make cloudwatch_logs disabled

terraform-modules · Sep 6, 2023 · 3f01e45 · 3f01e45
1 parent 70a9e92
commit 3f01e45
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 2 deletions.
diff --git a/cloudtrail/README.md b/cloudtrail/README.md
@@ -207,6 +207,7 @@ No modules.
 | <a name="input_additional_sqs_names"></a> [additional\_sqs\_names](#input\_additional\_sqs\_names) | List of additional SQS queues to create and subscribe to the SNS topic (if enabled) | `list(string)` | `[]` | no |
 | <a name="input_cloudtrail_bucket_prefix"></a> [cloudtrail\_bucket\_prefix](#input\_cloudtrail\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"cloudtrail"` | no |
 | <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
+| <a name="input_enable_cloudwatch_logs"></a> [enable\_cloudwatch\_logs](#input\_enable\_cloudwatch\_logs) | Enable CloudWatch Logs for this CloudTrail | `bool` | `false` | no |
 | <a name="input_enable_organization"></a> [enable\_organization](#input\_enable\_organization) | Enable CloudTrail as an organization trail. This will only work in the organization master account | `bool` | `false` | no |
 | <a name="input_enable_s3_sns"></a> [enable\_s3\_sns](#input\_enable\_s3\_sns) | Flag to enable or disable the creation of SNS for the Cloudtrail S3 bucket | `bool` | `false` | no |
 | <a name="input_enable_s3_sqs"></a> [enable\_s3\_sqs](#input\_enable\_s3\_sqs) | Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail S3 bucket | `bool` | `false` | no |

diff --git a/cloudtrail/cloudtrail.tf b/cloudtrail/cloudtrail.tf
@@ -8,8 +8,8 @@ resource "aws_cloudtrail" "this" {
   enable_logging                = true
   kms_key_id                    = var.kms_key_arn
   sns_topic_name                = var.enable_sns ? aws_sns_topic.cloudtrail[0].arn : null
-  cloud_watch_logs_group_arn    = format("%v:*", aws_cloudwatch_log_group.this.arn)
-  cloud_watch_logs_role_arn     = aws_iam_role.cloudtrail.arn
+  cloud_watch_logs_group_arn    = var.enable_cloudwatch_logs ? format("%v:*", aws_cloudwatch_log_group.this[0].arn) : null
+  cloud_watch_logs_role_arn     = var.enable_cloudwatch_logs ? aws_iam_role.cloudtrail.arn : null
   is_organization_trail         = var.enable_organization
 
   tags = merge(

diff --git a/cloudtrail/cloudwatch.tf b/cloudtrail/cloudwatch.tf
@@ -8,6 +8,7 @@ locals {
 }
 
 resource "aws_cloudwatch_log_group" "this" {
+  count             = var.enable_cloudwatch_logs ? 1 : 0
   name              = local.name
   kms_key_id        = var.kms_key_arn
   retention_in_days = lookup(local._defaults["cloudwatch"], "retention_in_days", 7)

diff --git a/cloudtrail/variables.tf b/cloudtrail/variables.tf
@@ -107,3 +107,9 @@ variable "additional_s3_sqs_names" {
   type        = list(string)
   default     = []
 }
+
+variable "enable_cloudwatch_logs" {
+  description = "Enable CloudWatch Logs for this CloudTrail"
+  type        = bool
+  default     = false
+}