Add cloudwatch logging options for runCommand patch manager tasks (#48)
gpapakyriakopoulos authored Mar 11, 2024
1 parent 28f5448 commit 23d1a1f
Showing 4 changed files with 44 additions and 4 deletions.
3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -144,6 +144,8 @@ Available targets:
| <a name="input_approved_patches_compliance_level"></a> [approved\_patches\_compliance\_level](#input\_approved\_patches\_compliance\_level) | Defines the compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED. | `string` | `"HIGH"` | no |
| <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
| <a name="input_bucket_id"></a> [bucket\_id](#input\_bucket\_id) | The bucket ID to use for the patch log. If no bucket ID is provided, the module will create a new one. This is of type `list(string)` to work around #41 / https://github.com/hashicorp/terraform/issues/28962. | `list(string)` | `[]` | no |
| <a name="input_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | The name of the CloudWatch log group where you want to send command output. If you don't specify a group name, Systems Manager automatically creates a log group for you. The log group uses the following naming format: aws/ssm/SystemsManagerDocumentName. | `string` | `null` | no |
| <a name="input_cloudwatch_log_output_enabled"></a> [cloudwatch\_log\_output\_enabled](#input\_cloudwatch\_log\_output\_enabled) | Enables Systems Manager to send command output to CloudWatch Logs. | `bool` | `false` | no |
| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
Expand Down Expand Up @@ -174,6 +176,7 @@ Available targets:
| <a name="input_rejected_patches"></a> [rejected\_patches](#input\_rejected\_patches) | A list of rejected patches | `list(string)` | `[]` | no |
| <a name="input_s3_bucket_prefix_install_logs"></a> [s3\_bucket\_prefix\_install\_logs](#input\_s3\_bucket\_prefix\_install\_logs) | The Amazon S3 bucket subfolder for install logs | `string` | `"install"` | no |
| <a name="input_s3_bucket_prefix_scan_logs"></a> [s3\_bucket\_prefix\_scan\_logs](#input\_s3\_bucket\_prefix\_scan\_logs) | The Amazon S3 bucket subfolder for scan logs | `string` | `"scanning"` | no |
| <a name="input_s3_log_output_enabled"></a> [s3\_log\_output\_enabled](#input\_s3\_log\_output\_enabled) | To enable or disable s3 bucket output for the runCommand logs | `bool` | `true` | no |
| <a name="input_scan_maintenance_window_cutoff"></a> [scan\_maintenance\_window\_cutoff](#input\_scan\_maintenance\_window\_cutoff) | The number of hours before the end of the Maintenance Window that Systems Manager stops scheduling new tasks for execution | `number` | `1` | no |
| <a name="input_scan_maintenance_window_duration"></a> [scan\_maintenance\_window\_duration](#input\_scan\_maintenance\_window\_duration) | The duration of the maintenence windows (hours) | `number` | `3` | no |
| <a name="input_scan_maintenance_window_schedule"></a> [scan\_maintenance\_window\_schedule](#input\_scan\_maintenance\_window\_schedule) | The schedule of the Maintenance Window in the form of a cron or rate expression. | `string` | `"cron(0 0 18 ? * WED *)"` | no |
3 changes: 3 additions & 0 deletions docs/terraform.md
Expand Up @@ -47,6 +47,8 @@
| <a name="input_approved_patches_compliance_level"></a> [approved\_patches\_compliance\_level](#input\_approved\_patches\_compliance\_level) | Defines the compliance level for approved patches. This means that if an approved patch is reported as missing, this is the severity of the compliance violation. Valid compliance levels include the following: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value is UNSPECIFIED. | `string` | `"HIGH"` | no |
| <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br>in the order they appear in the list. New attributes are appended to the<br>end of the list. The elements of the list are joined by the `delimiter`<br>and treated as a single ID element. | `list(string)` | `[]` | no |
| <a name="input_bucket_id"></a> [bucket\_id](#input\_bucket\_id) | The bucket ID to use for the patch log. If no bucket ID is provided, the module will create a new one. This is of type `list(string)` to work around #41 / https://github.com/hashicorp/terraform/issues/28962. | `list(string)` | `[]` | no |
| <a name="input_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | The name of the CloudWatch log group where you want to send command output. If you don't specify a group name, Systems Manager automatically creates a log group for you. The log group uses the following naming format: aws/ssm/SystemsManagerDocumentName. | `string` | `null` | no |
| <a name="input_cloudwatch_log_output_enabled"></a> [cloudwatch\_log\_output\_enabled](#input\_cloudwatch\_log\_output\_enabled) | Enables Systems Manager to send command output to CloudWatch Logs. | `bool` | `false` | no |
| <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br> "additional_tag_map": {},<br> "attributes": [],<br> "delimiter": null,<br> "descriptor_formats": {},<br> "enabled": true,<br> "environment": null,<br> "id_length_limit": null,<br> "label_key_case": null,<br> "label_order": [],<br> "label_value_case": null,<br> "labels_as_tags": [<br> "unset"<br> ],<br> "name": null,<br> "namespace": null,<br> "regex_replace_chars": null,<br> "stage": null,<br> "tags": {},<br> "tenant": null<br>}</pre> | no |
| <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
Expand Down Expand Up @@ -77,6 +79,7 @@
| <a name="input_rejected_patches"></a> [rejected\_patches](#input\_rejected\_patches) | A list of rejected patches | `list(string)` | `[]` | no |
| <a name="input_s3_bucket_prefix_install_logs"></a> [s3\_bucket\_prefix\_install\_logs](#input\_s3\_bucket\_prefix\_install\_logs) | The Amazon S3 bucket subfolder for install logs | `string` | `"install"` | no |
| <a name="input_s3_bucket_prefix_scan_logs"></a> [s3\_bucket\_prefix\_scan\_logs](#input\_s3\_bucket\_prefix\_scan\_logs) | The Amazon S3 bucket subfolder for scan logs | `string` | `"scanning"` | no |
| <a name="input_s3_log_output_enabled"></a> [s3\_log\_output\_enabled](#input\_s3\_log\_output\_enabled) | To enable or disable s3 bucket output for the runCommand logs | `bool` | `true` | no |
| <a name="input_scan_maintenance_window_cutoff"></a> [scan\_maintenance\_window\_cutoff](#input\_scan\_maintenance\_window\_cutoff) | The number of hours before the end of the Maintenance Window that Systems Manager stops scheduling new tasks for execution | `number` | `1` | no |
| <a name="input_scan_maintenance_window_duration"></a> [scan\_maintenance\_window\_duration](#input\_scan\_maintenance\_window\_duration) | The duration of the maintenence windows (hours) | `number` | `3` | no |
| <a name="input_scan_maintenance_window_schedule"></a> [scan\_maintenance\_window\_schedule](#input\_scan\_maintenance\_window\_schedule) | The schedule of the Maintenance Window in the form of a cron or rate expression. | `string` | `"cron(0 0 18 ? * WED *)"` | no |
24 changes: 20 additions & 4 deletions main.tf
Expand Up @@ -52,8 +52,8 @@ resource "aws_ssm_maintenance_window_task" "task_scan_patches" {
name = "RebootOption"
values = ["NoReboot"]
}
output_s3_bucket = local.bucket_id
output_s3_key_prefix = var.s3_bucket_prefix_scan_logs
output_s3_bucket = var.s3_log_output_enabled ? local.bucket_id : null
output_s3_key_prefix = var.s3_log_output_enabled ? var.s3_bucket_prefix_scan_logs : null
service_role_arn = var.sns_notification_role_arn

dynamic "notification_config" {
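Review bot: turning `s3_log_output_enabled` off here does not stop the module from creating the log bucket; `local.bucket_id` is still evaluated, and the `bucket_id` input documented in README.md says a bucket is created when none is supplied. If `false` is meant to skip S3 entirely, the bucket resources should be gated on the same variable, otherwise operators are left with an unused bucket. Separately, `cloudwatch_log_output_enabled` defaults to `false`, so setting this flag to `false` leaves the patch run with no durable command output anywhere; a precondition or documented warning that at least one destination should be enabled would protect the audit trail that scan and install logs provide for patch compliance.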
Expand All @@ -64,6 +64,14 @@ resource "aws_ssm_maintenance_window_task" "task_scan_patches" {
notification_type = var.notification_type
}
}

dynamic "cloudwatch_config" {
for_each = var.cloudwatch_log_output_enabled ? [1] : []
content {
cloudwatch_output_enabled = var.cloudwatch_log_output_enabled
cloudwatch_log_group_name = var.cloudwatch_log_group_name
}
}
}
}
}
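Review bot: the new `cloudwatch_config` block adds nothing on the instance side, and Run Command output is shipped to CloudWatch Logs by the SSM Agent using the managed node's instance profile, so enabling `cloudwatch_log_output_enabled` on a fleet whose profile lacks permission to create log streams and put log events silently yields no logs. That requirement belongs in the variable description or README. Also worth stating: with `cloudwatch_log_group_name` left `null`, the automatically created `aws/ssm/...` group has no retention policy or customer-managed key, so for a retained audit trail operators should pre-create the group with retention and encryption and pass its name.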
Expand Down Expand Up @@ -134,8 +142,8 @@ resource "aws_ssm_maintenance_window_task" "task_install_patches" {
name = "RebootOption"
values = [var.reboot_option]
}
output_s3_bucket = local.bucket_id
output_s3_key_prefix = var.s3_bucket_prefix_install_logs
output_s3_bucket = var.s3_log_output_enabled ? local.bucket_id : null
output_s3_key_prefix = var.s3_log_output_enabled ? var.s3_bucket_prefix_scan_logs : null
service_role_arn = var.sns_notification_role_arn

dynamic "notification_config" {
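Review bot: `output_s3_key_prefix` on the install task now reads `var.s3_bucket_prefix_scan_logs`; the line it replaces used `var.s3_bucket_prefix_install_logs`, and README.md still documents `install` as the subfolder for install logs. This copy from the scan task would write install output under the scan prefix, so anyone using the prefix to separate what was changed on hosts from what was merely scanned gets the wrong picture. It should be `output_s3_key_prefix = var.s3_log_output_enabled ? var.s3_bucket_prefix_install_logs : null`.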
Expand All @@ -146,6 +154,14 @@ resource "aws_ssm_maintenance_window_task" "task_install_patches" {
notification_type = var.notification_type
}
}

dynamic "cloudwatch_config" {
for_each = var.cloudwatch_log_output_enabled ? [1] : []
content {
cloudwatch_output_enabled = var.cloudwatch_log_output_enabled
cloudwatch_log_group_name = var.cloudwatch_log_group_name
}
}
}
}
}
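Review bot: inside `content {}` the block only exists when `var.cloudwatch_log_output_enabled` is true, so `cloudwatch_output_enabled = var.cloudwatch_log_output_enabled` always evaluates to `true`; the literal `true` states the intent more plainly. This block is also a verbatim copy of the one in `task_scan_patches`, and the two tasks have already drifted once in this commit (`output_s3_key_prefix`), so driving both `for_each` expressions and the two values from a single local would keep them in step.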
18 changes: 18 additions & 0 deletions variables.tf
Expand Up @@ -234,3 +234,21 @@ variable "ssm_bucket_versioning_enable" {
description = "To enable or disable S3 bucket versioning for the log bucket."
default = true
}

variable "s3_log_output_enabled" {
type = bool
description = "To enable or disable s3 bucket output for the runCommand logs"
default = true
}

variable "cloudwatch_log_output_enabled" {
type = bool
description = "Enables Systems Manager to send command output to CloudWatch Logs."
default = false
}

variable "cloudwatch_log_group_name" {
type = string
description = "The name of the CloudWatch log group where you want to send command output. If you don't specify a group name, Systems Manager automatically creates a log group for you. The log group uses the following naming format: aws/ssm/SystemsManagerDocumentName."
default = null
}
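Review bot: `cloudwatch_log_group_name` is silently ignored when `cloudwatch_log_output_enabled` is `false`, because the `cloudwatch_config` block in main.tf is only generated when the flag is set, and the description does not mention that dependency; a sentence saying so, or a precondition on the task resources rejecting a non-null name with the flag off, would stop operators from assuming logs are flowing when they are not. Minor: the description of `s3_log_output_enabled` uses lowercase "s3" and lacks the trailing period the neighbouring descriptions use; since README.md and docs/terraform.md appear to be generated from these descriptions, fixing it here fixes all three.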
