diff --git a/config/README.md b/config/README.md
index 3b298a4..552aebe 100644
--- a/config/README.md
+++ b/config/README.md
@@ -29,6 +29,7 @@
| Name | Type |
|------|------|
+| [aws_cloudwatch_log_group.msk_broker](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_db_instance.radar_postgres](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) | resource |
| [aws_db_subnet_group.rds_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
| [aws_eip.cluster_loadbalancer_eip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
@@ -96,6 +97,7 @@
| [enable\_karpenter](#input\_enable\_karpenter) | Do you need Karpenter? [true, false] | `bool` | n/a | yes |
| [enable\_metrics](#input\_enable\_metrics) | Do you need Metrics Server? [true, false] | `bool` | n/a | yes |
| [enable\_msk](#input\_enable\_msk) | Do you need MSK? [true, false] | `bool` | n/a | yes |
+| [enable\_msk\_logging](#input\_enable\_msk\_logging) | Do you need logging on MSK brokers? [true, false] | `bool` | n/a | yes |
| [enable\_rds](#input\_enable\_rds) | Do you need RDS? [true, false] | `bool` | n/a | yes |
| [enable\_route53](#input\_enable\_route53) | Do you need Route53? [true, false] | `bool` | n/a | yes |
| [enable\_s3](#input\_enable\_s3) | Do you need S3? [true, false] | `bool` | n/a | yes |
diff --git a/config/msk.tf b/config/msk.tf
index a3d6dcc..5acb283 100644
--- a/config/msk.tf
+++ b/config/msk.tf
@@ -74,8 +74,13 @@ zookeeper.session.timeout.ms=18000
PROPERTIES
}
-#trivy:ignore:AVD-AWS-0074 Temporarly skip these checks
-#trivy:ignore:AVD-AWS-0179 Temporarly skip these checks
+resource "aws_cloudwatch_log_group" "msk_broker" {
+ count = var.enable_msk_logging ? 1 : 0
+ name = "${var.eks_cluster_name}-msk-broker-logs"
+}
+
+#trivy:ignore:AVD-AWS-0074 Logging on MSK brokers can be enabled by setting var.enable_msk_logging to true
+#trivy:ignore:AVD-AWS-0179 By default an AWS-managed KMS key is used to encrypt MSK data at rest
resource "aws_msk_cluster" "msk_cluster" {
count = var.enable_msk ? 1 : 0
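Review bot: The new aws_cloudwatch_log_group.msk_broker sets no `retention_in_days`, so broker logs accumulate indefinitely with no expiry; add an explicit period such as `retention_in_days = 30` (a sample value — use whatever your log-retention policy requires). Its `count` is keyed on var.enable_msk_logging alone, so a log group is created even when var.enable_msk is false and no cluster exists; `count = var.enable_msk && var.enable_msk_logging ? 1 : 0` keeps the two resources in step. The aws_msk_cluster resource that starts at the end of this hunk continues outside it.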
@@ -99,6 +104,7 @@ resource "aws_msk_cluster" "msk_cluster" {
encryption_info {
encryption_in_transit {
client_broker = "TLS"
+ in_cluster = true
}
}
@@ -125,6 +131,18 @@ resource "aws_msk_cluster" "msk_cluster" {
arn = aws_msk_configuration.msk_configuration[0].arn
revision = 1
}
+
+ dynamic "logging_info" {
+ for_each = var.enable_msk_logging ? [1] : []
+ content {
+ broker_logs {
+ cloudwatch_logs {
+ enabled = var.enable_msk_logging
+ log_group = aws_cloudwatch_log_group.msk_broker.name
+ }
+ }
+ }
+ }
}
output "radar_base_msk_bootstrap_brokers" {
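Review bot: `log_group = aws_cloudwatch_log_group.msk_broker.name` references a resource declared with `count`, so Terraform will reject the plan because attributes of a counted resource must be accessed on a specific instance; it needs `log_group = aws_cloudwatch_log_group.msk_broker[0].name`. Inside the `dynamic "logging_info"` block the `for_each` is already empty unless var.enable_msk_logging is true, so `enabled = var.enable_msk_logging` is always true there and `enabled = true` states the intent more plainly. The enclosing aws_msk_cluster resource begins outside this hunk.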
diff --git a/config/rds.tf b/config/rds.tf
index 0f91691..bac0d79 100644
--- a/config/rds.tf
+++ b/config/rds.tf
@@ -36,29 +36,29 @@ resource "aws_security_group" "rds_access" {
}
-#trivy:ignore:AVD-AWS-0077 Temporarly skip these checks
-#trivy:ignore:AVD-AWS-0177 Temporarly skip these checks
-#trivy:ignore:AVD-AWS-0176 Temporarly skip these checks
resource "aws_db_instance" "radar_postgres" {
count = var.enable_rds ? 1 : 0
- identifier = "${var.eks_cluster_name}-postgres"
- db_name = "radarbase"
- engine = "postgres"
- engine_version = var.postgres_version
- instance_class = "db.t4g.micro"
- username = "postgres"
- password = var.radar_postgres_password
- allocated_storage = 5
- storage_type = "standard"
- storage_encrypted = true
- skip_final_snapshot = true
- publicly_accessible = false
- multi_az = false
- db_subnet_group_name = aws_db_subnet_group.rds_subnet[0].name
- vpc_security_group_ids = [aws_security_group.rds_access[0].id]
- performance_insights_enabled = true
- copy_tags_to_snapshot = true
+ identifier = "${var.eks_cluster_name}-postgres"
+ db_name = "radarbase"
+ engine = "postgres"
+ engine_version = var.postgres_version
+ instance_class = "db.t4g.micro"
+ username = "postgres"
+ password = var.radar_postgres_password
+ allocated_storage = 5
+ storage_type = "standard"
+ storage_encrypted = true
+ skip_final_snapshot = true
+ publicly_accessible = false
+ multi_az = false
+ db_subnet_group_name = aws_db_subnet_group.rds_subnet[0].name
+ vpc_security_group_ids = [aws_security_group.rds_access[0].id]
+ performance_insights_enabled = true
+ copy_tags_to_snapshot = true
+ backup_retention_period = 7
+ iam_database_authentication_enabled = true
+ deletion_protection = true # This needs to be set to false before you really want to delete the database with "terraform destroy"
tags = merge(tomap({ "Name" : "${var.eks_cluster_name}-postgres" }), var.common_tags)
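Review bot: `skip_final_snapshot = true` is carried over unchanged, so the moment `deletion_protection` is flipped to false for a destroy the instance is dropped with no final snapshot, which undoes most of what the newly added protection buys; prefer `skip_final_snapshot = false` together with `final_snapshot_identifier = "${var.eks_cluster_name}-postgres-final"` (a constructed name). The three removed trivy ignores (AVD-AWS-0077, 0177, 0176) do map onto the added backup retention, deletion protection and IAM authentication lines, so dropping them is justified. The aws_db_instance resource continues outside this hunk.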
diff --git a/config/terraform.tfvars b/config/terraform.tfvars
index c895eaa..90b22da 100644
--- a/config/terraform.tfvars
+++ b/config/terraform.tfvars
@@ -1,12 +1,13 @@
-AWS_REGION = "eu-west-2"
-environment = "dev"
-domain_name = {} # Pair of top level domain and hosted zone ID for deployed applications, e.g., { "radar-base.org" : "ZABCDEFGHIJKLMNOPQRST" }
-with_dmz_pods = false
-enable_metrics = false
-enable_karpenter = false
-enable_msk = false
-enable_rds = false
-enable_route53 = false
-enable_ses = false
-enable_s3 = false
-enable_eip = false
+AWS_REGION = "eu-west-2"
+environment = "dev"
+domain_name = {} # Pair of top level domain and hosted zone ID for deployed applications, e.g., { "radar-base.org" : "ZABCDEFGHIJKLMNOPQRST" }
+with_dmz_pods = false
+enable_metrics = false
+enable_karpenter = false
+enable_msk = false
+enable_msk_logging = false
+enable_rds = false
+enable_route53 = false
+enable_ses = false
+enable_s3 = false
+enable_eip = false
diff --git a/config/variables.tf b/config/variables.tf
index 857764f..20653ba 100644
--- a/config/variables.tf
+++ b/config/variables.tf
@@ -131,6 +131,11 @@ variable "enable_msk" {
description = "Do you need MSK? [true, false]"
}
+variable "enable_msk_logging" {
+ type = bool
+ description = "Do you need logging on MSK brokers? [true, false]"
+}
+
variable "enable_rds" {
type = bool
description = "Do you need RDS? [true, false]"
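Review bot: The description of the new `enable_msk_logging` variable does not tell the operator that the flag has no effect unless enable_msk is also true, nor that it creates a CloudWatch log group; `description = "Do you need logging on MSK brokers? Only used when enable_msk is true; creates a CloudWatch log group. [true, false]"` would make both visible in the generated README. Leaving out a `default` matches the sibling enable_* variables in this file, though it means every existing tfvars that predates this change now fails validation until the new value is added — a `default = false` would keep them working while still failing safe; that trade-off is for the maintainers to decide.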