Merge pull request #61 from scribd/fix-policy-size

fix: Work around the limit in lambda policy size
scribd · Sep 30, 2024 · f970130 · f970130
2 parents eb4e4e8 + 201d6c3
commit f970130
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/locals.tf b/locals.tf
@@ -5,4 +5,5 @@ locals {
     namespace = var.namespace
     terraform = "true"
   }
+  log_groups_to_use = length(var.log_group_prefixes) > 0 ? var.log_group_prefixes : var.cloudwatch_log_groups
 }
diff --git a/logs_monitoring_cloudwatch_log.tf b/logs_monitoring_cloudwatch_log.tf
@@ -8,10 +8,12 @@ resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter
 }
 
 resource "aws_lambda_permission" "allow_cloudwatch_logs_to_call_dd_lambda_handler" {
-  for_each      = { for lg in var.cloudwatch_log_groups : lg => lg }
+  for_each      = { for lg in local.log_groups_to_use : lg => lg }
   statement_id  = "${substr(replace(each.value, "/", "_"), 0, 67)}-AllowExecutionFromCloudWatchLogs"
   action        = "lambda:InvokeFunction"
   function_name = aws_cloudformation_stack.datadog-forwarder.outputs.DatadogForwarderArn
   principal     = "logs.${var.aws_region}.amazonaws.com"
-  source_arn    = "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:log-group:${each.value}:*"
+  source_arn = (length(var.log_group_prefixes) > 0 ?
+    "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:log-group:${each.value}*" :
+  "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:log-group:${each.value}:*")
 }
diff --git a/vars.tf b/vars.tf
@@ -37,6 +37,11 @@ variable "cloudwatch_log_groups" {
   type        = list(string)
   default     = []
 }
+variable "log_group_prefixes" {
+  description = "List of CloudWatch Log Group prefixes to create lambda permissions"
+  type        = list(string)
+  default     = []
+}
 variable "enable_datadog_aws_integration" {
   description = "Use datadog provider to give datadog aws account access to our resources"
   type        = bool