chore: add cloudwatch export for OS module (#177)

* chore: add cloudwatch export to os module * fix: remove variable from readme that doesnt exist
camunda · Oct 29, 2024 · ac1da74 · ac1da74
1 parent 77dd8ac
commit ac1da74
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 2 deletions.
diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md
@@ -25,7 +25,6 @@ module "opensearch_domain" {
   advanced_security_master_user_name = "admin"
   advanced_security_master_user_password = "password"
 
-  encrypt_at_rest_kms_key_id = "kms-key-id"
   access_policies = <<EOF
 {
   "Version": "2012-10-17",
@@ -67,6 +66,8 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_cloudwatch_log_group.log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_resource_policy.log_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy) | resource |
 | [aws_iam_policy.access_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.attach_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -75,6 +76,7 @@ No modules.
 | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.allow_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.allow_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_iam_policy_document.log_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -112,6 +114,7 @@ No modules.
 | <a name="input_kms_key_delete_window_in_days"></a> [kms\_key\_delete\_window\_in\_days](#input\_kms\_key\_delete\_window\_in\_days) | The number of days before the KMS key is deleted after being disabled. | `number` | `7` | no |
 | <a name="input_kms_key_enable_key_rotation"></a> [kms\_key\_enable\_key\_rotation](#input\_kms\_key\_enable\_key\_rotation) | Specifies whether automatic key rotation is enabled for the KMS key. | `bool` | `true` | no |
 | <a name="input_kms_key_tags"></a> [kms\_key\_tags](#input\_kms\_key\_tags) | The tags to associate with the KMS key. | `map(string)` | `{}` | no |
+| <a name="input_log_types"></a> [log\_types](#input\_log\_types) | The types of logs to publish to CloudWatch Logs. Example: [SEARCH\_SLOW\_LOGS, INDEX\_SLOW\_LOGS, ES\_APPLICATION\_LOGS] | `list(string)` | `[]` | no |
 | <a name="input_multi_az_with_standby_enabled"></a> [multi\_az\_with\_standby\_enabled](#input\_multi\_az\_with\_standby\_enabled) | Whether a multi-AZ domain is turned on with a standby AZ. | `bool` | `false` | no |
 | <a name="input_node_to_node_encryption_enabled"></a> [node\_to\_node\_encryption\_enabled](#input\_node\_to\_node\_encryption\_enabled) | Whether node to node encryption is enabled. | `bool` | `true` | no |
 | <a name="input_off_peak_window_enabled"></a> [off\_peak\_window\_enabled](#input\_off\_peak\_window\_enabled) | Whether to enable off peak update | `bool` | `true` | no |

diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf
@@ -89,6 +89,16 @@ resource "aws_opensearch_domain" "opensearch_cluster" {
 
   access_policies = var.enable_access_policy ? var.access_policies : null
 
+  dynamic "log_publishing_options" {
+    for_each = var.log_types
+
+    content {
+      enabled                  = true
+      cloudwatch_log_group_arn = join("", aws_cloudwatch_log_group.log_group[*].arn)
+      log_type                 = log_publishing_options.value
+    }
+  }
+
   domain_endpoint_options {
     enforce_https       = var.domain_endpoint_options.enforce_https
     tls_security_policy = var.domain_endpoint_options.tls_security_policy

diff --git a/modules/opensearch/monitoring.tf b/modules/opensearch/monitoring.tf
@@ -1 +1,30 @@
-# TODO: add monitoring
+resource "aws_cloudwatch_log_group" "log_group" {
+  count = length(var.log_types) > 0 ? 1 : 0
+  name  = "${var.domain_name}-os-logs"
+}
+
+data "aws_iam_policy_document" "log_policy_document" {
+  count = length(var.log_types) > 0 ? 1 : 0
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["es.amazonaws.com"]
+    }
+
+    actions = [
+      "logs:PutLogEvents",
+      "logs:PutLogEventsBatch",
+      "logs:CreateLogStream",
+    ]
+
+    resources = ["arn:aws:logs:*"]
+  }
+}
+
+resource "aws_cloudwatch_log_resource_policy" "log_policy" {
+  count           = length(var.log_types) > 0 ? 1 : 0
+  policy_name     = "${var.domain_name}-os-log-policy"
+  policy_document = join("", data.aws_iam_policy_document.log_policy_document[*].json)
+}
diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf
@@ -339,3 +339,9 @@ variable "iam_roles_with_policies" {
   # By default, don't create any role and associated policies.
   default = []
 }
+
+variable "log_types" {
+  type        = list(string)
+  default     = []
+  description = "The types of logs to publish to CloudWatch Logs. Example: [SEARCH_SLOW_LOGS, INDEX_SLOW_LOGS, ES_APPLICATION_LOGS]"
+}