From a2f9930af23549fb29ebe6d8a0a6ca6480aa1661 Mon Sep 17 00:00:00 2001
From: Alexei Mikhailov <amikhailov83@gmail.com>
Date: Mon, 14 Oct 2024 11:21:55 +0300
Subject: [PATCH] feat: Support `cloudwatch_log_group_tags` parameter

Similar to `db_parameter_group_tags`, sometimes it is necessary to
configure additional tags on CloudWatch log groups only.
---
 README.md                          | 1 +
 examples/complete-mysql/main.tf    | 3 +++
 examples/complete-postgres/main.tf | 3 +++
 main.tf                            | 1 +
 modules/db_instance/README.md      | 1 +
 modules/db_instance/main.tf        | 2 +-
 modules/db_instance/variables.tf   | 6 ++++++
 variables.tf                       | 6 ++++++
 8 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 0f1367f7..45047f34 100644
--- a/README.md
+++ b/README.md
@@ -248,6 +248,7 @@ No resources.
 | <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | The number of days to retain CloudWatch logs for the DB instance | `number` | `7` | no |
 | <a name="input_cloudwatch_log_group_skip_destroy"></a> [cloudwatch\_log\_group\_skip\_destroy](#input\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `null` | no |
+| <a name="input_cloudwatch_log_group_tags"></a> [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags) | Additional tags for the CloudWatch log group(s) | `map(string)` | `{}` | no |
 | <a name="input_copy_tags_to_snapshot"></a> [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | On delete, copy all Instance tags to the final snapshot | `bool` | `false` | no |
 | <a name="input_create_cloudwatch_log_group"></a> [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a CloudWatch log group is created for each `enabled_cloudwatch_logs_exports` | `bool` | `false` | no |
 | <a name="input_create_db_instance"></a> [create\_db\_instance](#input\_create\_db\_instance) | Whether to create a database instance | `bool` | `true` | no |
diff --git a/examples/complete-mysql/main.tf b/examples/complete-mysql/main.tf
index 6f916470..41a02c8f 100644
--- a/examples/complete-mysql/main.tf
+++ b/examples/complete-mysql/main.tf
@@ -82,6 +82,9 @@ module "db" {
   db_subnet_group_tags = {
     "Sensitive" = "high"
   }
+  cloudwatch_log_group_tags = {
+    "Sensitive" = "high"
+  }
 }
 
 module "db_default" {
diff --git a/examples/complete-postgres/main.tf b/examples/complete-postgres/main.tf
index 6974601f..bd712492 100644
--- a/examples/complete-postgres/main.tf
+++ b/examples/complete-postgres/main.tf
@@ -97,6 +97,9 @@ module "db" {
   db_parameter_group_tags = {
     "Sensitive" = "low"
   }
+  cloudwatch_log_group_tags = {
+    "Sensitive" = "high"
+  }
 }
 
 module "db_default" {
diff --git a/main.tf b/main.tf
index b9897a98..44249211 100644
--- a/main.tf
+++ b/main.tf
@@ -149,6 +149,7 @@ module "db_instance" {
   cloudwatch_log_group_kms_key_id        = var.cloudwatch_log_group_kms_key_id
   cloudwatch_log_group_skip_destroy      = var.cloudwatch_log_group_skip_destroy
   cloudwatch_log_group_class             = var.cloudwatch_log_group_class
+  cloudwatch_log_group_tags              = var.cloudwatch_log_group_tags
 
   timeouts = var.timeouts
 
diff --git a/modules/db_instance/README.md b/modules/db_instance/README.md
index 9c851dae..b48683d3 100644
--- a/modules/db_instance/README.md
+++ b/modules/db_instance/README.md
@@ -51,6 +51,7 @@ No modules.
 | <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | The number of days to retain CloudWatch logs for the DB instance | `number` | `7` | no |
 | <a name="input_cloudwatch_log_group_skip_destroy"></a> [cloudwatch\_log\_group\_skip\_destroy](#input\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `null` | no |
+| <a name="input_cloudwatch_log_group_tags"></a> [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags) | Additional tags for the CloudWatch log group(s) | `map(string)` | `{}` | no |
 | <a name="input_copy_tags_to_snapshot"></a> [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | On delete, copy all Instance tags to the final snapshot | `bool` | `false` | no |
 | <a name="input_create"></a> [create](#input\_create) | Whether to create this resource or not? | `bool` | `true` | no |
 | <a name="input_create_cloudwatch_log_group"></a> [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a CloudWatch log group is created for each `enabled_cloudwatch_logs_exports` | `bool` | `false` | no |
diff --git a/modules/db_instance/main.tf b/modules/db_instance/main.tf
index e503722d..2fbe7138 100644
--- a/modules/db_instance/main.tf
+++ b/modules/db_instance/main.tf
@@ -163,7 +163,7 @@ resource "aws_cloudwatch_log_group" "this" {
   skip_destroy      = var.cloudwatch_log_group_skip_destroy
   log_group_class   = var.cloudwatch_log_group_class
 
-  tags = var.tags
+  tags = merge(var.tags, var.cloudwatch_log_group_tags)
 }
 
 ################################################################################
diff --git a/modules/db_instance/variables.tf b/modules/db_instance/variables.tf
index 9975bad1..4c854c1c 100644
--- a/modules/db_instance/variables.tf
+++ b/modules/db_instance/variables.tf
@@ -478,6 +478,12 @@ variable "cloudwatch_log_group_class" {
   default     = null
 }
 
+variable "cloudwatch_log_group_tags" {
+  description = "Additional tags for the CloudWatch log group(s)"
+  type        = map(string)
+  default     = {}
+}
+
 ################################################################################
 # Managed Secret Rotation
 ################################################################################
diff --git a/variables.tf b/variables.tf
index 76475c31..4f202732 100644
--- a/variables.tf
+++ b/variables.tf
@@ -605,6 +605,12 @@ variable "cloudwatch_log_group_class" {
   default     = null
 }
 
+variable "cloudwatch_log_group_tags" {
+  description = "Additional tags for the CloudWatch log group(s)"
+  type        = map(string)
+  default     = {}
+}
+
 variable "putin_khuylo" {
   description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!"
   type        = bool