feat: Add option for KMS encryption for cloudwatch log groups #1833

Merged
merged 2 commits into from
Mar 10, 2022
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -429,6 +429,7 @@ In case the setup does not work as intended follow the trace of events:
| <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Logging level for lambda logging. Valid values are 'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'. | `string` | `"info"` | no |
| <a name="input_log_type"></a> [log\_type](#input\_log\_type) | Logging format for lambda logging. Valid values are 'json', 'pretty', 'hidden'. | `string` | `"pretty"` | no |
| <a name="input_logging_retention_in_days"></a> [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `180` | no |
| <a name="input_logging_kms_key_id"></a> [logging\_retention\_in\_days](#input\_kms\_key\_id) | Specifies the kms key id to encrypt the cloudwatch logs with. | `string` | `null` | no |
| <a name="input_market_options"></a> [market\_options](#input\_market\_options) | DEPCRECATED: Replaced by `instance_target_capacity_type`. | `string` | `null` | no |
| <a name="input_minimum_running_time_in_minutes"></a> [minimum\_running\_time\_in\_minutes](#input\_minimum\_running\_time\_in\_minutes) | The time an ec2 action runner should be running at minimum before terminated if not busy. | `number` | `null` | no |
| <a name="input_pool_config"></a> [pool\_config](#input\_pool\_config) | The configuration for updating the pool. The `pool_size` to adjust to by the events triggered by the the `schedule_expression. For example you can configure a cron expression for week days to adjust the pool to 10 and another expression for the weekend to adjust the pool to 1.` | <pre>list(object({<br> schedule_expression = string<br> size = number<br> }))</pre> | `[]` | no |
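Review bot: the new README row for `input_logging_kms_key_id` has a mismatched link text and anchor: the visible name reads `logging\_retention\_in\_days` and the link targets `#input\_kms\_key\_id`, while the `<a name>` on the same line is `input_logging_kms_key_id`. Change it to `[logging\_kms\_key\_id](#input\_logging\_kms\_key\_id)` so the row names the variable it documents and the anchor resolves. The row is also out of alphabetical order (it should sit before `logging_retention_in_days`); if this table is generated with terraform-docs, regenerating it fixes both.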
3 changes: 3 additions & 0 deletions main.tf
Expand Up @@ -67,6 +67,7 @@ module "webhook" {
lambda_zip = var.webhook_lambda_zip
lambda_timeout = var.webhook_lambda_timeout
logging_retention_in_days = var.logging_retention_in_days
logging_kms_key_id = var.logging_kms_key_id

# labels
enable_workflow_job_labels_check = var.runner_enable_workflow_job_labels_check
Expand Down Expand Up @@ -132,6 +133,7 @@ module "runners" {
lambda_subnet_ids = var.lambda_subnet_ids
lambda_security_group_ids = var.lambda_security_group_ids
logging_retention_in_days = var.logging_retention_in_days
logging_kms_key_id = var.logging_kms_key_id
enable_cloudwatch_agent = var.enable_cloudwatch_agent
cloudwatch_config = var.cloudwatch_config
runner_log_files = var.runner_log_files
Expand Down Expand Up @@ -187,6 +189,7 @@ module "runner_binaries" {
lambda_zip = var.runner_binaries_syncer_lambda_zip
lambda_timeout = var.runner_binaries_syncer_lambda_timeout
logging_retention_in_days = var.logging_retention_in_days
logging_kms_key_id = var.logging_kms_key_id

server_side_encryption_configuration = var.runner_binaries_s3_sse_configuration

1 change: 1 addition & 0 deletions modules/runner-binaries-syncer/runner-binaries-syncer.tf
Expand Up @@ -45,6 +45,7 @@ resource "aws_lambda_function" "syncer" {
resource "aws_cloudwatch_log_group" "syncer" {
name = "/aws/lambda/${aws_lambda_function.syncer.function_name}"
retention_in_days = var.logging_retention_in_days
kms_key_id = var.logging_kms_key_id
tags = var.tags
}

6 changes: 6 additions & 0 deletions modules/runner-binaries-syncer/variables.tf
Expand Up @@ -84,6 +84,12 @@ variable "logging_retention_in_days" {
default = 7
}

variable "logging_kms_key_id" {
description = "Specifies the kms key id to encrypt the logs with"
type = string
default = null
}

variable "runner_allow_prerelease_binaries" {
description = "Allow the runners to update to prerelease binaries."
type = bool
1 change: 1 addition & 0 deletions modules/runners/logging.tf
Expand Up @@ -54,6 +54,7 @@ resource "aws_cloudwatch_log_group" "gh_runners" {
count = length(local.loggroups_names)
name = local.loggroups_names[count.index]
retention_in_days = var.logging_retention_in_days
kms_key_id = var.logging_kms_key_id
tags = local.tags
}

1 change: 1 addition & 0 deletions modules/runners/pool.tf
Expand Up @@ -19,6 +19,7 @@ module "pool" {
log_level = var.log_level
log_type = var.log_type
logging_retention_in_days = var.logging_retention_in_days
logging_kms_key_id = var.logging_retention_in_days
reserved_concurrent_executions = var.pool_lambda_reserved_concurrent_executions
s3_bucket = var.lambda_s3_bucket
s3_key = var.runners_lambda_s3_key
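Review bot: the added `logging_kms_key_id` line in this hunk passes `var.logging_retention_in_days` instead of `var.logging_kms_key_id`, so the pool log group receives the retention value rather than a KMS key. Because the pool module's `config` object declares the attribute as `string`, Terraform silently converts the number (180 with the runners module default) to `"180"`, so `terraform validate` and `plan` will not flag it; the failure only appears at apply time when `aws_cloudwatch_log_group.pool` is created with an invalid key ARN, and the pool lambda's logs are never encrypted as the PR intends. Change the line to `logging_kms_key_id = var.logging_kms_key_id`.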
1 change: 1 addition & 0 deletions modules/runners/pool/main.tf
Expand Up @@ -49,6 +49,7 @@ resource "aws_lambda_function" "pool" {
resource "aws_cloudwatch_log_group" "pool" {
name = "/aws/lambda/${aws_lambda_function.pool.function_name}"
retention_in_days = var.config.lambda.logging_retention_in_days
kms_key_id = var.config.lambda.logging_kms_key_id
tags = var.config.tags
}

1 change: 1 addition & 0 deletions modules/runners/pool/variables.tf
Expand Up @@ -4,6 +4,7 @@ variable "config" {
log_level = string
log_type = string
logging_retention_in_days = number
logging_kms_key_id = string
reserved_concurrent_executions = number
s3_bucket = string
s3_key = string
1 change: 1 addition & 0 deletions modules/runners/scale-down.tf
Expand Up @@ -46,6 +46,7 @@ resource "aws_lambda_function" "scale_down" {
resource "aws_cloudwatch_log_group" "scale_down" {
name = "/aws/lambda/${aws_lambda_function.scale_down.function_name}"
retention_in_days = var.logging_retention_in_days
kms_key_id = var.logging_kms_key_id
tags = var.tags
}

1 change: 1 addition & 0 deletions modules/runners/scale-up.tf
Expand Up @@ -49,6 +49,7 @@ resource "aws_lambda_function" "scale_up" {
resource "aws_cloudwatch_log_group" "scale_up" {
name = "/aws/lambda/${aws_lambda_function.scale_up.function_name}"
retention_in_days = var.logging_retention_in_days
kms_key_id = var.logging_kms_key_id
tags = var.tags
}

6 changes: 6 additions & 0 deletions modules/runners/variables.tf
Expand Up @@ -280,6 +280,12 @@ variable "logging_retention_in_days" {
default = 180
}

variable "logging_kms_key_id" {
description = "Specifies the kms key id to encrypt the logs with"
type = string
default = null
}

variable "enable_ssm_on_runners" {
description = "Enable to allow access to the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
type = bool
6 changes: 6 additions & 0 deletions modules/webhook/variables.tf
Expand Up @@ -56,6 +56,12 @@ variable "logging_retention_in_days" {
default = 7
}

variable "logging_kms_key_id" {
description = "Specifies the kms key id to encrypt the logs with"
type = string
default = null
}

variable "lambda_s3_bucket" {
description = "S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly."
default = null
1 change: 1 addition & 0 deletions modules/webhook/webhook.tf
Expand Up @@ -29,6 +29,7 @@ resource "aws_lambda_function" "webhook" {
resource "aws_cloudwatch_log_group" "webhook" {
name = "/aws/lambda/${aws_lambda_function.webhook.function_name}"
retention_in_days = var.logging_retention_in_days
kms_key_id = var.logging_kms_key_id
tags = var.tags
}

6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -211,6 +211,12 @@ variable "logging_retention_in_days" {
default = 180
}

variable "logging_kms_key_id" {
description = "Specifies the kms key id to encrypt the logs with"
type = string
default = null
}

variable "runner_allow_prerelease_binaries" {
description = "Allow the runners to update to prerelease binaries."
type = bool
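Review bot: the `logging_kms_key_id` description (and its identical copies in the webhook, runners and runner-binaries-syncer `variables.tf` files) should say what value is expected and what the key must permit. `aws_cloudwatch_log_group.kms_key_id` takes the key ARN, and CloudWatch Logs only associates a symmetric key in the same region whose key policy grants the `logs.<region>.amazonaws.com` service principal `kms:Encrypt*`, `kms:Decrypt*`, `kms:ReEncrypt*`, `kms:GenerateDataKey*` and `kms:Describe*`; without that grant the log group creation fails at apply time with an access denied error, which users of this variable will hit first. Suggested wording: `"ARN of a symmetric KMS key used to encrypt the CloudWatch log groups. The key policy must allow the CloudWatch Logs service principal to use the key."` It is also worth stating that the `null` default leaves existing deployments on the service-managed encryption, so opting in is a deliberate change.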