Fixed code and examples to pass

Author: antonbabenko

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.99.4
+    rev: v1.101.0
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
@@ -23,7 +23,7 @@ repos:
           - '--args=--only=terraform_workspace_remote'
       - id: terraform_validate
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer

README.md

@@ -14,14 +14,27 @@ Terraform module to create EventBridge resources.
 
 ### EventBridge Complete
 
-Most common use-case which creates custom bus, rules and targets.
+Most common use-case which creates custom bus, logging, rules and targets.
 
 ```hcl
 module "eventbridge" {
   source = "terraform-aws-modules/eventbridge/aws"
 
   bus_name = "my-bus"
 
+  logging = {
+    include_detail = "FULL"
+    level          = "INFO"
+    cloudwatch_logs = {
+      enabled = true
+      arn     = "arn:aws:logs:us-east-1:123456789012:log-group:my-log-group"
+    }
+    s3 = {
+      enabled = true
+      arn     = "arn:aws:s3:::my-log-bucket"
+    }
+  }
+
   rules = {
     orders = {
       description   = "Capture all order data"
@@ -347,6 +360,7 @@ module "eventbridge" {
   create_schedule_groups  = false  # to control creation of EventBridge Schedule Group resources
   create_schedules        = false  # to control creation of EventBridge Schedule resources
   create_pipes            = false  # to control creation of EventBridge Pipes resources
+  create_logging          = false  # to control creation of EventBridge Logging resources
 
   attach_cloudwatch_policy       = false
   attach_ecs_policy              = false
@@ -368,6 +382,7 @@ module "eventbridge" {
 * [HTTP API Gateway](https://github.com/terraform-aws-modules/terraform-aws-eventbridge/tree/master/examples/api-gateway-event-source) - Creates an integration with HTTP API Gateway as event source.
 * [Using Default Bus](https://github.com/terraform-aws-modules/terraform-aws-eventbridge/tree/master/examples/default-bus) - Creates resources in the `default` bus.
 * [Archive](https://github.com/terraform-aws-modules/terraform-aws-eventbridge/tree/master/examples/with-archive) - EventBridge Archives resources in various configurations.
+* [Logging](https://github.com/terraform-aws-modules/terraform-aws-eventbridge/tree/master/examples/with-bus-logging) - EventBridge Logging resources in various configurations.
 * [Permissions](https://github.com/terraform-aws-modules/terraform-aws-eventbridge/tree/master/examples/with-permissions) - Controls permissions to EventBridge.
 * [Scheduler](https://github.com/terraform-aws-modules/terraform-aws-eventbridge/tree/master/examples/with-schedules) - EventBridge Scheduler which works with any bus (recommended way).
 * [ECS Scheduling Events](https://github.com/terraform-aws-modules/terraform-aws-eventbridge/tree/master/examples/with-ecs-scheduling) - Use default bus to schedule events on ECS.
@@ -405,12 +420,8 @@ No modules.
 | [aws_cloudwatch_event_permission.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_permission) | resource |
 | [aws_cloudwatch_event_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
-| [aws_cloudwatch_log_delivery.cwlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_delivery) | resource |
-| [aws_cloudwatch_log_delivery.firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_delivery) | resource |
-| [aws_cloudwatch_log_delivery.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_delivery) | resource |
-| [aws_cloudwatch_log_delivery_destination.cwlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_delivery_destination) | resource |
-| [aws_cloudwatch_log_delivery_destination.firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_delivery_destination) | resource |
-| [aws_cloudwatch_log_delivery_destination.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_delivery_destination) | resource |
+| [aws_cloudwatch_log_delivery.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_delivery) | resource |
+| [aws_cloudwatch_log_delivery_destination.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_delivery_destination) | resource |
 | [aws_cloudwatch_log_delivery_source.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_delivery_source) | resource |
 | [aws_iam_policy.additional_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.additional_json](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -495,7 +506,6 @@ No modules.
