Merge pull request #6 from geekcell/kms-optional

feat: Make customer KMS encryption optional

Author: Ic3w0lf

README.md

@@ -42,6 +42,9 @@ providing default values that should make sense for most use cases.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_enable_customer_managed_kms"></a> [enable\_customer\_managed\_kms](#input\_enable\_customer\_managed\_kms) | Whether to enable customer managed KMS encryption for the log group. | `bool` | `false` | no |
+| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data. | `string` | `null` | no |
+| <a name="input_log_streams"></a> [log\_streams](#input\_log\_streams) | A list of log streams to create within the log group. | `list(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of the log group. | `string` | n/a | yes |
 | <a name="input_retention_in_days"></a> [retention\_in\_days](#input\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. | `number` | `30` | no |
 | <a name="input_skip_destroy"></a> [skip\_destroy](#input\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state. | `bool` | `false` | no |
@@ -52,6 +55,7 @@ providing default values that should make sense for most use cases.
 | Name | Description |
 |------|-------------|
 | <a name="output_arn"></a> [arn](#output\_arn) | The cloudwatch log group ARN |
+| <a name="output_customer_managed_key_arn"></a> [customer\_managed\_key\_arn](#output\_customer\_managed\_key\_arn) | The ARN of the customer KMS key used to encrypt log data if enabled. |
 | <a name="output_name"></a> [name](#output\_name) | The cloudwatch log group name |
 
 ## Providers

main.tf

@@ -9,18 +9,21 @@ resource "aws_cloudwatch_log_group" "main" {
 
   retention_in_days = var.retention_in_days
   skip_destroy      = var.skip_destroy
-  kms_key_id        = module.kms.key_arn
+  kms_key_id        = var.enable_customer_managed_kms ? module.kms[0].key_arn : var.kms_key_id
 
   tags = var.tags
 }
 
 resource "aws_cloudwatch_log_stream" "main" {
-  name = var.name
+  for_each = toset(var.log_streams)
 
+  name           = each.value
   log_group_name = aws_cloudwatch_log_group.main.name
 }
 
 module "kms" {
+  count = var.enable_customer_managed_kms ? 1 : 0
+
   source  = "geekcell/kms/aws"
   version = ">= 1.0.0, < 2.0.0"
 

outputs.tf

@@ -7,3 +7,8 @@ output "name" {
   description = "The cloudwatch log group name"
   value       = aws_cloudwatch_log_group.main.name
 }
+
+output "customer_managed_key_arn" {
+  description = "The ARN of the customer KMS key used to encrypt log data if enabled."
+  value       = var.enable_customer_managed_kms ? module.kms[0].key_arn : null
+}

variables.tf

@@ -5,7 +5,7 @@ variable "tags" {
   type        = map(any)
 }
 
-# AWS Cloudwatch log groups
+# AWS Cloudwatch Log Group
 variable "name" {
   description = "The name of the log group."
   type        = string
@@ -22,3 +22,23 @@ variable "skip_destroy" {
   default     = false
   type        = bool
 }
+
+# Log Streams
+variable "log_streams" {
+  description = "A list of log streams to create within the log group."
+  default     = []
+  type        = list(string)
+}
+
+# KMS Encryption
+variable "kms_key_id" {
+  description = "The ARN of the KMS Key to use when encrypting log data."
+  default     = null
+  type        = string
+}
+
+variable "enable_customer_managed_kms" {
+  description = "Whether to enable customer managed KMS encryption for the log group."
+  default     = false
+  type        = bool
+}