From bcff87bf6f1e466052d0358a62b4e845e9033a2f Mon Sep 17 00:00:00 2001
From: Tomasz Rychlewicz
Date: Tue, 16 May 2023 12:40:05 +0200
Subject: [PATCH] Do not allow to create logs by Lambda@Edge in all regions

---
 iam.tf | 2 +-
 variables.tf | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/iam.tf b/iam.tf
index b146350b..0436a4a4 100644
--- a/iam.tf
+++ b/iam.tf
@@ -5,7 +5,7 @@ locals {
 # The region part of the LogGroup ARN is then replaced with a wildcard (*) so Lambda@Edge is able to log in every region
 log_group_arn_regional = try(data.aws_cloudwatch_log_group.lambda[0].arn, aws_cloudwatch_log_group.lambda[0].arn, "")
 log_group_name = try(data.aws_cloudwatch_log_group.lambda[0].name, aws_cloudwatch_log_group.lambda[0].name, "")
- log_group_arn = local.create_role && var.lambda_at_edge ? format("arn:%s:%s:%s:%s:%s", data.aws_arn.log_group_arn[0].partition, data.aws_arn.log_group_arn[0].service, "*", data.aws_arn.log_group_arn[0].account, data.aws_arn.log_group_arn[0].resource) : local.log_group_arn_regional
+ log_group_arn = local.create_role && var.lambda_at_edge ? format("arn:%s:%s:%s:%s:%s", data.aws_arn.log_group_arn[0].partition, data.aws_arn.log_group_arn[0].service, var.lambda_at_edge_logs_all_regions ? "*" : "us-east-1", data.aws_arn.log_group_arn[0].account, data.aws_arn.log_group_arn[0].resource) : local.log_group_arn_regional
 
 # Defaulting to "*" (an invalid character for an IAM Role name) will cause an error when
 # attempting to plan if the role_name and function_name are not set. This is a workaround
diff --git a/variables.tf b/variables.tf
index 7e0d96db..ea847f26 100644
--- a/variables.tf
+++ b/variables.tf
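Review bot: The non-wildcard branch of the new `log_group_arn` expression hard-codes the literal `"us-east-1"` even though the ARN being rebuilt already carries its own region in `data.aws_arn.log_group_arn[0].region`; using that attribute keeps the policy resource tied to the actual log group instead of a second copy of the region assumption, e.g. `var.lambda_at_edge_logs_all_regions ? "*" : data.aws_arn.log_group_arn[0].region`. The context comment two lines above the change still states unconditionally that the region is replaced with a wildcard so Lambda@Edge can log in every region, which is no longer true when the new variable is false; suggested wording: `# When var.lambda_at_edge_logs_all_regions is true the region part of the LogGroup ARN is replaced with a wildcard (*) so Lambda@Edge replicas can log from every region; otherwise the policy stays scoped to the log group's own region`. Narrowing the region is the tighter least-privilege choice, but Lambda@Edge replicas appear to write logs in the region where they execute, so a single-region policy presumably denies log delivery from other regions — worth stating next to the expression. The `locals` block continues outside this hunk.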
@@ -50,6 +50,12 @@ variable "lambda_at_edge" {
 default = false
 }
 
+variable "lambda_at_edge_logs_all_regions" {
+ description = "Whether to specify a wildcard in IAM policy used by Lambda@Edge to allow logging in all regions"
+ type = bool
+ default = true
+}
+
 variable "function_name" {
 description = "A unique name for your Lambda Function"
 type = string
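Review bot: The description of `lambda_at_edge_logs_all_regions` explains what the wildcard does but not what a caller gives up by setting it to `false`, so the least-privilege trade-off is invisible in generated module docs. Since Lambda@Edge replicas seem to emit logs in whichever region they run, scoping the policy to one region presumably means log writes from other regions are denied; the description should say so rather than leave it to be discovered from CloudWatch. Suggested: `description = "Whether to allow Lambda@Edge to write logs in all regions by using a wildcard region in the IAM policy. Set to false to scope the policy to a single region (tighter least privilege); replicas executing in other regions will then be unable to write logs."`. The default of `true` preserves the previous behavior, which is worth a short mention as well.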