added logging to lambda

Author: bknutson123

main.tf

@@ -5,6 +5,85 @@ module "acs" {
   vpc_vpn_to_campus = true
 }
 
+resource "aws_cloudwatch_log_group" "logs" {
+  name              = "/aws/lambda/${aws_lambda_function.lambda.function_name}"
+  retention_in_days = 14
+}
+
+resource "aws_iam_role" "iam_for_lambda" {
+  name = "${var.app-name}-lambda"
+  permissions_boundary = "arn:aws:iam::${var.account-id}:policy/iamRolePermissionBoundary"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource aws_iam_policy "ec2-network-interface-policy" {
+  name = "${var.app-name}-ec2"
+  description = "A policy to allow create, describe, and delete network interfaces"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+        "Effect": "Allow",
+        "Action": [
+            "ec2:CreateNetworkInterface",
+            "ec2:DescribeNetworkInterfaces",
+            "ec2:DeleteNetworkInterface"
+        ],
+        "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "ec2-network-interface-policy-attachment" {
+  role = aws_iam_role.iam_for_lambda.name
+  policy_arn = aws_iam_policy.ec2-network-interface-policy.arn
+}
+
+resource "aws_iam_policy" "lambda_logging" {
+  name = "${var.app-name}-lambda-logging"
+  description = "IAM policy for logging from a lambda"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Resource": "arn:aws:logs:*:*:*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_logs" {
+  role = aws_iam_role.iam_for_lambda.name
+  policy_arn = aws_iam_policy.lambda_logging.arn
+}
+
 resource "aws_api_gateway_rest_api" "api" {
   name = "${var.app-name}-api"
 }
@@ -69,8 +148,9 @@ resource "aws_lambda_permission" "apigw_lambda" {
   action = "lambda:InvokeFunction"
   function_name = aws_lambda_function.lambda.function_name
   principal = "apigateway.amazonaws.com"
-
   source_arn = "arn:aws:execute-api:us-west-2:${var.account-id}:${aws_api_gateway_rest_api.api.id}/*"
+  depends_on    = [aws_iam_role_policy_attachment.lambda_logs, aws_cloudwatch_log_group.logs]
+
 }
 
 resource "aws_api_gateway_domain_name" "api_domain" {
@@ -100,53 +180,6 @@ resource "aws_route53_record" "a_record" {
   }
 }
 
-resource "aws_iam_role" "iam_for_lambda" {
-  name = "${var.app-name}-lambda"
-  permissions_boundary = "arn:aws:iam::${var.account-id}:policy/iamRolePermissionBoundary"
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "lambda.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
-}
-
-resource aws_iam_policy "ec2-network-interface-policy" {
-  name = "${var.app-name}-ec2"
-  description = "A policy to allow create, describe, and delete network interfaces"
-
-  policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-        "Effect": "Allow",
-        "Action": [
-            "ec2:CreateNetworkInterface",
-            "ec2:DescribeNetworkInterfaces",
-            "ec2:DeleteNetworkInterface"
-        ],
-        "Resource": "*"
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_role_policy_attachment" "ec2-network-interface-policy-attachment" {
-  role = aws_iam_role.iam_for_lambda.name
-  policy_arn = aws_iam_policy.ec2-network-interface-policy.arn
-}
-
 resource "aws_security_group" "vpc_sec" {
   name = "${var.app-name}-sg"
   description = "${var.app-name}-sg"