From 9ae4cce242e8d3b3a00fcc982975dd90ac7aa04d Mon Sep 17 00:00:00 2001
From: philberesford
Date: Wed, 20 Aug 2025 12:29:26 +0100
Subject: [PATCH] Enabled Edge lambdas to write to CloudWatch
---
 ...ata.aws_iam_policy_document.lambda_core.tf | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/modules/generic/lambda/data.aws_iam_policy_document.lambda_core.tf b/modules/generic/lambda/data.aws_iam_policy_document.lambda_core.tf
index cc7224a..8cd5175 100644
--- a/modules/generic/lambda/data.aws_iam_policy_document.lambda_core.tf
+++ b/modules/generic/lambda/data.aws_iam_policy_document.lambda_core.tf
@@ -27,6 +27,25 @@ data "aws_iam_policy_document" "lambda_core" {
 ]
 }
 
+ dynamic "statement" {
+ for_each = var.edge ? [1] : []
+
+ content {
+ sid = "AllowEdgeLambdaLogging"
+ effect = "Allow"
+
+ actions = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ]
+
+ resources = [
+ "arn:aws:logs:*:${local.aws_account_id}:log-group:/aws/lambda/us-east-1.${local.function_name}:*",
+ ]
+ }
+ }
+
 dynamic "statement" {
 for_each = var.insights["enabled"] ? [1] : []
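Review bot: The `resources` ARN in the new `AllowEdgeLambdaLogging` statement pairs a region wildcard with a hard-coded `us-east-1.` name prefix and carries no comment, so a later reader may take it for an over-broad grant or a leftover and "tighten" it into something that breaks logging. Both follow from how Lambda@Edge logs, so a comment above `resources` would record the intent: `# Lambda@Edge replicas log in whichever region they run in, to /aws/lambda/us-east-1.<function>; the region wildcard is intentional.` Because the statement also grants `logs:CreateLogGroup`, those per-region groups are created by the function on first use rather than by Terraform, and a group created that way keeps the CloudWatch Logs default of never expiring unless something sets retention afterwards; that is worth a line in the module docs or a follow-up if log lifetime matters here. The enclosing `data "aws_iam_policy_document" "lambda_core"` block starts and ends outside the hunk, so how this statement sits next to the existing logging statement cannot be checked from here.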