From 157f247016d4a2b91240a787c920b28ccee6b4b1 Mon Sep 17 00:00:00 2001 From: CARLOS HENRIQUE GOMES DE LIMA Date: Thu, 28 May 2026 15:40:30 -0300 Subject: [PATCH 1/2] feat(lambda-edge): parametrize tracing mode with default Active --- modules/lambda-edge/main.tf | 30 ++++++++++++++++++++++++++++-- modules/lambda-edge/variables.tf | 11 +++++++++++ 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/modules/lambda-edge/main.tf b/modules/lambda-edge/main.tf index ef82ad4..edf1f2b 100644 --- a/modules/lambda-edge/main.tf +++ b/modules/lambda-edge/main.tf @@ -11,7 +11,7 @@ data "archive_file" "lambda_zip" { resource "aws_iam_role" "lambda_edge_role" { name = var.lambda_edge_role_name - assume_role_policy = < Date: Mon, 15 Jun 2026 17:52:11 -0300 Subject: [PATCH 2/2] fix(lambda-edge): reduce X-Ray cost with PassThrough default Default tracing to PassThrough for Lambda@Edge, add Off mode, attach X-Ray IAM only when Active, and document tracing cost trade-offs. Co-authored-by: Cursor --- modules/lambda-edge/README.md | 42 ++++++++++++++++++++++++++++++++ modules/lambda-edge/main.tf | 9 +++++-- modules/lambda-edge/variables.tf | 8 +++--- 3 files changed, 53 insertions(+), 6 deletions(-) create mode 100644 modules/lambda-edge/README.md diff --git a/modules/lambda-edge/README.md b/modules/lambda-edge/README.md new file mode 100644 index 0000000..5af5d25 --- /dev/null +++ b/modules/lambda-edge/README.md 
@@ -0,0 +1,42 @@ +# Lambda@Edge + +This module deploys a Lambda@Edge function (published version) with IAM role for CloudFront association. + +### Usage + +```tf +module "edge_security_headers" { + source = "github.com/escaletech/terraform-modules/modules/lambda-edge" + + lambda_file = "path/to/handler.js" + lambda_edge_role_name = "my-edge-role" + lambda_function_name = "my-edge-headers" + + tags = { + Name = "my-edge-headers" + Environment = "production" + } +} +``` + +### X-Ray tracing and cost + +Lambda@Edge runs on every CloudFront request that triggers the associated event. X-Ray charges per trace recorded (~$5 per million after the 100k/month free tier). + +| Mode | Default | Behavior | X-Ray cost | +|------|---------|----------|------------| +| `PassThrough` | yes | Propagates trace context; does not create segments | ~zero | +| `Off` | no | Tracing disabled | zero | +| `Active` | no | Creates sampled segments (1 req/s + 5%) | scales with traffic | + +**Recommendation:** keep the default `PassThrough` for edge functions (e.g. security headers). Use `Active` only when end-to-end distributed tracing at the edge is required. + +```tf +# Explicit opt-in to active tracing (higher X-Ray cost on high-traffic distributions) +lambda_tracing_mode = "Active" + +# Fully disable tracing +lambda_tracing_mode = "Off" +``` + +IAM permissions for X-Ray are attached only when `lambda_tracing_mode = "Active"`. diff --git a/modules/lambda-edge/main.tf b/modules/lambda-edge/main.tf index edf1f2b..1491cd7 100644 --- a/modules/lambda-edge/main.tf +++ b/modules/lambda-edge/main.tf @@ -34,6 +34,8 @@ EOF_ASSUME_ROLE } resource "aws_iam_role_policy" "lambda_edge_xray" { + count = var.lambda_tracing_mode == "Active" ? 1 : 0 + name = "${var.lambda_edge_role_name}-xray" role = aws_iam_role.lambda_edge_role.id 
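Review bot: The `count` added to `aws_iam_role_policy.lambda_edge_xray` has no comment explaining the condition, and it changes the resource address to `aws_iam_role_policy.lambda_edge_xray[0]`. I would put `# Least privilege: attach X-Ray permissions only when lambda_tracing_mode is "Active"` above the `count` line. Also check that nothing outside this hunk (outputs, `depends_on`, other modules) still refers to the unindexed address. The resource body, including the policy document, continues past the end of the hunk, so the granted actions and resources could not be reviewed here.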
@@ -65,7 +67,10 @@ resource "aws_lambda_function" "edge_security_headers_lambda" { role = aws_iam_role.lambda_edge_role.arn tags = var.tags - tracing_config { - mode = var.lambda_tracing_mode + dynamic "tracing_config" { + for_each = var.lambda_tracing_mode == "Off" ? [] : [var.lambda_tracing_mode] + content { + mode = tracing_config.value + } } } diff --git a/modules/lambda-edge/variables.tf b/modules/lambda-edge/variables.tf index f780ea6..3bfe9c4 100644 --- a/modules/lambda-edge/variables.tf +++ b/modules/lambda-edge/variables.tf @@ -32,11 +32,11 @@ variable "lambda_function_name" { variable "lambda_tracing_mode" { type = string - description = "AWS Lambda X-Ray tracing mode" - default = "Active" + description = "AWS Lambda X-Ray tracing mode. PassThrough (default) propagates trace context without creating segments — recommended for Lambda@Edge to minimize X-Ray cost. Active creates sampled trace segments (1 req/s + 5%). Off disables tracing entirely." + default = "PassThrough" validation { - condition = contains(["Active", "PassThrough"], var.lambda_tracing_mode) - error_message = "The lambda_tracing_mode must be either Active or PassThrough." + condition = contains(["Active", "PassThrough", "Off"], var.lambda_tracing_mode) + error_message = "The lambda_tracing_mode must be Active, PassThrough, or Off." } }
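Review bot: Mapping `"Off"` to an omitted `tracing_config` block in `aws_lambda_function.edge_security_headers_lambda` probably does not disable tracing, because the Lambda API accepts only `Active` and `PassThrough`. As far as I know the AWS provider treats `tracing_config` as optional and computed, so a function that already has `Active` keeps it when the block disappears from the configuration. Together with the `count` gate on the X-Ray policy, an existing deployment switched from `Active` to `Off` could keep tracing while losing the permission to write segments. I would either drop `Off` or keep a static block with `mode = var.lambda_tracing_mode == "Off" ? "PassThrough" : var.lambda_tracing_mode`, and reword the `Off` text in the `variables.tf` description and the README table to match. Separately, as far as I recall AWS lists X-Ray among the Lambda features not supported by Lambda@Edge, so it is worth confirming that `Active` is accepted on a function associated with CloudFront.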
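Review bot: Flipping `default` from `"Active"` to `"PassThrough"` in `variable "lambda_tracing_mode"` changes behaviour for any caller that already applied patch 1/2 and relied on the default. On their next apply the function's tracing mode changes and, through the `count` gate in `main.tf`, the X-Ray role policy is destroyed. The README usage example sources the module without a version pin, so callers who copy it would pick up such default changes unannounced. I would mark the change as breaking in the release notes and pin the example, e.g. `source = "github.com/escaletech/terraform-modules/modules/lambda-edge?ref=<TAG>"`.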