Publish RDS/Aurora logs to Cloudwatch Logs (#34)

* Update copyright year in LICENSE file. * Support to publish RDS/Aurora logs to Cloudwatch Logs * Update Aurora example with `enabled_cloudwatch_logs_exports` functionality. * Updated the description of the `enabled_cloudwatch_logs_exports` variable in all modules.
skyscrapers · Mar 13, 2019 · 03dd912 · 03dd912
1 parent 7245a42
commit 03dd912
Show file tree

Hide file tree

Showing 8 changed files with 76 additions and 49 deletions.
diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2016 Skyscrapers
+Copyright (c) 2019 Skyscrapers
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/README.md b/README.md
@@ -16,6 +16,7 @@ Creates a RDS instance, security_group, subnet_group and parameter_group
 | availability\_zone | The availability zone where you want to launch your instance in | string | `""` | no |
 | backup\_retention\_period | How long do you want to keep RDS backups | string | `"14"` | no |
 | default\_parameter\_group\_family | Parameter group family for the default parameter group, according to the chosen engine and engine version. Defaults to mysql5.7 | string | `"mysql5.7"` | no |
+| enabled\_cloudwatch\_logs\_exports | List of log types to enable for exporting to CloudWatch logs. You can check the available log types per engine in the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch). Defaults to nothing. | list | `[]` | no |
 | engine | RDS engine: mysql, oracle, postgres. Defaults to mysql | string | `"mysql"` | no |
 | engine\_version | Engine version to use, according to the chosen engine. You can check the available engine versions using the [AWS CLI](http://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-engine-versions.html). Defaults to 5.7.17 for MySQL. | string | `"5.7.17"` | no |
 | environment | How do you want to call your environment, this is helpful if you have more than 1 VPC. | string | `"production"` | no |
@@ -55,16 +56,17 @@ Creates a RDS instance, security_group, subnet_group and parameter_group
 
 ```tf
 module "rds" {
-  source                = "github.com/skyscrapers/terraform-rds//rds"
-  vpc_id                = "vpc-e123bc45"
-  subnets               = ["subnet-12345d67", "subnet-12345d68", "subnet-12345d69"]
-  project               = "myproject"
-  environment           = "production"
-  size                  = "db.t2.small"
-  security_groups       = ["sg-12be345678905ebf1", "sg-1234567890aef"]
-  security_groups_count = 2
-  rds_password          = "supersecurepassword"
-  multi_az              = "false"
+  source                          = "github.com/skyscrapers/terraform-rds//rds"
+  vpc_id                          = "vpc-e123bc45"
+  subnets                         = ["subnet-12345d67", "subnet-12345d68", "subnet-12345d69"]
+  project                         = "myproject"
+  environment                     = "production"
+  size                            = "db.t2.small"
+  security_groups                 = ["sg-12be345678905ebf1", "sg-1234567890aef"]
+  enabled_cloudwatch_logs_exports = ["audit", "error", "slowquery"]
+  security_groups_count           = 2
+  rds_password                    = "supersecurepassword"
+  multi_az                        = "false"
 }
 ```
 
@@ -93,6 +95,7 @@ Creates a Aurora cluster + instances, security_group, subnet_group and parameter
 * [`engine_version`]: String(optional) Engine version to use, according to the chosen engine. You can check the available engine versions using the AWS CLI (http://docs.aws.amazon.com/cli/latest/reference/rds/describe-db-engine-versions.html) (default: `5.6.10a` - for MySQL)
 * [`family`]: String(optional) Parameter group family for the default parameter group, according to the chosen engine and engine version. (default: `aurora5.6` - for MySQL)
 * [`default_ports`]: Map(optional) The default ports for aurora and aurora-postgresql. (default: `3306` and `5432`)
+* [`enabled_cloudwatch_logs_exports`]: List(optional) List of log types to enable for exporting to CloudWatch logs. You can check the available log types per engine in the [AWS Aurora documentation](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch). (default: `[]`)
 
