Split log_config and log_delivery

antonbabenko · antonbabenko · commit ca4ccdbe4bc6 · 2025-10-04T13:02:52.000+02:00
diff --git a/README.md b/README.md
@@ -514,7 +514,8 @@ No modules.
 | <a name="input_create_archives"></a> [create\_archives](#input\_create\_archives) | Controls whether EventBridge Archive resources should be created | `bool` | `false` | no |
 | <a name="input_create_bus"></a> [create\_bus](#input\_create\_bus) | Controls whether EventBridge Bus resource should be created | `bool` | `true` | no |
 | <a name="input_create_connections"></a> [create\_connections](#input\_create\_connections) | Controls whether EventBridge Connection resources should be created | `bool` | `false` | no |
-| <a name="input_create_logging"></a> [create\_logging](#input\_create\_logging) | Controls whether EventBridge Logging resources should be created | `bool` | `true` | no |
+| <a name="input_create_log_delivery"></a> [create\_log\_delivery](#input\_create\_log\_delivery) | Controls whether EventBridge log delivery resources should be created | `bool` | `true` | no |
+| <a name="input_create_log_delivery_source"></a> [create\_log\_delivery\_source](#input\_create\_log\_delivery\_source) | Controls whether EventBridge log delivery source resource should be created | `bool` | `true` | no |
 | <a name="input_create_permissions"></a> [create\_permissions](#input\_create\_permissions) | Controls whether EventBridge Permission resources should be created | `bool` | `true` | no |
 | <a name="input_create_pipe_role_only"></a> [create\_pipe\_role\_only](#input\_create\_pipe\_role\_only) | Controls whether an IAM role should be created for the pipes only | `bool` | `false` | no |
 | <a name="input_create_pipes"></a> [create\_pipes](#input\_create\_pipes) | Controls whether EventBridge Pipes resources should be created | `bool` | `true` | no |
@@ -532,8 +533,9 @@ No modules.
 | <a name="input_kinesis_target_arns"></a> [kinesis\_target\_arns](#input\_kinesis\_target\_arns) | The Amazon Resource Name (ARN) of the Kinesis Streams you want to use as EventBridge targets | `list(string)` | `[]` | no |
 | <a name="input_kms_key_identifier"></a> [kms\_key\_identifier](#input\_kms\_key\_identifier) | The identifier of the AWS KMS customer managed key for EventBridge to use, if you choose to use a customer managed key to encrypt events on this event bus. The identifier can be the key Amazon Resource Name (ARN), KeyId, key alias, or key alias ARN. | `string` | `null` | no |
 | <a name="input_lambda_target_arns"></a> [lambda\_target\_arns](#input\_lambda\_target\_arns) | The Amazon Resource Name (ARN) of the Lambda Functions you want to use as EventBridge targets | `list(string)` | `[]` | no |
+| <a name="input_log_config"></a> [log\_config](#input\_log\_config) | The configuration block for the EventBridge bus log config settings | <pre>object({<br/>    include_detail = string<br/>    level          = string<br/>  })</pre> | `null` | no |
+| <a name="input_log_delivery"></a> [log\_delivery](#input\_log\_delivery) | Map of the configuration block for the EventBridge bus log delivery settings (key is the type of log delivery: cloudwatch\_logs, s3, firehose) | <pre>map(object({<br/>    enabled         = optional(bool, true)<br/>    destination_arn = string<br/>    source_name     = optional(string)<br/>    name            = optional(string)<br/>    output_format   = optional(string)<br/>    field_delimiter = optional(string)<br/>    record_fields   = optional(list(string))<br/>    s3_delivery_configuration = optional(object({<br/>      enable_hive_compatible_path = optional(bool)<br/>      suffix_path                 = optional(string)<br/>    }))<br/>  }))</pre> | `{}` | no |
 | <a name="input_log_delivery_source_name"></a> [log\_delivery\_source\_name](#input\_log\_delivery\_source\_name) | Name of log delivery source | `string` | `null` | no |
