From b24af693ed5f91c4e2ac5c384a2a51b990d8f840 Mon Sep 17 00:00:00 2001 From: jpluta <57197534+jpluta@users.noreply.github.com> Date: Fri, 21 Jun 2024 14:21:58 +0200 Subject: [PATCH] cloudwatch (#8) --- README.md | 11 ++++- main.tf | 120 ++++++++++++++++++++++++++++++++++++++++----------- variables.tf | 36 +++++++++++++++- 3 files changed, 140 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index 0e073b1..4a32830 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,10 @@ No modules. | Name | Type | |------|------| +| [aws_cloudwatch_log_group.postgres](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.postgres_custom_replica](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.postgres_multi_replica](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.postgres_replica](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_db_instance.custom_replica](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) | resource | | [aws_db_instance.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) | resource | | [aws_db_instance.multi_replica](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) | resource | 
@@ -121,6 +125,11 @@ No modules. | [backup\_window](#input\_backup\_window) | The daily time range (in UTC) during which automated backups are created if they are enabled. | `string` | `"03:00-06:00"` | no | | [blue\_green\_update\_enabled](#input\_blue\_green\_update\_enabled) | Enables low-downtime updates when true. | `bool` | `false` | no | | [ca\_cert\_identifier](#input\_ca\_cert\_identifier) | The identifier of the CA certificate for the DB instance. | `string` | `null` | no | +| [cloudwatch\_log\_group\_class](#input\_cloudwatch\_log\_group\_class) | The log class of the log group. | `string` | `"STANDARD"` | no | +| [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data. | `string` | `null` | no | +| [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Tthe number of days to retain log events in the cloudwatch log group. | `number` | `7` | no | +| [cloudwatch\_log\_group\_skip\_destroy](#input\_cloudwatch\_log\_group\_skip\_destroy) | Set to true to prevent deletion fo the log group at terraform destroy time. | `bool` | `false` | no | +| [cloudwatch\_logs\_enabled](#input\_cloudwatch\_logs\_enabled) | If true, cloudwatch log group is created. | `bool` | `false` | no | | [common\_tags](#input\_common\_tags) | A map of tags to assign to every resource in this module. | `map(string)` | `{}` | no | | [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | Copy all Instance tags to snapshots. | `bool` | `false` | no | | [custom\_iam\_instance\_profile](#input\_custom\_iam\_instance\_profile) | The instance profile associated with the underlying Amazon EC2 instance of an RDS Custom DB instance. | `string` | `null` | no | 
@@ -131,7 +140,7 @@ No modules. | [dedicated\_log\_volume](#input\_dedicated\_log\_volume) | Use a dedicated log volume (DLV) for the DB instance. | `bool` | `false` | no | | [delete\_automated\_backups](#input\_delete\_automated\_backups) | Specifies whether to remove automated backups immediately after the DB instance is deleted. | `bool` | `true` | no | | [deletion\_protection](#input\_deletion\_protection) | The database can't be deleted when this value is set to true. | `bool` | `false` | no | -| [enabled\_cloudwatch\_logs\_exports](#input\_enabled\_cloudwatch\_logs\_exports) | value | `set(string)` | `null` | no | +| [enabled\_cloudwatch\_logs\_exports](#input\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. | `set(string)` |
[
"postgresql",
"upgrade"
]
| no | | [engine\_version](#input\_engine\_version) | The engine version to use. | `string` | `"16.3"` | no | | [final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | he name of your final DB snapshot when this DB instance is deleted. | `string` | `null` | no | | [iam\_database\_authentication\_enabled](#input\_iam\_database\_authentication\_enabled) | Enables mappings of AWS IAM accounts to database accounts. | `bool` | `false` | no | diff --git a/main.tf b/main.tf index 71d0241..08c3f2b 100644 --- a/main.tf +++ b/main.tf @@ -14,6 +14,27 @@ locals { parameter_group_name = var.parameter_group_name != null ? var.parameter_group_name : (length(var.parameter_group_list) > 0 ? var.instance_name : null) backup_retention_period = var.blue_green_update_enabled ? coalesce(var.backup_retention_period, 1) : var.backup_retention_period + replica_name = var.replica_name != null ? var.replica_name : "${var.instance_name}-replica" + + enabled_cloudwatch_logs_exports = var.cloudwatch_logs_enabled ? var.enabled_cloudwatch_logs_exports : [] + + multi_replica_instance_names = [for replica_id in range(1, var.number_of_replicas + 1) : var.replica_name != null ? "${var.replica_name}-${replica_id}" : "${var.instance_name}-replica-${replica_id}"] + multi_replica_cloudwatch_log_groups = distinct(flatten([ + for replica_id in local.multi_replica_instance_names : [ + for log in var.enabled_cloudwatch_logs_exports : { + replica_id = replica_id + log = log + } + ] + ])) + custom_replicas_cloudwatch_log_groups = distinct(flatten([ + for replica_id, params in var.custom_replicas : [ + for log in var.enabled_cloudwatch_logs_exports : { + replica_id = replica_id + log = log + } + ] + ])) } resource "aws_db_parameter_group" "main" { 
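Review bot: `multi_replica_cloudwatch_log_groups` and `custom_replicas_cloudwatch_log_groups` iterate `var.enabled_cloudwatch_logs_exports`, while `enabled_cloudwatch_logs_exports` a few lines above is gated on `var.cloudwatch_logs_enabled`; with the default `cloudwatch_logs_enabled = false` the main and single-replica log groups are skipped but the multi-replica and custom-replica groups are still created for `postgresql` and `upgrade` even though no instance exports to them. Both inner loops should read `for log in local.enabled_cloudwatch_logs_exports : {` so every log group follows the same switch. `multi_replica_instance_names` also duplicates the identifier expression used inline by `aws_db_instance.multi_replica`; a comment such as `# Must stay identical to aws_db_instance.multi_replica.identifier: RDS writes to /aws/rds/instance/<identifier>/<log>` would at least make the coupling explicit. The `locals` block starts before this hunk.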
@@ -64,7 +85,7 @@ resource "aws_db_instance" "main" { dedicated_log_volume = var.dedicated_log_volume delete_automated_backups = var.delete_automated_backups deletion_protection = var.deletion_protection - enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports + enabled_cloudwatch_logs_exports = local.enabled_cloudwatch_logs_exports engine = "postgres" engine_version = var.engine_version final_snapshot_identifier = var.final_snapshot_identifier @@ -137,14 +158,15 @@ resource "aws_db_instance_role_association" "main" { resource "aws_db_instance" "replica" { count = var.replica_enabled ? 1 : 0 - replicate_source_db = aws_db_instance.main.identifier - instance_class = var.instance_class - availability_zone = var.replica_availability_zone - identifier = var.replica_name != null ? var.replica_name : "${var.instance_name}-replica" - kms_key_id = var.kms_key_id - auto_minor_version_upgrade = var.auto_minor_version_upgrade - skip_final_snapshot = var.skip_final_snapshot - max_allocated_storage = var.max_allocated_storage + replicate_source_db = aws_db_instance.main.identifier + instance_class = var.instance_class + availability_zone = var.replica_availability_zone + identifier = local.replica_name + enabled_cloudwatch_logs_exports = local.enabled_cloudwatch_logs_exports + kms_key_id = var.kms_key_id + auto_minor_version_upgrade = var.auto_minor_version_upgrade + skip_final_snapshot = var.skip_final_snapshot + max_allocated_storage = var.max_allocated_storage tags = merge( var.common_tags, 
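Review bot: Switching `aws_db_instance.main` from `var.enabled_cloudwatch_logs_exports` to `local.enabled_cloudwatch_logs_exports` means any caller that already sets an export list now gets `[]` unless they also set the new `cloudwatch_logs_enabled`, which defaults to `false`; on upgrade that turns PostgreSQL and upgrade log export off with nothing in the plan but the attribute diff, and the same applies to callers relying on the new `["postgresql", "upgrade"]` default. Either default `cloudwatch_logs_enabled` to `true`, or document in the variable description and README that the export list is ignored unless the flag is set, and add a comment on this line: `# [] when cloudwatch_logs_enabled is false: exports are removed, not left unmanaged`. The `aws_db_instance.main` block starts and ends outside this hunk.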
@@ -163,13 +185,14 @@ resource "aws_db_instance" "replica" { resource "aws_db_instance" "multi_replica" { count = var.number_of_replicas - replicate_source_db = aws_db_instance.main.identifier - instance_class = var.instance_class - identifier = var.replica_name != null ? "${var.replica_name}-${count.index + 1}" : "${var.instance_name}-replica-${count.index + 1}" - kms_key_id = var.kms_key_id - auto_minor_version_upgrade = var.auto_minor_version_upgrade - skip_final_snapshot = var.skip_final_snapshot - max_allocated_storage = var.max_allocated_storage + replicate_source_db = aws_db_instance.main.identifier + instance_class = var.instance_class + identifier = var.replica_name != null ? "${var.replica_name}-${count.index + 1}" : "${var.instance_name}-replica-${count.index + 1}" + enabled_cloudwatch_logs_exports = local.enabled_cloudwatch_logs_exports + kms_key_id = var.kms_key_id + auto_minor_version_upgrade = var.auto_minor_version_upgrade + skip_final_snapshot = var.skip_final_snapshot + max_allocated_storage = var.max_allocated_storage tags = merge( var.common_tags, 
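Review bot: `identifier` in `aws_db_instance.multi_replica` still builds the name inline while the matching log groups in `aws_cloudwatch_log_group.postgres_multi_replica` take it from `local.multi_replica_instance_names`; the two expressions are identical today, but RDS derives the log path from the instance identifier, so a future edit to one of them leaves the replica writing to a group RDS auto-creates (no retention, no KMS key) instead of the managed one. Use `identifier = local.multi_replica_instance_names[count.index]` so there is a single source of truth. The resource block starts before this hunk and its `tags`/`timeouts` continue after it.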
@@ -188,14 +211,15 @@ resource "aws_db_instance" "multi_replica" { resource "aws_db_instance" "custom_replica" { for_each = var.custom_replicas - replicate_source_db = aws_db_instance.main.identifier - instance_class = try(each.value.instance_class) - availability_zone = try(each.value.availability_zone) - identifier = each.key - kms_key_id = var.kms_key_id - auto_minor_version_upgrade = var.auto_minor_version_upgrade - skip_final_snapshot = var.skip_final_snapshot - max_allocated_storage = var.max_allocated_storage + replicate_source_db = aws_db_instance.main.identifier + instance_class = try(each.value.instance_class) + availability_zone = try(each.value.availability_zone) + identifier = each.key + enabled_cloudwatch_logs_exports = local.enabled_cloudwatch_logs_exports + kms_key_id = var.kms_key_id + auto_minor_version_upgrade = var.auto_minor_version_upgrade + skip_final_snapshot = var.skip_final_snapshot + max_allocated_storage = var.max_allocated_storage tags = merge( var.common_tags, 
@@ -210,3 +234,51 @@ resource "aws_db_instance" "custom_replica" { delete = var.timeouts.delete } } + +resource "aws_cloudwatch_log_group" "postgres" { + for_each = local.enabled_cloudwatch_logs_exports + + name = "/aws/rds/instance/${var.instance_name}/${each.value}" + retention_in_days = var.cloudwatch_log_group_retention_in_days + kms_key_id = var.cloudwatch_log_group_kms_key_id + skip_destroy = var.cloudwatch_log_group_skip_destroy + log_group_class = var.cloudwatch_log_group_class + + tags = merge(var.common_tags, var.instance_tags) +} + +resource "aws_cloudwatch_log_group" "postgres_replica" { + for_each = toset([for log in local.enabled_cloudwatch_logs_exports : log if var.replica_enabled]) + + name = "/aws/rds/instance/${local.replica_name}/${each.value}" + retention_in_days = var.cloudwatch_log_group_retention_in_days + kms_key_id = var.cloudwatch_log_group_kms_key_id + skip_destroy = var.cloudwatch_log_group_skip_destroy + log_group_class = var.cloudwatch_log_group_class + + tags = merge(var.common_tags, var.replica_tags) +} + +resource "aws_cloudwatch_log_group" "postgres_multi_replica" { + for_each = { for e in local.multi_replica_cloudwatch_log_groups : "${e.replica_id}.${e.log}" => e } + + name = "/aws/rds/instance/${each.value.replica_id}/${each.value.log}" + retention_in_days = var.cloudwatch_log_group_retention_in_days + kms_key_id = var.cloudwatch_log_group_kms_key_id + skip_destroy = var.cloudwatch_log_group_skip_destroy + log_group_class = var.cloudwatch_log_group_class + + tags = merge(var.common_tags, var.replica_tags) +} + +resource "aws_cloudwatch_log_group" "postgres_custom_replica" { + for_each = { for e in local.custom_replicas_cloudwatch_log_groups : "${e.replica_id}.${e.log}" => e } + + name = "/aws/rds/instance/${each.value.replica_id}/${each.value.log}" + retention_in_days = var.cloudwatch_log_group_retention_in_days + kms_key_id = var.cloudwatch_log_group_kms_key_id + skip_destroy = var.cloudwatch_log_group_skip_destroy + 
log_group_class = var.cloudwatch_log_group_class + + tags = merge(var.common_tags, var.replica_tags) +} diff --git a/variables.tf b/variables.tf index e5f6809..1f30a3c 100644 --- a/variables.tf +++ b/variables.tf @@ -95,9 +95,9 @@ variable "deletion_protection" { } variable "enabled_cloudwatch_logs_exports" { - description = "value" + description = "Set of log types to enable for exporting to CloudWatch logs." type = set(string) - default = null + default = ["postgresql", "upgrade"] } variable "engine_version" { @@ -380,3 +380,35 @@ variable "replica_tags" { type = map(string) default = {} } + +# Cloudwatch + +variable "cloudwatch_logs_enabled" { + description = "If true, cloudwatch log group is created." + type = bool + default = false +} + +variable "cloudwatch_log_group_retention_in_days" { + description = "Tthe number of days to retain log events in the cloudwatch log group." + type = number + default = 7 +} + +variable "cloudwatch_log_group_kms_key_id" { + description = "The ARN of the KMS Key to use when encrypting log data." + type = string + default = null +} + +variable "cloudwatch_log_group_skip_destroy" { + description = "Set to true to prevent deletion fo the log group at terraform destroy time." + type = bool + default = false +} + +variable "cloudwatch_log_group_class" { + description = "The log class of the log group." + type = string + default = "STANDARD" +}
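Review bot: None of the `aws_db_instance` resources declares a dependency on the log group it exports to, and nothing in these four `aws_cloudwatch_log_group` resources orders them before the instances, so on a fresh apply an instance can be created first; RDS then creates `/aws/rds/instance/<identifier>/<log>` itself with no retention and default encryption, and the module's create of the same group fails on the pre-existing name. Add `depends_on = [aws_cloudwatch_log_group.postgres]` to `aws_db_instance.main` and the corresponding `postgres_replica` / `postgres_multi_replica` / `postgres_custom_replica` reference to each replica resource (those blocks are outside this hunk). `for_each = local.enabled_cloudwatch_logs_exports` on `postgres` also relies on the conditional in `locals` (set vs. `[]`) unifying to a set of strings; wrapping it as `for_each = toset(local.enabled_cloudwatch_logs_exports)`, as `postgres_replica` already does, removes that dependency. A header comment above `aws_cloudwatch_log_group.postgres` along the lines of `# Name must match the path RDS exports to; managed here so retention and KMS encryption are set instead of RDS defaults` would explain why the names are hard-coded.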
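Review bot: The new default `["postgresql", "upgrade"]` for `enabled_cloudwatch_logs_exports` is only applied when `cloudwatch_logs_enabled` is `true` (see `local.enabled_cloudwatch_logs_exports` in main.tf), and the description does not say so, which makes it look as if exports are on out of the box. The set is also unvalidated, so a typo is rejected by RDS at apply time rather than at plan; for this module the engine is fixed to `postgres`, whose supported export types are `postgresql` and `upgrade`. Suggest stating the dependency on the flag in the description and adding a `validation` block as below.
```terraform
variable "enabled_cloudwatch_logs_exports" {
  description = "Set of log types to export to CloudWatch Logs. Only applied when cloudwatch_logs_enabled is true; valid values for PostgreSQL are \"postgresql\" and \"upgrade\"."
  # … unchanged: type and default …
  validation {
    condition     = alltrue([for l in var.enabled_cloudwatch_logs_exports : contains(["postgresql", "upgrade"], l)])
    error_message = "enabled_cloudwatch_logs_exports may only contain \"postgresql\" and/or \"upgrade\"."
  }
}
```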
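Review bot: The `cloudwatch_log_group_retention_in_days` default of 7 is short for a log that, in many deployments, is the only database-level audit trail, and CloudWatch only accepts a fixed list of retention values (1, 3, 5, 7, 14, 30, …, 3653, or 0 for never expire), so an arbitrary number fails at apply; consider a longer default or a `validation` block restricting the value to that list. `cloudwatch_log_group_kms_key_id` defaulting to `null` means AWS-managed encryption, and when a customer key is supplied its key policy must grant the CloudWatch Logs service principal for the region or the log group creation fails — both are worth stating in the description. The descriptions also carry typos: `Tthe number of days` → `The number of days`, and `deletion fo the log group` → `deletion of the log group`.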