enha: added advanced logging configuration

Kilian · Kilian · commit a8260a83dbd4 · 2024-03-08T10:31:39.000+01:00
diff --git a/README.md b/README.md
@@ -21,17 +21,17 @@ This module provides a Lambda function which logs to CloudWatch. If no image URI
 
 ## Inputs
 
-| Name          | Description                                                                 | Type           | Default | Required |
-| ------------- | --------------------------------------------------------------------------- | -------------- | ------- | :------: |
-| identifier    | Unique identifier to differentiate global resources.                        | `string`       | n/a     |   yes    |
-| policies      | List of IAM policy ARNs for the Lambda's IAM role.                          | `list(string)` | []      |    no    |
-| vpc_config    | Object to define the subnets and security groups for the Lambda function.   | `object`       | null    |    no    |
-| log           | A flag for make the Lambda function submit logs to CloudWatch.              | `bool`         | false   |    no    |
-| image         | Object of the image which will be pulled by the Lambda function to execute. | `object`       | null    |    no    |
-| memory_size   | Amount of memory in MB the Lambda function can use at runtime.              | `number`       | 128     |    no    |
-| timeout       | Amount of time the Lambda function has to run in seconds.                   | `number`       | 3       |    no    |
-| env_variables | A map of environment variables for the Lambda function at runtime.          | `map(string)`  | {}      |    no    |
-| tags          | A map of tags to add to all resources.                                      | `map(string)`  | {}      |    no    |
+| Name          | Description                                                                  | Type           | Default | Required |
+| ------------- | ---------------------------------------------------------------------------- | -------------- | ------- | :------: |
+| identifier    | Unique identifier to differentiate global resources.                         | `string`       | n/a     |   yes    |
+| policies      | List of IAM policy ARNs for the Lambda's IAM role.                           | `list(string)` | []      |    no    |
+| vpc_config    | Object to define the subnets and security groups for the Lambda function.    | `object`       | null    |    no    |
+| log_config    | Object to define logging configuration of the Lambda function to CloudWatch. | `object`       | null    |    no    |
+| image         | Object of the image which will be pulled by the Lambda function to execute.  | `object`       | null    |    no    |
+| memory_size   | Amount of memory in MB the Lambda function can use at runtime.               | `number`       | 128     |    no    |
+| timeout       | Amount of time the Lambda function has to run in seconds.                    | `number`       | 3       |    no    |
+| env_variables | A map of environment variables for the Lambda function at runtime.           | `map(string)`  | {}      |    no    |
+| tags          | A map of tags to add to all resources.                                       | `map(string)`  | {}      |    no    |
 
 ### `vpc_config`
 
@@ -40,6 +40,12 @@ This module provides a Lambda function which logs to CloudWatch. If no image URI
 | subnets         | List of subnet IDs in which the Lambda function will run in. | `list(string)` | n/a     |   yes    |
 | security_groups | List of security group IDs the Lambda function will hold.    | `list(string)` | n/a     |   yes    |
 
+### `log_config`
+
+| Name              | Description                                                                                                                | Type     | Default | Required |
+| ----------------- | -------------------------------------------------------------------------------------------------------------------------- | -------- | ------- | :------: |
+| retention_in_days | Specifies the number of days the log events shall be retained. Valid values: 1, 3, 5, 7, 14, 30, 365 and 0 (never expire). | `number` | n/a     |   yes    |
+
 ### `image`
 
 | Name | Description       | Type     | Default | Required |
@@ -48,10 +54,11 @@ This module provides a Lambda function which logs to CloudWatch. If no image URI
 
 ## Outputs
 
-| Name       | Description                            |
-| ---------- | -------------------------------------- |
-| arn        | The ARN of the Lambda function.        |
-| invoke_arn | The invoke ARN of the Lambda function. |
+| Name           | Description                                                                     |
+| -------------- | ------------------------------------------------------------------------------- |
+| arn            | The ARN of the Lambda function.                                                 |
+| invoke_arn     | The invoke ARN of the Lambda function.                                          |
+| log_group_name | The name of the CloudWatch log group created for the Lambda function to log to. |
 
 ## Example
 
diff --git a/main.tf b/main.tf
@@ -1,3 +1,15 @@
+################################
+# CloudWatch                   #
+################################
+
+resource "aws_cloudwatch_log_group" "main" {
+  count             = var.log_config != null ? 1 : 0
+  name              = "/aws/lambda/${var.identifier}"
+  retention_in_days = try(var.log_config["retention_in_days"], null)
+
+  tags = var.tags
+}
+
 ################################
 # IAM Role                     #
 ################################
@@ -58,28 +70,27 @@ resource "aws_iam_role_policy_attachment" "vpc" {
 
