Create Cloudwatch log group

bashton-ajenkins · bashton-ajenkins · commit 064c560d4126 · 2020-02-27T12:32:37.000Z
Creates the Cloudwatch log group and allows setting it's options for
tags, retention, and KMS Key ID for encryption.
diff --git a/README.md b/README.md
@@ -23,6 +23,7 @@ This Terraform module creates and uploads an AWS Lambda function and hides the u
 | 1.x.x          | 0.12.x            |
 | 0.x.x          | 0.11.x            |
 
+
 ## Usage
 
 ```js
@@ -65,20 +66,60 @@ module "lambda" {
   }
 }
 ```
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Providers
 
-## Inputs
+| Name | Version |
+|------|---------|
+| aws | n/a |
+| external | n/a |
+| null | n/a |
 
-Inputs for this module are the same as the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource with the following additional arguments:
+## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|------|---------|----------|
-| **source\_path** | The absolute path to a local file or directory containing your Lambda source code | `string` | | yes |
+|------|-------------|------|---------|:-----:|
+| dead\_letter\_config | n/a | <pre>object({<br>    target_arn = string<br>  })</pre> | n/a | yes |
+| description | n/a | `string` | n/a | yes |
+| environment | n/a | <pre>object({<br>    variables = map(string)<br>  })</pre> | n/a | yes |
+| function\_name | n/a | `string` | n/a | yes |
+| handler | n/a | `string` | n/a | yes |
+| kms\_key\_arn | n/a | `string` | n/a | yes |
+| layers | n/a | `list(string)` | n/a | yes |
+| log\_group\_kms\_key\_id | The ID of a KMS key to use for encrypting the logs for the log group used by the Lambda if create\_log\_group is enabled. | `string` | n/a | yes |
+| log\_group\_retention | The retention time of the Cloudwatch Log group that the Lambda logs to if create\_log\_group is enabled. | `string` | n/a | yes |
+| log\_group\_tags | The tags to assign to the log group for the Lambda if create\_log\_group is enabled. This needs to be a list of maps of strings. | `list(map(string))` | n/a | yes |
+| memory\_size | n/a | `number` | n/a | yes |
+| policy | An additional policy to attach to the Lambda function role | <pre>object({<br>    json = string<br>  })</pre> | n/a | yes |
+| reserved\_concurrent\_executions | n/a | `number` | n/a | yes |
+| runtime | n/a | `string` | n/a | yes |
+| source\_path | The absolute path to a local file or directory containing your Lambda source code | `string` | n/a | yes |
+| tags | n/a | `map(string)` | n/a | yes |
+| tracing\_config | n/a | <pre>object({<br>    mode = string<br>  })</pre> | n/a | yes |
+| vpc\_config | n/a | <pre>object({<br>    security_group_ids = list(string)<br>    subnet_ids         = list(string)<br>  })</pre> | n/a | yes |
 | build\_command | The command to run to create the Lambda package zip file | `string` | `"python build.py '$filename' '$runtime' '$source'"` | no |
-| build\_paths | The files or directories used by the build command, to trigger new Lambda package builds whenever build scripts change | `list(string)` | `["build.py"]` | no |
+| build\_paths | The files or directories used by the build command, to trigger new Lambda package builds whenever build scripts change | `list(string)` | <pre>[<br>  "build.py"<br>]</pre> | no |
 | cloudwatch\_logs | Set this to false to disable logging your Lambda output to CloudWatch Logs | `bool` | `true` | no |
+| create\_log\_group | Whether or not to create the log group for the Lambda function. If the Lambda has been ran with logging enabled prior to this option being enabled Terraform will fail as the log group will already exist. In this case you will have to import the log group using a command like: terraform import module.lambda.aws\_cloudwatch\_log\_group.lambda /aws/lambda/lambda\_function\_name. Also note that if you disable this option or remove the module Terraform will want to remove the log group and it's associated logs. To keep the log group and its logs please ensure that you either remove module.lambda.aws\_cloudwatch\_log\_group.lambda from the state or move it to somewhere else in the state using either terraform state rm or terraform state mv. | `bool` | `false` | no |
 | lambda\_at\_edge | Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow edgelambda.amazonaws.com to invoke the function | `bool` | `false` | no |
-| policy | An additional policy to attach to the Lambda function role | `object({json=string})` | | no |
-| trusted\_entities | Additional trusted entities for the Lambda function. The lambda.amazonaws.com (and edgelambda.amazonaws.com if lambda\_at\_edge is true) is always set  | `list(string)` | | no |
+| publish | n/a | `bool` | `false` | no |
+| timeout | n/a | `number` | `3` | no |
+| trusted\_entities | Lambda function additional trusted entities for assuming roles (trust relationship) | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cloudwatch\_log\_group\_arn | The ARN of the log group created for this Lambda if logging is enabled. |
+| cloudwatch\_log\_group\_name | The name of the log group created for this Lambda if logging is enabled. |
+| function\_arn | The ARN of the Lambda function |
+| function\_invoke\_arn | The Invoke ARN of the Lambda function |
+| function\_name | The name of the Lambda function |
+| function\_qualified\_arn | The qualified ARN of the Lambda function |
+| role\_arn | The ARN of the IAM role created for the Lambda function |
+| role\_name | The name of the IAM role created for the Lambda function |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 The following arguments from the [aws_lambda_function](https://www.terraform.io/docs/providers/aws/r/lambda_function.html) resource are not supported:
 
