Merge pull request #12 from trussworks/add-encryption-to-cloudwatch-logs

NT: ability to encrypt cloudwatch log group
trussworks · Dec 29, 2021 · 890552e · 890552e
2 parents 620c212 + 5ac6abe
commit 890552e
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 3 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -4,7 +4,7 @@ jobs:
     - auth:
         password: $DOCKER_PASSWORD
         username: $DOCKER_USERNAME
-      image: trussworks/circleci:efb1042e31538677779971798e0912390f699e72
+      image: trussworks/circleci:29ab89fdada1f85c5d8fb685a2c71660f0c5f60c
     steps:
     - checkout
     - restore_cache:

diff --git a/.markdownlintrc b/.markdownlintrc
@@ -3,5 +3,6 @@
   "first-header-h1": false,
   "first-line-h1": false,
   "line_length": false,
-  "no-multiple-blanks": false
+  "no-multiple-blanks": false,
+  "no-inline-html": false
 }
diff --git a/README.md b/README.md
@@ -55,6 +55,7 @@ module "rds-snapshot-cleaner" {
 | cleaner\_dry\_run | Don't make any changes and log what would have happened. | `string` | n/a | yes |
 | cleaner\_max\_db\_snapshot\_count | The maximum number of manual snapshots allowed. This takes precedence over -retention-days. | `string` | `""` | no |
 | cleaner\_retention\_days | The maximum retention age in days. | `string` | n/a | yes |
+| cloudwatch\_kms\_key\_arn | ARN of the Cloudwatch KMS key used for encrypting Cloudwatch log groups. | `string` | `""` | no |
 | cloudwatch\_logs\_retention\_days | Number of days to keep logs in AWS CloudWatch. | `string` | `90` | no |
 | environment | Environment tag, e.g prod. | `any` | n/a | yes |
 | interval\_minutes | How often to run the Lambda function in minutes. | `string` | `5` | no |
@@ -66,4 +67,4 @@ module "rds-snapshot-cleaner" {
 
 No output.
 
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/main.tf b/main.tf
@@ -107,6 +107,7 @@ resource "aws_cloudwatch_log_group" "main" {
   # This name must match the lambda function name and should not be changed
   name              = "/aws/lambda/${local.name}-${var.cleaner_db_instance_identifier}"
   retention_in_days = var.cloudwatch_logs_retention_days
+  kms_key_id        = var.cloudwatch_kms_key_arn
 
   tags = {
     Name        = "${local.name}-${var.cleaner_db_instance_identifier}"

diff --git a/variables.tf b/variables.tf
@@ -41,6 +41,12 @@ variable "kms_key_arn" {
   default     = ""
 }
 
+variable "cloudwatch_kms_key_arn" {
+  description = "ARN of the Cloudwatch KMS key used for encrypting Cloudwatch log groups."
+  type        = string
+  default     = ""
+}
+
 variable "s3_bucket" {
   description = "The name of the S3 bucket used to store the Lambda builds."
   type        = string