feat(lambda): add support for X-Ray tracing (#3142)

mcaulifn · npalm · github-actions[bot] · web-flow · commit 998a0d1381e4 · 2023-04-20T13:09:41.000+02:00
* feat(lambda): Add support for X-Ray tracing

* Workflow fix

* Update update-docs.yml

Reverting docs fixes

* docs: auto update terraform docs

* Adding to multi-runner

* Adding to pool lambda

* docs: auto update terraform docs

* - enable tracing for all submodules in the multi-runner
- add missing policy for the pool

---------

Co-authored-by: Niek Palm &lt;npalm@users.noreply.github.com&gt;
Co-authored-by: github-actions[bot] &lt;github-actions[bot]@users.noreply.github.com&gt;
Co-authored-by: Niek Palm &lt;niek.palm@philips.com&gt;
diff --git a/README.md b/README.md
@@ -533,6 +533,7 @@ We welcome any improvement to the standard module to make the default as secure
 | <a name="input_lambda_s3_bucket"></a> [lambda\_s3\_bucket](#input\_lambda\_s3\_bucket) | S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly. | `string` | `null` | no |
 | <a name="input_lambda_security_group_ids"></a> [lambda\_security\_group\_ids](#input\_lambda\_security\_group\_ids) | List of security group IDs associated with the Lambda function. | `list(string)` | `[]` | no |
 | <a name="input_lambda_subnet_ids"></a> [lambda\_subnet\_ids](#input\_lambda\_subnet\_ids) | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | `[]` | no |
+| <a name="input_lambda_tracing_mode"></a> [lambda\_tracing\_mode](#input\_lambda\_tracing\_mode) | Enable X-Ray tracing for the lambda functions. | `string` | `null` | no |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Logging level for lambda logging. Valid values are  'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'. | `string` | `"info"` | no |
 | <a name="input_log_type"></a> [log\_type](#input\_log\_type) | Logging format for lambda logging. Valid values are 'json', 'pretty', 'hidden'. | `string` | `null` | no |
 | <a name="input_logging_kms_key_id"></a> [logging\_kms\_key\_id](#input\_logging\_kms\_key\_id) | Specifies the kms key id to encrypt the logs with | `string` | `null` | no |
diff --git a/main.tf b/main.tf
@@ -154,6 +154,7 @@ module "webhook" {
   lambda_architecture                           = var.lambda_architecture
   lambda_zip                                    = var.webhook_lambda_zip
   lambda_timeout                                = var.webhook_lambda_timeout
+  lambda_tracing_mode                           = var.lambda_tracing_mode
   logging_retention_in_days                     = var.logging_retention_in_days
   logging_kms_key_id                            = var.logging_kms_key_id
 
@@ -235,6 +236,7 @@ module "runners" {
   lambda_timeout_scale_down        = var.runners_scale_down_lambda_timeout
   lambda_subnet_ids                = var.lambda_subnet_ids
   lambda_security_group_ids        = var.lambda_security_group_ids
+  lambda_tracing_mode              = var.lambda_tracing_mode
   logging_retention_in_days        = var.logging_retention_in_days
   logging_kms_key_id               = var.logging_kms_key_id
   enable_cloudwatch_agent          = var.enable_cloudwatch_agent
@@ -297,6 +299,7 @@ module "runner_binaries" {
   lambda_architecture             = var.lambda_architecture
   lambda_zip                      = var.runner_binaries_syncer_lambda_zip
   lambda_timeout                  = var.runner_binaries_syncer_lambda_timeout
+  lambda_tracing_mode             = var.lambda_tracing_mode
   logging_retention_in_days       = var.logging_retention_in_days
   logging_kms_key_id              = var.logging_kms_key_id
 
