cloudwatch_log_group_retention_in_days doesn't work - logs never expire #484

Open
martinrw opened this issue Jan 30, 2025 · 1 comment
martinrw commented Jan 30, 2025

Description

Setting cloudwatch_log_group_retention_in_days makes no difference.
I have just tried to add these 3 settings to an existing RDS Aurora postgres instance:

enabled_cloudwatch_logs_exports        = ["postgresql"]
cloudwatch_log_group_class             = "standard"
cloudwatch_log_group_retention_in_days = 7

It has created the cloudwatch log group and I can see the logs in it but it has a retention of "Never Expire"

If I try to change the value of cloudwatch_log_group_retention_in_days, then plan shows no differences and no change is made when applied.

I have checked the code here:

resource "aws_cloudwatch_log_group" "this" {

and can confirm that we're not using "cluster_use_name_prefix", so I don't think there should be a problem here.

  • [ x ] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: 9.11.0

  • Terraform version: 1.3.4

  • Provider version(s):
    "hashicorp/aws" - 5.84.0

Reproduction Code [Required]

module "rds-aurora-shared-postgres" {
  source  = "terraform-aws-modules/rds-aurora/aws"
  version = "9.11.0"

  name           = "my-database"
  engine         = "aurora-postgresql"
  engine_version = "14.9"

  instance_class = "db.t3.medium"
  auto_minor_version_upgrade      = true
  apply_immediately               = true
  db_parameter_group_name         = aws_db_parameter_group.my_postgres.id
  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.my_postgres.id

  enabled_cloudwatch_logs_exports        = ["postgresql"]
  cloudwatch_log_group_class             = "standard"
  cloudwatch_log_group_retention_in_days = 7

  instances = {
    1 = {
      promotion_tier = 1
    }
  }

  backup_retention_period = 1

  security_group_rules = {
    access_to_db = {
      cidr_blocks = ["10.0.0.0/24"]
    }
  }
  subnets                = ["10.0.0.0/24"]
  create_db_subnet_group = true
  vpc_id                 = "myvpcid"
  create_security_group  = true

  deletion_protection = true

  storage_encrypted = true
  
  iam_database_authentication_enabled = true
  master_username        = "masterusername"
  manage_master_user_password = true

  publicly_accessible = false

  autoscaling_enabled      = true
  autoscaling_max_capacity = 2
  autoscaling_min_capacity = 1

  security_group_description = "Managed by Terraform"

}

resource "aws_db_parameter_group" "my_postgres" {
  name        = "my-aurora-db-postgres14-parameter-group"
  family      = "aurora-postgresql14"
  description = "my-aurora-db-postgres14-parameter-group"
}

resource "aws_rds_cluster_parameter_group" "my_postgres" {
  name        = "my-aurora-postgres14-cluster-parameter-group"
  family      = "aurora-postgresql14"
  description = "my-aurora-postgres14-cluster-parameter-group"
}

Steps to reproduce the behavior:

Comment out these lines:

enabled_cloudwatch_logs_exports        = ["postgresql"]
cloudwatch_log_group_class             = "standard"
cloudwatch_log_group_retention_in_days = 7

And run the code to build the instance.
Uncomment them and do a terraform apply again.

Expected behavior

Cloudwatch log group created with an expiration of 7 days (or whatever you set for cloudwatch_log_group_retention_in_days)

Actual behavior

The cloudwatch log group is created but has no expiration and any change to cloudwatch_log_group_retention_in_days makes no difference

martinrw commented Jan 30, 2025

So it turns out I missed a setting:

create_cloudwatch_log_group            = true

If I include that then everything works as expected, but as I had already created the log group I had to remove it first from cloudwatch, then I could apply it with this extra line, so in the end it looks like this:

enabled_cloudwatch_logs_exports        = ["postgresql"]
cloudwatch_log_group_class             = "standard"
cloudwatch_log_group_retention_in_days = 7
create_cloudwatch_log_group            = true

I would argue that if you set enabled_cloudwatch_logs_exports then either that should also cause create_cloudwatch_log_group to be set to true, or it gives an error and forces you to set it
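
A check for the situation described in this thread, as an added example that is not part of the original issue or the module's code: it reads the JSON printed by `aws logs describe-log-groups` and reports RDS cluster log groups whose retention is unset ("Never Expire") or differs from the intended value. The sample JSON and the function name are constructed for illustration, and it assumes the `/aws/rds/cluster/<cluster>/<log type>` naming that RDS uses for exported logs.

```python
import json

# Constructed sample of `aws logs describe-log-groups` output; all names are made up.
SAMPLE = """
{
  "logGroups": [
    {"logGroupName": "/aws/rds/cluster/my-database/postgresql", "storedBytes": 1048576},
    {"logGroupName": "/aws/rds/cluster/other-db/postgresql", "retentionInDays": 7},
    {"logGroupName": "/aws/rds/cluster/legacy-db/postgresql", "retentionInDays": 365},
    {"logGroupName": "/aws/lambda/unrelated-fn"}
  ]
}
"""

# Assumption: log groups that RDS creates for exported cluster logs use this prefix.
RDS_PREFIX = "/aws/rds/cluster/"


def audit_rds_log_retention(describe_output, expected_days):
    """Return (cluster, log_type, actual_days, reason) for off-policy RDS log groups."""
    findings = []
    for group in json.loads(describe_output).get("logGroups", []):
        name = group.get("logGroupName", "")
        if not name.startswith(RDS_PREFIX):
            continue  # not an RDS cluster log group
        cluster, _, log_type = name[len(RDS_PREFIX):].partition("/")
        # The retentionInDays key is absent when the group is set to "Never Expire".
        actual = group.get("retentionInDays")
        if actual is None:
            findings.append((cluster, log_type, None, "never expires"))
        elif actual != expected_days:
            findings.append((cluster, log_type, actual, "differs from expected"))
    return findings


if __name__ == "__main__":
    for cluster, log_type, actual, reason in audit_rds_log_retention(SAMPLE, 7):
        print(f"{cluster}/{log_type}: retention={actual} ({reason})")
```
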
