diff --git a/README.md b/README.md
index 9e04d43..d627b7e 100644
--- a/README.md
+++ b/README.md
@@ -245,6 +245,7 @@ No modules.
|------|------|
| [aws_appautoscaling_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource |
| [aws_appautoscaling_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
+| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_db_parameter_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group) | resource |
| [aws_db_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
| [aws_iam_role.rds_enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -285,11 +286,14 @@ No modules.
| [backtrack\_window](#input\_backtrack\_window) | The target backtrack window, in seconds. Only available for `aurora` engine currently. To disable backtracking, set this value to 0. Must be between 0 and 259200 (72 hours) | `number` | `null` | no |
| [backup\_retention\_period](#input\_backup\_retention\_period) | The days to retain backups for. Default `7` | `number` | `7` | no |
| [ca\_cert\_identifier](#input\_ca\_cert\_identifier) | The identifier of the CA certificate for the DB instance | `string` | `null` | no |
+| [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
+| [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | The number of days to retain CloudWatch logs for the DB instance | `number` | `7` | no |
| [cluster\_members](#input\_cluster\_members) | List of RDS Instances that are a part of this cluster | `list(string)` | `null` | no |
| [cluster\_tags](#input\_cluster\_tags) | A map of tags to add to only the cluster. Used for AWS Instance Scheduler tagging | `map(string)` | `{}` | no |
| [cluster\_timeouts](#input\_cluster\_timeouts) | Create, update, and delete timeout configurations for the cluster | `map(string)` | `{}` | no |
| [cluster\_use\_name\_prefix](#input\_cluster\_use\_name\_prefix) | Whether to use `name` as a prefix for the cluster | `bool` | `false` | no |
| [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | Copy all Cluster `tags` to snapshots | `bool` | `null` | no |
+| [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a CloudWatch log group is created for each `enabled_cloudwatch_logs_exports` | `bool` | `false` | no |
| [create\_cluster](#input\_create\_cluster) | Whether cluster should be created (affects nearly all resources) | `bool` | `true` | no |
| [create\_db\_cluster\_parameter\_group](#input\_create\_db\_cluster\_parameter\_group) | Determines whether a cluster parameter should be created or use existing | `bool` | `false` | no |
| [create\_db\_parameter\_group](#input\_create\_db\_parameter\_group) | Determines whether a DB parameter should be created or use existing | `bool` | `false` | no |
@@ -392,6 +396,7 @@ No modules.
| [cluster\_reader\_endpoint](#output\_cluster\_reader\_endpoint) | A read-only endpoint for the cluster, automatically load-balanced across replicas |
| [cluster\_resource\_id](#output\_cluster\_resource\_id) | The RDS Cluster Resource ID |
| [cluster\_role\_associations](#output\_cluster\_role\_associations) | A map of IAM roles associated with the cluster and their attributes |
+| [db\_cluster\_cloudwatch\_log\_groups](#output\_db\_cluster\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
| [db\_cluster\_parameter\_group\_arn](#output\_db\_cluster\_parameter\_group\_arn) | The ARN of the DB cluster parameter group created |
| [db\_cluster\_parameter\_group\_id](#output\_db\_cluster\_parameter\_group\_id) | The ID of the DB cluster parameter group created |
| [db\_parameter\_group\_arn](#output\_db\_parameter\_group\_arn) | The ARN of the DB parameter group created |
diff --git a/examples/autoscaling/README.md b/examples/autoscaling/README.md
index a88d688..f984b22 100644
--- a/examples/autoscaling/README.md
+++ b/examples/autoscaling/README.md
@@ -66,6 +66,7 @@ No inputs.
| [cluster\_reader\_endpoint](#output\_cluster\_reader\_endpoint) | A read-only endpoint for the cluster, automatically load-balanced across replicas |
| [cluster\_resource\_id](#output\_cluster\_resource\_id) | The RDS Cluster Resource ID |
| [cluster\_role\_associations](#output\_cluster\_role\_associations) | A map of IAM roles associated with the cluster and their attributes |
+| [db\_cluster\_cloudwatch\_log\_groups](#output\_db\_cluster\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
| [db\_subnet\_group\_name](#output\_db\_subnet\_group\_name) | The db subnet group name |
| [enhanced\_monitoring\_iam\_role\_arn](#output\_enhanced\_monitoring\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the enhanced monitoring role |
| [enhanced\_monitoring\_iam\_role\_name](#output\_enhanced\_monitoring\_iam\_role\_name) | The name of the enhanced monitoring role |
diff --git a/examples/autoscaling/outputs.tf b/examples/autoscaling/outputs.tf
index 2ba2da7..1e887a1 100644
--- a/examples/autoscaling/outputs.tf
+++ b/examples/autoscaling/outputs.tf
@@ -107,3 +107,9 @@ output "security_group_id" {
description = "The security group ID of the cluster"
value = module.aurora.security_group_id
}
+
+# Cloudwatch log groups
+output "db_cluster_cloudwatch_log_groups" {
+ description = "Map of CloudWatch log groups created and their attributes"
+ value = module.aurora.db_cluster_cloudwatch_log_groups
+}
diff --git a/examples/global-cluster/README.md b/examples/global-cluster/README.md
index 2cba25d..0078461 100644
--- a/examples/global-cluster/README.md
+++ b/examples/global-cluster/README.md
@@ -58,6 +58,7 @@ No inputs.
|------|-------------|
| [mysql\_additional\_cluster\_endpoints](#output\_mysql\_additional\_cluster\_endpoints) | A map of additional cluster endpoints and their attributes |
| [mysql\_cluster\_arn](#output\_mysql\_cluster\_arn) | Amazon Resource Name (ARN) of cluster |
+| [mysql\_cluster\_cloudwatch\_log\_groups](#output\_mysql\_cluster\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
| [mysql\_cluster\_database\_name](#output\_mysql\_cluster\_database\_name) | Name for an automatically created database on cluster creation |
| [mysql\_cluster\_endpoint](#output\_mysql\_cluster\_endpoint) | Writer endpoint for the cluster |
| [mysql\_cluster\_engine\_version\_actual](#output\_mysql\_cluster\_engine\_version\_actual) | The running version of the cluster database |
@@ -78,6 +79,7 @@ No inputs.
| [mysql\_security\_group\_id](#output\_mysql\_security\_group\_id) | The security group ID of the cluster |
| [primary\_additional\_cluster\_endpoints](#output\_primary\_additional\_cluster\_endpoints) | A map of additional cluster endpoints and their attributes |
| [primary\_cluster\_arn](#output\_primary\_cluster\_arn) | Amazon Resource Name (ARN) of cluster |
+| [primary\_cluster\_cloudwatch\_log\_groups](#output\_primary\_cluster\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
| [primary\_cluster\_database\_name](#output\_primary\_cluster\_database\_name) | Name for an automatically created database on cluster creation |
| [primary\_cluster\_endpoint](#output\_primary\_cluster\_endpoint) | Writer endpoint for the cluster |
| [primary\_cluster\_engine\_version\_actual](#output\_primary\_cluster\_engine\_version\_actual) | The running version of the cluster database |
diff --git a/examples/global-cluster/outputs.tf b/examples/global-cluster/outputs.tf
index 6bb20e0..ef08560 100644
--- a/examples/global-cluster/outputs.tf
+++ b/examples/global-cluster/outputs.tf
@@ -112,6 +112,12 @@ output "primary_security_group_id" {
value = module.aurora_primary.security_group_id
}
+# Cloudwatch log groups
+output "primary_cluster_cloudwatch_log_groups" {
+ description = "Map of CloudWatch log groups created and their attributes"
+ value = module.aurora_primary.db_cluster_cloudwatch_log_groups
+}
+
################################################################################
# RDS Aurora Module - Secondary
################################################################################
@@ -225,3 +231,9 @@ output "mysql_security_group_id" {
description = "The security group ID of the cluster"
value = module.aurora_secondary.security_group_id
}
+
+# Cloudwatch log group
+output "mysql_cluster_cloudwatch_log_groups" {
+ description = "Map of CloudWatch log groups created and their attributes"
+ value = module.aurora_secondary.db_cluster_cloudwatch_log_groups
+}
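Review bot: The two added output blocks in this file are laid out differently from each other and from the other examples: the first (`# Cloudwatch log groups`) follows the closing `}` of the previous output with no blank line, while the second is preceded by one, and its header reads `# Cloudwatch log group` (singular) although both outputs return a map of groups. A blank line before the first header and the same plural wording in both (`# Cloudwatch log groups`) would keep the file consistent with examples/s3-import and examples/autoscaling, which were changed the same way in this commit.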
diff --git a/examples/multi-az/README.md b/examples/multi-az/README.md
index 541139c..c52f724 100644
--- a/examples/multi-az/README.md
+++ b/examples/multi-az/README.md
@@ -60,6 +60,7 @@ No inputs.
| [cluster\_reader\_endpoint](#output\_cluster\_reader\_endpoint) | A read-only endpoint for the cluster, automatically load-balanced across replicas |
| [cluster\_resource\_id](#output\_cluster\_resource\_id) | The RDS Cluster Resource ID |
| [cluster\_role\_associations](#output\_cluster\_role\_associations) | A map of IAM roles associated with the cluster and their attributes |
+| [db\_cluster\_cloudwatch\_log\_groups](#output\_db\_cluster\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
| [db\_cluster\_parameter\_group\_arn](#output\_db\_cluster\_parameter\_group\_arn) | The ARN of the DB cluster parameter group created |
| [db\_cluster\_parameter\_group\_id](#output\_db\_cluster\_parameter\_group\_id) | The ID of the DB cluster parameter group created |
| [db\_parameter\_group\_arn](#output\_db\_parameter\_group\_arn) | The ARN of the DB parameter group created |
diff --git a/examples/multi-az/outputs.tf b/examples/multi-az/outputs.tf
index 8c69dac..a3304c6 100644
--- a/examples/multi-az/outputs.tf
+++ b/examples/multi-az/outputs.tf
@@ -131,3 +131,12 @@ output "db_parameter_group_id" {
description = "The ID of the DB parameter group created"
value = module.aurora.db_parameter_group_id
}
+
+################################################################################
+# Cloudwatch Log Group
+################################################################################
+
+output "db_cluster_cloudwatch_log_groups" {
+ description = "Map of CloudWatch log groups created and their attributes"
+ value = module.aurora.db_cluster_cloudwatch_log_groups
+}
diff --git a/examples/mysql/README.md b/examples/mysql/README.md
index 764e14e..ce05e50 100644
--- a/examples/mysql/README.md
+++ b/examples/mysql/README.md
@@ -65,6 +65,7 @@ No inputs.
| [cluster\_reader\_endpoint](#output\_cluster\_reader\_endpoint) | A read-only endpoint for the cluster, automatically load-balanced across replicas |
| [cluster\_resource\_id](#output\_cluster\_resource\_id) | The RDS Cluster Resource ID |
| [cluster\_role\_associations](#output\_cluster\_role\_associations) | A map of IAM roles associated with the cluster and their attributes |
+| [db\_cluster\_cloudwatch\_log\_groups](#output\_db\_cluster\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
| [db\_cluster\_parameter\_group\_arn](#output\_db\_cluster\_parameter\_group\_arn) | The ARN of the DB cluster parameter group created |
| [db\_cluster\_parameter\_group\_id](#output\_db\_cluster\_parameter\_group\_id) | The ID of the DB cluster parameter group created |
| [db\_parameter\_group\_arn](#output\_db\_parameter\_group\_arn) | The ARN of the DB parameter group created |
diff --git a/examples/mysql/outputs.tf b/examples/mysql/outputs.tf
index 8c69dac..a3304c6 100644
--- a/examples/mysql/outputs.tf
+++ b/examples/mysql/outputs.tf
@@ -131,3 +131,12 @@ output "db_parameter_group_id" {
description = "The ID of the DB parameter group created"
value = module.aurora.db_parameter_group_id
}
+
+################################################################################
+# Cloudwatch Log Group
+################################################################################
+
+output "db_cluster_cloudwatch_log_groups" {
+ description = "Map of CloudWatch log groups created and their attributes"
+ value = module.aurora.db_cluster_cloudwatch_log_groups
+}
diff --git a/examples/postgresql/README.md b/examples/postgresql/README.md
index 12cefab..4dd61af 100644
--- a/examples/postgresql/README.md
+++ b/examples/postgresql/README.md
@@ -65,6 +65,7 @@ No inputs.
| [cluster\_reader\_endpoint](#output\_cluster\_reader\_endpoint) | A read-only endpoint for the cluster, automatically load-balanced across replicas |
| [cluster\_resource\_id](#output\_cluster\_resource\_id) | The RDS Cluster Resource ID |
| [cluster\_role\_associations](#output\_cluster\_role\_associations) | A map of IAM roles associated with the cluster and their attributes |
+| [db\_cluster\_cloudwatch\_log\_groups](#output\_db\_cluster\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
| [db\_cluster\_parameter\_group\_arn](#output\_db\_cluster\_parameter\_group\_arn) | The ARN of the DB cluster parameter group created |
| [db\_cluster\_parameter\_group\_id](#output\_db\_cluster\_parameter\_group\_id) | The ID of the DB cluster parameter group created |
| [db\_parameter\_group\_arn](#output\_db\_parameter\_group\_arn) | The ARN of the DB parameter group created |
diff --git a/examples/postgresql/main.tf b/examples/postgresql/main.tf
index 18c0c22..7658bb2 100644
--- a/examples/postgresql/main.tf
+++ b/examples/postgresql/main.tf
@@ -102,6 +102,7 @@ module "aurora" {
]
enabled_cloudwatch_logs_exports = ["postgresql"]
+ create_cloudwatch_log_group = true
tags = local.tags
}
diff --git a/examples/postgresql/outputs.tf b/examples/postgresql/outputs.tf
index 8c69dac..a3304c6 100644
--- a/examples/postgresql/outputs.tf
+++ b/examples/postgresql/outputs.tf
@@ -131,3 +131,12 @@ output "db_parameter_group_id" {
description = "The ID of the DB parameter group created"
value = module.aurora.db_parameter_group_id
}
+
+################################################################################
+# Cloudwatch Log Group
+################################################################################
+
+output "db_cluster_cloudwatch_log_groups" {
+ description = "Map of CloudWatch log groups created and their attributes"
+ value = module.aurora.db_cluster_cloudwatch_log_groups
+}
diff --git a/examples/s3-import/README.md b/examples/s3-import/README.md
index 98b2c0f..d0691ef 100644
--- a/examples/s3-import/README.md
+++ b/examples/s3-import/README.md
@@ -102,6 +102,7 @@ No inputs.
| [cluster\_reader\_endpoint](#output\_cluster\_reader\_endpoint) | A read-only endpoint for the cluster, automatically load-balanced across replicas |
| [cluster\_resource\_id](#output\_cluster\_resource\_id) | The RDS Cluster Resource ID |
| [cluster\_role\_associations](#output\_cluster\_role\_associations) | A map of IAM roles associated with the cluster and their attributes |
+| [db\_cluster\_cloudwatch\_log\_groups](#output\_db\_cluster\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
| [db\_subnet\_group\_name](#output\_db\_subnet\_group\_name) | The db subnet group name |
| [enhanced\_monitoring\_iam\_role\_arn](#output\_enhanced\_monitoring\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the enhanced monitoring role |
| [enhanced\_monitoring\_iam\_role\_name](#output\_enhanced\_monitoring\_iam\_role\_name) | The name of the enhanced monitoring role |
diff --git a/examples/s3-import/outputs.tf b/examples/s3-import/outputs.tf
index 2ba2da7..a06f22c 100644
--- a/examples/s3-import/outputs.tf
+++ b/examples/s3-import/outputs.tf
@@ -107,3 +107,9 @@ output "security_group_id" {
description = "The security group ID of the cluster"
value = module.aurora.security_group_id
}
+
+# Cloudwatch Log Groups
+output "db_cluster_cloudwatch_log_groups" {
+ description = "Map of CloudWatch log groups created and their attributes"
+ value = module.aurora.db_cluster_cloudwatch_log_groups
+}
diff --git a/examples/serverless/README.md b/examples/serverless/README.md
index 913ebbf..ec8ecd8 100644
--- a/examples/serverless/README.md
+++ b/examples/serverless/README.md
@@ -100,6 +100,7 @@ No inputs.
| [aurora\_postgresql\_v2\_enhanced\_monitoring\_iam\_role\_name](#output\_aurora\_postgresql\_v2\_enhanced\_monitoring\_iam\_role\_name) | The name of the enhanced monitoring role |
| [aurora\_postgresql\_v2\_enhanced\_monitoring\_iam\_role\_unique\_id](#output\_aurora\_postgresql\_v2\_enhanced\_monitoring\_iam\_role\_unique\_id) | Stable and unique string identifying the enhanced monitoring role |
| [aurora\_postgresql\_v2\_security\_group\_id](#output\_aurora\_postgresql\_v2\_security\_group\_id) | The security group ID of the cluster |
+| [aurora\_postresql\_v2\_cloudwatch\_log\_groups](#output\_aurora\_postresql\_v2\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
| [mysql\_additional\_cluster\_endpoints](#output\_mysql\_additional\_cluster\_endpoints) | A map of additional cluster endpoints and their attributes |
| [mysql\_cluster\_arn](#output\_mysql\_cluster\_arn) | Amazon Resource Name (ARN) of cluster |
| [mysql\_cluster\_database\_name](#output\_mysql\_cluster\_database\_name) | Name for an automatically created database on cluster creation |
diff --git a/examples/serverless/outputs.tf b/examples/serverless/outputs.tf
index 5d3f0bb..34eed05 100644
--- a/examples/serverless/outputs.tf
+++ b/examples/serverless/outputs.tf
@@ -454,3 +454,9 @@ output "aurora_postgresql_v2_security_group_id" {
description = "The security group ID of the cluster"
value = module.aurora_postgresql_v2.security_group_id
}
+
+# Cloudwatch Log groups
+output "aurora_postresql_v2_cloudwatch_log_groups" {
+ description = "Map of CloudWatch log groups created and their attributes"
+ value = module.aurora_postgresql_v2.db_cluster_cloudwatch_log_groups
+}
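Review bot: The new output name `aurora_postresql_v2_cloudwatch_log_groups` misspells "postgresql", so it does not sort with the sibling `aurora_postgresql_v2_*` outputs above it and its README anchor is generated with the typo as well. Renaming it `output "aurora_postgresql_v2_cloudwatch_log_groups" {` and regenerating examples/serverless/README.md fixes both; the output is new in this commit, so no caller can be relying on the misspelled name yet.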
diff --git a/main.tf b/main.tf
index e4793b5..08b01e6 100644
--- a/main.tf
+++ b/main.tf
@@ -164,6 +164,8 @@ resource "aws_rds_cluster" "this" {
global_cluster_identifier,
]
}
+
+ depends_on = [aws_cloudwatch_log_group.this]
}
################################################################################
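Review bot: The added `depends_on = [aws_cloudwatch_log_group.this]` has no comment explaining why the cluster must wait on the log groups, which is not obvious since nothing in the cluster block references them; presumably it is because RDS creates a log group on its own once `enabled_cloudwatch_logs_exports` takes effect, and that unmanaged group would then carry neither the retention nor the KMS settings this module applies. A one-line comment above it, `# Create the log groups first so RDS does not auto-create unmanaged ones when exports are enabled`, would record that. The `aws_rds_cluster.this` resource starts outside the hunk.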
@@ -434,3 +436,18 @@ resource "aws_db_parameter_group" "this" {
tags = var.tags
}
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+# Log groups will not be created if using a cluster identifier prefix
+resource "aws_cloudwatch_log_group" "this" {
+ for_each = toset([for log in var.enabled_cloudwatch_logs_exports : log if local.create_cluster && var.create_cloudwatch_log_group && !var.cluster_use_name_prefix])
+
+ name = "/aws/rds/cluster/${var.name}/${each.value}"
+ retention_in_days = var.cloudwatch_log_group_retention_in_days
+ kms_key_id = var.cloudwatch_log_group_kms_key_id
+
+ tags = var.tags
+}
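Review bot: The new `aws_cloudwatch_log_group.this` resource does not handle the case where the group already exists, which is likely whenever `create_cloudwatch_log_group = true` is turned on for a cluster that has been exporting logs, since RDS will already have created `/aws/rds/cluster/<name>/<log>` itself; the apply would then fail on a name conflict until the group is imported into state. This is worth stating next to the existing prefix note, e.g. `# Enabling this on an existing exporting cluster requires importing the RDS-created log groups first`. The comment "Log groups will not be created if using a cluster identifier prefix" could also say why (the cluster name, and so the group name, is not known until apply).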
diff --git a/outputs.tf b/outputs.tf
index 52ab031..2a9fe2b 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -156,3 +156,12 @@ output "db_parameter_group_id" {
description = "The ID of the DB parameter group created"
value = try(aws_db_parameter_group.this[0].id, "")
}
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+output "db_cluster_cloudwatch_log_groups" {
+ description = "Map of CloudWatch log groups created and their attributes"
+ value = aws_cloudwatch_log_group.this
+}
diff --git a/variables.tf b/variables.tf
index 7086a0f..ea19448 100644
--- a/variables.tf
+++ b/variables.tf
@@ -672,3 +672,25 @@ variable "putin_khuylo" {
type = bool
default = true
}
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+variable "create_cloudwatch_log_group" {
+ description = "Determines whether a CloudWatch log group is created for each `enabled_cloudwatch_logs_exports`"
+ type = bool
+ default = false
+}
+
+variable "cloudwatch_log_group_retention_in_days" {
+ description = "The number of days to retain CloudWatch logs for the DB instance"
+ type = number
+ default = 7
+}
+
+variable "cloudwatch_log_group_kms_key_id" {
+ description = "The ARN of the KMS Key to use when encrypting log data"
+ type = string
+ default = null
+}
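Review bot: The description of `cloudwatch_log_group_retention_in_days` says "for the DB instance", but the group created in main.tf is named under `/aws/rds/cluster/` and is keyed by the cluster's exports, so it should read `description = "The number of days to retain CloudWatch logs for the DB cluster"` (the README row generated from it carries the same wording). The defaults also deserve a sentence in the descriptions, since they decide the security posture of the exported logs: with `cloudwatch_log_group_kms_key_id = null` the groups use the CloudWatch Logs service-managed encryption rather than a customer-managed key, and 7 days of retention is shorter than many audit or incident-review requirements, so callers who rely on these logs for investigation should set both explicitly. For the KMS variable, `The ARN of the KMS Key to use when encrypting log data; the key policy must allow the CloudWatch Logs service principal or log group creation fails` would save users a failed apply.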