feat: Add option for KMS encryption for cloudwatch log groups (#1833)

julada · web-flow · commit 3f1a67ff2135 · 2022-03-10T13:54:36.000+01:00
* feat: added kms encryption to cloudwatch log groups

* chore: added documentation for log kms encryption
diff --git a/README.md b/README.md
@@ -430,6 +430,7 @@ In case the setup does not work as intended follow the trace of events:
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Logging level for lambda logging. Valid values are  'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'. | `string` | `"info"` | no |
 | <a name="input_log_type"></a> [log\_type](#input\_log\_type) | Logging format for lambda logging. Valid values are 'json', 'pretty', 'hidden'. | `string` | `"pretty"` | no |
 | <a name="input_logging_retention_in_days"></a> [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `180` | no |
+| <a name="input_logging_kms_key_id"></a> [logging\_retention\_in\_days](#input\_kms\_key\_id) | Specifies the kms key id to encrypt the cloudwatch logs with. | `string` | `null` | no |
 | <a name="input_market_options"></a> [market\_options](#input\_market\_options) | DEPCRECATED: Replaced by `instance_target_capacity_type`. | `string` | `null` | no |
 | <a name="input_minimum_running_time_in_minutes"></a> [minimum\_running\_time\_in\_minutes](#input\_minimum\_running\_time\_in\_minutes) | The time an ec2 action runner should be running at minimum before terminated if not busy. | `number` | `null` | no |
 | <a name="input_pool_config"></a> [pool\_config](#input\_pool\_config) | The configuration for updating the pool. The `pool_size` to adjust to by the events triggered by the the `schedule_expression. For example you can configure a cron expression for week days to adjust the pool to 10 and another expression for the weekend to adjust the pool to 1.` | <pre>list(object({<br>    schedule_expression = string<br>    size                = number<br>  }))</pre> | `[]` | no |
diff --git a/main.tf b/main.tf
@@ -67,6 +67,7 @@ module "webhook" {
   lambda_zip                       = var.webhook_lambda_zip
   lambda_timeout                   = var.webhook_lambda_timeout
   logging_retention_in_days        = var.logging_retention_in_days
+  logging_kms_key_id               = var.logging_kms_key_id
 
   # labels
   enable_workflow_job_labels_check = var.runner_enable_workflow_job_labels_check
@@ -133,6 +134,7 @@ module "runners" {
   lambda_subnet_ids                = var.lambda_subnet_ids
   lambda_security_group_ids        = var.lambda_security_group_ids
   logging_retention_in_days        = var.logging_retention_in_days
+  logging_kms_key_id               = var.logging_kms_key_id
   enable_cloudwatch_agent          = var.enable_cloudwatch_agent
   cloudwatch_config                = var.cloudwatch_config
   runner_log_files                 = var.runner_log_files
@@ -188,6 +190,7 @@ module "runner_binaries" {
   lambda_zip                      = var.runner_binaries_syncer_lambda_zip
   lambda_timeout                  = var.runner_binaries_syncer_lambda_timeout
   logging_retention_in_days       = var.logging_retention_in_days
+  logging_kms_key_id              = var.logging_kms_key_id
 
   server_side_encryption_configuration = var.runner_binaries_s3_sse_configuration
 
diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf
@@ -45,6 +45,7 @@ resource "aws_lambda_function" "syncer" {
 resource "aws_cloudwatch_log_group" "syncer" {
   name              = "/aws/lambda/${aws_lambda_function.syncer.function_name}"
   retention_in_days = var.logging_retention_in_days
+  kms_key_id        = var.logging_kms_key_id
   tags              = var.tags
 }
 
diff --git a/modules/runner-binaries-syncer/variables.tf b/modules/runner-binaries-syncer/variables.tf
@@ -84,6 +84,12 @@ variable "logging_retention_in_days" {
   default     = 7
 }
 
+variable "logging_kms_key_id" {
+  description = "Specifies the kms key id to encrypt the logs with"
+  type        = string
+  default     = null
+}
+
 variable "runner_allow_prerelease_binaries" {
   description = "Allow the runners to update to prerelease binaries."
   type        = bool
diff --git a/modules/runners/logging.tf b/modules/runners/logging.tf
@@ -54,6 +54,7 @@ resource "aws_cloudwatch_log_group" "gh_runners" {
   count             = length(local.loggroups_names)
   name              = local.loggroups_names[count.index]
   retention_in_days = var.logging_retention_in_days
+  kms_key_id        = var.logging_kms_key_id
   tags              = local.tags
 }
 
diff --git a/modules/runners/pool.tf b/modules/runners/pool.tf
@@ -19,6 +19,7 @@ module "pool" {
       log_level                      = var.log_level
       log_type                       = var.log_type
       logging_retention_in_days      = var.logging_retention_in_days
+      logging_kms_key_id             = var.logging_retention_in_days
       reserved_concurrent_executions = var.pool_lambda_reserved_concurrent_executions
       s3_bucket                      = var.lambda_s3_bucket
       s3_key                         = var.runners_lambda_s3_key
diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf
@@ -49,6 +49,7 @@ resource "aws_lambda_function" "pool" {
 resource "aws_cloudwatch_log_group" "pool" {
   name              = "/aws/lambda/${aws_lambda_function.pool.function_name}"
   retention_in_days = var.config.lambda.logging_retention_in_days
+  kms_key_id        = var.config.lambda.logging_kms_key_id
   tags              = var.config.tags
 }
 
