From 42497a334b378952555099498f5bcd8a55feafc2 Mon Sep 17 00:00:00 2001
From: jasonBirchall <jason.birchall@digital.justice.gov.uk>
Date: Wed, 25 Aug 2021 12:11:04 +0100
Subject: [PATCH] Change default log retention for control plane logs

This commit connects to
https://github.com/ministryofjustice/cloud-platform/issues/2860 and
relates to the requirement to keep API log data for 13 months as per
security requirements.

The default value has to be either 365 or 400, nothing in between. I've
chosen 400 as it's only 5 days over 13 months.

src:
https://security-guidance.service.justice.gov.uk/logging-and-monitoring/#log-retention
---
 terraform/aws-accounts/cloud-platform-aws/vpc/eks/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/variables.tf b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/variables.tf
index 9011451d..e5b65439 100644
--- a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/variables.tf
+++ b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/variables.tf
@@ -29,7 +29,7 @@ variable "cluster_enabled_log_types" {
 }
 
 variable "cluster_log_retention_in_days" {
-  default     = 90
+  default     = 400 # Slightly over three months as per security advice https://security-guidance.service.justice.gov.uk/logging-and-monitoring/#log-retention
   description = "Number of days to retain log events. Default retention - 90 days."
   type        = number
 }