diff --git a/lambda.tf b/lambda.tf
@@ -15,7 +15,7 @@ resource "aws_lambda_function" "lambda" {
   # Use a generated filename to determine when the source code has changed.
 
   filename   = data.external.built.result.filename
-  depends_on = [null_resource.archive]
+  depends_on = [null_resource.archive, aws_cloudwatch_log_group.lambda]
 
   # Add dynamic blocks based on variables.
 
diff --git a/logging.tf b/logging.tf
@@ -0,0 +1,7 @@
+resource "aws_cloudwatch_log_group" "lambda" {
+  count             = var.create_log_group == true ? 1 : 0
+  name              = "/aws/lambda/${var.function_name}"
+  retention_in_days = var.log_group_retention
+  kms_key_id        = var.log_group_kms_key_id
+  tags              = var.log_group_tags
+}
diff --git a/outputs.tf b/outputs.tf
@@ -27,3 +27,13 @@ output "role_name" {
   description = "The name of the IAM role created for the Lambda function"
   value       = aws_iam_role.lambda.name
 }
+
+output "cloudwatch_log_group_arn" {
+  description = "The ARN of the log group created for this Lambda if logging is enabled."
+  value       = aws_cloudwatch_log_group.lambda[0].arn
+}
+
+output "cloudwatch_log_group_name" {
+  description = "The name of the log group created for this Lambda if logging is enabled."
+  value       = aws_cloudwatch_log_group.lambda[0].name
+}
diff --git a/variables.tf b/variables.tf
@@ -37,6 +37,29 @@ variable "cloudwatch_logs" {
   default     = true
 }
 
+variable "create_log_group" {
+  description = "Whether or not to create the log group for the Lambda function. If the Lambda has been ran with logging enabled prior to this option being enabled Terraform will fail as the log group will already exist. In this case you will have to import the log group using a command like: terraform import module.lambda.aws_cloudwatch_log_group.lambda /aws/lambda/lambda_function_name. Also note that if you disable this option or remove the module Terraform will want to remove the log group and it's associated logs. To keep the log group and its logs please ensure that you either remove module.lambda.aws_cloudwatch_log_group.lambda from the state or move it to somewhere else in the state using either terraform state rm or terraform state mv."
+  type        = bool
+  default     = false
+}
+variable "log_group_retention" {
+  description = "The retention time of the Cloudwatch Log group that the Lambda logs to if create_log_group is enabled."
+  type        = string
+  default     = null
+}
+
+variable "log_group_kms_key_id" {
+  description = "The ID of a KMS key to use for encrypting the logs for the log group used by the Lambda if create_log_group is enabled."
+  type        = string
+  default     = null
+}
+
+variable "log_group_tags" {
+  description = "The tags to assign to the log group for the Lambda if create_log_group is enabled. This needs to be a list of maps of strings."
+  type        = list(map(string))
+  default     = null
+}
+
 variable "lambda_at_edge" {
   description = "Set this to true if using Lambda@Edge, to enable publishing, limit the timeout, and allow edgelambda.amazonaws.com to invoke the function"
   type        = bool
@@ -53,8 +76,8 @@ variable "policy" {
 
 variable "trusted_entities" {
   description = "Lambda function additional trusted entities for assuming roles (trust relationship)"
-  type = list(string)
-  default = []
+  type        = list(string)
+  default     = []
 }
 
 locals {
