feat(logging): add ECR logging configuration with CloudWatch integration (#30)

lgallard · web-flow · commit 97dab314b933 · 2025-04-19T01:49:15.000+02:00
diff --git a/README.md b/README.md
@@ -10,9 +10,8 @@ Check the [examples](examples/) for the  **simple** and the **complete** snippet
 ### Simple example
 This example creates an ECR registry using few parameters
 
-```
+```hcl
 module "ecr" {
-
   source = "lgallard/ecr/aws"
 
   name         = "ecr-repo-dev"
@@ -23,10 +22,56 @@ module "ecr" {
     Environment = "dev"
     Terraform   = true
   }
+}
+```
+
+### Complete example with logging
+In this example, the registry is defined in detail including CloudWatch logging:
+
+```hcl
+module "ecr" {
+  source = "lgallard/ecr/aws"
+
+  name                 = "ecr-repo-dev"
+  scan_on_push        = true
+  timeouts_delete     = "60m"
+  image_tag_mutability = "IMMUTABLE"
+  encryption_type     = "KMS"
+  
+  # Enable CloudWatch logging
+  enable_logging     = true
+  log_retention_days = 14
+
+  // ...rest of configuration...
+}
+```
+
+### CloudWatch Logging
+
+The module supports sending ECR API actions and image push/pull events to CloudWatch Logs. When enabled:
+
+- Creates a CloudWatch Log Group `/aws/ecr/{repository-name}`
+- Sets up necessary IAM roles and policies for ECR to write logs
+- Configurable log retention period (default: 30 days)
 