 | <a name="input_attach_sqs_policy"></a> [attach\_sqs\_policy](#input\_attach\_sqs\_policy) | Controls whether the SQS policy should be added to IAM role for EventBridge Target | `bool` | `false` | no |
 | <a name="input_attach_tracing_policy"></a> [attach\_tracing\_policy](#input\_attach\_tracing\_policy) | Controls whether X-Ray tracing policy should be added to IAM role for EventBridge | `bool` | `false` | no |
 | <a name="input_bus_description"></a> [bus\_description](#input\_bus\_description) | Event bus description | `string` | `null` | no |
-| <a name="input_bus_log_config"></a> [bus\_log\_config](#input\_bus\_log\_config) | The configuration block for the EventBridge bus logging | <pre>object({<br/>    include_detail = optional(string)<br/>    level          = optional(string)<br/><br/>    cloudwatch = optional(object({<br/>      enabled       = optional(bool, false)<br/>      log_group_arn = optional(string)<br/>    }))<br/><br/>    s3 = optional(object({<br/>      enabled    = optional(bool, false)<br/>      bucket_arn = optional(string)<br/>    }))<br/><br/>    firehose = optional(object({<br/>      enabled             = optional(bool, false)<br/>      delivery_stream_arn = optional(string)<br/>    }))<br/>  })</pre> | `null` | no |
 | <a name="input_bus_name"></a> [bus\_name](#input\_bus\_name) | A unique name for your EventBridge Bus | `string` | `"default"` | no |
 | <a name="input_cloudwatch_target_arns"></a> [cloudwatch\_target\_arns](#input\_cloudwatch\_target\_arns) | The Amazon Resource Name (ARN) of the Cloudwatch Log Streams you want to use as EventBridge targets | `list(string)` | `[]` | no |
 | <a name="input_connections"></a> [connections](#input\_connections) | A map of objects with EventBridge Connection definitions. | `any` | `{}` | no |
@@ -504,6 +514,7 @@ No modules.
 | <a name="input_create_archives"></a> [create\_archives](#input\_create\_archives) | Controls whether EventBridge Archive resources should be created | `bool` | `false` | no |
 | <a name="input_create_bus"></a> [create\_bus](#input\_create\_bus) | Controls whether EventBridge Bus resource should be created | `bool` | `true` | no |
 | <a name="input_create_connections"></a> [create\_connections](#input\_create\_connections) | Controls whether EventBridge Connection resources should be created | `bool` | `false` | no |
+| <a name="input_create_logging"></a> [create\_logging](#input\_create\_logging) | Controls whether EventBridge Logging resources should be created | `bool` | `true` | no |
 | <a name="input_create_permissions"></a> [create\_permissions](#input\_create\_permissions) | Controls whether EventBridge Permission resources should be created | `bool` | `true` | no |
 | <a name="input_create_pipe_role_only"></a> [create\_pipe\_role\_only](#input\_create\_pipe\_role\_only) | Controls whether an IAM role should be created for the pipes only | `bool` | `false` | no |
 | <a name="input_create_pipes"></a> [create\_pipes](#input\_create\_pipes) | Controls whether EventBridge Pipes resources should be created | `bool` | `true` | no |
@@ -521,6 +532,8 @@ No modules.
