feat: Add options to manage log group RDSOSMetrics

giner · giner · commit dc3f5ae74de2 · 2024-11-22T23:02:40.000+09:00
Usually RDSOSMetrics is created by a DB instance itself when enhanced
monitoring is enabled. The new options allow make this log group managed
so that:
- non-default retention could be configured (AWS default is 30 days)
- tags could be assigned (tags are not propagated from the DB instance)
- the log group is removed if not used
diff --git a/README.md b/README.md
@@ -246,11 +246,13 @@ No resources.
 | <a name="input_character_set_name"></a> [character\_set\_name](#input\_character\_set\_name) | The character set name to use for DB encoding in Oracle instances. This can't be changed. See Oracle Character Sets Supported in Amazon RDS and Collations and Character Sets for Microsoft SQL Server for more information. This can only be set on creation | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_class"></a> [cloudwatch\_log\_group\_class](#input\_cloudwatch\_log\_group\_class) | Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT\_ACCESS | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
+| <a name="input_cloudwatch_log_group_rdsosmetrics_retention_in_days"></a> [cloudwatch\_log\_group\_rdsosmetrics\_retention\_in\_days](#input\_cloudwatch\_log\_group\_rdsosmetrics\_retention\_in\_days) | The number of days to retain CloudWatch logs for RDSOSMetrics log group | `number` | `30` | no |
 | <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | The number of days to retain CloudWatch logs for the DB instance | `number` | `7` | no |
 | <a name="input_cloudwatch_log_group_skip_destroy"></a> [cloudwatch\_log\_group\_skip\_destroy](#input\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `null` | no |
 | <a name="input_cloudwatch_log_group_tags"></a> [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags) | Additional tags for the CloudWatch log group(s) | `map(string)` | `{}` | no |
 | <a name="input_copy_tags_to_snapshot"></a> [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | On delete, copy all Instance tags to the final snapshot | `bool` | `false` | no |
 | <a name="input_create_cloudwatch_log_group"></a> [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a CloudWatch log group is created for each `enabled_cloudwatch_logs_exports` | `bool` | `false` | no |
+| <a name="input_create_cloudwatch_log_group_rdsosmetrics"></a> [create\_cloudwatch\_log\_group\_rdsosmetrics](#input\_create\_cloudwatch\_log\_group\_rdsosmetrics) | Determines whether a RDSOSMetrics CloudWatch log group is created by and managed by Terraform (otherwise it's created by RDS). This is useful only if monitoring\_interval > 0 | `bool` | `false` | no |
 | <a name="input_create_db_instance"></a> [create\_db\_instance](#input\_create\_db\_instance) | Whether to create a database instance | `bool` | `true` | no |
 | <a name="input_create_db_option_group"></a> [create\_db\_option\_group](#input\_create\_db\_option\_group) | Create a database option group | `bool` | `true` | no |
 | <a name="input_create_db_parameter_group"></a> [create\_db\_parameter\_group](#input\_create\_db\_parameter\_group) | Whether to create a database parameter group | `bool` | `true` | no |
diff --git a/examples/enhanced-monitoring/main.tf b/examples/enhanced-monitoring/main.tf
@@ -57,6 +57,8 @@ module "db" {
   monitoring_interval = 30
   monitoring_role_arn = aws_iam_role.rds_enhanced_monitoring.arn
 
+  create_cloudwatch_log_group_rdsosmetrics = true
+
   performance_insights_enabled          = true
   performance_insights_retention_period = 7
   create_monitoring_role                = true
diff --git a/main.tf b/main.tf
@@ -139,6 +139,9 @@ module "db_instance" {
   create_monitoring_role               = var.create_monitoring_role
   monitoring_role_permissions_boundary = var.monitoring_role_permissions_boundary
 
