Merge pull request #43 from lgallard/feature/multiple-log-types

Feature/multiple log types

CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.12.0 (August 26, 2021)
+
+ENHANCEMENTS:
+
+* Add multiple log types support
+
 ## 0.11.0 (June 8, 2021)
 
 ENHANCEMENTS:

README.md

@@ -40,8 +40,23 @@ module "aws_es" {
   }
 
   log_publishing_options = {
-    enabled                  = true
-    log_type                 = "INDEX_SLOW_LOGS"
+    index_slow_logs = {
+      enabled                          = true
+      cloudwatch_log_group_arn         = "arn:aws:logs:us-east-1:123456789101:log-group:/aws/elasticsearch/index_slow_logs:*"
+      rog_publishing_options_retention = 90
+    }
+    search_slow_logs = {
+      enabled                  = true
+      cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:123456789101:log-group:/aws/elasticsearch/search_slow_logs:*"
+    }
+    es_application_logs = {
+      enabled                   = true
+      cloudwatch_log_group_name = "es_application_logs_dev"
+    }
+    audit_logs = {
+      enabled                   = false
+      cloudwatch_log_group_name = "audit_logs_dev"
+    }
   }
 
   advanced_options = {
@@ -179,9 +194,6 @@ No modules.
 | <a name="input_encrypt_at_rest_enabled"></a> [encrypt\_at\_rest\_enabled](#input\_encrypt\_at\_rest\_enabled) | Whether to enable encryption at rest | `bool` | `true` | no |
 | <a name="input_encrypt_at_rest_kms_key_id"></a> [encrypt\_at\_rest\_kms\_key\_id](#input\_encrypt\_at\_rest\_kms\_key\_id) | The KMS key id to encrypt the Elasticsearch domain with. If not specified then it defaults to using the aws/es service KMS key | `string` | `"alias/aws/es"` | no |
 | <a name="input_log_publishing_options"></a> [log\_publishing\_options](#input\_log\_publishing\_options) | Options for publishing slow logs to CloudWatch Logs | `any` | `{}` | no |
-| <a name="input_log_publishing_options_cloudwatch_log_group_arn"></a> [log\_publishing\_options\_cloudwatch\_log\_group\_arn](#input\_log\_publishing\_options\_cloudwatch\_log\_group\_arn) | iARN of the Cloudwatch log group to which log needs to be published | `string` | `""` | no |
-| <a name="input_log_publishing_options_enabled"></a> [log\_publishing\_options\_enabled](#input\_log\_publishing\_options\_enabled) | Specifies whether given log publishing option is enabled or not | `bool` | `true` | no |
-| <a name="input_log_publishing_options_log_type"></a> [log\_publishing\_options\_log\_type](#input\_log\_publishing\_options\_log\_type) | A type of Elasticsearch log. Valid values: INDEX\_SLOW\_LOGS, SEARCH\_SLOW\_LOGS, ES\_APPLICATION\_LOGS | `string` | `"INDEX_SLOW_LOGS"` | no |
 | <a name="input_log_publishing_options_retention"></a> [log\_publishing\_options\_retention](#input\_log\_publishing\_options\_retention) | Retention in days for the created Cloudwatch log group | `number` | `90` | no |
 | <a name="input_node_to_node_encryption"></a> [node\_to\_node\_encryption](#input\_node\_to\_node\_encryption) | Node-to-node encryption options | `any` | `{}` | no |
 | <a name="input_node_to_node_encryption_enabled"></a> [node\_to\_node\_encryption\_enabled](#input\_node\_to\_node\_encryption\_enabled) | Whether to enable node-to-node encryption | `bool` | `true` | no |

examples/public/README.md

@@ -27,7 +27,23 @@ module "aws_es" {
   }
 
   log_publishing_options = {
-    enabled = "true"
+    index_slow_logs = {
+      enabled                          = true
+      cloudwatch_log_group_arn         = "arn:aws:logs:us-east-1:123456789101:log-group:/aws/elasticsearch/index_slow_logs:*"
+      rog_publishing_options_retention = 90
+    }
+    search_slow_logs = {
+      enabled                  = true
+      cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:123456789101:log-group:/aws/elasticsearch/search_slow_logs:*"
+    }
+    es_application_logs = {
+      enabled                   = true
+      cloudwatch_log_group_name = "es_application_logs_dev"
+    }
+    audit_logs = {
+      enabled                   = false
+      cloudwatch_log_group_name = "audit_logs_dev"
+    }
   }
 
   advanced_options = {

examples/public/main.tf

@@ -1,6 +1,6 @@
 module "aws_es" {
 
-  source = "lgallard/elasticsearch/aws"
+  source = "../../"
 
   domain_name           = var.es_domain_name
   elasticsearch_version = var.es_version
@@ -19,12 +19,28 @@ module "aws_es" {
   }
 
   encrypt_at_rest = {
-    enabled    = true
-    kms_key_id = "arn:aws:kms:us-east-1:123456789101:key/cccc103b-4ba3-5993-6fc7-b7e538b25fd8"
+    enabled = true
+    #kms_key_id = "arn:aws:kms:us-east-1:123456789101:key/cccc103b-4ba3-5993-6fc7-b7e538b25fd8"
   }
 
