From e32c21dec76cffdb9656f6bd8ba03756bb992bdf Mon Sep 17 00:00:00 2001
From: jasonBirchall
Date: Wed, 25 Aug 2021 11:47:24 +0100
Subject: [PATCH] Enable cluster log types and retention period
This commit connects to https://github.com/ministryofjustice/cloud-platform/issues/2860 and relates to the requrement to log all available control plane actions to cloudwatch. This commit takes advantage of the AWS EKS Terraform module's option to enable cluster logging and sets the default values to all available options.
---
 .../cloud-platform-aws/vpc/eks/cluster.tf | 14 ++++++++------
 .../cloud-platform-aws/vpc/eks/variables.tf | 14 +++++++++++++-
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/cluster.tf b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/cluster.tf
index 4bfbff92b..71839b419 100644
--- a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/cluster.tf
+++ b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/cluster.tf
@@ -21,12 +21,14 @@ module "eks" {
   source = "terraform-aws-modules/eks/aws"
   version = "v17.1.0"
 
-  cluster_name = terraform.workspace
-  subnets = concat(tolist(data.aws_subnet_ids.private.ids), tolist(data.aws_subnet_ids.public.ids))
-  vpc_id = data.aws_vpc.selected.id
-  write_kubeconfig = false
-  cluster_version = "1.19"
-  enable_irsa = true
+  cluster_name = terraform.workspace
+  subnets = concat(tolist(data.aws_subnet_ids.private.ids), tolist(data.aws_subnet_ids.public.ids))
+  vpc_id = data.aws_vpc.selected.id
+  write_kubeconfig = false
+  cluster_version = "1.19"
+  enable_irsa = true
+  cluster_enabled_log_types = var.cluster_enabled_log_types
+  cluster_log_retention_in_days = var.cluster_log_retention_in_days
 
   node_groups = {
     default_ng = {
diff --git a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/variables.tf b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/variables.tf
index 3690b287c..9011451db 100644
--- a/terraform/aws-accounts/cloud-platform-aws/vpc/eks/variables.tf
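Review bot: The two new inputs turn on control-plane logging but, at least within this hunk, nothing sets `cluster_log_kms_key_id`, so the CloudWatch log group the module creates stays on CloudWatch's default service-managed encryption even though the `audit` and `authenticator` streams now being enabled record the identity of every principal that reaches the API server. If the pinned module version (v17.1.0) exposes that input, as I believe it does, a one-line addition `cluster_log_kms_key_id = var.cluster_log_kms_key_id` with a matching variable would let each environment supply a customer-managed key. A short comment above the two new lines, such as `# Control plane log types and retention are passed through from variables so the logging policy can be tightened per environment.`, would also record why these are not hard-coded like the settings above them. The `module "eks"` block begins before this hunk and its `node_groups` map continues past it.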
+++ b/terraform/aws-accounts/cloud-platform-aws/vpc/eks/variables.tf
@@ -20,4 +20,16 @@ variable "check_associate" {
   type = string
   default = "true"
   description = "Check for active association during cluster creation. This is required for kuberos to authenticate to the cluster."
-}
\ No newline at end of file
+}
+
+variable "cluster_enabled_log_types" {
+  default = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+  description = "A list of the desired control plane logging to enable."
+  type = list(string)
+}
+
+variable "cluster_log_retention_in_days" {
+  default = 90
+  description = "Number of days to retain log events. Default retention - 90 days."
+  type = number
+}
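Review bot: `cluster_log_retention_in_days` is typed as a bare `number`, but CloudWatch Logs only accepts a fixed set of retention periods, so a mistyped override such as 100 passes `terraform plan` and only fails at apply time, after the cluster change has started. A `validation` block on the variable (Terraform 0.13 or later, which this hunk does not show the repository requires) moves that failure to plan time, and the same treatment would suit `cluster_enabled_log_types`, where an unknown type name or an empty list silently drops part of the audit trail rather than erroring. The clause `Default retention - 90 days.` in the description only restates the `default` line; replacing it with the reason the period was chosen (the linked issue, or the retention requirement it satisfies) would help whoever is next asked to shorten it.

```hcl
variable "cluster_log_retention_in_days" {
  # … unchanged: default, description, type …

  validation {
    condition     = contains([1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653], var.cluster_log_retention_in_days)
    error_message = "Must be one of the retention periods accepted by CloudWatch Logs."
  }
}
```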