

Add configurable retention period for cluster logs (cloudposse#37)
* Add configurable retention period for cluster logs

Per example in docs: https://www.terraform.io/docs/providers/aws/r/eks_cluster.html#enabling-control-plane-logging

Until `depends_on` is supported by modules, there can be a race
condition if `resource "aws_cloudwatch_log_group"` is called at the same
time as this `module`. This can result in the module creating the log
group first, requiring a `terraform import ... ; terraform apply` dance.

* Correct ternary logic for enabling retention period

* Add cluster log variables to example

Co-authored-by: Andriy Knysh <[email protected]>
karlskewes and aknysh committed Jan 24, 2020
1 parent 6fc1f84 commit 74965f5
Showing 7 changed files with 37 additions and 2 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -381,6 +381,7 @@ Available targets:
| aws_cli_assume_role_arn | IAM Role ARN for AWS CLI to assume before calling `aws eks` to update `kubeconfig` | string | `` | no |
| aws_cli_assume_role_session_name | An identifier for the assumed role session when assuming the IAM Role for AWS CLI before calling `aws eks` to update `kubeconfig` | string | `` | no |
| aws_eks_update_kubeconfig_additional_arguments | Additional arguments for `aws eks update-kubeconfig` command, e.g. `--role-arn xxxxxxxxx`. For more info, see https://docs.aws.amazon.com/cli/latest/reference/eks/update-kubeconfig.html | string | `` | no |
| cluster_log_retention_period | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | number | `0` | no |
| configmap_auth_file | Path to `configmap_auth_file` | string | `` | no |
| configmap_auth_template_file | Path to `config_auth_template_file` | string | `` | no |
| delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes` | string | `-` | no |
1 change: 1 addition & 0 deletions docs/terraform.md
Expand Up @@ -10,6 +10,7 @@
| aws_cli_assume_role_arn | IAM Role ARN for AWS CLI to assume before calling `aws eks` to update `kubeconfig` | string | `` | no |
| aws_cli_assume_role_session_name | An identifier for the assumed role session when assuming the IAM Role for AWS CLI before calling `aws eks` to update `kubeconfig` | string | `` | no |
| aws_eks_update_kubeconfig_additional_arguments | Additional arguments for `aws eks update-kubeconfig` command, e.g. `--role-arn xxxxxxxxx`. For more info, see https://docs.aws.amazon.com/cli/latest/reference/eks/update-kubeconfig.html | string | `` | no |
| cluster_log_retention_period | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | number | `0` | no |
| configmap_auth_file | Path to `configmap_auth_file` | string | `` | no |
| configmap_auth_template_file | Path to `config_auth_template_file` | string | `` | no |
| delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes` | string | `-` | no |
6 changes: 5 additions & 1 deletion examples/complete/fixtures.us-east-2.tfvars
Expand Up @@ -30,4 +30,8 @@ kubernetes_version = "1.14"

kubeconfig_path = "/.kube/config"

oidc_provider_enabled = true
oidc_provider_enabled = true

enabled_cluster_log_types = ["audit"]

cluster_log_retention_period = 7
3 changes: 3 additions & 0 deletions examples/complete/main.tf
Expand Up @@ -105,6 +105,9 @@ module "eks_cluster" {
aws_cli_assume_role_arn = var.aws_cli_assume_role_arn
aws_cli_assume_role_session_name = var.aws_cli_assume_role_session_name

enabled_cluster_log_types = var.enabled_cluster_log_types
cluster_log_retention_period = var.cluster_log_retention_period

workers_role_arns = [module.eks_workers.workers_role_arn]
workers_security_group_ids = [module.eks_workers.security_group_id]
}
12 changes: 12 additions & 0 deletions examples/complete/variables.tf
Expand Up @@ -92,6 +92,18 @@ variable "cpu_utilization_low_threshold_percent" {
description = "Worker nodes AutoScaling Group CPU utilization low threshold percent"
}

variable "enabled_cluster_log_types" {
type = list(string)
default = []
description = "A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`]"
}

variable "cluster_log_retention_period" {
type = number
default = 0
description = "Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html."
}

variable "map_additional_aws_accounts" {
description = "Additional AWS account numbers to add to `config-map-aws-auth` ConfigMap"
type = list(string)
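Review bot: The description of `cluster_log_retention_period` does not say what its default `0` means: the value is passed straight to `retention_in_days` on the log group, where 0 makes CloudWatch keep the events indefinitely, and any other value has to be one of the discrete retention periods CloudWatch Logs accepts (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827 or 3653 days), so an arbitrary number is only rejected at apply time. Suggest `description = "Number of days to retain cluster logs; 0 keeps them indefinitely. Must be one of the retention periods CloudWatch Logs accepts (e.g. 1, 3, 5, 7, 14, 30, 60, 90, 365, 3653). Requires enabled_cluster_log_types to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html."`. The same description is declared again in the root `variables.tf` hunk and copied into the README.md and docs/terraform.md tables, so all four places should be updated together.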
10 changes: 9 additions & 1 deletion main.tf
Expand Up @@ -95,6 +95,13 @@ resource "aws_security_group_rule" "ingress_cidr_blocks" {
type = "ingress"
}

resource "aws_cloudwatch_log_group" "default" {
count = var.enabled && length(var.enabled_cluster_log_types) > 0 ? 1 : 0
name = "/aws/eks/${module.label.id}/cluster"
retention_in_days = var.cluster_log_retention_period
tags = module.label.tags
}

resource "aws_eks_cluster" "default" {
count = var.enabled ? 1 : 0
name = module.label.id
Expand All @@ -112,7 +119,8 @@ resource "aws_eks_cluster" "default" {

depends_on = [
aws_iam_role_policy_attachment.amazon_eks_cluster_policy,
aws_iam_role_policy_attachment.amazon_eks_service_policy
aws_iam_role_policy_attachment.amazon_eks_service_policy,
aws_cloudwatch_log_group.default
]
}
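Review bot: `aws_cloudwatch_log_group.default` sets no `kms_key_id`, so the control-plane audit and authenticator logs — which record the IAM identities calling the API server — rest on the CloudWatch-managed default encryption rather than a customer-managed key; consider an optional variable (e.g. `cluster_log_kms_key_id`, default `null`) passed through as `kms_key_id = var.cluster_log_kms_key_id`, noting in its description that the key policy must grant the CloudWatch Logs service principal use of the key. A second consequence of the `count` expression on the log group is worth a comment above the resource: once `enabled_cluster_log_types` is later cleared, the count drops to 0 and Terraform destroys the group together with every retained audit event, e.g. `# Disabling all log types destroys this group and its retained logs; export first if they must be kept.` The `depends_on` addition in the second hunk is correct as written (it also orders destroy so the cluster goes before the group); that `aws_eks_cluster` body starts outside the hunk.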

6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -119,6 +119,12 @@ variable "enabled_cluster_log_types" {
description = "A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`]"
}

variable "cluster_log_retention_period" {
type = number
default = 0
description = "Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html."
}

variable "apply_config_map_aws_auth" {
type = bool
default = true
