fix: Work around limit in lambda policy size
Currently failing with
```
│ Error: adding Lambda Permission (arn:aws:lambda:us-east-2:591234544403:function:model-inference-development-datadog-forwarder/_aws_sagemaker_Endpoints_recs-ranker-rn-scribd-has-read-after-AllowExecutionFromCloudWatchLogs): PolicyLengthExceededException: The final policy size (20782) is bigger than the limit (20480).
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "e220c7fb-c4c9-4b93-9f15-beba592a3afc"
│   },
│   Message_: "The final policy size (20782) is bigger than the limit (20480).",
│   Type: "User"
│ }
│
│   with module.datadog[0].aws_lambda_permission.allow_cloudwatch_logs_to_call_dd_lambda_handler["/aws/sagemaker/Endpoints/recs-ranker-rn-scribd-has-read-after"],
│   on .terraform/modules/datadog/logs_monitoring_cloudwatch_log.tf line 10, in resource "aws_lambda_permission" "allow_cloudwatch_logs_to_call_dd_lambda_handler":
│   10: resource "aws_lambda_permission" "allow_cloudwatch_logs_to_call_dd_lambda_handler" {
}
```
zbstof committed Sep 27, 2024
1 parent 3678529 commit 4666dd5
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions logs_monitoring_cloudwatch_log.tf
Expand Up @@ -7,11 +7,12 @@ resource "aws_cloudwatch_log_subscription_filter" "test_lambdafunction_logfilter
distribution = "Random"
}

// we're using wildcard sources instead of making separate grant per source
// in order to avoid hitting limit of 20KB per lambda function's aggregated policy size
resource "aws_lambda_permission" "allow_cloudwatch_logs_to_call_dd_lambda_handler" {
for_each = { for lg in var.cloudwatch_log_groups : lg => lg }
statement_id = "${substr(replace(each.value, "/", "_"), 0, 67)}-AllowExecutionFromCloudWatchLogs"
statement_id = "AllowExecutionFromCloudWatchLogs"
action = "lambda:InvokeFunction"
function_name = aws_cloudformation_stack.datadog-forwarder.outputs.DatadogForwarderArn
principal = "logs.${var.aws_region}.amazonaws.com"
source_arn = "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:log-group:${each.value}:*"
source_arn = "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:log-group:*"
}
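Review bot: the `for_each = { for lg in var.cloudwatch_log_groups : lg => lg }` line is kept while `statement_id` is collapsed to the constant `"AllowExecutionFromCloudWatchLogs"` and `source_arn` to `log-group:*`, so with more than one entry in `var.cloudwatch_log_groups` every instance of this resource now tries to add an identical statement to the same function policy; the second AddPermission call will fail on the duplicate statement id rather than deduplicate. If the intent in the new comment ("wildcard sources instead of making separate grant per source") is a single grant, drop the `for_each` and make this one resource; if separate instances are really wanted, keep the per-group suffix in `statement_id`. Separately, `source_arn = "arn:aws:logs:${var.aws_region}:${var.aws_account_id}:log-group:*"` broadens the grant from the listed log groups to any log group in that account and region for the `logs.${var.aws_region}.amazonaws.com` principal; that is probably acceptable for a forwarder that is meant to receive all subscribed groups (the subscription filters above still decide which groups actually send), but it should be stated in the comment so a later reader does not assume the permission is still scoped to `var.cloudwatch_log_groups`.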

0 comments on commit 4666dd5