diff --git a/modules/multi-runner/README.md b/modules/multi-runner/README.md
@@ -134,6 +134,7 @@ module "multi-runner" {
 | <a name="input_lambda_s3_bucket"></a> [lambda\_s3\_bucket](#input\_lambda\_s3\_bucket) | S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly. | `string` | `null` | no |
 | <a name="input_lambda_security_group_ids"></a> [lambda\_security\_group\_ids](#input\_lambda\_security\_group\_ids) | List of security group IDs associated with the Lambda function. | `list(string)` | `[]` | no |
 | <a name="input_lambda_subnet_ids"></a> [lambda\_subnet\_ids](#input\_lambda\_subnet\_ids) | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | `[]` | no |
+| <a name="input_lambda_tracing_mode"></a> [lambda\_tracing\_mode](#input\_lambda\_tracing\_mode) | Enable X-Ray tracing for the lambda functions. | `string` | `null` | no |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Logging level for lambda logging. Valid values are  'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'. | `string` | `"info"` | no |
 | <a name="input_log_type"></a> [log\_type](#input\_log\_type) | Logging format for lambda logging. Valid values are 'json', 'pretty', 'hidden'. | `string` | `null` | no |
 | <a name="input_logging_kms_key_id"></a> [logging\_kms\_key\_id](#input\_logging\_kms\_key\_id) | Specifies the kms key id to encrypt the logs with | `string` | `null` | no |
diff --git a/modules/multi-runner/runner-binaries.tf b/modules/multi-runner/runner-binaries.tf
@@ -16,6 +16,7 @@ module "runner_binaries" {
   lambda_architecture               = var.lambda_architecture
   lambda_zip                        = var.runner_binaries_syncer_lambda_zip
   lambda_timeout                    = var.runner_binaries_syncer_lambda_timeout
+  lambda_tracing_mode               = var.lambda_tracing_mode
   logging_retention_in_days         = var.logging_retention_in_days
   logging_kms_key_id                = var.logging_kms_key_id
   enable_event_rule_binaries_syncer = var.enable_event_rule_binaries_syncer
diff --git a/modules/multi-runner/runners.tf b/modules/multi-runner/runners.tf
@@ -63,6 +63,7 @@ module "runners" {
   lambda_timeout_scale_down        = var.runners_scale_down_lambda_timeout
   lambda_subnet_ids                = var.lambda_subnet_ids
   lambda_security_group_ids        = var.lambda_security_group_ids
+  lambda_tracing_mode              = var.lambda_tracing_mode
   logging_retention_in_days        = var.logging_retention_in_days
   logging_kms_key_id               = var.logging_kms_key_id
   enable_cloudwatch_agent          = each.value.runner_config.enable_cloudwatch_agent
diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf
@@ -527,3 +527,9 @@ variable "ssm_paths" {
   })
   default = {}
 }
+
+variable "lambda_tracing_mode" {
+  description = "Enable X-Ray tracing for the lambda functions."
+  type        = string
+  default     = null
+}
diff --git a/modules/multi-runner/webhook.tf b/modules/multi-runner/webhook.tf
@@ -19,6 +19,7 @@ module "webhook" {
   lambda_architecture                           = var.lambda_architecture
   lambda_zip                                    = var.webhook_lambda_zip
   lambda_timeout                                = var.webhook_lambda_timeout
+  lambda_tracing_mode                           = var.lambda_tracing_mode
   logging_retention_in_days                     = var.logging_retention_in_days
   logging_kms_key_id                            = var.logging_kms_key_id
 
