fix: option to disable index slow logs

abhinavkumarsph · abhinavkumarsph · commit 208a62470b14 · 2024-05-21T10:31:41.000+08:00
diff --git a/README.md b/README.md
@@ -1,6 +1,5 @@
 # Opensearch
 
-<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
@@ -75,7 +74,7 @@ No modules.
 | <a name="input_instance_count"></a> [instance\_count](#input\_instance\_count) | The number of dedicated hot nodes in the cluster. | `number` | `3` | no |
 | <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | The type of EC2 instances to run for each hot node. A list of available instance types can you find at https://aws.amazon.com/en/opensearch-service/pricing/#On-Demand_instance_pricing | `string` | `"t3.small.search"` | no |
 | <a name="input_internal_user_database_enabled"></a> [internal\_user\_database\_enabled](#input\_internal\_user\_database\_enabled) | Whether the internal user database is enabled | `bool` | `false` | no |
-| <a name="input_log_publishing_options"></a> [log\_publishing\_options](#input\_log\_publishing\_options) | Configuration block for publishing slow and application logs to CloudWatch Logs. | <pre>map(object({<br>    enabled                  = optional(bool, true)<br>    cloudwatch_log_group_arn = optional(string, "")<br>  }))</pre> | `{}` | no |
+| <a name="input_log_publishing_options"></a> [log\_publishing\_options](#input\_log\_publishing\_options) | Configuration block for publishing slow and application logs to CloudWatch Logs. | <pre>map(object({<br>    enabled                  = optional(bool, true)<br>    cloudwatch_log_group_arn = optional(string, "")<br>  }))</pre> | <pre>{<br>  "audit_logs": {<br>    "enabled": false<br>  },<br>  "index_slow_logs": {<br>    "enabled": true<br>  }<br>}</pre> | no |
 | <a name="input_maintenance_schedule"></a> [maintenance\_schedule](#input\_maintenance\_schedule) | configuration for auto tune maintenance schedule | `map(any)` | `{}` | no |
 | <a name="input_master_instance_count"></a> [master\_instance\_count](#input\_master\_instance\_count) | The number of dedicated master nodes in the cluster. | `number` | `3` | no |
 | <a name="input_master_instance_enabled"></a> [master\_instance\_enabled](#input\_master\_instance\_enabled) | Indicates whether dedicated master nodes are enabled for the cluster. | `bool` | `true` | no |
@@ -120,4 +119,3 @@ No modules.
 | <a name="output_vpc_endpoint_dns_names"></a> [vpc\_endpoint\_dns\_names](#output\_vpc\_endpoint\_dns\_names) | VPC endpoint DNS names |
 | <a name="output_vpc_endpoint_endpoint"></a> [vpc\_endpoint\_endpoint](#output\_vpc\_endpoint\_endpoint) | The connection endpoint ID for connecting to the domain |
 | <a name="output_vpc_endpoint_id"></a> [vpc\_endpoint\_id](#output\_vpc\_endpoint\_id) | The unique identifier of the endpoint |
-<!-- END_TF_DOCS -->
diff --git a/cloudwatch.tf b/cloudwatch.tf
@@ -5,7 +5,7 @@ locals {
 resource "aws_cloudwatch_log_group" "aos" {
   #checkov:skip=CKV_AWS_158:rely on aws default encryption
   #checkov:skip=CKV_AWS_338:Ensure CloudWatch log groups retains logs for at least 1 year
-  for_each = { for k, v in local.log_publishing_options : k => v if v.enabled }
+  for_each = { for k, v in var.log_publishing_options : k => v if v.enabled && v.cloudwatch_log_group_arn == "" }
 
   name              = "${local.log_prefix}/${each.key}"
   retention_in_days = var.cloudwatch_log_group_retention_days
diff --git a/examples/opensearch/main.tf b/examples/opensearch/main.tf
@@ -57,6 +57,15 @@ module "opensearch" {
   encrypt_at_rest_enabled         = true
   encrypt_kms_key_id              = aws_kms_key.objects.id
 
+  log_publishing_options = {
+    audit_logs = {
+      enabled = true
+    }
+    index_slow_logs = {
+      enabled = false
+    }
+  }
+
   tags = {
     Domain = "TestDomain"
     Name   = var.domain_name
diff --git a/locals.tf b/locals.tf
diff --git a/main.tf b/main.tf
@@ -91,7 +91,7 @@ resource "aws_opensearch_domain" "this" {
   }
 
   dynamic "log_publishing_options" {
-    for_each = { for k, v in local.log_publishing_options : k => v if v.enabled }
+    for_each = { for k, v in var.log_publishing_options : k => v if v.enabled }
     content {
       log_type                 = upper(log_publishing_options.key)
       enabled                  = log_publishing_options.value.enabled
diff --git a/variables.tf b/variables.tf
@@ -369,7 +369,15 @@ variable "log_publishing_options" {
     enabled                  = optional(bool, true)
     cloudwatch_log_group_arn = optional(string, "")
   }))
-  default = {}
+
+  default = {
+    audit_logs = {
+      enabled = false
+    }
+    index_slow_logs = {
+      enabled = true
+    }
+  }
 }
 
 variable "cloudwatch_log_group_retention_days" {

Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,7 @@ resource "aws_opensearch_domain" "this" {`
`91`	`91`	`}`
`92`	`92`
`93`	`93`	`dynamic "log_publishing_options" {`
`94`		`- for_each = { for k, v in local.log_publishing_options : k => v if v.enabled }`
	`94`	`+ for_each = { for k, v in var.log_publishing_options : k => v if v.enabled }`
`95`	`95`	`content {`
`96`	`96`	`log_type = upper(log_publishing_options.key)`
`97`	`97`	`enabled = log_publishing_options.value.enabled`