+  create_cloudwatch_log_group_rdsosmetrics            = var.create_cloudwatch_log_group_rdsosmetrics
+  cloudwatch_log_group_rdsosmetrics_retention_in_days = var.cloudwatch_log_group_rdsosmetrics_retention_in_days
+
   character_set_name       = var.character_set_name
   nchar_character_set_name = var.nchar_character_set_name
   timezone                 = var.timezone
diff --git a/modules/db_instance/README.md b/modules/db_instance/README.md
@@ -49,12 +49,14 @@ No modules.
 | <a name="input_character_set_name"></a> [character\_set\_name](#input\_character\_set\_name) | The character set name to use for DB encoding in Oracle instances. This can't be changed. See Oracle Character Sets Supported in Amazon RDS and Collations and Character Sets for Microsoft SQL Server for more information. This can only be set on creation. | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_class"></a> [cloudwatch\_log\_group\_class](#input\_cloudwatch\_log\_group\_class) | Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT\_ACCESS | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
+| <a name="input_cloudwatch_log_group_rdsosmetrics_retention_in_days"></a> [cloudwatch\_log\_group\_rdsosmetrics\_retention\_in\_days](#input\_cloudwatch\_log\_group\_rdsosmetrics\_retention\_in\_days) | The number of days to retain CloudWatch logs for RDSOSMetrics log group | `number` | `30` | no |
 | <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | The number of days to retain CloudWatch logs for the DB instance | `number` | `7` | no |
 | <a name="input_cloudwatch_log_group_skip_destroy"></a> [cloudwatch\_log\_group\_skip\_destroy](#input\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `null` | no |
 | <a name="input_cloudwatch_log_group_tags"></a> [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags) | Additional tags for the CloudWatch log group(s) | `map(string)` | `{}` | no |
 | <a name="input_copy_tags_to_snapshot"></a> [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | On delete, copy all Instance tags to the final snapshot | `bool` | `false` | no |
 | <a name="input_create"></a> [create](#input\_create) | Whether to create this resource or not? | `bool` | `true` | no |
 | <a name="input_create_cloudwatch_log_group"></a> [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a CloudWatch log group is created for each `enabled_cloudwatch_logs_exports` | `bool` | `false` | no |
+| <a name="input_create_cloudwatch_log_group_rdsosmetrics"></a> [create\_cloudwatch\_log\_group\_rdsosmetrics](#input\_create\_cloudwatch\_log\_group\_rdsosmetrics) | Determines whether a RDSOSMetrics CloudWatch log group is created by and managed by Terraform (otherwise it's created by RDS). This is useful only if monitoring\_interval > 0 | `bool` | `false` | no |
 | <a name="input_create_monitoring_role"></a> [create\_monitoring\_role](#input\_create\_monitoring\_role) | Create IAM role with a defined name that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. | `bool` | `false` | no |
 | <a name="input_custom_iam_instance_profile"></a> [custom\_iam\_instance\_profile](#input\_custom\_iam\_instance\_profile) | RDS custom iam instance profile | `string` | `null` | no |
 | <a name="input_db_instance_tags"></a> [db\_instance\_tags](#input\_db\_instance\_tags) | A map of additional tags for the DB instance | `map(string)` | `{}` | no |
diff --git a/modules/db_instance/main.tf b/modules/db_instance/main.tf
@@ -137,7 +137,10 @@ resource "aws_db_instance" "this" {
 
   tags = merge(var.tags, var.db_instance_tags)
 
-  depends_on = [aws_cloudwatch_log_group.this]
+  depends_on = [
+    aws_cloudwatch_log_group.this,
+    aws_cloudwatch_log_group.rdsosmetrics,
+  ]
 
   timeouts {
     create = lookup(var.timeouts, "create", null)
@@ -223,3 +226,12 @@ resource "aws_secretsmanager_secret_rotation" "this" {
     schedule_expression      = var.master_user_password_rotation_schedule_expression
   }
 }
+
+resource "aws_cloudwatch_log_group" "rdsosmetrics" {
+  count = var.create_cloudwatch_log_group_rdsosmetrics ? 1 : 0
+
+  name              = "RDSOSMetrics"
+  retention_in_days = var.cloudwatch_log_group_rdsosmetrics_retention_in_days
+
+  tags = var.tags
+}
diff --git a/modules/db_instance/variables.tf b/modules/db_instance/variables.tf
@@ -444,6 +444,18 @@ variable "upgrade_storage_config" {
   default     = null
 }
 
+variable "create_cloudwatch_log_group_rdsosmetrics" {
+  description = "Determines whether a RDSOSMetrics CloudWatch log group is created by and managed by Terraform (otherwise it's created by RDS). This is useful only if monitoring_interval > 0"
+  type        = bool
+  default     = false
+}
+
+variable "cloudwatch_log_group_rdsosmetrics_retention_in_days" {
+  description = "The number of days to retain CloudWatch logs for RDSOSMetrics log group"
+  type        = number
+  default     = 30
+}
+
 ################################################################################
 # CloudWatch Log Group
 ################################################################################
diff --git a/variables.tf b/variables.tf
@@ -571,6 +571,18 @@ variable "upgrade_storage_config" {
   default     = null
 }
 
+variable "create_cloudwatch_log_group_rdsosmetrics" {
+  description = "Determines whether a RDSOSMetrics CloudWatch log group is created by and managed by Terraform (otherwise it's created by RDS). This is useful only if monitoring_interval > 0"
+  type        = bool
+  default     = false
+}
+
+variable "cloudwatch_log_group_rdsosmetrics_retention_in_days" {
+  description = "The number of days to retain CloudWatch logs for RDSOSMetrics log group"
+  type        = number
+  default     = 30
+}
+
 ################################################################################
 # CloudWatch Log Group
 ################################################################################