diff --git a/modules/runner-binaries-syncer/README.md b/modules/runner-binaries-syncer/README.md
@@ -65,6 +65,7 @@ No modules.
 | [aws_iam_role_policy.lambda_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.lambda_syncer_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.syncer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.syncer_lambda_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.syncer_vpc_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_lambda_function.syncer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_permission.on_deploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
@@ -81,6 +82,7 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.action_dist_sse_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lambda_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lambda_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
@@ -98,6 +100,7 @@ No modules.
 | <a name="input_lambda_security_group_ids"></a> [lambda\_security\_group\_ids](#input\_lambda\_security\_group\_ids) | List of security group IDs associated with the Lambda function. | `list(string)` | `[]` | no |
 | <a name="input_lambda_subnet_ids"></a> [lambda\_subnet\_ids](#input\_lambda\_subnet\_ids) | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | `[]` | no |
 | <a name="input_lambda_timeout"></a> [lambda\_timeout](#input\_lambda\_timeout) | Time out of the lambda in seconds. | `number` | `300` | no |
+| <a name="input_lambda_tracing_mode"></a> [lambda\_tracing\_mode](#input\_lambda\_tracing\_mode) | Enable X-Ray tracing for the lambda functions. | `string` | `null` | no |
 | <a name="input_lambda_zip"></a> [lambda\_zip](#input\_lambda\_zip) | File location of the lambda zip file. | `string` | `null` | no |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Logging level for lambda logging. Valid values are  'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'. | `string` | `"info"` | no |
 | <a name="input_log_type"></a> [log\_type](#input\_log\_type) | Logging format for lambda logging. Valid values are 'json', 'pretty', 'hidden'. | `string` | `null` | no |
diff --git a/modules/runner-binaries-syncer/iam.tf b/modules/runner-binaries-syncer/iam.tf
@@ -0,0 +1,16 @@
+data "aws_iam_policy_document" "lambda_xray" {
+  count = var.lambda_tracing_mode != null ? 1 : 0
+  statement {
+    actions = [
+      "xray:BatchGetTraces",
+      "xray:GetTraceSummaries",
+      "xray:PutTelemetryRecords",
+      "xray:PutTraceSegments"
+    ]
+    effect = "Allow"
+    resources = [
+      "*"
+    ]
+    sid = "AllowXRay"
+  }
+}
diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf
@@ -44,6 +44,13 @@ resource "aws_lambda_function" "syncer" {
   }
 
   tags = var.tags
+
+  dynamic "tracing_config" {
+    for_each = var.lambda_tracing_mode != null ? [true] : []
+    content {
+      mode = var.lambda_tracing_mode
+    }
+  }
 }
 
 resource "aws_iam_role_policy" "lambda_kms" {
@@ -182,4 +189,8 @@ resource "aws_lambda_permission" "on_deploy" {
   source_arn     = aws_s3_bucket.action_dist.arn
 }
 