   log_publishing_options = {
-    enabled = true
+    index_slow_logs = {
+      enabled                          = true
+      cloudwatch_log_group_arn         = "arn:aws:logs:us-east-1:123456789101:log-group:/aws/elasticsearch/index_slow_logs:*"
+      rog_publishing_options_retention = 90
+    }
+    search_slow_logs = {
+      enabled                  = true
+      cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:123456789101:log-group:/aws/elasticsearch/search_slow_logs:*"
+    }
+    es_application_logs = {
+      enabled                   = true
+      cloudwatch_log_group_name = "es_application_logs_dev"
+    }
+    audit_logs = {
+      enabled                   = false
+      cloudwatch_log_group_name = "audit_logs_dev"
+    }
   }
 
   advanced_options = {

iam.tf

@@ -1,8 +1,12 @@
 resource "aws_cloudwatch_log_group" "es_cloudwatch_log_group" {
-  count             = var.enabled && var.cloudwatch_log_enabled ? 1 : 0
-  name              = "${var.domain_name}-log_group"
-  tags              = var.tags
-  retention_in_days = var.log_publishing_options_retention
+
+  for_each = { for k, v in var.log_publishing_options :
+    k => v if var.enabled && lookup(v, "enabled", false) && lookup(v, "cloudwatch_log_group_arn", null) == null
+  }
+
+  name              = lookup(each.value, "cloudwatch_log_group_name", null)
+  retention_in_days = lookup(each.value, "log_publishing_options_retention", var.log_publishing_options_retention)
+  tags              = merge(lookup(each.value, "tags", null), var.tags)
 }
 
 resource "aws_cloudwatch_log_resource_policy" "es_aws_cloudwatch_log_resource_policy" {

main.tf

@@ -113,10 +113,12 @@ resource "aws_elasticsearch_domain" "es_domain" {
 
   # log_publishing_options
   dynamic "log_publishing_options" {
-    for_each = local.log_publishing_options
+    for_each = { for k, v in var.log_publishing_options :
+      k => v if var.enabled && lookup(v, "enabled", false)
+    }
     content {
-      log_type                 = lookup(log_publishing_options.value, "log_type")
-      cloudwatch_log_group_arn = lookup(log_publishing_options.value, "cloudwatch_log_group_arn")
+      log_type                 = upper(log_publishing_options.key)
+      cloudwatch_log_group_arn = lookup(log_publishing_options.value, "cloudwatch_log_group_arn", null) != null ? lookup(log_publishing_options.value, "cloudwatch_log_group_arn") : aws_cloudwatch_log_group.es_cloudwatch_log_group[log_publishing_options.key].arn
       enabled                  = lookup(log_publishing_options.value, "enabled")
     }
   }
@@ -144,9 +146,7 @@ resource "aws_elasticsearch_domain" "es_domain" {
   tags = var.tags
 
   # Service-linked role to give Amazon ES permissions to access your VPC
-  depends_on = [
-    aws_iam_service_linked_role.es,
-  ]
+  depends_on = [aws_iam_service_linked_role.es, aws_cloudwatch_log_group.es_cloudwatch_log_group]
 
 }
 
@@ -244,16 +244,6 @@ locals {
 
   vpc_options = length(lookup(local.vpc_options_default, "subnet_ids")) == 0 ? [] : [local.vpc_options_default]
 
-  # log_publishing_options
-  # If no log_publishing_options list is provided, build a log_publishing_options using the default values
-  log_publishing_options_default = {
-    log_type                 = lookup(var.log_publishing_options, "log_type", null) == null ? var.log_publishing_options_log_type : lookup(var.log_publishing_options, "log_type")
-    cloudwatch_log_group_arn = lookup(var.log_publishing_options, "cloudwatch_log_group_arn", null) == null ? (var.log_publishing_options_cloudwatch_log_group_arn == "" && var.enabled && var.cloudwatch_log_enabled ? aws_cloudwatch_log_group.es_cloudwatch_log_group[0].arn : var.log_publishing_options_cloudwatch_log_group_arn) : lookup(var.log_publishing_options, "cloudwatch_log_group_arn")
-    enabled                  = lookup(var.log_publishing_options, "enabled", null) == null ? var.log_publishing_options_enabled : lookup(var.log_publishing_options, "enabled")
-  }
-
-  log_publishing_options = var.log_publishing_options_enabled == false || lookup(local.log_publishing_options_default, "enabled") == false ? [] : [local.log_publishing_options_default]
-
   # cognito_options
   # If no cognito_options list is provided, build a cognito_options using the default values
   cognito_options_default = {

variables.tf

@@ -280,23 +280,6 @@ variable "log_publishing_options" {
   default     = {}
 }
 
-variable "log_publishing_options_log_type" {
-  description = "A type of Elasticsearch log. Valid values: INDEX_SLOW_LOGS, SEARCH_SLOW_LOGS, ES_APPLICATION_LOGS"
-  type        = string
-  default     = "INDEX_SLOW_LOGS"
-}
-
-variable "log_publishing_options_cloudwatch_log_group_arn" {
-  description = "iARN of the Cloudwatch log group to which log needs to be published"
-  type        = string
-  default     = ""
-}
-
-variable "log_publishing_options_enabled" {
-  description = "Specifies whether given log publishing option is enabled or not"
-  type        = bool
-  default     = true
-}
 
 variable "log_publishing_options_retention" {
   description = "Retention in days for the created Cloudwatch log group"