From 3f1a67ff2135880b2fe217bf3403170012c304a2 Mon Sep 17 00:00:00 2001
From: Julius Adamek <9818404+julada@users.noreply.github.com>
Date: Thu, 10 Mar 2022 13:54:36 +0100
Subject: [PATCH] feat: Add option for KMS encryption for cloudwatch log groups (#1833)

* feat: added kms encryption to cloudwatch log groups

* chore: added documentation for log kms encryption
---
 README.md | 1 +
 main.tf | 3 +++
 modules/runner-binaries-syncer/runner-binaries-syncer.tf | 1 +
 modules/runner-binaries-syncer/variables.tf | 6 ++++++
 modules/runners/logging.tf | 1 +
 modules/runners/pool.tf | 1 +
 modules/runners/pool/main.tf | 1 +
 modules/runners/pool/variables.tf | 1 +
 modules/runners/scale-down.tf | 1 +
 modules/runners/scale-up.tf | 1 +
 modules/runners/variables.tf | 6 ++++++
 modules/webhook/variables.tf | 6 ++++++
 modules/webhook/webhook.tf | 1 +
 variables.tf | 6 ++++++
 14 files changed, 36 insertions(+)

diff --git a/README.md b/README.md
index 1588b30d6e..03d32f23d1 100644
--- a/README.md
+++ b/README.md
@@ -430,6 +430,7 @@ In case the setup does not work as intended follow the trace of events:
 | [log\_level](#input\_log\_level) | Logging level for lambda logging. Valid values are 'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'. | `string` | `"info"` | no |
 | [log\_type](#input\_log\_type) | Logging format for lambda logging. Valid values are 'json', 'pretty', 'hidden'. | `string` | `"pretty"` | no |
 | [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `180` | no |
+| [logging\_retention\_in\_days](#input\_kms\_key\_id) | Specifies the kms key id to encrypt the cloudwatch logs with. | `string` | `null` | no |
 | [market\_options](#input\_market\_options) | DEPCRECATED: Replaced by `instance_target_capacity_type`. | `string` | `null` | no |
 | [minimum\_running\_time\_in\_minutes](#input\_minimum\_running\_time\_in\_minutes) | The time an ec2 action runner should be running at minimum before terminated if not busy. | `number` | `null` | no |
 | [pool\_config](#input\_pool\_config) | The configuration for updating the pool. The `pool_size` to adjust to by the events triggered by the the `schedule_expression. For example you can configure a cron expression for week days to adjust the pool to 10 and another expression for the weekend to adjust the pool to 1.` |
list(object({
schedule_expression = string
size = number
}))
| `[]` | no | diff --git a/main.tf b/main.tf index bcbca23e49..2ca1f40420 100644 --- a/main.tf +++ b/main.tf @@ -67,6 +67,7 @@ module "webhook" { lambda_zip = var.webhook_lambda_zip lambda_timeout = var.webhook_lambda_timeout logging_retention_in_days = var.logging_retention_in_days + logging_kms_key_id = var.logging_kms_key_id # labels enable_workflow_job_labels_check = var.runner_enable_workflow_job_labels_check @@ -133,6 +134,7 @@ module "runners" { lambda_subnet_ids = var.lambda_subnet_ids lambda_security_group_ids = var.lambda_security_group_ids logging_retention_in_days = var.logging_retention_in_days + logging_kms_key_id = var.logging_kms_key_id enable_cloudwatch_agent = var.enable_cloudwatch_agent cloudwatch_config = var.cloudwatch_config runner_log_files = var.runner_log_files @@ -188,6 +190,7 @@ module "runner_binaries" { lambda_zip = var.runner_binaries_syncer_lambda_zip lambda_timeout = var.runner_binaries_syncer_lambda_timeout logging_retention_in_days = var.logging_retention_in_days + logging_kms_key_id = var.logging_kms_key_id server_side_encryption_configuration = var.runner_binaries_s3_sse_configuration diff --git a/modules/runner-binaries-syncer/runner-binaries-syncer.tf b/modules/runner-binaries-syncer/runner-binaries-syncer.tf index 0020066264..564027de7f 100644 --- a/modules/runner-binaries-syncer/runner-binaries-syncer.tf +++ b/modules/runner-binaries-syncer/runner-binaries-syncer.tf @@ -45,6 +45,7 @@ resource "aws_lambda_function" "syncer" { resource "aws_cloudwatch_log_group" "syncer" { name = "/aws/lambda/${aws_lambda_function.syncer.function_name}" retention_in_days = var.logging_retention_in_days + kms_key_id = var.logging_kms_key_id tags = var.tags } diff --git a/modules/runner-binaries-syncer/variables.tf b/modules/runner-binaries-syncer/variables.tf index 26da8fff03..37023b0486 100644 --- a/modules/runner-binaries-syncer/variables.tf +++ b/modules/runner-binaries-syncer/variables.tf 
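Review bot: Setting `kms_key_id` on `aws_cloudwatch_log_group.syncer` is only half of the change: CloudWatch Logs can use a customer key only if that key's policy grants the regional CloudWatch Logs service principal the encrypt/decrypt/generate-data-key actions, and this module neither creates nor validates such a policy, so a caller who passes a key without it should expect the log group creation to fail at apply time rather than anything silently falling back. The same applies to the identical additions in modules/runners/logging.tf, modules/runners/pool/main.tf, modules/runners/scale-down.tf, modules/runners/scale-up.tf and modules/webhook/webhook.tf. A short comment above the argument would save the next reader a debugging round, e.g. `# Requires a key policy that allows the CloudWatch Logs service principal; scope it with kms:EncryptionContext:aws:logs:arn where possible.` Note also that the provider documents this argument as the key ARN rather than a bare key id, which neither the variable name nor its description conveys.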
@@ -84,6 +84,12 @@ variable "logging_retention_in_days" {
 default = 7
 }
 
+variable "logging_kms_key_id" {
+ description = "Specifies the kms key id to encrypt the logs with"
+ type = string
+ default = null
+}
+
 variable "runner_allow_prerelease_binaries" {
 description = "Allow the runners to update to prerelease binaries."
 type = bool
diff --git a/modules/runners/logging.tf b/modules/runners/logging.tf
index 6bd0843fdb..9f4ab3ee90 100644
--- a/modules/runners/logging.tf
+++ b/modules/runners/logging.tf
@@ -54,6 +54,7 @@ resource "aws_cloudwatch_log_group" "gh_runners" {
 count = length(local.loggroups_names)
 name = local.loggroups_names[count.index]
 retention_in_days = var.logging_retention_in_days
+ kms_key_id = var.logging_kms_key_id
 tags = local.tags
 }
 
diff --git a/modules/runners/pool.tf b/modules/runners/pool.tf
index 87b551ffb0..67c165bb9e 100644
--- a/modules/runners/pool.tf
+++ b/modules/runners/pool.tf
@@ -19,6 +19,7 @@ module "pool" {
 log_level = var.log_level
 log_type = var.log_type
 logging_retention_in_days = var.logging_retention_in_days
+ logging_kms_key_id = var.logging_retention_in_days
 reserved_concurrent_executions = var.pool_lambda_reserved_concurrent_executions
 s3_bucket = var.lambda_s3_bucket
 s3_key = var.runners_lambda_s3_key
diff --git a/modules/runners/pool/main.tf b/modules/runners/pool/main.tf
index 41c60dc17b..3a4b1e7fd4 100644
--- a/modules/runners/pool/main.tf
+++ b/modules/runners/pool/main.tf
@@ -49,6 +49,7 @@ resource "aws_lambda_function" "pool" {
 resource "aws_cloudwatch_log_group" "pool" {
 name = "/aws/lambda/${aws_lambda_function.pool.function_name}"
 retention_in_days = var.config.lambda.logging_retention_in_days
+ kms_key_id = var.config.lambda.logging_kms_key_id
 tags = var.config.tags
 }
 
diff --git a/modules/runners/pool/variables.tf b/modules/runners/pool/variables.tf
index bc44a91b49..579a37f904 100644
--- a/modules/runners/pool/variables.tf
+++ b/modules/runners/pool/variables.tf
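Review bot: The description `"Specifies the kms key id to encrypt the logs with"` understates both what the value must be and what it requires: the log groups pass it straight to `kms_key_id`, which the AWS provider documents as the key ARN, and the key's policy has to allow the regional CloudWatch Logs service principal before any log group can be created with it. I would replace the description with `"ARN of the KMS key used to encrypt the CloudWatch log groups. The key policy must allow the CloudWatch Logs service principal of the region; leave null to keep the default CloudWatch Logs encryption."` here and in the identical variable blocks added to modules/runners/variables.tf, modules/webhook/variables.tf and variables.tf. The README row generated for the root variable is also mislabelled: it is headed `logging\_retention\_in\_days` with anchor `#input\_kms\_key\_id`, while the variable it documents is `logging_kms_key_id`.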
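Review bot: The added line in the `module "pool"` block wires the wrong variable: `logging_kms_key_id = var.logging_retention_in_days` passes the retention period where modules/runners/pool/variables.tf declares `logging_kms_key_id = string`, so the pool log group's `kms_key_id` would presumably become the retention number coerced to a string (`"180"` with the module default) and the pool log group would fail to create whenever the pool module is instantiated, or at best never use the configured key. The fix is the one-line change `logging_kms_key_id = var.logging_kms_key_id`, matching the other module calls in main.tf. The enclosing `module "pool"` block starts and ends outside the hunk.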
@@ -4,6 +4,7 @@ variable "config" {
 log_level = string
 log_type = string
 logging_retention_in_days = number
+ logging_kms_key_id = string
 reserved_concurrent_executions = number
 s3_bucket = string
 s3_key = string
diff --git a/modules/runners/scale-down.tf b/modules/runners/scale-down.tf
index 49475fc244..a1c30fcf9b 100644
--- a/modules/runners/scale-down.tf
+++ b/modules/runners/scale-down.tf
@@ -46,6 +46,7 @@ resource "aws_lambda_function" "scale_down" {
 resource "aws_cloudwatch_log_group" "scale_down" {
 name = "/aws/lambda/${aws_lambda_function.scale_down.function_name}"
 retention_in_days = var.logging_retention_in_days
+ kms_key_id = var.logging_kms_key_id
 tags = var.tags
 }
 
diff --git a/modules/runners/scale-up.tf b/modules/runners/scale-up.tf
index c38e81fbce..0a4bde8f6b 100644
--- a/modules/runners/scale-up.tf
+++ b/modules/runners/scale-up.tf
@@ -49,6 +49,7 @@ resource "aws_lambda_function" "scale_up" {
 resource "aws_cloudwatch_log_group" "scale_up" {
 name = "/aws/lambda/${aws_lambda_function.scale_up.function_name}"
 retention_in_days = var.logging_retention_in_days
+ kms_key_id = var.logging_kms_key_id
 tags = var.tags
 }
 
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
index ad04031f4f..8252f3c715 100644
--- a/modules/runners/variables.tf
+++ b/modules/runners/variables.tf
@@ -280,6 +280,12 @@ variable "logging_retention_in_days" {
 default = 180
 }
 
+variable "logging_kms_key_id" {
+ description = "Specifies the kms key id to encrypt the logs with"
+ type = string
+ default = null
+}
+
 variable "enable_ssm_on_runners" {
 description = "Enable to allow access to the runner instances for debugging purposes via SSM. Note that this adds additional permissions to the runner instances."
 type = bool
diff --git a/modules/webhook/variables.tf b/modules/webhook/variables.tf
index aa7b777397..d719ad45d9 100644
--- a/modules/webhook/variables.tf
+++ b/modules/webhook/variables.tf
@@ -56,6 +56,12 @@ variable "logging_retention_in_days" {
 default = 7
 }
 
+variable "logging_kms_key_id" {
+ description = "Specifies the kms key id to encrypt the logs with"
+ type = string
+ default = null
+}
+
 variable "lambda_s3_bucket" {
 description = "S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly."
 default = null
diff --git a/modules/webhook/webhook.tf b/modules/webhook/webhook.tf
index bd2ae54cda..25e9c4d60a 100644
--- a/modules/webhook/webhook.tf
+++ b/modules/webhook/webhook.tf
@@ -29,6 +29,7 @@ resource "aws_lambda_function" "webhook" {
 resource "aws_cloudwatch_log_group" "webhook" {
 name = "/aws/lambda/${aws_lambda_function.webhook.function_name}"
 retention_in_days = var.logging_retention_in_days
+ kms_key_id = var.logging_kms_key_id
 tags = var.tags
 }
 
diff --git a/variables.tf b/variables.tf
index f242649dbd..b2f65d5a51 100644
--- a/variables.tf
+++ b/variables.tf
@@ -211,6 +211,12 @@ variable "logging_retention_in_days" {
 default = 180
 }
 
+variable "logging_kms_key_id" {
+ description = "Specifies the kms key id to encrypt the logs with"
+ type = string
+ default = null
+}
+
 variable "runner_allow_prerelease_binaries" {
 description = "Allow the runners to update to prerelease binaries."
 type = bool