 ### Output
 
@@ -105,14 +108,15 @@ Creates a Aurora cluster + instances, security_group, subnet_group and parameter
 
 ```tf
 module "aurora" {
-  source              = "github.com/skyscrapers/terraform-rds//aurora"
-  project             = "myproject"
-  environment         = "production"
-  size                = "db.t2.small"
-  password            = "supersecurepassword"
-  subnets             = ["subnet-12345d67", "subnet-12345d68", "subnet-12345d69"]
-  amount_of_instances = 1
-  security_groups     = ["sg-12be345678905ebf1", "sg-1234567890aef"]
+  source                          = "github.com/skyscrapers/terraform-rds//aurora"
+  project                         = "myproject"
+  environment                     = "production"
+  size                            = "db.t2.small"
+  password                        = "supersecurepassword"
+  subnets                         = ["subnet-12345d67", "subnet-12345d68", "subnet-12345d69"]
+  amount_of_instances             = 1
+  security_groups                 = ["sg-12be345678905ebf1", "sg-1234567890aef"]
+  enabled_cloudwatch_logs_exports = ["audit", "error", "slowquery"]
 }
 ```
 
@@ -136,6 +140,8 @@ Creates an RDS read replica instance, the replica `security_group` and a `subnet
 * [`name`]: string(optional) name of the resources (default to <project>-<environment><tag>-rds<number>-replica)
 * [`storage_encrypted`]: bool(optional) whether you want to Encrypt RDS storage (default: true)
 * [`custom_parameter_group_name`]: String(optional) A custom parameter group name to attach to the RDS instance. If not provided it will use the default from the master instance
+* [`enabled_cloudwatch_logs_exports`]: List(optional) List of log types to enable for exporting to CloudWatch logs. You can check the available log types per engine in the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch). (default: `[]`)
+
 
 ### Output
 

diff --git a/aurora/main.tf b/aurora/main.tf
@@ -58,6 +58,7 @@ resource "aws_rds_cluster" "aurora" {
   db_cluster_parameter_group_name = "${var.cluster_parameter_group_name}"
   engine                          = "${var.engine}"
   engine_version                  = "${var.engine_version}"
+  enabled_cloudwatch_logs_exports = ["${var.enabled_cloudwatch_logs_exports}"]
 
   tags {
     Name        = "${var.project}-${var.environment}${var.tag}-aurora"

diff --git a/aurora/variables.tf b/aurora/variables.tf
@@ -92,3 +92,9 @@ variable "default_ports" {
     aurora-postgresql = "5432"
   }
 }
+
+variable "enabled_cloudwatch_logs_exports" {
+  description = "List of log types to enable for exporting to CloudWatch logs. You can check the available log types per engine in the [AWS Aurora documentation](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch)."
+  type        = "list"
+  default     = []
+}
diff --git a/rds-replica/main.tf b/rds-replica/main.tf
@@ -10,15 +10,16 @@ data "aws_db_instance" "master" {
 }
 
 resource "aws_db_instance" "rds" {
-  count                  = "${var.number_of_replicas}"
-  identifier             = "${length(var.name) == 0 ? "${var.project}-${var.environment}${var.tag}-rds${count.index+1}-replica" : var.name}"
-  engine                 = "${var.engine}"
-  instance_class         = "${var.size}"
-  vpc_security_group_ids = ["${aws_security_group.sg_rds.0.id}"]
-  replicate_source_db    = "${var.replicate_source_db}"
-  db_subnet_group_name   = "${aws_db_subnet_group.rds.0.id}"
-  storage_encrypted      = "${var.storage_encrypted}"
-  parameter_group_name   = "${var.custom_parameter_group_name == "" ? data.aws_db_instance.master.db_parameter_groups[0] : var.custom_parameter_group_name}"
+  count                           = "${var.number_of_replicas}"
+  identifier                      = "${length(var.name) == 0 ? "${var.project}-${var.environment}${var.tag}-rds${count.index+1}-replica" : var.name}"
+  engine                          = "${var.engine}"
+  instance_class                  = "${var.size}"
+  vpc_security_group_ids          = ["${aws_security_group.sg_rds.0.id}"]
+  replicate_source_db             = "${var.replicate_source_db}"
+  db_subnet_group_name            = "${aws_db_subnet_group.rds.0.id}"
+  storage_encrypted               = "${var.storage_encrypted}"
+  parameter_group_name            = "${var.custom_parameter_group_name == "" ? data.aws_db_instance.master.db_parameter_groups[0] : var.custom_parameter_group_name}"
+  enabled_cloudwatch_logs_exports = ["${var.enabled_cloudwatch_logs_exports}"]
 
   tags {
     Name        = "${length(var.name) == 0 ? "${var.project}-${var.environment}${var.tag}-rds${count.index+1}-replica" : var.name}"

