From 9f622aa1077eb9f3ca35297e329f5426e7232d51 Mon Sep 17 00:00:00 2001
From: Alexei Mikhailov <amikhailov83@gmail.com>
Date: Tue, 15 Oct 2024 10:07:17 +0300
Subject: [PATCH] feat: Support `cloudwatch_log_group_tags` parameter

Similar to `security_group_tags`, sometimes it is necessary to
configure additional tags on CloudWatch log groups only.
---
 README.md                   | 1 +
 examples/postgresql/main.tf | 4 ++++
 main.tf                     | 2 +-
 variables.tf                | 6 ++++++
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 866829b..8320160 100644
--- a/README.md
+++ b/README.md
@@ -283,6 +283,7 @@ No modules.
 | <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | The number of days to retain CloudWatch logs for the DB instance | `number` | `7` | no |
 | <a name="input_cloudwatch_log_group_skip_destroy"></a> [cloudwatch\_log\_group\_skip\_destroy](#input\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `null` | no |
+| <a name="input_cloudwatch_log_group_tags"></a> [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags) | Additional tags for the CloudWatch log group(s) | `map(string)` | `{}` | no |
 | <a name="input_cluster_ca_cert_identifier"></a> [cluster\_ca\_cert\_identifier](#input\_cluster\_ca\_cert\_identifier) | The CA certificate identifier to use for the DB cluster's server certificate. Currently only supported for multi-az DB clusters | `string` | `null` | no |
 | <a name="input_cluster_members"></a> [cluster\_members](#input\_cluster\_members) | List of RDS Instances that are a part of this cluster | `list(string)` | `null` | no |
 | <a name="input_cluster_performance_insights_enabled"></a> [cluster\_performance\_insights\_enabled](#input\_cluster\_performance\_insights\_enabled) | Valid only for Non-Aurora Multi-AZ DB Clusters. Enables Performance Insights for the RDS Cluster | `bool` | `null` | no |
diff --git a/examples/postgresql/main.tf b/examples/postgresql/main.tf
index 64673db..e97d935 100644
--- a/examples/postgresql/main.tf
+++ b/examples/postgresql/main.tf
@@ -111,6 +111,10 @@ module "aurora" {
   enabled_cloudwatch_logs_exports = ["postgresql"]
   create_cloudwatch_log_group     = true
 
+  cloudwatch_log_group_tags = {
+    Sensitivity = "high"
+  }
+
   create_db_cluster_activity_stream     = true
   db_cluster_activity_stream_kms_key_id = module.kms.key_id
   db_cluster_activity_stream_mode       = "async"
diff --git a/main.tf b/main.tf
index 9c8b756..364e1dc 100644
--- a/main.tf
+++ b/main.tf
@@ -430,7 +430,7 @@ resource "aws_cloudwatch_log_group" "this" {
   skip_destroy      = var.cloudwatch_log_group_skip_destroy
   log_group_class   = var.cloudwatch_log_group_class
 
-  tags = var.tags
+  tags = merge(var.tags, var.cloudwatch_log_group_tags)
 }
 
 ################################################################################
diff --git a/variables.tf b/variables.tf
index c17c5e4..8b49969 100644
--- a/variables.tf
+++ b/variables.tf
@@ -750,6 +750,12 @@ variable "cloudwatch_log_group_class" {
   default     = null
 }
 
+variable "cloudwatch_log_group_tags" {
+  description = "Additional tags for the CloudWatch log group(s)"
+  type        = map(string)
+  default     = {}
+}
+
 ################################################################################
 # Cluster Activity Stream
 ################################################################################