 | <a name="input_kinesis_target_arns"></a> [kinesis\_target\_arns](#input\_kinesis\_target\_arns) | The Amazon Resource Name (ARN) of the Kinesis Streams you want to use as EventBridge targets | `list(string)` | `[]` | no |
 | <a name="input_kms_key_identifier"></a> [kms\_key\_identifier](#input\_kms\_key\_identifier) | The identifier of the AWS KMS customer managed key for EventBridge to use, if you choose to use a customer managed key to encrypt events on this event bus. The identifier can be the key Amazon Resource Name (ARN), KeyId, key alias, or key alias ARN. | `string` | `null` | no |
 | <a name="input_lambda_target_arns"></a> [lambda\_target\_arns](#input\_lambda\_target\_arns) | The Amazon Resource Name (ARN) of the Lambda Functions you want to use as EventBridge targets | `list(string)` | `[]` | no |
+| <a name="input_log_delivery_source_name"></a> [log\_delivery\_source\_name](#input\_log\_delivery\_source\_name) | Name of log delivery source | `string` | `null` | no |
+| <a name="input_logging"></a> [logging](#input\_logging) | The configuration block for the EventBridge bus logging | <pre>object({<br/>    include_detail = optional(string)<br/>    level          = optional(string)<br/><br/>    cloudwatch_logs = optional(object({<br/>      enabled         = optional(bool, false)<br/>      name            = optional(string)<br/>      arn             = string<br/>      field_delimiter = optional(string)<br/>      record_fields   = optional(list(string))<br/>    }))<br/><br/>    s3 = optional(object({<br/>      enabled         = optional(bool, false)<br/>      name            = optional(string)<br/>      arn             = string<br/>      field_delimiter = optional(string)<br/>      record_fields   = optional(list(string))<br/>      s3_delivery_configuration = optional(object({<br/>        enable_hive_compatible_path = optional(bool)<br/>        suffix_path                 = optional(string)<br/>      }))<br/>    }))<br/><br/>    firehose = optional(object({<br/>      enabled         = optional(bool, false)<br/>      name            = optional(string)<br/>      arn             = string<br/>      field_delimiter = optional(string)<br/>      record_fields   = optional(list(string))<br/>    }))<br/>  })</pre> | `null` | no |
 | <a name="input_number_of_policies"></a> [number\_of\_policies](#input\_number\_of\_policies) | Number of policies to attach to IAM role | `number` | `0` | no |
 | <a name="input_number_of_policy_jsons"></a> [number\_of\_policy\_jsons](#input\_number\_of\_policy\_jsons) | Number of policies JSON to attach to IAM role | `number` | `0` | no |
 | <a name="input_permissions"></a> [permissions](#input\_permissions) | A map of objects with EventBridge Permission definitions. | `map(any)` | `{}` | no |

examples/with-bus-logging/README.md

@@ -31,7 +31,7 @@ $ terraform apply
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_cloudwatch_log_group"></a> [cloudwatch\_log\_group](#module\_cloudwatch\_log\_group) | terraform-aws-modules/cloudwatch/aws//modules/log-group | ~> 3.0 |
+| <a name="module_cloudwatch_log_group"></a> [cloudwatch\_log\_group](#module\_cloudwatch\_log\_group) | terraform-aws-modules/cloudwatch/aws//modules/log-group | ~> 5.0 |
 | <a name="module_eventbridge"></a> [eventbridge](#module\_eventbridge) | ../../ | n/a |
 | <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
 
@@ -42,7 +42,6 @@ $ terraform apply
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.cwlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 

examples/with-bus-logging/main.tf

@@ -14,17 +14,18 @@ module "eventbridge" {
 
   create_bus = true
 
-  bus_name = "${random_pet.this.id}-bus"
-  bus_log_config = {
