -26,3 +26,30 @@ data "archive_file" "lambda" {
  type        = "zip"
 }

+# apigateway account settings, needed for first apigateway deployment only
+resource "aws_api_gateway_account" "settings" {
+  cloudwatch_role_arn = aws_iam_role.apigw-logging-role.arn
+}
+
+resource "aws_iam_role" "apigw-logging-role" {
+  name               = "ApiGatewayLoggingRole"
+  assume_role_policy = data.aws_iam_policy_document.apigw-logging-role.json
+}
+
+data "aws_iam_policy_document" "apigw-logging-role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["apigateway.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "apigw-cloudwatch" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+  role       = aws_iam_role.apigw-logging-role.id
+}
--- a/modules/ApplicationIntegration/apigw-lambda/main.tf
+++ b/modules/ApplicationIntegration/apigw-lambda/main.tf
@ -82,61 +82,6 @@ resource "aws_api_gateway_method_settings" "apigw-method-settings" {
  }
 }

-# apigateway account setting
-data "aws_iam_roles" "check-if-cwl-role-exists" {
-  name_regex = "^ApiGatewayLoggingRole$"
-}
-
-resource "aws_api_gateway_account" "settings" {
-  count               = length(data.aws_iam_roles.check-if-cwl-role-exists.arns) >= 1 ? 0 : 1
-  cloudwatch_role_arn = aws_iam_role.apigw-logging-role[0].arn
-}
-
-resource "aws_iam_role" "apigw-logging-role" {
-  count              = length(data.aws_iam_roles.check-if-cwl-role-exists.arns) >= 1 ? 0 : 1
-  name               = "ApiGatewayLoggingRole"
-  assume_role_policy = data.aws_iam_policy_document.apigw-logging-role.json
-}
-
-data "aws_iam_policy_document" "apigw-logging-role" {
-  statement {
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["apigateway.amazonaws.com"]
-    }
-
-    actions = ["sts:AssumeRole"]
-  }
-}
-
-data "aws_iam_policy_document" "cloudwatch" {
-  statement {
-    effect = "Allow"
-
-    actions = [
-      "logs:CreateLogGroup",
-      "logs:CreateLogStream",
-      "logs:DescribeLogGroups",
-      "logs:DescribeLogStreams",
-      "logs:PutLogEvents",
-      "logs:GetLogEvents",
-      "logs:FilterLogEvents",
-    ]
-
-    resources = ["*"]
-  }
-}
-
-resource "aws_iam_role_policy" "cloudwatch" {
-  count  = length(data.aws_iam_roles.check-if-cwl-role-exists.arns) >= 1 ? 0 : 1
-  name   = "AllowLoggingFromApiGateway"
-  role   = aws_iam_role.apigw-logging-role[0].id
-  policy = data.aws_iam_policy_document.cloudwatch.json
-}
-
-
 # Cloudwatch log group path: API-Gateway-Execution-Logs_{rest-api-id}/{stage_name}
 resource "aws_cloudwatch_log_group" "this" {
  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.api.id}/${var.stage-name}"
@ -145,6 +90,12 @@ resource "aws_cloudwatch_log_group" "this" {
 }

 # lambda function
+resource "aws_cloudwatch_log_group" "lambda-logs" {
+  name              = "/aws/lambda/${var.name}-lambda-function"
+  retention_in_days = var.cloudwatchlog-retention
+  kms_key_id        = var.cwl-cmk-key-id
+}
+
 resource "aws_lambda_function" "function" {
  filename      = var.lambda-archive-file
  function_name = "${var.name}-lambda-function"