# Zip the prebuilt `bootstrap` executable under dist/ so it can be uploaded as
# the deployment package of the Lambda function declared below.
data "archive_file" "log_retention" {
  type        = "zip"
  output_path = "${path.module}/dist/log_retention_setter/bootstrap.zip"
  source_file = "${path.module}/dist/log_retention_setter/bootstrap"
}
# Lambda that applies the default retention setting to newly created log
# groups. It is invoked only through the EventBridge rule declared below.
resource "aws_lambda_function" "log_retention" {
  function_name = local.log_retention_lambda_name
  description   = "Sets default CloudWatch Logs retention settings for new log groups."
  role          = aws_iam_role.log_retention.arn

  # Deployment package comes from the archive_file data source above; the hash
  # forces a new deployment whenever the packaged binary changes.
  filename         = data.archive_file.log_retention.output_path
  source_code_hash = data.archive_file.log_retention.output_base64sha256
  runtime          = local.runtime
  architectures    = local.architectures
  handler          = "bootstrap"

  memory_size = 128
  timeout     = 60

  # KMS key used by Lambda to encrypt this function's environment variables at rest.
  kms_key_arn = var.kms_key_arn

  # The function's log group is declared elsewhere in the module; ordering on it
  # presumably keeps Lambda from auto-creating an unmanaged group on first invoke.
  depends_on = [aws_cloudwatch_log_group.log_retention_lambda]

  environment {
    variables = {
      log_retention_in_days = var.log_retention_in_days
      log_group_tags        = local.log_group_tags_json
      metric_namespace      = var.metric_namespace
      aws_partition         = data.aws_partition.current.partition

      # Logging knobs read by the binary; RUST_LOG syntax is documented at
      # https://docs.rs/env_logger/latest/env_logger/
      RUST_BACKTRACE = 1
      RUST_LOG       = "warn,terraform_aws_default_log_retention=${var.log_level}"
    }
  }

  # Attach to a VPC only when the caller supplies subnets. The single element in
  # the list just makes the block render once; its value is never used.
  dynamic "vpc_config" {
    for_each = var.subnet_ids != null ? [true] : []
    content {
      subnet_ids         = var.subnet_ids
      security_group_ids = [var.https_egress_security_group_id]
    }
  }

  tags = var.tags
}
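# EventBridge rule matching every CreateLogGroup API call that CloudTrail
# delivers to EventBridge. The pattern is built with jsonencode instead of a
# raw heredoc so malformed JSON fails at plan time rather than at rule creation.
#
# NOTE: "AWS API Call via CloudTrail" events only flow while CloudTrail is
# recording management events in this region; without that, the function below
# is never triggered and new log groups keep the never-expire default.
resource "aws_cloudwatch_event_rule" "log_group_creation" {
  name = "${var.name}-log-group-creation"

  event_pattern = jsonencode({
    "source"      = ["aws.logs"]
    "detail-type" = ["AWS API Call via CloudTrail"]
    "detail" = {
      "eventSource" = ["logs.amazonaws.com"]
      "eventName"   = ["CreateLogGroup"]
    }
  })

  tags = merge({ "description" = "Log Group Creation CloudWatch Rule" }, var.tags)
}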
# Deliver matched CreateLogGroup events to the retention-setting function.
resource "aws_cloudwatch_event_target" "log_group_creation" {
  arn  = aws_lambda_function.log_retention.arn
  rule = aws_cloudwatch_event_rule.log_group_creation.name
}
# Resource-based policy statement letting EventBridge invoke the function.
# source_arn scopes the grant to this one rule, so the events.amazonaws.com
# principal cannot invoke the function on behalf of any other rule or account.
resource "aws_lambda_permission" "log_retention" {
  statement_id  = "AllowExecutionFromCloudWatch"
  function_name = aws_lambda_function.log_retention.function_name
  principal     = "events.amazonaws.com"
  action        = "lambda:InvokeFunction"
  source_arn    = aws_cloudwatch_event_rule.log_group_creation.arn
}
# Retry policy for asynchronous (EventBridge-driven) invocations.
resource "aws_lambda_function_event_invoke_config" "log_retention" {
  function_name = aws_lambda_function.log_retention.function_name

  # Same as the service default; declared explicitly so the value is tracked
  # by Terraform instead of being assumed.
  maximum_retry_attempts = 2
}