+To enable logging:
+
+```hcl
+module "ecr" {
+  source = "lgallard/ecr/aws"
+  
+  name           = "ecr-repo-dev"
+  enable_logging = true
+  
+  # Optional: customize retention period (in days)
+  log_retention_days = 14  # Valid values: 0,1,3,5,7,14,30,60,90,120,150,180,365,400,545,731,1827,3653
 }
 ```
 
+The module outputs logging-related ARNs:
+- `cloudwatch_log_group_arn` - The ARN of the CloudWatch Log Group
+- `logging_role_arn` - The ARN of the IAM role used for logging
+
 ### Complete example
 In this example the register is defined in detailed.
 
@@ -192,6 +237,8 @@ No modules.
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to all resources created by this module.<br/>Tags are key-value pairs that help you manage, identify, organize, search for and filter resources.<br/>Example: { Environment = "Production", Owner = "Team" } | `map(string)` | `{}` | no |
 | <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | Timeout configuration for repository operations.<br/>Specify as an object with a 'delete' key containing a duration string (e.g. "20m").<br/>Example: { delete = "20m" } | <pre>object({<br/>    delete = optional(string)<br/>  })</pre> | `{}` | no |
 | <a name="input_timeouts_delete"></a> [timeouts\_delete](#input\_timeouts\_delete) | Deprecated: Use timeouts = { delete = "duration" } instead.<br/>How long to wait for a repository to be deleted.<br/>Specify as a duration string, e.g. "20m" for 20 minutes. | `string` | `null` | no |
+| <a name="input_enable_logging"></a> [enable\_logging](#input\_enable\_logging) | Whether to enable CloudWatch logging for the repository.<br/>When set to true, logs for ECR API actions and image push/pull events will be sent to CloudWatch Logs.<br/>Defaults to false to disable logging. | `bool` | `false` | no |
+| <a name="input_log_retention_days"></a> [log\_retention\_days](#input\_log\_retention\_days) | The number of days to retain logs in the CloudWatch Log Group.<br/>Valid values: 0,1,3,5,7,14,30,60,90,120,150,180,365,400,545,731,1827,3653.<br/>Defaults to 30 days. | `number` | `30` | no |
 
 ## Outputs
 
@@ -202,4 +249,6 @@ No modules.
 | <a name="output_repository_arn"></a> [repository\_arn](#output\_repository\_arn) | ARN of the ECR repository |
 | <a name="output_repository_name"></a> [repository\_name](#output\_repository\_name) | Name of the ECR repository |
 | <a name="output_repository_url"></a> [repository\_url](#output\_repository\_url) | URL of the ECR repository |
+| <a name="output_cloudwatch_log_group_arn"></a> [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | The ARN of the CloudWatch Log Group created for logging. |
+| <a name="output_logging_role_arn"></a> [logging\_role\_arn](#output\_logging\_role\_arn) | The ARN of the IAM role used for logging. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -9,6 +9,10 @@ module "ecr" {
   image_tag_mutability = "IMMUTABLE"
   force_delete         = true
   encryption_type      = "KMS"
+  
+  # Enable logging configuration
+  enable_logging     = true
+  log_retention_days = 14
 
   image_scanning_configuration = {
     scan_on_push = true
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
@@ -19,6 +19,17 @@ output "registry_id" {
   value       = module.ecr.registry_id
 }
 
+# Logging outputs
+output "ecr_log_group_arn" {
+  description = "ARN of the CloudWatch Log Group for ECR logs"
+  value       = module.ecr.cloudwatch_log_group_arn
+}
+
+output "ecr_logging_role_arn" {
+  description = "ARN of the IAM role used for ECR logging"
+  value       = module.ecr.logging_role_arn
+}
+
 # Protected repository outputs
 output "protected_repository_url" {
   description = "URL of the protected ECR repository"
diff --git a/main.tf b/main.tf
@@ -207,6 +207,72 @@ resource "aws_kms_alias" "kms_key_alias" {
   }
 }
 
+# CloudWatch Log Group for ECR logs
+resource "aws_cloudwatch_log_group" "ecr_logs" {
+  count             = var.enable_logging ? 1 : 0
+  name              = "/aws/ecr/${var.name}"
+  retention_in_days = var.log_retention_days
+
+  tags = merge(
+    {
+      Name      = "${var.name}-logs"
+      ManagedBy = "Terraform"
+    },
+    var.tags
+  )
+}
+
+# IAM Role for ECR logging
+resource "aws_iam_role" "ecr_logging" {
+  count = var.enable_logging ? 1 : 0
+  name  = "ecr-logging-${var.name}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ecr.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = merge(
+    {
+      Name      = "${var.name}-logging-role"
+      ManagedBy = "Terraform"
+    },
+    var.tags
+  )
+}
+
+# IAM Policy for ECR logging
+resource "aws_iam_role_policy" "ecr_logging" {
+  count = var.enable_logging ? 1 : 0
+  name  = "ecr-logging-${var.name}"
+  role  = aws_iam_role.ecr_logging[0].id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+          "logs:CreateLogGroup"
+        ]
+        Resource = [
+          "${aws_cloudwatch_log_group.ecr_logs[0].arn}:*"
+        ]
+      }
+    ]
+  })
+}
+
 locals {
   # Determine if we need to create a new KMS key
   should_create_kms_key = var.encryption_type == "KMS" && var.kms_key == null
@@ -235,4 +301,10 @@ locals {
       }] : []
     )
   )
+
+  # Logging configuration
+  logging_configuration = var.enable_logging ? {
+    log_group_arn = aws_cloudwatch_log_group.ecr_logs[0].arn
+    role_arn      = aws_iam_role.ecr_logging[0].arn
+  } : null
 }
diff --git a/outputs.tf b/outputs.tf
@@ -23,3 +23,14 @@ output "kms_key_arn" {
   value       = local.should_create_kms_key ? aws_kms_key.kms_key[0].arn : var.kms_key
   description = "The ARN of the KMS key used for repository encryption."
 }
+
+# Logging outputs
+output "cloudwatch_log_group_arn" {
+  description = "The ARN of the CloudWatch Log Group used for ECR logs (if logging is enabled)"
+  value       = try(aws_cloudwatch_log_group.ecr_logs[0].arn, null)
+}
+
+output "logging_role_arn" {
+  description = "The ARN of the IAM role used for ECR logging (if logging is enabled)"
+  value       = try(aws_iam_role.ecr_logging[0].arn, null)
+}
diff --git a/variables.tf b/variables.tf
@@ -181,3 +181,31 @@ variable "tags" {
   type        = map(string)
   default     = {}
 }
+
+# ----------------------------------------------------------
+# Logging Configuration
+# ----------------------------------------------------------
+
+variable "enable_logging" {
+  description = <<-EOT
+    Whether to enable CloudWatch logging for the repository.
+    When enabled, ECR API actions and image push/pull events will be logged to CloudWatch.
+    Defaults to false.
+  EOT
+  type        = bool
+  default     = false
+}
+
+variable "log_retention_days" {
+  description = <<-EOT
+    Number of days to retain ECR logs in CloudWatch.
+    Only applicable when enable_logging is true.
+    Defaults to 30 days.
+  EOT
+  type        = number
+  default     = 30
+  validation {
+    condition     = contains([0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653], var.log_retention_days)
+    error_message = "Log retention days must be one of: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653."
+  }
+}
