In order to provide useful debugging and security information, we want to allow enabling database logs on brokered RDS plans.
A second, related piece of work after this is complete will be to give customers some self-service access to logs to improve their visibility into their brokered services, likely by ingesting them into OpenSearch.
Security considerations
Adding database logs should improve our platform and customer awareness of issues and improve our ability to respond to them.
Proposed implementation
One option would be to support the creation of a custom CloudWatch group per log type per customer. That way, we can provision CloudWatch groups that are only accessible for the IAM user of the brokered RDS. Furthermore, we then ensure that the CloudWatch group only contains logs for that customer.
Questions
What should the retention period on these CloudWatch logs be? 7 days?
To do
Write an ADR of proposed implementation
Figure out necessary changes to support MySQL
Figure out necessary changes to support PostgreSQL
Implement the necessary changes
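
Added example, not part of the original issue or the broker's code: a sketch of the per-customer isolation proposed above, building a read-only IAM policy scoped to one instance's log groups and checking a policy for resources that reach beyond that instance. It assumes the RDS log group naming `/aws/rds/instance/<instance-id>/<log-type>` and the commonly exported log types per engine; the function names, instance id, region and account id are constructed for illustration.

```python
# Assumed: log types commonly exported to CloudWatch Logs, per engine.
EXPORTABLE_LOG_TYPES = {
    "mysql": ("audit", "error", "general", "slowquery"),
    "postgres": ("postgresql", "upgrade"),
}

# Read-only actions; no write, delete or retention changes for the customer user.
READ_ACTIONS = ["logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents"]


def log_group_names(engine, instance_id):
    """One log group per exported log type for a single brokered instance."""
    return [f"/aws/rds/instance/{instance_id}/{t}" for t in EXPORTABLE_LOG_TYPES[engine]]


def read_policy(engine, instance_id, region, account_id, partition="aws"):
    """IAM policy letting the instance's IAM user read only its own log groups."""
    prefix = f"arn:{partition}:logs:{region}:{account_id}:log-group:"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadOwnRdsLogs",
            "Effect": "Allow",
            "Action": READ_ACTIONS,
            "Resource": [prefix + n + ":*" for n in log_group_names(engine, instance_id)],
        }],
    }


def out_of_scope_resources(policy, instance_id):
    """Return Allow resources not confined to this instance's log groups."""
    # Trailing slash keeps "db-1" from matching "db-10".
    marker = f":log-group:/aws/rds/instance/{instance_id}/"
    bad = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            head = arn.split(marker)[0]
            # A wildcard before the instance id could match other customers' groups.
            if marker not in arn or "*" in head or "?" in head:
                bad.append(arn)
    return bad
```
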