CCM-6250: add edge lambda cap

Author: sidnhs

infrastructure/modules/lambda/data_iam_policy_document_put_logs.tf

@@ -14,6 +14,31 @@ data "aws_iam_policy_document" "put_logs" {
     ]
   }
 
+    dynamic "statement" {
+    # Lambda@Edge logs are logged into Log Groups in the region of the edge location
+    # that executes the code. Because of this, we need to allow the lambda role to create
+    # Log Groups in other regions
+    for_each = var.lambda_at_edge ? [1] : []
+    content {
+      sid    = "AllowLambdaAtEdgeLogging"
+      effect = "Allow"
+
+      actions = [
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+        "logs:CreateLogGroup",
+      ]
+
+      resources = [
+        format(
+          "arn:aws:logs:us-east-1:%s:log-group:/aws/lambda/%s:*",
+          var.aws_account_id,
+          var.function_name,
+        )
+      ]
+    }
+  }
+
   statement {
     sid    = "KMSCloudwatchKeyAccess"
     effect = "Allow"

infrastructure/modules/lambda/lambda_function.tf

@@ -22,7 +22,7 @@ resource "aws_lambda_function" "main" {
   layers = compact(concat(
     var.layers,
     [
-      var.enable_lambda_insights ? "arn:aws:lambda:${var.region}:580247275435:layer:LambdaInsightsExtension:53" : null
+      var.enable_lambda_insights && var.lambda_at_edge == false ? "arn:aws:lambda:${var.region}:580247275435:layer:LambdaInsightsExtension:53" : null
     ]
   ))
 

infrastructure/modules/lambda/variables.tf

@@ -212,3 +212,9 @@ variable "enable_lambda_insights" {
   description = "Enable the lambda insights layer, this must be disabled for lambda@edge usage"
   default     = true
 }
+
+variable "lambda_at_edge" {
+  type        = bool
+  description = "Enable the lambda insights layer, this must be disabled for lambda@edge usage"
+  default     = false
+}