-
+resource "aws_iam_role_policy" "syncer_lambda_xray" {
+  count  = var.lambda_tracing_mode != null ? 1 : 0
+  policy = data.aws_iam_policy_document.lambda_xray[0].json
+  role   = aws_iam_role.syncer_lambda.name
+}
diff --git a/modules/runner-binaries-syncer/variables.tf b/modules/runner-binaries-syncer/variables.tf
@@ -241,3 +241,9 @@ variable "lambda_architecture" {
     error_message = "`lambda_architecture` value is not valid, valid values are: `arm64` and `x86_64`."
   }
 }
+
+variable "lambda_tracing_mode" {
+  description = "Enable X-Ray tracing for the lambda functions."
+  type        = string
+  default     = null
+}
diff --git a/modules/runners/README.md b/modules/runners/README.md
@@ -92,8 +92,10 @@ yarn run dist
 | [aws_iam_role_policy.runner_session_manager_aws_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.scale_down](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.scale_down_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.scale_down_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.scale_up](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.scale_up_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy.scale_up_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.service_linked_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.ssm_parameters](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.ami_id_ssm_parameter_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -115,6 +117,7 @@ yarn run dist
 | [aws_ami.runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.lambda_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lambda_xray](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
@@ -161,6 +164,7 @@ yarn run dist
 | <a name="input_lambda_subnet_ids"></a> [lambda\_subnet\_ids](#input\_lambda\_subnet\_ids) | List of subnets in which the lambda will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | `[]` | no |
 | <a name="input_lambda_timeout_scale_down"></a> [lambda\_timeout\_scale\_down](#input\_lambda\_timeout\_scale\_down) | Time out for the scale down lambda in seconds. | `number` | `60` | no |
 | <a name="input_lambda_timeout_scale_up"></a> [lambda\_timeout\_scale\_up](#input\_lambda\_timeout\_scale\_up) | Time out for the scale up lambda in seconds. | `number` | `60` | no |
+| <a name="input_lambda_tracing_mode"></a> [lambda\_tracing\_mode](#input\_lambda\_tracing\_mode) | Enable X-Ray tracing for the lambda functions. | `string` | `null` | no |
 | <a name="input_lambda_zip"></a> [lambda\_zip](#input\_lambda\_zip) | File location of the lambda zip file. | `string` | `null` | no |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Logging level for lambda logging. Valid values are  'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'. | `string` | `"info"` | no |
 | <a name="input_log_type"></a> [log\_type](#input\_log\_type) | Logging format for lambda logging. Valid values are 'json', 'pretty', 'hidden'. | `string` | `null` | no |
diff --git a/modules/runners/policies-lambda-common.tf b/modules/runners/policies-lambda-common.tf
@@ -31,3 +31,20 @@ resource "aws_iam_policy" "ami_id_ssm_parameter_read" {
     }
   JSON
 }
+
+data "aws_iam_policy_document" "lambda_xray" {
+  count = var.lambda_tracing_mode != null ? 1 : 0
+  statement {
+    actions = [
+      "xray:BatchGetTraces",
+      "xray:GetTraceSummaries",
+      "xray:PutTelemetryRecords",
+      "xray:PutTraceSegments"
+    ]
+    effect = "Allow"
+    resources = [
+      "*"
+    ]
+    sid = "AllowXRay"
+  }
+}
diff --git a/modules/runners/pool.tf b/modules/runners/pool.tf
@@ -52,6 +52,7 @@ module "pool" {
     tags                                 = local.tags
   }
 
-  aws_partition = var.aws_partition
+  aws_partition       = var.aws_partition
+  lambda_tracing_mode = var.lambda_tracing_mode
 
 }
diff --git a/modules/runners/pool/README.md b/modules/runners/pool/README.md
@@ -46,6 +46,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_partition"></a> [aws\_partition](#input\_aws\_partition) | (optional) partition for the arn if not 'aws' | `string` | `"aws"` | no |
 | <a name="input_config"></a> [config](#input\_config) | n/a | <pre>object({<br>    lambda = object({<br>      log_level                      = string<br>      logging_retention_in_days      = number<br>      logging_kms_key_id             = string<br>      reserved_concurrent_executions = number<br>      s3_bucket                      = string<br>      s3_key                         = string<br>      s3_object_version              = string<br>      security_group_ids             = list(string)<br>      runtime                        = string<br>      architecture                   = string<br>      timeout                        = number<br>      zip                            = string<br>      subnet_ids                     = list(string)<br>    })<br>    tags = map(string)<br>    ghes = object({<br>      url        = string<br>      ssl_verify = string<br>    })<br>    github_app_parameters = object({<br>      key_base64 = map(string)<br>      id         = map(string)<br>    })<br>    subnet_ids = list(string)<br>    runner = object({<br>      disable_runner_autoupdate = bool<br>      ephemeral                 = bool<br>      boot_time_in_minutes      = number<br>      extra_labels              = string<br>      launch_template = object({<br>        name = string<br>      })<br>      group_name  = string<br>      name_prefix = string<br>      pool_owner  = string<br>      role = object({<br>        arn = string<br>      })<br>    })<br>    instance_types                = list(string)<br>    instance_target_capacity_type = string<br>    instance_allocation_strategy  = string<br>    instance_max_spot_price       = string<br>    prefix                        = string<br>    pool = list(object({<br>      schedule_expression = string<br>      size                = number<br>    }))<br>    role_permissions_boundary            = string<br>    kms_key_arn                          = string<br>    ami_kms_key_arn                      = string<br>    role_path                            = string<br>    ssm_token_path                       = string<br>    ami_id_ssm_parameter_name            = string<br>    ami_id_ssm_parameter_read_policy_arn = string<br>  })</pre> | n/a | yes |
+| <a name="input_lambda_tracing_mode"></a> [lambda\_tracing\_mode](#input\_lambda\_tracing\_mode) | Enable X-Ray tracing for the lambda functions. | `string` | `null` | no |
 
