diff --git a/modules/lambda-edge/README.md b/modules/lambda-edge/README.md new file mode 100644 index 0000000..5af5d25 --- /dev/null +++ b/modules/lambda-edge/README.md @@ -0,0 +1,42 @@ +# Lambda@Edge + +This module deploys a Lambda@Edge function (published version) with IAM role for CloudFront association. + +### Usage + +```tf +module "edge_security_headers" { + source = "github.com/escaletech/terraform-modules/modules/lambda-edge" + + lambda_file = "path/to/handler.js" + lambda_edge_role_name = "my-edge-role" + lambda_function_name = "my-edge-headers" + + tags = { + Name = "my-edge-headers" + Environment = "production" + } +} +``` + +### X-Ray tracing and cost + +Lambda@Edge runs on every CloudFront request that triggers the associated event. X-Ray charges per trace recorded (~$5 per million after the 100k/month free tier). + +| Mode | Default | Behavior | X-Ray cost | +|------|---------|----------|------------| +| `PassThrough` | yes | Propagates trace context; does not create segments | ~zero | +| `Off` | no | Tracing disabled | zero | +| `Active` | no | Creates sampled segments (1 req/s + 5%) | scales with traffic | + +**Recommendation:** keep the default `PassThrough` for edge functions (e.g. security headers). Use `Active` only when end-to-end distributed tracing at the edge is required. + +```tf +# Explicit opt-in to active tracing (higher X-Ray cost on high-traffic distributions) +lambda_tracing_mode = "Active" + +# Fully disable tracing +lambda_tracing_mode = "Off" +``` + +IAM permissions for X-Ray are attached only when `lambda_tracing_mode = "Active"`. diff --git a/modules/lambda-edge/main.tf b/modules/lambda-edge/main.tf index ef82ad4..1491cd7 100644 --- a/modules/lambda-edge/main.tf +++ b/modules/lambda-edge/main.tf @@ -11,7 +11,7 @@ data "archive_file" "lambda_zip" { resource "aws_iam_role" "lambda_edge_role" { name = var.lambda_edge_role_name - assume_role_policy = <
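Review bot: The README hunk documents a `lambda_tracing_mode` input and its default, but this diff contains no change to the module's variable definitions, so the default, the accepted values and any validation of the three modes in the table (`PassThrough`, `Off`, `Active`) are not visible here; please include the variable declaration in the same PR, ideally with a `validation` block that rejects anything other than those three strings, so the table and the code cannot drift apart. Two smaller points in the same hunk: the pricing line ("~$5 per million after the 100k/month free tier") will go stale, so link the AWS X-Ray pricing page and note the date the figure was checked; and the heading levels jump from `# Lambda@Edge` straight to `### Usage`, which should be `##` to keep the outline consistent.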
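Review bot: The main.tf hunk is cut off in this view right after `assume_role_policy = <`, so the replacement trust policy cannot be reviewed from what is visible; please re-post the full hunk. Since the change touches the trust policy of the Lambda@Edge execution role, the reviewer will want to confirm two things in the new value: that the `Principal` is restricted to exactly the `lambda.amazonaws.com` and `edgelambda.amazonaws.com` service principals (both are required for CloudFront replication, and nothing broader should be trusted), and that the policy is expressed with `jsonencode()` or an `aws_iam_policy_document` data source rather than a raw heredoc, so Terraform validates the JSON and `terraform plan` shows a readable diff when the principals change.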