Merge pull request #61 from scribd/fix-policy-size

zbstof · web-flow · commit f9701303cfbb · 2024-09-30T16:07:37.000+03:00
fix: Work around the limit in lambda policy size
diff --git a/locals.tf b/locals.tf
@@ -5,4 +5,5 @@ locals {
     namespace = var.namespace
     terraform = "true"
   }
+  log_groups_to_use = length(var.log_group_prefixes) > 0 ? var.log_group_prefixes : var.cloudwatch_log_groups
 }
diff --git a/logs_monitoring_cloudwatch_log.tf b/logs_monitoring_cloudwatch_log.tf
@@ -8,10 +8,12 @@ resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter
 }
 
 resource "aws_lambda_permission" "allow_cloudwatch_logs_to_call_dd_lambda_handler" {
-  for_each      = { for lg in var.cloudwatch_log_groups : lg => lg }
+  for_each      = { for lg in local.log_groups_to_use : lg => lg }
   statement_id  = "${substr(replace(each.value, "/", "_"), 0, 67)}-AllowExecutionFromCloudWatchLogs"
   action        = "lambda:InvokeFunction"
   function_name = aws_cloudformation_stack.datadog-forwarder.outputs.DatadogForwarderArn
   principal     = "logs.${var.aws_region}.amazonaws.com"
-  source_arn    = "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:log-group:${each.value}:*"
+  source_arn = (length(var.log_group_prefixes) > 0 ?
+    "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:log-group:${each.value}*" :
+  "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:log-group:${each.value}:*")
 }
diff --git a/vars.tf b/vars.tf
@@ -37,6 +37,11 @@ variable "cloudwatch_log_groups" {
   type        = list(string)
   default     = []
 }
+variable "log_group_prefixes" {
+  description = "List of CloudWatch Log Group prefixes to create lambda permissions"
+  type        = list(string)
+  default     = []
+}
 variable "enable_datadog_aws_integration" {
   description = "Use datadog provider to give datadog aws account access to our resources"
   type        = bool

Original file line number	Diff line number	Diff line change
`@@ -5,4 +5,5 @@ locals {`
`5`	`5`	`namespace = var.namespace`
`6`	`6`	`terraform = "true"`
`7`	`7`	`}`
	`8`	`+ log_groups_to_use = length(var.log_group_prefixes) > 0 ? var.log_group_prefixes : var.cloudwatch_log_groups`
`8`	`9`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,10 +8,12 @@ resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter`
`8`	`8`	`}`
`9`	`9`
`10`	`10`	`resource "aws_lambda_permission" "allow_cloudwatch_logs_to_call_dd_lambda_handler" {`
`11`		`- for_each = { for lg in var.cloudwatch_log_groups : lg => lg }`
	`11`	`+ for_each = { for lg in local.log_groups_to_use : lg => lg }`
`12`	`12`	`statement_id = "${substr(replace(each.value, "/", "_"), 0, 67)}-AllowExecutionFromCloudWatchLogs"`
`13`	`13`	`action = "lambda:InvokeFunction"`
`14`	`14`	`function_name = aws_cloudformation_stack.datadog-forwarder.outputs.DatadogForwarderArn`
`15`	`15`	`principal = "logs.${var.aws_region}.amazonaws.com"`
`16`		`- source_arn = "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:log-group:${each.value}:*"`
	`16`	`+ source_arn = (length(var.log_group_prefixes) > 0 ?`
	`17`	`+ "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:log-group:${each.value}*" :`
	`18`	`+ "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:log-group:${each.value}:*")`
`17`	`19`	`}`