 ## Outputs
 
diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf
@@ -50,6 +50,13 @@ resource "aws_lambda_function" "pool" {
       subnet_ids         = var.config.lambda.subnet_ids
     }
   }
+
+  dynamic "tracing_config" {
+    for_each = var.lambda_tracing_mode != null ? [true] : []
+    content {
+      mode = var.lambda_tracing_mode
+    }
+  }
 }
 
 resource "aws_cloudwatch_log_group" "pool" {
@@ -147,3 +154,27 @@ resource "aws_iam_role_policy_attachment" "ami_id_ssm_parameter_read" {
   role       = aws_iam_role.pool.name
   policy_arn = var.config.ami_id_ssm_parameter_read_policy_arn
 }
+
+# lambda xray policy
+data "aws_iam_policy_document" "lambda_xray" {
+  count = var.lambda_tracing_mode != null ? 1 : 0
+  statement {
+    actions = [
+      "xray:BatchGetTraces",
+      "xray:GetTraceSummaries",
+      "xray:PutTelemetryRecords",
+      "xray:PutTraceSegments"
+    ]
+    effect = "Allow"
+    resources = [
+      "*"
+    ]
+    sid = "AllowXRay"
+  }
+}
+
+resource "aws_iam_role_policy" "pool_xray" {
+  count  = var.lambda_tracing_mode != null ? 1 : 0
+  policy = data.aws_iam_policy_document.lambda_xray[0].json
+  role   = aws_iam_role.pool.name
+}
diff --git a/modules/runners/pool/variables.tf b/modules/runners/pool/variables.tf
@@ -64,3 +64,9 @@ variable "aws_partition" {
   type        = string
   default     = "aws"
 }
+
+variable "lambda_tracing_mode" {
+  description = "Enable X-Ray tracing for the lambda functions."
+  type        = string
+  default     = null
+}
diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf
@@ -43,6 +43,13 @@ resource "aws_lambda_function" "scale_down" {
       subnet_ids         = var.lambda_subnet_ids
     }
   }
+
+  dynamic "tracing_config" {
+    for_each = var.lambda_tracing_mode != null ? [true] : []
+    content {
+      mode = var.lambda_tracing_mode
+    }
+  }
 }
 
 resource "aws_cloudwatch_log_group" "scale_down" {
@@ -110,3 +117,9 @@ resource "aws_iam_role_policy_attachment" "scale_down_vpc_execution_role" {
   role       = aws_iam_role.scale_down.name
   policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 }
+
+resource "aws_iam_role_policy" "scale_down_xray" {
+  count  = var.lambda_tracing_mode != null ? 1 : 0
+  policy = data.aws_iam_policy_document.lambda_xray[0].json
+  role   = aws_iam_role.scale_down.name
+}
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
@@ -51,6 +51,13 @@ resource "aws_lambda_function" "scale_up" {
       subnet_ids         = var.lambda_subnet_ids
     }
   }
+
+  dynamic "tracing_config" {
+    for_each = var.lambda_tracing_mode != null ? [true] : []
+    content {
+      mode = var.lambda_tracing_mode
+    }
+  }
 }
 