diff --git a/rds-replica/variables.tf b/rds-replica/variables.tf
@@ -65,3 +65,9 @@ variable "custom_parameter_group_name" {
   description = "A custom parameter group name to attach to the RDS instance. If not provided it will use the default from the master instance"
   default     = ""
 }
+
+variable "enabled_cloudwatch_logs_exports" {
+  description = "List of log types to enable for exporting to CloudWatch logs. You can check the available log types per engine in the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch)."
+  type        = "list"
+  default     = []
+}
diff --git a/rds/main.tf b/rds/main.tf
@@ -50,27 +50,28 @@ resource "aws_db_parameter_group" "rds" {
 }
 
 resource "aws_db_instance" "rds" {
-  identifier                 = "${length(var.name) == 0 ? "${var.project}-${var.environment}${var.tag}-rds${var.number}" : var.name}"
-  allocated_storage          = "${var.storage}"
-  engine                     = "${var.engine}"
-  engine_version             = "${var.engine_version}"
-  instance_class             = "${var.size}"
-  storage_type               = "${var.storage_type}"
-  username                   = "${var.rds_username}"
-  password                   = "${var.rds_password}"
-  vpc_security_group_ids     = ["${aws_security_group.sg_rds.id}"]
-  db_subnet_group_name       = "${aws_db_subnet_group.rds.id}"
-  parameter_group_name       = "${var.rds_custom_parameter_group_name == "" ? aws_db_parameter_group.rds.id : var.rds_custom_parameter_group_name}"
-  multi_az                   = "${var.multi_az}"
-  backup_retention_period    = "${var.backup_retention_period}"
-  storage_encrypted          = "${var.storage_encrypted}"
-  apply_immediately          = "${var.apply_immediately}"
-  skip_final_snapshot        = "${var.skip_final_snapshot}"
-  final_snapshot_identifier  = "${length(var.name) == 0 ? "${var.project}-${var.environment}${var.tag}-rds${var.number}" : var.name}-final-${md5(timestamp())}"
-  availability_zone          = "${var.availability_zone}"
-  snapshot_identifier        = "${var.snapshot_identifier}"
-  monitoring_interval        = "${var.monitoring_interval}"
-  auto_minor_version_upgrade = "${var.auto_minor_version_upgrade}"
+  identifier                      = "${length(var.name) == 0 ? "${var.project}-${var.environment}${var.tag}-rds${var.number}" : var.name}"
+  allocated_storage               = "${var.storage}"
+  engine                          = "${var.engine}"
+  engine_version                  = "${var.engine_version}"
+  instance_class                  = "${var.size}"
+  storage_type                    = "${var.storage_type}"
+  username                        = "${var.rds_username}"
+  password                        = "${var.rds_password}"
+  vpc_security_group_ids          = ["${aws_security_group.sg_rds.id}"]
+  db_subnet_group_name            = "${aws_db_subnet_group.rds.id}"
+  parameter_group_name            = "${var.rds_custom_parameter_group_name == "" ? aws_db_parameter_group.rds.id : var.rds_custom_parameter_group_name}"
+  multi_az                        = "${var.multi_az}"
+  backup_retention_period         = "${var.backup_retention_period}"
+  storage_encrypted               = "${var.storage_encrypted}"
+  apply_immediately               = "${var.apply_immediately}"
+  skip_final_snapshot             = "${var.skip_final_snapshot}"
+  final_snapshot_identifier       = "${length(var.name) == 0 ? "${var.project}-${var.environment}${var.tag}-rds${var.number}" : var.name}-final-${md5(timestamp())}"
+  availability_zone               = "${var.availability_zone}"
+  snapshot_identifier             = "${var.snapshot_identifier}"
+  monitoring_interval             = "${var.monitoring_interval}"
+  auto_minor_version_upgrade      = "${var.auto_minor_version_upgrade}"
+  enabled_cloudwatch_logs_exports = ["${var.enabled_cloudwatch_logs_exports}"]
 
   tags {
     Name        = "${length(var.name) == 0 ? "${var.project}-${var.environment}${var.tag}-rds${var.number}" : var.name}"

diff --git a/rds/variables.tf b/rds/variables.tf
@@ -140,3 +140,9 @@ variable "maintenance_window" {
   description = "The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. See RDS Maintenance Window docs for more information."
   default     = "Mon:00:00-Mon:01:00"
 }
+
+variable "enabled_cloudwatch_logs_exports" {
+  description = "List of log types to enable for exporting to CloudWatch logs. You can check the available log types per engine in the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html#USER_LogAccess.Procedural.UploadtoCloudWatch)."
+  type        = "list"
+  default     = []
+}