fix: Adds region wildcard to log group arn when lambda@edge (claranet#35)

Author: ofhouse

Diff for: examples/simple/main.tf

@@ -14,6 +14,19 @@ resource "random_pet" "this" {
   length = 2
 }
 
+//module "lambda_at_edge" {
+//  source = "../../"
+//
+//  function_name = "${random_pet.this.id}-lambda-edge"
+//  handler       = "index.lambda_handler"
+//  runtime       = "python3.8"
+//  lambda_at_edge = true
+//
+//  attach_cloudwatch_logs_policy = true
+//
+//  source_path = "${path.module}/../fixtures/python3.8-app1/"
+//}
+
 //resource "aws_cloudwatch_log_group" "this" {
 //  name = "/aws/lambda/us-east-1.${random_pet.this.id}-lambda-simple"
 //}

Diff for: iam.tf

@@ -1,6 +1,10 @@
 locals {
-  create_role   = var.create && var.create_function && ! var.create_layer && var.create_role
-  log_group_arn = element(concat(data.aws_cloudwatch_log_group.lambda.*.arn, aws_cloudwatch_log_group.lambda.*.arn, [""]), 0)
+  create_role = var.create && var.create_function && ! var.create_layer && var.create_role
+
+  # Lambda@Edge uses the Cloudwatch region closest to the location where the function is executed
+  # The region part of the LogGroup ARN is then replaced with a wildcard (*) so Lambda@Edge is able to log in every region
+  log_group_arn_regional = element(concat(data.aws_cloudwatch_log_group.lambda.*.arn, aws_cloudwatch_log_group.lambda.*.arn, [""]), 0)
+  log_group_arn          = local.create_role && var.lambda_at_edge ? format("arn:%s:%s:%s:%s:%s", data.aws_arn.log_group_arn[0].partition, data.aws_arn.log_group_arn[0].service, "*", data.aws_arn.log_group_arn[0].account, data.aws_arn.log_group_arn[0].resource) : local.log_group_arn_regional
 }
 
 ###########
@@ -38,6 +42,12 @@ resource "aws_iam_role" "lambda" {
 # Cloudwatch Logs
 ##################
 
+data "aws_arn" "log_group_arn" {
+  count = local.create_role && var.lambda_at_edge ? 1 : 0
+
+  arn = local.log_group_arn_regional
+}
+
 data "aws_iam_policy_document" "logs" {
   count = local.create_role && var.attach_cloudwatch_logs_policy ? 1 : 0