diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 74550aa..69db187 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -6,6 +6,11 @@ on:
types: [opened, reopened, synchronize]
branches: [main]
+env:
+ DEFAULT_REGION: us-east-1
+ AWS_ACCESS_KEY_ID: localstack
+ AWS_SECRET_ACCESS_KEY: localstack
+
jobs:
check-format:
runs-on: ubuntu-latest
@@ -40,6 +45,13 @@ jobs:
matrix: {
dir: ['examples/test']
}
+ services:
+ localstack:
+ image: localstack/localstack
+ env:
+ SERVICES: apigateway,cloudformation,cloudwatch,dynamodb,es,firehose,iam,kinesis,lambda,route53,redshift,s3,secretsmanager,ses,sns,sqs,ssm,stepfunctions,sts
+ ports:
+ - 4566:4566
steps:
- name: Checkout repository
uses: actions/checkout@v3
diff --git a/README.md b/README.md
index 3e2d451..f596518 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,7 @@ In order to run all checks at any point run the following command:
| Name | Source | Version |
|------|--------|---------|
-| [aws\_cw\_logs](#module\_aws\_cw\_logs) | cn-terraform/cloudwatch-logs/aws | 1.0.10 |
+| [aws\_cw\_logs](#module\_aws\_cw\_logs) | cn-terraform/cloudwatch-logs/aws | 1.0.11 |
| [ecs-cluster](#module\_ecs-cluster) | cn-terraform/ecs-cluster/aws | 1.0.10 |
| [ecs-fargate-service](#module\_ecs-fargate-service) | cn-terraform/ecs-fargate-service/aws | 2.0.30 |
| [td](#module\_td) | cn-terraform/ecs-fargate-task-definition/aws | 1.0.29 |
@@ -72,7 +72,10 @@ In order to run all checks at any point run the following command:
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [create\_kms\_key](#input\_create\_kms\_key) | If true a new KMS key will be created to encrypt the logs. Defaults true. If set to false a custom key can be used by setting the variable `log_group_kms_key_id` | `bool` | `false` | no |
| [enable\_autoscaling](#input\_enable\_autoscaling) | (Optional) If true, autoscaling alarms will be created. | `bool` | `true` | no |
+| [log\_group\_kms\_key\_id](#input\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data. Please note, after the AWS KMS CMK is disassociated from the log group, AWS CloudWatch Logs stops encrypting newly ingested data for the log group. All previously ingested data remains encrypted, and AWS CloudWatch Logs requires permissions for the CMK whenever the encrypted data is requested. | `string` | `null` | no |
+| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | (Optional) Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. Default to 30 days. | `number` | `30` | no |
| [name\_prefix](#input\_name\_prefix) | Name prefix for resources on AWS | `any` | n/a | yes |
| [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of Private Subnets IDs | `list(any)` | n/a | yes |
| [public\_subnets\_ids](#input\_public\_subnets\_ids) | List of Public Subnets IDs | `list(any)` | n/a | yes |
diff --git a/examples/test/mock_provider.tf b/examples/test/mock_provider.tf
index 934ad5a..bcc022c 100644
--- a/examples/test/mock_provider.tf
+++ b/examples/test/mock_provider.tf
@@ -14,6 +14,26 @@ provider "aws" {
skip_requesting_account_id = true
skip_metadata_api_check = true
s3_use_path_style = true
- access_key = "mock_access_key"
- secret_key = "mock_secret_key"
+
+ endpoints {
+ apigateway = "http://localstack:4566"
+ cloudformation = "http://localstack:4566"
+ cloudwatch = "http://localstack:4566"
+ dynamodb = "http://localstack:4566"
+ es = "http://localstack:4566"
+ firehose = "http://localstack:4566"
+ iam = "http://localstack:4566"
+ kinesis = "http://localstack:4566"
+ lambda = "http://localstack:4566"
+ route53 = "http://localstack:4566"
+ redshift = "http://localstack:4566"
+ s3 = "http://localstack:4566"
+ secretsmanager = "http://localstack:4566"
+ ses = "http://localstack:4566"
+ sns = "http://localstack:4566"
+ sqs = "http://localstack:4566"
+ ssm = "http://localstack:4566"
+ stepfunctions = "http://localstack:4566"
+ sts = "http://localstack:4566"
+ }
}
diff --git a/main.tf b/main.tf
index 364e65b..c5034a2 100644
--- a/main.tf
+++ b/main.tf
@@ -3,10 +3,13 @@
#------------------------------------------------------------------------------
module "aws_cw_logs" {
source = "cn-terraform/cloudwatch-logs/aws"
- version = "1.0.10"
+ version = "1.0.11"
# source = "../terraform-aws-cloudwatch-logs"
- logs_path = "/ecs/service/${var.name_prefix}-jenkins-master"
+ create_kms_key = var.create_kms_key
+ log_group_kms_key_id = var.log_group_kms_key_id
+ log_group_retention_in_days = var.log_group_retention_in_days
+ logs_path = "/ecs/service/${var.name_prefix}-jenkins-master"
}
#------------------------------------------------------------------------------
diff --git a/variables.tf b/variables.tf
index 6a9b75b..740216b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -36,4 +36,25 @@ variable "enable_autoscaling" {
description = "(Optional) If true, autoscaling alarms will be created."
type = bool
default = true
-}
\ No newline at end of file
+}
+
+#------------------------------------------------------------------------------
+# CloudWatch logs
+#------------------------------------------------------------------------------
+variable "create_kms_key" {
+ description = "If true a new KMS key will be created to encrypt the logs. Defaults true. If set to false a custom key can be used by setting the variable `log_group_kms_key_id`"
+ type = bool
+ default = false
+}
+
+variable "log_group_kms_key_id" {
+ description = "The ARN of the KMS Key to use when encrypting log data. Please note, after the AWS KMS CMK is disassociated from the log group, AWS CloudWatch Logs stops encrypting newly ingested data for the log group. All previously ingested data remains encrypted, and AWS CloudWatch Logs requires permissions for the CMK whenever the encrypted data is requested."
+ type = string
+ default = null
+}
+
+variable "log_group_retention_in_days" {
+ description = "(Optional) Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. Default to 30 days."
+ type = number
+ default = 30
+}