diff --git a/common/versions.tf b/common/versions.tf
index 74b46e5..a43df27 100644
--- a/common/versions.tf
+++ b/common/versions.tf
@@ -1,5 +1,5 @@
terraform {
- experiments = [module_variable_optional_attrs]
+ # experiments = [module_variable_optional_attrs]
required_providers {
aws = {
source = "hashicorp/aws"
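Review bot: The experiments line is commented out rather than deleted; since the same setting is now declared in vpn-transit-gateway/tf-settings.tf in this commit, leaving the dead line in the shared common/versions.tf invites someone to re-enable the experiment for every module at once. Dropping the line, or replacing it with `# module_variable_optional_attrs is enabled per-module (see vpn-transit-gateway/tf-settings.tf)`, keeps the shared block to settings that are actually in force. The rest of the terraform block continues outside the hunk.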
diff --git a/vpn-transit-gateway/README.md b/vpn-transit-gateway/README.md
index 661ba16..c11dc9f 100644
--- a/vpn-transit-gateway/README.md
+++ b/vpn-transit-gateway/README.md
@@ -68,6 +68,7 @@ No modules.
| Name | Type |
|------|------|
+| [aws_cloudwatch_log_group.log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_customer_gateway.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/customer_gateway) | resource |
| [aws_ec2_tag.vpn_tag_created_by](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
| [aws_ec2_tag.vpn_tag_environment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
@@ -91,6 +92,7 @@ No modules.
| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
| [create](#input\_create) | Flag to indicate whether to create the resources or not (default: true) | `bool` | `true` | no |
+| [enable\_cloudwatch\_logging](#input\_enable\_cloudwatch\_logging) | Flag to enable or disable VPN tunnel logging to CloudWatch. If Enabled, it will create the cloudwatch log groups | `bool` | `false` | no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [profile](#input\_profile) | AWS Profile Name, used for makign AWS call to download VPN configurations | `string` | `"default"` | no |
| [route\_table\_ids](#input\_route\_table\_ids) | List of created route table IDs for privating routing to be used for VPN route propagation | `list(string)` | `[]` | no |
diff --git a/vpn-transit-gateway/cloudwatch.tf b/vpn-transit-gateway/cloudwatch.tf
new file mode 100644
index 0000000..ee5c0dd
--- /dev/null
+++ b/vpn-transit-gateway/cloudwatch.tf
@@ -0,0 +1,17 @@
+resource "aws_cloudwatch_log_group" "log" {
+ for_each = var.enable_cloudwatch_logging ? local.vpn_tunnel_outputs : {}
+ name = format("vpn/tgw/%v/%v", var.tgw_environment, each.key)
+ # kms_key_id = var.kms_key_arn
+ retention_in_days = 60
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ {
+ Name = self.name
+ "boc:tgw_environment" = var.tgw_environment
+ "boc:vpn:connection_id" = each.value.vpn_connection_id
+ },
+ v.tunnel1_interface_number != "" ? { "boc:vpn:tunnel_interfaces" = join(" ", [v.tunnel1_interface_number, v.tunnel2_interface_number]) } : {},
+ )
+}
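Review bot: `Name = self.name` in the tags map is not a valid reference in a resource argument (`self` is only available inside provisioner, connection and condition blocks), and `v.tunnel1_interface_number` on the line before the closing paren refers to a symbol that does not exist in this file, so the new resource will not validate; inside a `for_each` resource these should read `Name = format("vpn/tgw/%v/%v", var.tgw_environment, each.key)` and `each.value.tunnel1_interface_number != "" ? { "boc:vpn:tunnel_interfaces" = join(" ", [each.value.tunnel1_interface_number, each.value.tunnel2_interface_number]) } : {},`. With `kms_key_id` commented out the tunnel logs are stored under the service-managed key and `retention_in_days = 60` is hard-coded; if the module already exposes a KMS key ARN, wiring it here (or adding a variable for it) and making retention a variable lets callers meet their own encryption and retention requirements. Nothing in this diff attaches the log group to the VPN connection's tunnel log options, so presumably that wiring exists or is planned elsewhere — worth confirming, since otherwise enabling the flag only creates empty groups.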
diff --git a/vpn-transit-gateway/tf-settings.tf b/vpn-transit-gateway/tf-settings.tf
new file mode 100644
index 0000000..f2151f3
--- /dev/null
+++ b/vpn-transit-gateway/tf-settings.tf
@@ -0,0 +1,3 @@
+terraform {
+ experiments = [module_variable_optional_attrs]
+}
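Review bot: The `experiments = [module_variable_optional_attrs]` block ties this module to Terraform releases that still ship the experiment (it was retired when `optional()` became generally available in 1.3, where the keyword is rejected), but the block carries no `required_version` constraint saying so. Adding `required_version = "< 1.3.0"` beside it makes the supported range explicit rather than failing at init on newer CLIs, or alternatively migrating the affected variable types to the GA `optional()` form and dropping the experiment removes the ceiling altogether.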
diff --git a/vpn-transit-gateway/variables.tf b/vpn-transit-gateway/variables.tf
index 53e0b34..116957d 100644
--- a/vpn-transit-gateway/variables.tf
+++ b/vpn-transit-gateway/variables.tf
@@ -60,3 +60,9 @@ variable "tgw_environment" {
type = string
default = null
}
+
+variable "enable_cloudwatch_logging" {
+ description = "Flag to enable or disable VPN tunnel logging to CloudWatch. If Enabled, it will create the cloudwatch log groups"
+ type = bool
+ default = false
+}
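Review bot: The description on the new variable overstates what the flag does from what this diff shows — it only gates creation of the `aws_cloudwatch_log_group` resources in cloudwatch.tf — and "If Enabled" is capitalised mid-sentence. Something like `description = "Create CloudWatch log groups for VPN tunnel logging (one per tunnel). Retention and encryption settings are fixed in cloudwatch.tf."` states the actual effect and points callers to the settings they cannot currently override.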