diff --git a/modules/runners/pool/variables.tf b/modules/runners/pool/variables.tf
@@ -4,6 +4,7 @@ variable "config" {
       log_level                      = string
       log_type                       = string
       logging_retention_in_days      = number
+      logging_kms_key_id             = string
       reserved_concurrent_executions = number
       s3_bucket                      = string
       s3_key                         = string
diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf
@@ -46,6 +46,7 @@ resource "aws_lambda_function" "scale_down" {
 resource "aws_cloudwatch_log_group" "scale_down" {
   name              = "/aws/lambda/${aws_lambda_function.scale_down.function_name}"
   retention_in_days = var.logging_retention_in_days
+  kms_key_id        = var.logging_kms_key_id
   tags              = var.tags
 }
 
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
@@ -49,6 +49,7 @@ resource "aws_lambda_function" "scale_up" {
 resource "aws_cloudwatch_log_group" "scale_up" {
   name              = "/aws/lambda/${aws_lambda_function.scale_up.function_name}"
   retention_in_days = var.logging_retention_in_days
+  kms_key_id        = var.logging_kms_key_id
   tags              = var.tags
 }
 
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
@@ -280,6 +280,12 @@ variable "logging_retention_in_days" {
   default     = 180
 }
 
+variable "logging_kms_key_id" {
+  description = "Specifies the kms key id to encrypt the logs with"
+  type        = string
+  default     = null
+}
+
 variable "enable_ssm_on_runners" {
   description = "Enable to allow access to the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
   type        = bool
diff --git a/modules/webhook/variables.tf b/modules/webhook/variables.tf
@@ -56,6 +56,12 @@ variable "logging_retention_in_days" {
   default     = 7
 }
 
+variable "logging_kms_key_id" {
+  description = "Specifies the kms key id to encrypt the logs with"
+  type        = string
+  default     = null
+}
+
 variable "lambda_s3_bucket" {
   description = "S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly."
   default     = null
diff --git a/modules/webhook/webhook.tf b/modules/webhook/webhook.tf
@@ -29,6 +29,7 @@ resource "aws_lambda_function" "webhook" {
 resource "aws_cloudwatch_log_group" "webhook" {
   name              = "/aws/lambda/${aws_lambda_function.webhook.function_name}"
   retention_in_days = var.logging_retention_in_days
+  kms_key_id        = var.logging_kms_key_id
   tags              = var.tags
 }
 
diff --git a/variables.tf b/variables.tf
@@ -211,6 +211,12 @@ variable "logging_retention_in_days" {
   default     = 180
 }
 
+variable "logging_kms_key_id" {
+  description = "Specifies the kms key id to encrypt the logs with"
+  type        = string
+  default     = null
+}
+
 variable "runner_allow_prerelease_binaries" {
   description = "Allow the runners to update to prerelease binaries."
   type        = bool

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,7 @@ resource "aws_lambda_function" "syncer" {`
`45`	`45`	`resource "aws_cloudwatch_log_group" "syncer" {`
`46`	`46`	`name = "/aws/lambda/${aws_lambda_function.syncer.function_name}"`
`47`	`47`	`retention_in_days = var.logging_retention_in_days`
	`48`	`+ kms_key_id = var.logging_kms_key_id`
`48`	`49`	`tags = var.tags`
`49`	`50`	`}`
`50`	`51`
Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,7 @@ resource "aws_cloudwatch_log_group" "gh_runners" {`
`54`	`54`	`count = length(local.loggroups_names)`
`55`	`55`	`name = local.loggroups_names[count.index]`
`56`	`56`	`retention_in_days = var.logging_retention_in_days`
	`57`	`+ kms_key_id = var.logging_kms_key_id`
`57`	`58`	`tags = local.tags`
`58`	`59`	`}`
`59`	`60`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ resource "aws_lambda_function" "pool" {`
`49`	`49`	`resource "aws_cloudwatch_log_group" "pool" {`
`50`	`50`	`name = "/aws/lambda/${aws_lambda_function.pool.function_name}"`
`51`	`51`	`retention_in_days = var.config.lambda.logging_retention_in_days`
	`52`	`+ kms_key_id = var.config.lambda.logging_kms_key_id`
`52`	`53`	`tags = var.config.tags`
`53`	`54`	`}`
`54`	`55`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ resource "aws_lambda_function" "scale_down" {`
`46`	`46`	`resource "aws_cloudwatch_log_group" "scale_down" {`
`47`	`47`	`name = "/aws/lambda/${aws_lambda_function.scale_down.function_name}"`
`48`	`48`	`retention_in_days = var.logging_retention_in_days`
	`49`	`+ kms_key_id = var.logging_kms_key_id`
`49`	`50`	`tags = var.tags`
`50`	`51`	`}`
`51`	`52`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ resource "aws_lambda_function" "webhook" {`
`29`	`29`	`resource "aws_cloudwatch_log_group" "webhook" {`
`30`	`30`	`name = "/aws/lambda/${aws_lambda_function.webhook.function_name}"`
`31`	`31`	`retention_in_days = var.logging_retention_in_days`
	`32`	`+ kms_key_id = var.logging_kms_key_id`
`32`	`33`	`tags = var.tags`
`33`	`34`	`}`
`34`	`35`