 # for lambda that issues logs
 data "aws_iam_policy_document" "log" {
-  count = var.log ? 1 : 0
+  count = var.log_config != null ? 1 : 0
   statement {
     actions = [
-      "logs:CreateLogGroup",
       "logs:CreateLogStream",
       "logs:PutLogEvents"
     ]
 
-    resources = ["*"]
+    resources = [aws_cloudwatch_log_group.main[0].arn]
   }
 }
 
 resource "aws_iam_policy" "log" {
-  count  = var.log ? 1 : 0
+  count  = var.log_config != null ? 1 : 0
   name   = "${var.identifier}-CloudWatchCreateLog"
   policy = data.aws_iam_policy_document.log[0].json
 
   tags = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "log" {
-  count      = var.log ? 1 : 0
+  count      = var.log_config != null ? 1 : 0
   role       = aws_iam_role.main.name
   policy_arn = aws_iam_policy.log[0].arn
 }
@@ -121,5 +132,13 @@ resource "aws_lambda_function" "main" {
     }
   }
 
+  dynamic "logging_config" {
+    for_each = var.log_config != null ? [1] : []
+    content {
+      log_group  = aws_cloudwatch_log_group.main[0].arn
+      log_format = "Text"
+    }
+  }
+
   tags = var.tags
 }
diff --git a/outputs.tf b/outputs.tf
@@ -1,9 +1,14 @@
 output "arn" {
-  description = "ARN of the Lambda function."
-  value       = aws_lambda_function.main.arn
+  description = "The ARN of the Lambda function."
+  value       = try(aws_lambda_function.main.arn, null)
 }
 
 output "invoke_arn" {
-  description = "Invoke ARN of the Lambda function."
-  value       = aws_lambda_function.main.invoke_arn
+  description = "The invoke ARN of the Lambda function."
+  value       = try(aws_lambda_function.main.invoke_arn, null)
+}
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group created for the Lambda function to log to."
+  value       = try(aws_cloudwatch_log_group.main[0].name, null)
 }
diff --git a/tests/lambda.tftest.hcl b/tests/lambda.tftest.hcl
@@ -64,3 +64,27 @@ run "valid_vpc_config" {
     }
   }
 }
+
+run "invalid_retention_in_days" {
+  command = plan
+
+  variables {
+    identifier = "abc"
+    log_config = {
+      retention_in_days = 6
+    }
+  }
+
+  expect_failures = [var.log_config]
+}
+
+run "valid_log_config" {
+  command = plan
+
+  variables {
+    identifier = "abc"
+    log_config = {
+      retention_in_days = 365
+    }
+  }
+}
diff --git a/tests/policies.tftest.hcl b/tests/policies.tftest.hcl
@@ -29,7 +29,7 @@ run "without_log" {
 
   variables {
     identifier = "abc"
-    log        = false
+    log_config = null
   }
 
   assert {
@@ -48,7 +48,9 @@ run "with_log" {
 
   variables {
     identifier = "abc"
-    log        = true
+    log_config = {
+      retention_in_days = 7
+    }
   }
 
   assert {
diff --git a/variables.tf b/variables.tf
@@ -30,10 +30,23 @@ variable "vpc_config" {
   }
 }
 
-variable "log" {
-  description = "A flag for make the Lambda function submit logs to CloudWatch."
-  type        = bool
-  default     = false
+variable "log_config" {
+  description = "Object to define logging configuration of the Lambda function to CloudWatch."
+  type = object({
+    retention_in_days = number
+  })
+  default = null
+  validation {
+    condition = try(var.log_config["retention_in_days"], 1) == 1 || (
+      try(var.log_config["retention_in_days"], 3) == 3) || (
+      try(var.log_config["retention_in_days"], 5) == 5) || (
+      try(var.log_config["retention_in_days"], 7) == 7) || (
+      try(var.log_config["retention_in_days"], 14) == 14) || (
+      try(var.log_config["retention_in_days"], 30) == 30) || (
+      try(var.log_config["retention_in_days"], 365) == 365) || (
+    try(var.log_config["retention_in_days"], 0) == 0)
+    error_message = "Retention in days must be one of these values: 0, 1, 3, 5, 7, 14, 30, 365"
+  }
 }
 
 variable "image" {
