diff --git a/README.md b/README.md
index d01a18d..95ebe1b 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ This Lambda Function forwards subject & body of SNS messages to CloudWatch Log G
 ``` ruby
 module "sns_logger" {
 source = "robertpeteuil/sns-to-cloudwatch-logs-lambda/aws"
- version = "0.2.3"
+ version = "0.2.5"
 aws_region = "us-west-2"
 sns_topic_name = "projectx-logging"
diff --git a/main.tf b/main.tf
index 0f670dd..da2e2c4 100644
--- a/main.tf
+++ b/main.tf
@@ -1,17 +1,16 @@
-# -------------------------------------------------------------------------------------------------------------
+# -----------------------------------------------------------------
 # AWS SNS TO CLOUDWATCH LOGS LAMBDA GATEWAY
-# -------------------------------------------------------------------------------------------------------------
+# -----------------------------------------------------------------
-# Only tested on Terraform 0.11.1+
 terraform {
- required_version = ">= 0.11.1"
+ required_version = "~> 0.11.7"
 }
-# -------------------------------------------------------------------------------------------------------------
+# -----------------------------------------------------------------
 # CREATE LAMBDA FUNCTION - SNS TO CLOUDWATCH LOGS GATEWAY
-# environment variables used for the log_group and log_stream so they aren't hardcoded into the function
-# function can be published (versioned) by setting the optional lambda_publish_func flag
-# -------------------------------------------------------------------------------------------------------------
+# environment variables used for the 'log_group' and 'log_stream'
+# function published if 'lambda_publish_func' set
+# -----------------------------------------------------------------
 resource "aws_lambda_function" "sns_cloudwatchlog" {
 function_name = "${var.lambda_func_name}"
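Review bot: `required_version = "~> 0.11.7"` tightens the constraint from `>= 0.11.1` to the 0.11.7–0.11.x range, which drops support for anyone on 0.11.1–0.11.6, and the README hunk only bumps the module version to 0.2.5 without mentioning the new floor. The removed line `# Only tested on Terraform 0.11.1+` was the only place the reasoning was recorded, so the pin now has no stated justification. If the pin is deliberate, keep a one-line reason above the block, e.g. `# Pinned to 0.11.x: the split aws_lambda_permission blocks below rely on pre-0.12 conditional handling`, which matches the 0.12 remarks in the later comment headers, and call the requirement change out in the README.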
@@ -36,12 +35,11 @@ resource "aws_lambda_function" "sns_cloudwatchlog" {
 }
 }
-# -------------------------------------------------------------------------------------------------------------
+# -----------------------------------------------------------------
 # SNS TOPIC
-# create new topic if create_sns_topic == true
-# otherwise retrieve existing topic metadata
-# topic arn used in "lambda_permssion" and "aws_sns_topic_subscription"
-# -------------------------------------------------------------------------------------------------------------
+# create new topic (if create_sns_topic set), else use existing topic
+# arn referenced by "lambda_permssion" and "aws_sns_topic_subscription"
+# -----------------------------------------------------------------
 # create if specified
 resource "aws_sns_topic" "sns_log_topic" {
@@ -49,16 +47,16 @@ resource "aws_sns_topic" "sns_log_topic" {
 name = "${var.sns_topic_name}"
 }
-# find existing if not creating
+# retrieve topic if not created, arn referenced
 data "aws_sns_topic" "sns_log_topic" {
 count = "${var.create_sns_topic ? 0 : 1}"
 name = "${var.sns_topic_name}"
 }
-# -------------------------------------------------------------------------------------------------------------
+# -----------------------------------------------------------------
 # CLOUDWATCH LOG GROUP
-# create new log_group if create_log_group == true
-# -------------------------------------------------------------------------------------------------------------
+# create new log_group (if create_log_group set)
+# -----------------------------------------------------------------
 resource "aws_cloudwatch_log_group" "sns_logged_item_group" {
 count = "${var.create_log_group ? 1 : 0}"
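Review bot: The rewritten line `+# arn referenced by "lambda_permssion" and "aws_sns_topic_subscription"` carries the old misspelling forward and pairs a non-existent name with a real resource type, so a reader grepping for the consumer of the arn finds nothing. The consistent form is `# arn referenced by "aws_lambda_permission" and "aws_sns_topic_subscription"`. In the second hunk, `+# retrieve topic if not created, arn referenced` no longer says by what; `# retrieve existing topic when create_sns_topic is false; its arn feeds the subscription and permission blocks` keeps the information the removed comment had.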
@@ -66,42 +64,40 @@ resource "aws_cloudwatch_log_group" "sns_logged_item_group" {
 retention_in_days = "${var.log_group_retention_days}"
 }
-# retrieve metadata for log group if no created, so arn can be included in outputs
+# retrieve log group if not created, arn included in outputs
 data "aws_cloudwatch_log_group" "sns_logged_item_group" {
 count = "${var.create_log_group ? 0 : 1}"
 name = "${var.log_group_name}"
 }
-# -------------------------------------------------------------------------------------------------------------
-# CLOUDWATCH LOG STREAM IF create_log_stream == true
-# stream created in log_group specified or created
-# -------------------------------------------------------------------------------------------------------------
+# -----------------------------------------------------------------
+# CLOUDWATCH LOG STREAM
+# created new log stream (if create_log_stream set)
+# -----------------------------------------------------------------
+# create stream in log_group previously created or specified
 resource "aws_cloudwatch_log_stream" "sns_logged_item_stream" {
 count = "${var.create_log_stream ? 1 : 0}"
 name = "${var.log_stream_name}"
 log_group_name = "${var.create_log_group ? join("", aws_cloudwatch_log_group.sns_logged_item_group.*.name) : var.log_group_name}"
 }
-# -------------------------------------------------------------------------------------------------------------
+# -----------------------------------------------------------------
 # SUBSCRIBE LAMBDA FUNCTION TO SNS TOPIC
-# Lambda function subscription to sns topic
-# -------------------------------------------------------------------------------------------------------------
+# -----------------------------------------------------------------
 resource "aws_sns_topic_subscription" "lambda" {
 topic_arn = "${var.create_sns_topic ? join("", aws_sns_topic.sns_log_topic.*.arn) : join("", data.aws_sns_topic.sns_log_topic.*.arn)}"
 protocol = "lambda"
- endpoint = "${var.lambda_publish_func ?
aws_lambda_function.sns_cloudwatchlog.qualified_arn : aws_lambda_function.sns_cloudwatchlog.arn}"
+ endpoint = "${var.lambda_publish_func ? aws_lambda_function.sns_cloudwatchlog.qualified_arn : aws_lambda_function.sns_cloudwatchlog.arn}"
 }
-# -------------------------------------------------------------------------------------------------------------
-# ENABLE SNS TOPIC AS LAMBDA FUNCTION TRIGGER
-# use multiple resource blocks as condition parameters aren't possible until Terraform v0.12.0
-# -------------------------------------------------------------------------------------------------------------
-
 # -----------------------------------------------------------------
-# function published - "qualifier" parameter set to function version
+# ENABLE SNS TOPIC AS LAMBDA FUNCTION TRIGGER
+# multiple resource blockss until 'null' parameter feature in Terraform v0.12.0
 # -----------------------------------------------------------------
+
+# function published - "qualifier" set to function version
 resource "aws_lambda_permission" "sns_cloudwatchlog_published" {
 count = "${var.lambda_publish_func ? 1 : 0}"
 statement_id = "AllowExecutionFromSNS"
@@ -112,9 +108,7 @@ resource "aws_lambda_permission" "sns_cloudwatchlog_published" {
 qualifier = "${aws_lambda_function.sns_cloudwatchlog.version}"
 }
-# -----------------------------------------------------------------
-# function not published - "qualifier" parameter not be set
-# -----------------------------------------------------------------
+# function not published - dont specify "qualifier" parameter
 resource "aws_lambda_permission" "sns_cloudwatchlog" {
 count = "${var.lambda_publish_func ? 0 : 1}"
 statement_id = "AllowExecutionFromSNS"
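Review bot: Three of the rewritten comment lines introduce typos that the old text did not have: `+# created new log stream (if create_log_stream set)` should read `create new log stream`, `+# multiple resource blockss until 'null' parameter feature in Terraform v0.12.0` should read `blocks`, and `+# function not published - dont specify "qualifier" parameter` should read `don't`. The same `blockss` and `dont` lines recur in the `@@ -208,14` and `@@ -227,9` hunks for the warmer permissions, so fix all four together. The joined `endpoint = ...` line is a pure reflow of the two-line ternary and changes nothing, and the `aws_lambda_permission` blocks in these hunks are cut off before their `principal`/`source_arn` lines, so their scoping is reviewed in the next hunk rather than here.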
@@ -124,30 +118,24 @@ resource "aws_lambda_permission" "sns_cloudwatchlog" {
 source_arn = "${var.create_sns_topic ? join("", aws_sns_topic.sns_log_topic.*.arn) : join("", data.aws_sns_topic.sns_log_topic.*.arn)}"
 }
-# -------------------------------------------------------------------------------------------------------------
+# -------------------------------------------------------------------------------------
 # CREATE IAM ROLE AND POLICIES FOR LAMBDA FUNCTION
-# -------------------------------------------------------------------------------------------------------------
+# -------------------------------------------------------------------------------------
-# -----------------------------------------------------------------
-# Create base IAM role
-# -----------------------------------------------------------------
+# Create IAM role
 resource "aws_iam_role" "lambda_cloudwatch_logs" {
 name = "lambda_${lower(var.lambda_func_name)}"
 assume_role_policy = "${data.aws_iam_policy_document.lambda_cloudwatch_logs.json}"
 }
-# -----------------------------------------------------------------
-# Add policy enabling access to other AWS services
-# -----------------------------------------------------------------
+# Add base Lambda Execution policy
 resource "aws_iam_role_policy" "lambda_cloudwatch_logs_polcy" {
 name = "lambda_${lower(var.lambda_func_name)}_policy"
 role = "${aws_iam_role.lambda_cloudwatch_logs.id}"
 policy = "${data.aws_iam_policy_document.lambda_cloudwatch_logs_policy.json}"
 }
-# -----------------------------------------------------------------
-# JSON POLICY - execution
-# -----------------------------------------------------------------
+# JSON POLICY - assume role
 data "aws_iam_policy_document" "lambda_cloudwatch_logs" {
 statement {
 actions = ["sts:AssumeRole"]
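Review bot: The two added rule lines `+# -------------------------------------------------------------------------------------` in this hunk are wider than the 65-dash divider every other section in the commit is normalised to, so this is the one header that still breaks the layout the commit sets out to fix; shorten them to `# -----------------------------------------------------------------`. The rename to `# JSON POLICY - assume role` is an improvement, since the document's visible statement is `actions = ["sts:AssumeRole"]` and the old "execution" label was wrong. The companion document `lambda_cloudwatch_logs_policy`, which the new comment `+# Add base Lambda Execution policy` now labels as the minimal execution grant, has its `actions` and resources past the end of the next hunk, so whether it is scoped to the function's log group rather than a wildcard cannot be confirmed from this diff and is worth a glance while the labels are being rewritten. The `data "aws_iam_policy_document" "lambda_cloudwatch_logs"` block continues beyond the hunk.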
@@ -159,9 +147,7 @@ data "aws_iam_policy_document" "lambda_cloudwatch_logs" {
 }
 }
-# -----------------------------------------------------------------
-# JSON POLICY - enable access to other AWS services
-# -----------------------------------------------------------------
+# JSON POLICY - base Lambda Execution policy
 data "aws_iam_policy_document" "lambda_cloudwatch_logs_policy" {
 statement {
 actions = [
@@ -174,13 +160,11 @@ data "aws_iam_policy_document" "lambda_cloudwatch_logs_policy" {
 }
 }
-# -------------------------------------------------------------------------------------------------------------
-# CREATE CLOUDWATCH TRIGGER EVENT TO PERIODICALLY CONTACT THE LAMBDA FUNCTION AND PREVENT IT FROM SUSPENDING
-# -------------------------------------------------------------------------------------------------------------
-
 # -----------------------------------------------------------------
-# create cloudwatch event to run every 15 minutes
+# CREATE CLOUDWATCH EVENT TO PREVENT LAMBDA FUNCTION SUSPENSION
 # -----------------------------------------------------------------
+
+# create cloudwatch event to run every 15 minutes
 resource "aws_cloudwatch_event_rule" "warmer" {
 count = "${var.create_warmer_event ? 1 : 0}"
@@ -189,9 +173,7 @@ resource "aws_cloudwatch_event_rule" "warmer" {
 schedule_expression = "rate(15 minutes)"
 }
-# -----------------------------------------------------------------
-# set event target as sns_to_cloudwatch_logs lambda function
-# -----------------------------------------------------------------
+# set event target as sns_to_cloudwatch_logs lambda function
 resource "aws_cloudwatch_event_target" "warmer" {
 count = "${var.create_warmer_event ? 1 : 0}"
@@ -208,14 +190,12 @@ resource "aws_cloudwatch_event_target" "warmer" {
 JSON
 }
-# -------------------------------------------------------------------------------------------------------------
-# ENABLE CLOUDWATCH EVENT AS LAMBDA FUNCTION TRIGGER
-# use multiple resource blocks as condition parameters aren't possible until Terraform v0.12.0
-# -------------------------------------------------------------------------------------------------------------
-
 # -----------------------------------------------------------------
-# function published - "qualifier" parameter set to function version
+# ENABLE CLOUDWATCH EVENT AS LAMBDA FUNCTION TRIGGER
+# multiple resource blockss until 'null' parameter feature in Terraform v0.12.0
 # -----------------------------------------------------------------
+
+# function published - "qualifier" set to function version
 resource "aws_lambda_permission" "warmer_published" {
 count = "${var.create_warmer_event ? var.lambda_publish_func ? 1 : 0 : 0}"
@@ -227,9 +207,7 @@ resource "aws_lambda_permission" "warmer_published" {
 qualifier = "${aws_lambda_function.sns_cloudwatchlog.version}"
 }
-# -----------------------------------------------------------------
-# function not published - "qualifier" parameter not be set
-# -----------------------------------------------------------------
+# function not published - dont specify "qualifier" parameter
 resource "aws_lambda_permission" "warmer" {
 count = "${var.create_warmer_event ? var.lambda_publish_func ? 0 : 1 : 0}"
diff --git a/outputs.tf b/outputs.tf
index bc2ec45..fc0c204 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,9 +1,9 @@
-# -------------------------------------------------------------------------------------------------------------
+# -----------------------------------------------------------------
 # AWS SNS TO CLOUDWATCH LOGS LAMBDA GATEWAY - OUTPUTS
-# -------------------------------------------------------------------------------------------------------------
+# -----------------------------------------------------------------
 output "lambda_name" {
- description = "Name assigned to the Lambda Function."
+ description = "Name assigned to Lambda Function."
 value = "${var.lambda_func_name}"
 }
@@ -18,7 +18,7 @@ output "lambda_version" {
 }
 output "lambda_last_modified" {
- description = "The date the Lambda Function was last modified."
+ description = "The date Lambda Function was last modified."
 value = "${aws_lambda_function.sns_cloudwatchlog.last_modified}"
 }
diff --git a/variables.tf b/variables.tf
index 3240aae..e4a5b76 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,48 +1,46 @@
-# -------------------------------------------------------------------------------------------------------------
+# -----------------------------------------------------------------
 # REQUIRED VARIABLES WITHOUT DEFAULT VALUES
-# -------------------------------------------------------------------------------------------------------------
+# -----------------------------------------------------------------
 variable aws_region {
 type = "string"
- description = "Region where AWS resources will be created and used."
+ description = "Region where AWS resources will be created."
 }
 variable sns_topic_name {
 type = "string"
- description = "Name of SNS Topic to be logged to CloudWatch Logs."
+ description = "Name of SNS Topic logging to CloudWatch Log."
 }
 variable log_group_name {
 type = "string"
- description = "Name of CloudWatch Log Group to create or use."
+ description = "Name of CloudWatch Log Group created or used (if previously created)."
 }
 variable log_stream_name {
 type = "string"
- description = "Name of CloudWatch Log Stream to create or use. If using an existing stream, it must exist in the Log group specified in 'log_group_name'."
+ description = "Name of CloudWatch Log Stream created or used (if previously created). If using an existing stream it must exist in the Log group specified in 'log_group_name'."
 }
-# -------------------------------------------------------------------------------------------------------------
-# VARIABLES DEFINITIONS WITH DEFAULT VALUES
-# -------------------------------------------------------------------------------------------------------------
-
 # -----------------------------------------------------------------
-# SNS, LOG GROUP, LOG STREAM
+# VARIABLES DEFINITIONS WITH DEFAULT VALUES
 # -----------------------------------------------------------------
+# SNS TOPIC, LOG GROUP, LOG STREAM
+
 variable create_sns_topic {
 default = true
- description = "Boolean flag that determines if SNS topic: 'sns_topic_name' is created. If 'false' it uses an existing topic of that name."
+ description = "Boolean flag that determines if SNS topic, 'sns_topic_name' is created. If 'false' it uses an existing topic of that name."
 }
 variable create_log_group {
 default = true
- description = "Boolean flag that determines if log group: 'log_group_name' is created. If 'false' it uses an existing group of that name."
+ description = "Boolean flag that determines if log group, 'log_group_name' is created. If 'false' it uses an existing group of that name."
 }
 variable create_log_stream {
 default = true
- description = "Boolean flag that determines if log stream: 'log_stream_name' is created. If 'false' it uses an existing stream of that name."
+ description = "Boolean flag that determines if log stream, 'log_stream_name' is created. If 'false' it uses an existing stream of that name."
 }
 variable log_group_retention_days {
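Review bot: `+ description = "Name of SNS Topic logging to CloudWatch Log."` inverts the relationship the removed line stated correctly: the topic does not log anything, its messages are what gets written, and the service is CloudWatch Logs; suggest `description = "Name of the SNS Topic whose messages are logged to CloudWatch Logs."`. The rewritten `+ description = "Name of CloudWatch Log Group created or used (if previously created)."` is hard to parse because "created or used" and "if previously created" pull in opposite directions; `"Name of the CloudWatch Log Group to create, or of an existing group when create_log_group is false."` ties the wording to the flag this same hunk documents. The `log_stream_name` description in this hunk has the identical construction and would benefit from the same rewrite against `create_log_stream`.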
@@ -50,30 +48,28 @@ variable log_group_retention_days {
 description = "Number of days to retain data in the log group (0 = always retain)."
 }
-# -----------------------------------------------------------------
 # LAMBDA FUNCTION
-# -----------------------------------------------------------------
 variable lambda_func_name {
 type = "string"
 default = "SNStoCloudWatchLogs"
- description = "Name to assign to the Lambda Function."
+ description = "Name to assign to Lambda Function."
 }
 variable lambda_description {
 type = "string"
 default = "Route SNS messages to CloudWatch Logs"
- description = "Description to assign to the Lambda Function."
+ description = "Description to assign to Lambda Function."
 }
 variable lambda_publish_func {
 default = false
- description = "Boolean flag that determines if the Lambda function is published as a version."
+ description = "Boolean flag that determines if Lambda function is published as a version."
 }
 variable create_warmer_event {
 default = false
- description = "Boolean flag that determines if a CloudWatch Trigger event is created to prevent the Lambda function from suspending."
+ description = "Boolean flag that determines if a CloudWatch Trigger event is created to prevent Lambda function from suspending."
 }
 variable lambda_timeout {