+  bus_name = random_pet.this.id
+
+  logging = {
     include_detail = "FULL"
     level          = "INFO"
-    cloudwatch = {
-      enabled       = true
-      log_group_arn = module.cloudwatch_log_group.cloudwatch_log_group_arn
+    cloudwatch_logs = {
+      enabled = true
+      arn     = module.cloudwatch_log_group.cloudwatch_log_group_arn
     }
     s3 = {
-      enabled    = true
-      bucket_arn = module.s3_bucket.s3_bucket_arn
+      enabled = true
+      arn     = module.s3_bucket.s3_bucket_arn
     }
   }
 }
@@ -42,41 +43,12 @@ resource "random_pet" "this" {
 ######################
 module "cloudwatch_log_group" {
   source  = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
-  version = "~> 3.0"
+  version = "~> 5.0"
 
   name              = "/aws/vendedlogs/events/event-bus/${random_pet.this.id}-bus"
   retention_in_days = 14
 }
 
-data "aws_iam_policy_document" "cwlogs" {
-  statement {
-    effect = "Allow"
-    principals {
-      type        = "Service"
-      identifiers = ["delivery.logs.amazonaws.com"]
-    }
-    actions = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents"
-    ]
-    resources = [
-      "${module.cloudwatch_log_group.arn}:log-stream:*"
-    ]
-    condition {
-      test     = "StringEquals"
-      variable = "aws:SourceAccount"
-      values   = [data.aws_caller_identity.current.account_id]
-    }
-    condition {
-      test     = "ArnLike"
-      variable = "aws:SourceArn"
-      values = [
-        module.eventbridge.eventbridge_log_delivery_source.arn
-      ]
-    }
-  }
-}
-
 ####
 # S3
 ####
@@ -85,6 +57,8 @@ module "s3_bucket" {
   version = "~> 5.0"
 
   bucket        = "${random_pet.this.id}-eventbridge-bus-logs-bucket"
+  force_destroy = true
+
   attach_policy = true
   policy        = data.aws_iam_policy_document.bucket_policy.json
 
@@ -125,13 +99,8 @@ data "aws_iam_policy_document" "bucket_policy" {
       test     = "ArnLike"
       variable = "aws:SourceArn"
       values = [
-        module.eventbridge.eventbridge_log_delivery_source.arn
+        module.eventbridge.eventbridge_log_delivery_source[0].arn
       ]
     }
   }
 }
-
-#
-# Kinesis Fire
-#
-

main.tf

@@ -53,7 +53,8 @@ locals {
       "Name" = var.append_pipe_postfix ? "${replace(index, "_", "-")}-pipe" : index
     })
   ])
-  enabled_bus_log_type = var.bus_log_config != null ? "${upper(var.bus_log_config.level)}_LOGS" : null
+
+  create_logging = var.create && var.create_bus && var.create_logging && var.logging != null
 }
 
 data "aws_cloudwatch_event_bus" "this" {
@@ -80,7 +81,7 @@ resource "aws_cloudwatch_event_bus" "this" {
   }
 
   dynamic "log_config" {
-    for_each = var.bus_log_config != null ? [var.bus_log_config] : []
+    for_each = var.logging != null ? [var.logging] : []
     content {
       include_detail = log_config.value.include_detail
       level          = log_config.value.level
@@ -91,110 +92,55 @@ resource "aws_cloudwatch_event_bus" "this" {
 }
 
 resource "aws_cloudwatch_log_delivery_source" "this" {
-  count = (
-    var.create &&
-    var.create_bus &&
-    var.bus_log_config != null
-  ) ? 1 : 0
-
-  name         = "EventBusSource-${var.bus_name}-${local.enabled_bus_log_type}"
-  log_type     = local.enabled_bus_log_type
-  resource_arn = aws_cloudwatch_event_bus.this[0].arn
-}
+  count = local.create_logging ? 1 : 0
 
-resource "aws_cloudwatch_log_delivery_destination" "cwlogs" {
-  count = (
-    var.create &&
-    var.create_bus &&
-    var.bus_log_config != null &&
-    var.bus_log_config.cloudwatch != null &&
-    var.bus_log_config.cloudwatch.enabled
-  ) ? 1 : 0
-
-  name = "EventsDeliveryDestination-${var.bus_name}-CWLogs"
+  region = var.region
 
-  delivery_destination_configuration {
