Move log permissions into separate submodule and use from root module.

tobyclemson · tobyclemson · commit 218c356c93f2 · 2022-06-07T11:59:39.000+01:00
diff --git a/modules/log_permissions/account.tf b/modules/log_permissions/account.tf
@@ -0,0 +1,3 @@
+resource "aws_api_gateway_account" "api_gateway_account" {
+  cloudwatch_role_arn = aws_iam_role.api_gateway_logging_role.arn
+}
diff --git a/modules/log_permissions/iam.tf b/modules/log_permissions/iam.tf
@@ -0,0 +1,43 @@
+data "aws_iam_policy_document" "api_gateway_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = [
+        "apigateway.amazonaws.com"
+      ]
+      type = "Service"
+    }
+
+    effect = "Allow"
+  }
+}
+
+data "aws_iam_policy_document" "api_gateway_logging_policy" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
+      "logs:PutLogEvents",
+      "logs:GetLogEvents",
+      "logs:FilterLogEvents"
+    ]
+    resources = [
+      "*"
+    ]
+  }
+}
+
+resource "aws_iam_role" "api_gateway_logging_role" {
+  name = "api-gateway-logging-role"
+  assume_role_policy = data.aws_iam_policy_document.api_gateway_assume_role_policy.json
+}
+
+resource "aws_iam_role_policy" "api_gateway_logging_role_policy" {
+  name = "api-gateway-logging-policy"
+  role = aws_iam_role.api_gateway_logging_role.name
+  policy = data.aws_iam_policy_document.api_gateway_logging_policy.json
+}
diff --git a/modules/log_permissions/outputs.tf b/modules/log_permissions/outputs.tf
@@ -0,0 +1,19 @@
+output "logging_role_id" {
+  value = aws_iam_role.api_gateway_logging_role.id
+}
+
+output "logging_role_arn" {
+  value = aws_iam_role.api_gateway_logging_role.arn
+}
+
+output "logging_role_name" {
+  value = aws_iam_role.api_gateway_logging_role.name
+}
+
+output "logging_role_policy_id" {
+  value = aws_iam_role_policy.api_gateway_logging_role_policy.id
+}
+
+output "logging_role_policy_name" {
+  value = aws_iam_role_policy.api_gateway_logging_role_policy.name
+}
diff --git a/modules/log_permissions/terraform.tf b/modules/log_permissions/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
+}
diff --git a/modules/log_permissions/variables.tf b/modules/log_permissions/variables.tf
diff --git a/modules/stage/log_group.tf b/modules/stage/log_group.tf
@@ -1,51 +1,3 @@
 resource "aws_cloudwatch_log_group" "access_logs" {
   name = "/${var.component}/${var.deployment_identifier}/api-gateway/${local.sanitised_name}"
 }
-
-data "aws_iam_policy_document" "api_gateway_assume_role_policy" {
-  statement {
-    actions = ["sts:AssumeRole"]
-
-    principals {
-      identifiers = [
-        "apigateway.amazonaws.com"
-      ]
-      type = "Service"
-    }
-
-    effect = "Allow"
-  }
-}
-
-data "aws_iam_policy_document" "api_gateway_logging_policy" {
-  statement {
-    effect = "Allow"
-    actions = [
-      "logs:CreateLogGroup",
-      "logs:CreateLogStream",
-      "logs:DescribeLogGroups",
-      "logs:DescribeLogStreams",
-      "logs:PutLogEvents",
-      "logs:GetLogEvents",
-      "logs:FilterLogEvents"
-    ]
-    resources = [
-      "*"
-    ]
-  }
-}
-
-resource "aws_iam_role" "api_gateway_logging_role" {
-  name = "api-gateway-logging-role-${var.component}-${var.deployment_identifier}-${local.sanitised_name}"
-  assume_role_policy = data.aws_iam_policy_document.api_gateway_assume_role_policy.json
-}
-
-resource "aws_iam_role_policy" "api_gateway_logging_role_policy" {
-  name = "api-gateway-logging-policy-${var.component}-${var.deployment_identifier}-${local.sanitised_name}"
-  role = aws_iam_role.api_gateway_logging_role.name
-  policy = data.aws_iam_policy_document.api_gateway_logging_policy.json
-}
-
-resource "aws_api_gateway_account" "api_gateway_account" {
-  cloudwatch_role_arn = aws_iam_role.api_gateway_logging_role.arn
-}
diff --git a/permissions.tf b/permissions.tf
@@ -0,0 +1,3 @@
+module "log_permissions" {
+  source = "./modules/log_permissions"
+}
diff --git a/stages.tf b/stages.tf
@@ -16,10 +16,11 @@ module "default_stage" {
 
   tags = var.tags
 
+  enable_auto_deploy   = local.enable_default_stage_auto_deploy
+
   include_default_tags = local.include_default_tags
   include_domain_name  = local.include_default_stage_domain_name
   include_dns_record   = local.include_default_stage_dns_record
-  enable_auto_deploy   = local.enable_default_stage_auto_deploy
 
   providers = {
     aws = aws

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+resource "aws_api_gateway_account" "api_gateway_account" {`
	`2`	`+ cloudwatch_role_arn = aws_iam_role.api_gateway_logging_role.arn`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+module "log_permissions" {`
	`2`	`+ source = "./modules/log_permissions"`
	`3`	`+}`