
[Feature Request] Allow to create log-groups with kms encryption

Open markussiebert opened this issue 5 years ago • 6 comments

At the moment I can't find an option for creating kms encrypted log groups, but I think it would be an excellent feature.

It should be possible via golang to create an encrypted log group: https://docs.aws.amazon.com/sdk-for-go/api/service/cloudwatchlogs/#CreateLogGroupInput

markussiebert avatar Nov 01 '20 22:11 markussiebert

Typically a best practice is to create log groups with infrastructure as code (CloudFormation, Terraform, CDK, etc.). This makes it easy to set centralized policies for your teams on retention, and also encryption. It also makes it easy to delete log groups. Whereas, if you have Fluent Bit create them, there is nothing tracking all of the log groups it creates.

However, we do understand that some folks want to create the log groups with Fluent Bit, and so we have added this request to our backlog. I am uncertain as to when we would pick it up though.

This request is an ideal one for a new/novice contributor who wants to add an option. You can see the past commit where the log retention setting was added; this feature is similar.

PettitWesley avatar Nov 03 '22 19:11 PettitWesley

FWIW ... for our use case, we're using this via an addon in terraform-aws-eks-blueprints. We need the LogGroups that ultimately get created by it dynamically to be encrypted with KMS.

etoews avatar Nov 04 '22 03:11 etoews

@etoews I see this in their docs (which is just a wrapper around the AWS for Fluent Bit helm chart from what I can tell https://github.com/aws/eks-charts/tree/master/stable/aws-for-fluent-bit): https://aws-ia.github.io/terraform-aws-eks-blueprints/v4.14.0/add-ons/aws-for-fluent-bit/#externally-created-cloudwatch-log-groups

Why does that not allow you to accomplish what you want?

PettitWesley avatar Nov 04 '22 20:11 PettitWesley

@PettitWesley That's for externally created LogGroups. Like the OP, we are not externally creating LogGroups. FluentBit is creating the LogGroups for us, hence the need to allow creating LogGroups with KMS encryption.

etoews avatar Nov 09 '22 20:11 etoews

@etoews I understand the request. And we have this on our long term backlog. I understand that your existing workflow is to have Fluent Bit create the log groups, and that you would like to enable KMS encryption without modifying your existing workflow.

However, I want to note that a workaround exists that is compatible with the helm chart. And IMO, creating the log group externally via infra as code is generally the best practice.

Let me know if I have incorrectly summarized the status of this use case.

PettitWesley avatar Nov 09 '22 21:11 PettitWesley

@PettitWesley That correctly summarises it.

etoews avatar Nov 11 '22 00:11 etoews