From 88932db750d357d15d3feeb3d3aea3fdce7a3ad5 Mon Sep 17 00:00:00 2001
From: John Ajera
Date: Wed, 11 Feb 2026 20:14:37 +1300
Subject: [PATCH] chore: allow cloudwatch force destroy

adds the variable to support
---
 README.md | 1 +
 main.tf | 25 +++++++++++++++++++++++--
 outputs.tf | 4 ++--
 variables.tf | 6 ++++++
 4 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index ffcd87c..8701bf1 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@ A Terraform module for creating and managing Amazon EKS (Elastic Kubernetes Serv
 - **EKS Capabilities**: Support for ACK, KRO, and ArgoCD capabilities
 - **AWS Load Balancer Controller**: Optional IAM role creation for AWS Load Balancer Controller (IRSA)
 - **Security**: KMS encryption, IMDSv2 enforcement, security groups
+- **CloudWatch Log Group**: Optional log group for EKS control plane logs; set `cloudwatch_log_group_force_destroy = true` to allow the log group to be deleted on `terraform destroy` (default is to protect it).
 
 ## Prerequisites
 
diff --git a/main.tf b/main.tf
index 8e0f16c..8276a0f 100644
--- a/main.tf
+++ b/main.tf
@@ -21,8 +21,8 @@ data "aws_caller_identity" "current" {}
 # CloudWatch Log Group
 ################################################################################
 
-resource "aws_cloudwatch_log_group" "this" {
- count = var.create_cloudwatch_log_group ? 1 : 0
+resource "aws_cloudwatch_log_group" "this_allow_destroy" {
+ count = var.create_cloudwatch_log_group && var.cloudwatch_log_group_force_destroy ? 1 : 0
 
 region = var.region
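Review bot: Renaming `aws_cloudwatch_log_group.this` to `this_allow_destroy` (and adding `this_prevent_destroy` in the next main.tf hunk) without a `moved` block means an existing deployment that upgrades gets a plan that destroys `aws_cloudwatch_log_group.this[0]` and creates `this_prevent_destroy[0]` under the same name, so the retained control-plane log history is deleted, or the create fails on a name collision with the not-yet-deleted group. Because the default is `cloudwatch_log_group_force_destroy = false`, a `moved` block from the old address to `this_prevent_destroy` covers the upgrade path for default users (Terraform 1.1 or later); users who set the flag to true still need a manual `terraform state mv`, and the variable description should say so. The resource block continues outside the hunk.
```hcl
moved {
  from = aws_cloudwatch_log_group.this
  to   = aws_cloudwatch_log_group.this_prevent_destroy
}
```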
@@ -38,6 +38,27 @@ resource "aws_cloudwatch_log_group" "this" {
 )
 }
 
+resource "aws_cloudwatch_log_group" "this_prevent_destroy" {
+ count = var.create_cloudwatch_log_group && !var.cloudwatch_log_group_force_destroy ? 1 : 0
+
+ region = var.region
+
+ name = "/aws/eks/${var.name}/cluster"
+ retention_in_days = var.cloudwatch_log_group_retention_in_days
+ kms_key_id = var.cloudwatch_log_group_kms_key_id
+ log_group_class = var.cloudwatch_log_group_class
+
+ tags = merge(
+ var.tags,
+ var.cloudwatch_log_group_tags,
+ { Name = "/aws/eks/${var.name}/cluster" }
+ )
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
 ################################################################################
 # KMS Key for EKS Cluster Encryption
 ################################################################################
diff --git a/outputs.tf b/outputs.tf
index 6b7c9b1..46dbbef 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -159,12 +159,12 @@ output "access_policy_associations" {
 
 output "cloudwatch_log_group_name" {
 description = "Name of cloudwatch log group created"
- value = try(aws_cloudwatch_log_group.this[0].name, null)
+ value = coalesce(try(aws_cloudwatch_log_group.this_allow_destroy[0].name, null), try(aws_cloudwatch_log_group.this_prevent_destroy[0].name, null))
 }
 
 output "cloudwatch_log_group_arn" {
 description = "Arn of cloudwatch log group created"
- value = try(aws_cloudwatch_log_group.this[0].arn, null)
+ value = coalesce(try(aws_cloudwatch_log_group.this_allow_destroy[0].arn, null), try(aws_cloudwatch_log_group.this_prevent_destroy[0].arn, null))
 }
 
 ################################################################################
diff --git a/variables.tf b/variables.tf
index 95cb174..46408ae 100644
--- a/variables.tf
+++ b/variables.tf
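Review bot: Toggling `cloudwatch_log_group_force_destroy` on an existing deployment does not merely change the lifecycle rule; it flips `count` between two differently named resources, so Terraform plans a destroy of one log group and a create of the other with the same name. Going from true to false therefore deletes the existing group and its retained control-plane logs (or fails on a name collision) before the "protected" copy exists, and going from false to true is refused by `prevent_destroy` until the user runs `terraform state mv`. A comment above the new block, e.g. `# Duplicated because lifecycle.prevent_destroy cannot be an expression; changing the flag on an existing cluster requires "terraform state mv", otherwise the log group is recreated`, and the same caveat in the variable description in the variables.tf hunk would make that explicit. The attributes and tags here repeat `this_allow_destroy` verbatim, so any future change to the log group must be made in both resources.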
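Review bot: `coalesce()` raises an error when every argument is null, so with `create_cloudwatch_log_group = false` both `try()` calls yield null and these two outputs fail evaluation instead of returning null as the removed lines did. `try()` accepts several expressions and returns the first that succeeds, which expresses the intent without `coalesce`: `value = try(aws_cloudwatch_log_group.this_allow_destroy[0].name, aws_cloudwatch_log_group.this_prevent_destroy[0].name, null)` and `value = try(aws_cloudwatch_log_group.this_allow_destroy[0].arn, aws_cloudwatch_log_group.this_prevent_destroy[0].arn, null)`.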
@@ -101,6 +101,12 @@ variable "cloudwatch_log_group_tags" {
 default = {}
 }
 
+variable "cloudwatch_log_group_force_destroy" {
+ description = "When true, allow the CloudWatch log group to be deleted on terraform destroy. When false, protect it with lifecycle { prevent_destroy = true }."
+ type = bool
+ default = false
+}
+
 variable "region" {
 description = "AWS region for CloudWatch log group"
 type = string