-    destination_resource_arn = var.bus_log_config.cloudwatch.log_group_arn
-  }
+  name         = coalesce(var.log_delivery_source_name, var.bus_name)
+  log_type     = "${upper(var.logging.level)}_LOGS"
+  resource_arn = aws_cloudwatch_event_bus.this[0].arn
 
   tags = var.tags
 }
 
-resource "aws_cloudwatch_log_delivery" "cwlogs" {
-  count = (
-    var.create &&
-    var.create_bus &&
-    var.bus_log_config != null &&
-    var.bus_log_config.cloudwatch != null &&
-    var.bus_log_config.cloudwatch.enabled
-  ) ? 1 : 0
-
-  delivery_destination_arn = aws_cloudwatch_log_delivery_destination.cwlogs[0].arn
-  delivery_source_name     = aws_cloudwatch_log_delivery_source.this[0].name
-}
+resource "aws_cloudwatch_log_delivery_destination" "this" {
+  for_each = { for k, v in var.logging : k => v if(local.create_logging && contains(["s3", "cloudwatch_logs", "firehose"], k) && try(v.enabled, true) && v != null) }
 
-resource "aws_cloudwatch_log_delivery_destination" "s3" {
-  count = (
-    var.create &&
-    var.create_bus &&
-    var.bus_log_config != null &&
-    var.bus_log_config.s3 != null &&
-    var.bus_log_config.s3.enabled
-  ) ? 1 : 0
+  region = var.region
 
-  name = "EventsDeliveryDestination-${var.bus_name}-S3"
+  name          = coalesce(each.value.name, "${var.bus_name}-${each.key}")
+  output_format = try(each.value.output_format, null)
 
   delivery_destination_configuration {
-    destination_resource_arn = var.bus_log_config.s3.bucket_arn
+    destination_resource_arn = each.value.arn
   }
 
   tags = var.tags
 }
 
-resource "aws_cloudwatch_log_delivery" "s3" {
-  count = (
-    var.create &&
-    var.create_bus &&
-    var.bus_log_config != null &&
-    var.bus_log_config.s3 != null &&
-    var.bus_log_config.s3.enabled
-  ) ? 1 : 0
+resource "aws_cloudwatch_log_delivery" "this" {
+  for_each = { for k, v in var.logging : k => v if(local.create_logging && contains(["s3", "cloudwatch_logs", "firehose"], k) && try(v.enabled, true) && v != null) }
+
+  region = var.region
 
-  delivery_destination_arn = aws_cloudwatch_log_delivery_destination.s3[0].arn
   delivery_source_name     = aws_cloudwatch_log_delivery_source.this[0].name
-}
+  delivery_destination_arn = aws_cloudwatch_log_delivery_destination.this[each.key].arn
 
-resource "aws_cloudwatch_log_delivery_destination" "firehose" {
-  count = (
-    var.create &&
-    var.create_bus &&
-    var.bus_log_config != null &&
-    var.bus_log_config.firehose != null &&
-    var.bus_log_config.firehose.enabled
-  ) ? 1 : 0
+  field_delimiter = each.value.field_delimiter
+  record_fields   = each.value.record_fields
 
-  name = "EventsDeliveryDestination-${var.bus_name}-Firehose"
+  dynamic "s3_delivery_configuration" {
+    for_each = try(each.value.s3_delivery_configuration, null) != null ? [true] : []
 
-  delivery_destination_configuration {
-    destination_resource_arn = var.bus_log_config.firehose.delivery_stream_arn
+    content {
+      enable_hive_compatible_path = each.value.s3_delivery_configuration.enable_hive_compatible_path
+      suffix_path                 = each.value.s3_delivery_configuration.suffix_path
+    }
   }
 
   tags = var.tags
 }
 
-resource "aws_cloudwatch_log_delivery" "firehose" {
-  count = (
-    var.create &&
-    var.create_bus &&
-    var.bus_log_config != null &&
-    var.bus_log_config.firehose != null &&
-    var.bus_log_config.firehose.enabled
-  ) ? 1 : 0
-
-  delivery_destination_arn = aws_cloudwatch_log_delivery_destination.firehose[0].arn
-  delivery_source_name     = aws_cloudwatch_log_delivery_source.this[0].name
-}
-
 resource "aws_schemas_discoverer" "this" {
   count = var.create && var.create_schemas_discoverer ? 1 : 0