-| <a name="input_logging"></a> [logging](#input\_logging) | The configuration block for the EventBridge bus logging | <pre>object({<br/>    include_detail = optional(string)<br/>    level          = optional(string)<br/><br/>    cloudwatch_logs = optional(object({<br/>      enabled         = optional(bool, false)<br/>      name            = optional(string)<br/>      arn             = string<br/>      field_delimiter = optional(string)<br/>      record_fields   = optional(list(string))<br/>    }))<br/><br/>    s3 = optional(object({<br/>      enabled         = optional(bool, false)<br/>      name            = optional(string)<br/>      arn             = string<br/>      field_delimiter = optional(string)<br/>      record_fields   = optional(list(string))<br/>      s3_delivery_configuration = optional(object({<br/>        enable_hive_compatible_path = optional(bool)<br/>        suffix_path                 = optional(string)<br/>      }))<br/>    }))<br/><br/>    firehose = optional(object({<br/>      enabled         = optional(bool, false)<br/>      name            = optional(string)<br/>      arn             = string<br/>      field_delimiter = optional(string)<br/>      record_fields   = optional(list(string))<br/>    }))<br/>  })</pre> | `null` | no |
 | <a name="input_number_of_policies"></a> [number\_of\_policies](#input\_number\_of\_policies) | Number of policies to attach to IAM role | `number` | `0` | no |
 | <a name="input_number_of_policy_jsons"></a> [number\_of\_policy\_jsons](#input\_number\_of\_policy\_jsons) | Number of policies JSON to attach to IAM role | `number` | `0` | no |
 | <a name="input_permissions"></a> [permissions](#input\_permissions) | A map of objects with EventBridge Permission definitions. | `map(any)` | `{}` | no |
@@ -579,7 +581,8 @@ No modules.
 | <a name="output_eventbridge_connection_ids"></a> [eventbridge\_connection\_ids](#output\_eventbridge\_connection\_ids) | The EventBridge Connection IDs |
 | <a name="output_eventbridge_connections"></a> [eventbridge\_connections](#output\_eventbridge\_connections) | The EventBridge Connections created and their attributes |
 | <a name="output_eventbridge_iam_roles"></a> [eventbridge\_iam\_roles](#output\_eventbridge\_iam\_roles) | The EventBridge IAM roles created and their attributes |
-| <a name="output_eventbridge_log_delivery_source"></a> [eventbridge\_log\_delivery\_source](#output\_eventbridge\_log\_delivery\_source) | The EventBridge Bus CloudWatch Log Delivery Source created and their attributes |
+| <a name="output_eventbridge_log_delivery_source_arn"></a> [eventbridge\_log\_delivery\_source\_arn](#output\_eventbridge\_log\_delivery\_source\_arn) | The EventBridge Bus CloudWatch Log Delivery Source ARN |
+| <a name="output_eventbridge_log_delivery_source_name"></a> [eventbridge\_log\_delivery\_source\_name](#output\_eventbridge\_log\_delivery\_source\_name) | The EventBridge Bus CloudWatch Log Delivery Source Name |
 | <a name="output_eventbridge_permission_ids"></a> [eventbridge\_permission\_ids](#output\_eventbridge\_permission\_ids) | The EventBridge Permission IDs |
 | <a name="output_eventbridge_permissions"></a> [eventbridge\_permissions](#output\_eventbridge\_permissions) | The EventBridge Permissions created and their attributes |
 | <a name="output_eventbridge_pipe_arns"></a> [eventbridge\_pipe\_arns](#output\_eventbridge\_pipe\_arns) | The EventBridge Pipes ARNs |
diff --git a/examples/with-bus-logging/README.md b/examples/with-bus-logging/README.md
@@ -33,6 +33,8 @@ $ terraform apply
 |------|--------|---------|
 | <a name="module_cloudwatch_log_group"></a> [cloudwatch\_log\_group](#module\_cloudwatch\_log\_group) | terraform-aws-modules/cloudwatch/aws//modules/log-group | ~> 5.0 |
 | <a name="module_eventbridge"></a> [eventbridge](#module\_eventbridge) | ../../ | n/a |
+| <a name="module_eventbridge_external"></a> [eventbridge\_external](#module\_eventbridge\_external) | ../../ | n/a |
+| <a name="module_eventbridge_log_delivery_only"></a> [eventbridge\_log\_delivery\_only](#module\_eventbridge\_log\_delivery\_only) | ../../ | n/a |
 | <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
 