 resource "aws_cloudwatch_log_group" "scale_up" {
@@ -130,3 +137,9 @@ resource "aws_iam_role_policy_attachment" "ami_id_ssm_parameter_read" {
   role       = aws_iam_role.scale_up.name
   policy_arn = aws_iam_policy.ami_id_ssm_parameter_read[0].arn
 }
+
+resource "aws_iam_role_policy" "scale_up_xray" {
+  count  = var.lambda_tracing_mode != null ? 1 : 0
+  policy = data.aws_iam_policy_document.lambda_xray[0].json
+  role   = aws_iam_role.scale_up.name
+}
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
diff --git a/modules/webhook/README.md b/modules/webhook/README.md
diff --git a/modules/webhook/policies.tf b/modules/webhook/policies.tf
diff --git a/modules/webhook/variables.tf b/modules/webhook/variables.tf
diff --git a/modules/webhook/webhook.tf b/modules/webhook/webhook.tf
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -241,3 +241,9 @@ variable "lambda_architecture" {`
`241`	`241`	error_message = "`lambda_architecture` value is not valid, valid values are: `arm64` and `x86_64`."
`242`	`242`	`}`
`243`	`243`	`}`
	`244`	`+`
	`245`	`+variable "lambda_tracing_mode" {`
	`246`	`+ description = "Enable X-Ray tracing for the lambda functions."`
	`247`	`+ type = string`
	`248`	`+ default = null`
	`249`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,7 @@ module "pool" {`
`52`	`52`	`tags = local.tags`
`53`	`53`	`}`
`54`	`54`
`55`		`- aws_partition = var.aws_partition`
	`55`	`+ aws_partition = var.aws_partition`
	`56`	`+ lambda_tracing_mode = var.lambda_tracing_mode`
`56`	`57`
`57`	`58`	`}`
Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,13 @@ resource "aws_lambda_function" "scale_down" {`
`43`	`43`	`subnet_ids = var.lambda_subnet_ids`
`44`	`44`	`}`
`45`	`45`	`}`
	`46`	`+`
	`47`	`+ dynamic "tracing_config" {`
	`48`	`+ for_each = var.lambda_tracing_mode != null ? [true] : []`
	`49`	`+ content {`
	`50`	`+ mode = var.lambda_tracing_mode`
	`51`	`+ }`
	`52`	`+ }`
`46`	`53`	`}`
`47`	`54`
`48`	`55`	`resource "aws_cloudwatch_log_group" "scale_down" {`
`@@ -110,3 +117,9 @@ resource "aws_iam_role_policy_attachment" "scale_down_vpc_execution_role" {`
`110`	`117`	`role = aws_iam_role.scale_down.name`
`111`	`118`	`policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"`
`112`	`119`	`}`
	`120`	`+`
	`121`	`+resource "aws_iam_role_policy" "scale_down_xray" {`
	`122`	`+ count = var.lambda_tracing_mode != null ? 1 : 0`
	`123`	`+ policy = data.aws_iam_policy_document.lambda_xray[0].json`
	`124`	`+ role = aws_iam_role.scale_down.name`
	`125`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,13 @@ resource "aws_lambda_function" "scale_up" {`
`51`	`51`	`subnet_ids = var.lambda_subnet_ids`
`52`	`52`	`}`
`53`	`53`	`}`
	`54`	`+`
	`55`	`+ dynamic "tracing_config" {`
	`56`	`+ for_each = var.lambda_tracing_mode != null ? [true] : []`
	`57`	`+ content {`
	`58`	`+ mode = var.lambda_tracing_mode`
	`59`	`+ }`
	`60`	`+ }`
`54`	`61`	`}`
`55`	`62`
`56`	`63`	`resource "aws_cloudwatch_log_group" "scale_up" {`
`@@ -130,3 +137,9 @@ resource "aws_iam_role_policy_attachment" "ami_id_ssm_parameter_read" {`
`130`	`137`	`role = aws_iam_role.scale_up.name`
`131`	`138`	`policy_arn = aws_iam_policy.ami_id_ssm_parameter_read[0].arn`
`132`	`139`	`}`
	`140`	`+`
	`141`	`+resource "aws_iam_role_policy" "scale_up_xray" {`
	`142`	`+ count = var.lambda_tracing_mode != null ? 1 : 0`
	`143`	`+ policy = data.aws_iam_policy_document.lambda_xray[0].json`
	`144`	`+ role = aws_iam_role.scale_up.name`
	`145`	`+}`