Allow authorizer lambda to log

Author: stevebux

infrastructure/terraform/components/api/module_authorizer_lambda.tf

@@ -31,6 +31,8 @@ module "authorizer_lambda" {
   log_destination_arn       = local.destination_arn
   log_subscription_role_arn = local.acct.log_subscription_role_arn
 
+  depends_on = [aws_cloudwatch_log_group.api_gateway_execution]
+
   lambda_env_vars = {
     CLOUDWATCH_NAMESPACE                     = "/aws/api-gateway/supplier/alarms",
     CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS = 14,
@@ -39,7 +41,7 @@ module "authorizer_lambda" {
   }
 }
 
-data "aws_iam_policy_document" "authorizer_lambda" {
+data "aws_iam_policy_document" "authorizer_lambda_iam" {
   statement {
     sid    = "AllowPutMetricData"
     effect = "Allow"
@@ -53,3 +55,25 @@ data "aws_iam_policy_document" "authorizer_lambda" {
     ]
   }
 }
+
+resource "aws_iam_policy" "authorizer_lambda_logging_policy" {
+  name   = "function-logging-policy"
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        Action : [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ],
+        Effect : "Allow",
+        Resource : "arn:aws:logs:*:*:*"
+      }
+    ]
+  })
+
+  resource "aws_iam_role_policy_attachment" "authorizer_lambda_logging_policy_attachment" {
+  role       = aws_iam_role.authorizer_lambda_iam.id
+  policy_arn = aws_iam_policy.authorizer_lambda_logging_policy
+}
+}