Multiregional Log groups for Lambda Edge
This module uses the lambda-edge-log-group module to create a CloudWatch log group in multiple AWS Regions to receive Lambda@Edge function logs.
Why are the resources in this module not created within the Lambda Edge Module?
Lambda@Edge automatically creates CloudWatch Logs log streams in the AWS Regions closest to the location where the function receives traffic and is executed. For these resources to be under Terraform control, a log group must be created in every region that has Regional Edge Caches.
Unfortunately, it is not possible to use for_each on provider blocks, and there are multiple issues related to using nested providers. That means that, currently, the only way to create multi-regional modules is to code-generate each block and pass down the providers using the codegen module. A full example of creating the providers and using this module can be found in the lambda-edge example.
Which regions have regional edge caches?
As of 22 Aug 2022, the regions with edge caches are:
US East (N. Virginia) – us-east-1
US East (Ohio) – us-east-2
US West (N. California) – us-west-1
US West (Oregon) – us-west-2
Asia Pacific (Mumbai) – ap-south-1
Asia Pacific (Seoul) – ap-northeast-2
Asia Pacific (Singapore) – ap-southeast-1
Asia Pacific (Sydney) – ap-southeast-2
Asia Pacific (Tokyo) – ap-northeast-1
Europe (Frankfurt) – eu-central-1
Europe (Ireland) – eu-west-1
Europe (London) – eu-west-2
South America (São Paulo) – sa-east-1
More information:
- https://aws.amazon.com/blogs/networking-and-content-delivery/aggregating-lambdaedge-logs/
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-cloudwatch-metrics-logging.html
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html
Sample Usage
- Terraform
- Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S LAMBDA-EDGE-MULTI-REGION-LOG-GROUPS MODULE
# ------------------------------------------------------------------------------------------------------

module "lambda_edge_multi_region_log_groups" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-lambda.git//modules/lambda-edge-multi-region-log-groups?ref=v0.21.6"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The name used to namespace all log groups.
  name = <INPUT REQUIRED>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for
  # encrypting log data.
  cloudwatch_log_group_kms_key_id = null

  # The number of days to retain log events in the log group. Refer to
  # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days
  # for all the valid values. When null, the log events are retained forever.
  cloudwatch_log_group_retention_in_days = null

  # The ARN of the destination to deliver matching log events to. Kinesis stream or
  # Lambda function ARN. Only applicable if var.should_create_cloudwatch_log_group
  # is true.
  cloudwatch_log_group_subscription_destination_arn = null

  # The method used to distribute log data to the destination. Only applicable when
  # var.cloudwatch_log_group_subscription_destination_arn is a kinesis stream. Valid
  # values are `Random` and `ByLogStream`.
  cloudwatch_log_group_subscription_distribution = null

  # A valid CloudWatch Logs filter pattern for subscribing to a filtered stream of
  # log events.
  cloudwatch_log_group_subscription_filter_pattern = ""

  # ARN of an IAM role that grants Amazon CloudWatch Logs permissions to deliver
  # ingested log events to the destination. Only applicable when
  # var.cloudwatch_log_group_subscription_destination_arn is a kinesis stream.
  cloudwatch_log_group_subscription_role_arn = null

  # Tags to apply on the CloudWatch Log Group, encoded as a map where the keys are
  # tag keys and values are tag values.
  cloudwatch_log_group_tags = {}

}
# Coming soon!
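The following is an added example, not part of the Gruntwork module or its documentation: a Python check that takes per-region log group listings in the shape returned by CloudWatch Logs DescribeLogGroups and reports which of the regions listed above lack the log group, have no retention period, or have no KMS key. The function name `edge-auth`, the key ARN and the inventory are constructed, and the log group name format `/aws/lambda/us-east-1.<function-name>` is an assumption about how the groups are named.

```python
# Added example: audit Lambda@Edge log group coverage across regions.
# Inventory entries mirror DescribeLogGroups output; sample data is constructed.
EDGE_CACHE_REGIONS = [
    "us-east-1", "us-east-2", "us-west-1", "us-west-2", "ap-south-1",
    "ap-northeast-2", "ap-southeast-1", "ap-southeast-2", "ap-northeast-1",
    "eu-central-1", "eu-west-1", "eu-west-2", "sa-east-1",
]

def expected_log_group(function_name):
    # Assumption: the group is named /aws/lambda/us-east-1.<function-name>
    # in every region that serves the function.
    return f"/aws/lambda/us-east-1.{function_name}"

def audit(function_name, groups_by_region, require_kms=True):
    """Return {region: [issues]} for each region that needs attention."""
    wanted = expected_log_group(function_name)
    findings = {}
    for region in EDGE_CACHE_REGIONS:
        groups = groups_by_region.get(region, [])
        match = next((g for g in groups if g.get("logGroupName") == wanted), None)
        if match is None:
            findings[region] = ["log group missing"]
            continue
        issues = []
        # retentionInDays is absent when log events never expire.
        if match.get("retentionInDays") is None:
            issues.append("no retention set (kept forever)")
        if require_kms and not match.get("kmsKeyId"):
            issues.append("no customer managed KMS key")
        if issues:
            findings[region] = issues
    return findings

def sample_inventory(function_name="edge-auth"):
    """Constructed inventory: three regions deviate from the baseline."""
    name = expected_log_group(function_name)
    key = "arn:aws:kms:REGION:111122223333:key/EXAMPLE"  # placeholder ARN
    inv = {r: [{"logGroupName": name, "retentionInDays": 90, "kmsKeyId": key}]
           for r in EDGE_CACHE_REGIONS}
    inv["eu-west-2"] = []                        # group never created
    del inv["ap-south-1"][0]["retentionInDays"]  # events never expire
    del inv["sa-east-1"][0]["kmsKeyId"]          # no customer managed key
    return inv

if __name__ == "__main__":
    for region, issues in audit("edge-auth", sample_inventory()).items():
        print(f"{region}: {'; '.join(issues)}")
```

To run it against a real account, build `groups_by_region` from the `logGroups` list that DescribeLogGroups returns in each region.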
Reference
- Inputs
- Outputs
Required
- name (string): The name used to namespace all log groups.
Optional
- cloudwatch_log_group_kms_key_id: The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for encrypting log data. Default: null
- cloudwatch_log_group_retention_in_days: The number of days to retain log events in the log group. Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#retention_in_days for all the valid values. When null, the log events are retained forever. Default: null
- cloudwatch_log_group_subscription_destination_arn: The ARN of the destination to deliver matching log events to. Kinesis stream or Lambda function ARN. Only applicable if should_create_cloudwatch_log_group is true. Default: null
- cloudwatch_log_group_subscription_distribution: The method used to distribute log data to the destination. Only applicable when cloudwatch_log_group_subscription_destination_arn is a kinesis stream. Valid values are Random and ByLogStream. Default: null
- cloudwatch_log_group_subscription_filter_pattern: A valid CloudWatch Logs filter pattern for subscribing to a filtered stream of log events. Default: ""
- cloudwatch_log_group_subscription_role_arn: ARN of an IAM role that grants Amazon CloudWatch Logs permissions to deliver ingested log events to the destination. Only applicable when cloudwatch_log_group_subscription_destination_arn is a kinesis stream. Default: null
- cloudwatch_log_group_tags (map(string)): Tags to apply on the CloudWatch Log Group, encoded as a map where the keys are tag keys and values are tag values. Default: {}
Outputs
- Map of log group names per region