From 5d323f02fefdc27bfac35c16f673d971db25b32d Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 7 Jun 2023 16:09:56 -0400
Subject: [PATCH] add cw log group with retenton
---
 examples/full-cluster-tf-upgrade/1.24/main.tf | 14 ++++++++++++++
 examples/full-cluster-tf-upgrade/1.25/main.tf | 14 ++++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/examples/full-cluster-tf-upgrade/1.24/main.tf b/examples/full-cluster-tf-upgrade/1.24/main.tf
index 7489367..9026bc6 100644
--- a/examples/full-cluster-tf-upgrade/1.24/main.tf
+++ b/examples/full-cluster-tf-upgrade/1.24/main.tf
@@ -48,6 +48,20 @@ locals {
 }
+# The log group name format is /aws/eks//cluster
+# Reference: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+resource "aws_cloudwatch_log_group" "eks_cluster" {
+ name = format("/aws/eks/%v/cluster", var.cluster_name)
+ retention_in_days = 180
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.tags,
+ var.application_tags,
+ )
+}
+
 # we changed endpoint_public_access to false by default. This is so we can reach the EKS API through private IPs
 # from on-prem and from the cloud. Otherwise, another account outside of where this is created will be unable to
 # access teh API. This also requires a SG change in securitygroup.tf
diff --git a/examples/full-cluster-tf-upgrade/1.25/main.tf b/examples/full-cluster-tf-upgrade/1.25/main.tf
index 7489367..9026bc6 100644
--- a/examples/full-cluster-tf-upgrade/1.25/main.tf
+++ b/examples/full-cluster-tf-upgrade/1.25/main.tf
@@ -48,6 +48,20 @@ locals {
 }
+# The log group name format is /aws/eks//cluster
+# Reference: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html
+resource "aws_cloudwatch_log_group" "eks_cluster" {
+ name = format("/aws/eks/%v/cluster", var.cluster_name)
+ retention_in_days = 180
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.tags,
+ var.application_tags,
+ )
+}
+
 # we changed endpoint_public_access to false by default. This is so we can reach the EKS API through private IPs
 # from on-prem and from the cloud. Otherwise, another account outside of where this is created will be unable to
 # access teh API. This also requires a SG change in securitygroup.tf
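Review bot: Nothing in this hunk (or the identical hunk in 1.24/main.tf) makes the cluster wait for `aws_cloudwatch_log_group.eks_cluster`; if EKS turns on control-plane logging first it creates the `/aws/eks/<cluster-name>/cluster` group itself with no expiry, and the 180-day retention is then either never applied or the apply fails on the already-existing name. The cluster resource or module lies outside the hunk, so confirm it carries `depends_on = [aws_cloudwatch_log_group.eks_cluster]` and does not also create its own log group. The group also sets no `kms_key_id`, so whatever control-plane log types are enabled (audit and authenticator are among the options) get only the default CloudWatch Logs encryption; set it if a customer-managed key is required in this environment. The first added comment reads `/aws/eks//cluster`, which looks like a lost placeholder; `# The log group name format is /aws/eks/<cluster-name>/cluster` would match the `format()` call below it.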