 ## Resources
diff --git a/examples/with-bus-logging/main.tf b/examples/with-bus-logging/main.tf
@@ -16,18 +16,57 @@ module "eventbridge" {
 
   bus_name = random_pet.this.id
 
-  logging = {
+  log_config = {
     include_detail = "FULL"
     level          = "INFO"
+  }
+
+  log_delivery = {
+    cloudwatch_logs = {
+      destination_arn = module.cloudwatch_log_group.cloudwatch_log_group_arn
+    }
+    s3 = {
+      destination_arn = module.s3_bucket.s3_bucket_arn
+    }
+  }
+}
+
+# External EventBridge bus with log delivery attached to the bus
+module "eventbridge_external" {
+  source = "../../"
+
+  create_bus = true
+
+  bus_name = "${random_pet.this.id}-external-bus"
+
+  log_config = {
+    include_detail = "FULL"
+    level          = "TRACE"
+  }
+}
+
+module "eventbridge_log_delivery_only" {
+  source = "../../"
+
+  create_bus  = false
+  create_role = false
+
+  bus_name = module.eventbridge_external.eventbridge_bus_name
+
+  create_log_delivery_source = false
+
+  log_delivery = {
     cloudwatch_logs = {
-      enabled = true
-      arn     = module.cloudwatch_log_group.cloudwatch_log_group_arn
+      destination_arn = module.cloudwatch_log_group.cloudwatch_log_group_arn
+      source_name     = module.eventbridge_external.eventbridge_log_delivery_source_name
     }
     s3 = {
-      enabled = true
-      arn     = module.s3_bucket.s3_bucket_arn
+      destination_arn = module.s3_bucket.s3_bucket_arn
+      source_name     = module.eventbridge_external.eventbridge_log_delivery_source_name
     }
   }
+
+  depends_on = [module.eventbridge_external]
 }
 
 #################
@@ -99,7 +138,8 @@ data "aws_iam_policy_document" "bucket_policy" {
       test     = "ArnLike"
       variable = "aws:SourceArn"
       values = [
-        module.eventbridge.eventbridge_log_delivery_source[0].arn
+        module.eventbridge.eventbridge_log_delivery_source_arn,
+        module.eventbridge_external.eventbridge_log_delivery_source_arn
       ]
     }
   }
diff --git a/main.tf b/main.tf
@@ -54,7 +54,7 @@ locals {
     })
   ])
 
-  create_logging = var.create && var.create_bus && var.create_logging && var.logging != null
+  create_log_delivery = var.create && var.create_log_delivery
 }
 
 data "aws_cloudwatch_event_bus" "this" {
@@ -75,66 +75,68 @@ resource "aws_cloudwatch_event_bus" "this" {
 
   dynamic "dead_letter_config" {
     for_each = length(var.dead_letter_config) > 0 ? [var.dead_letter_config] : []
+
     content {
       arn = try(dead_letter_config.value.arn, null)
     }
   }
 
   dynamic "log_config" {
-    for_each = var.logging != null ? [var.logging] : []
+    for_each = var.log_config != null ? [var.log_config] : []
+
     content {
-      include_detail = log_config.value.include_detail
-      level          = log_config.value.level
+      include_detail = try(log_config.value.include_detail, null)
+      level          = try(upper(log_config.value.level), null)
     }
   }
 
   tags = var.tags
 }
 
 resource "aws_cloudwatch_log_delivery_source" "this" {
-  count = local.create_logging ? 1 : 0
+  count = local.create_log_delivery && var.create_log_delivery_source ? 1 : 0
 
   region = var.region
 
   name         = coalesce(var.log_delivery_source_name, var.bus_name)
-  log_type     = "${upper(var.logging.level)}_LOGS"
-  resource_arn = aws_cloudwatch_event_bus.this[0].arn
+  log_type     = format("%s_LOGS", try(contains(["INFO", "ERROR", "TRACE"], upper(var.log_config.level)), false) ? upper(var.log_config.level) : "ERROR")
+  resource_arn = var.create_bus ? aws_cloudwatch_event_bus.this[0].arn : data.aws_cloudwatch_event_bus.this[0].arn
 
   tags = var.tags
 }
 
 resource "aws_cloudwatch_log_delivery_destination" "this" {
-  for_each = { for k, v in var.logging : k => v if(local.create_logging && contains(["s3", "cloudwatch_logs", "firehose"], k) && try(v.enabled, true) && v != null) }
+  for_each = { for k, v in var.log_delivery : k => v if(local.create_log_delivery && try(v.enabled, true)) }
 
   region = var.region
 
   name          = coalesce(each.value.name, "${var.bus_name}-${each.key}")
-  output_format = try(each.value.output_format, null)
+  output_format = each.value.output_format
 
   delivery_destination_configuration {
-    destination_resource_arn = each.value.arn
+    destination_resource_arn = each.value.destination_arn
   }
 
   tags = var.tags
 }
 
 resource "aws_cloudwatch_log_delivery" "this" {
-  for_each = { for k, v in var.logging : k => v if(local.create_logging && contains(["s3", "cloudwatch_logs", "firehose"], k) && try(v.enabled, true) && v != null) }
+  for_each = { for k, v in var.log_delivery : k => v if(local.create_log_delivery && try(v.enabled, true)) }
 
   region = var.region
 
-  delivery_source_name     = aws_cloudwatch_log_delivery_source.this[0].name
+  delivery_source_name     = var.create_log_delivery_source ? aws_cloudwatch_log_delivery_source.this[0].name : each.value.source_name
   delivery_destination_arn = aws_cloudwatch_log_delivery_destination.this[each.key].arn
 
   field_delimiter = each.value.field_delimiter
   record_fields   = each.value.record_fields
 
   dynamic "s3_delivery_configuration" {
-    for_each = try(each.value.s3_delivery_configuration, null) != null ? [true] : []
+    for_each = each.value.s3_delivery_configuration != null ? [each.value.s3_delivery_configuration] : []
 
     content {
-      enable_hive_compatible_path = each.value.s3_delivery_configuration.enable_hive_compatible_path
-      suffix_path                 = each.value.s3_delivery_configuration.suffix_path
+      enable_hive_compatible_path = s3_delivery_configuration.value.enable_hive_compatible_path
+      suffix_path                 = s3_delivery_configuration.value.suffix_path
     }
   }
 
diff --git a/outputs.tf b/outputs.tf
@@ -161,9 +161,15 @@ output "eventbridge_pipes" {
   value       = aws_pipes_pipe.this
 }
 
-output "eventbridge_log_delivery_source" {
-  description = "The EventBridge Bus CloudWatch Log Delivery Source created and their attributes"
-  value       = aws_cloudwatch_log_delivery_source.this
+# EventBridge Log Delivery Source
+output "eventbridge_log_delivery_source_arn" {
+  description = "The EventBridge Bus CloudWatch Log Delivery Source ARN"
+  value       = try(aws_cloudwatch_log_delivery_source.this[0].arn, "")
+}
+
+output "eventbridge_log_delivery_source_name" {
+  description = "The EventBridge Bus CloudWatch Log Delivery Source Name"
+  value       = try(aws_cloudwatch_log_delivery_source.this[0].name, "")
 }
 
 # IAM Roles
diff --git a/variables.tf b/variables.tf
@@ -118,8 +118,14 @@ variable "create_pipes" {
   default     = true
 }
 
-variable "create_logging" {
-  description = "Controls whether EventBridge Logging resources should be created"
+variable "create_log_delivery_source" {
+  description = "Controls whether EventBridge log delivery source resource should be created"
+  type        = bool
+  default     = true
+}
+
+variable "create_log_delivery" {
+  description = "Controls whether EventBridge log delivery resources should be created"
   type        = bool
   default     = true
 }
@@ -144,43 +150,33 @@ variable "bus_description" {
   default     = null
 }
 
-variable "logging" {
-  description = "The configuration block for the EventBridge bus logging"
+variable "log_config" {
+  description = "The configuration block for the EventBridge bus log config settings"
   type = object({
-    include_detail = optional(string)
-    level          = optional(string)
-
-    cloudwatch_logs = optional(object({
-      enabled         = optional(bool, false)
-      name            = optional(string)
-      arn             = string
-      field_delimiter = optional(string)
-      record_fields   = optional(list(string))
-    }))
-
-    s3 = optional(object({
-      enabled         = optional(bool, false)
-      name            = optional(string)
-      arn             = string
-      field_delimiter = optional(string)
-      record_fields   = optional(list(string))
-      s3_delivery_configuration = optional(object({
-        enable_hive_compatible_path = optional(bool)
-        suffix_path                 = optional(string)
-      }))
-    }))
-
-    firehose = optional(object({
-      enabled         = optional(bool, false)
-      name            = optional(string)
-      arn             = string
-      field_delimiter = optional(string)
-      record_fields   = optional(list(string))
-    }))
+    include_detail = string
+    level          = string
   })
   default = null
 }
 
+variable "log_delivery" {
+  description = "Map of the configuration block for the EventBridge bus log delivery settings (key is the type of log delivery: cloudwatch_logs, s3, firehose)"
+  type = map(object({
+    enabled         = optional(bool, true)
+    destination_arn = string
+    source_name     = optional(string)
+    name            = optional(string)
+    output_format   = optional(string)
+    field_delimiter = optional(string)
+    record_fields   = optional(list(string))
+    s3_delivery_configuration = optional(object({
+      enable_hive_compatible_path = optional(bool)
+      suffix_path                 = optional(string)
+    }))
+  }))
+  default = {}
+}
+
 variable "log_delivery_source_name" {
   description = "Name of log delivery source"
   type        = string
