tfstack · jajera · Feb 11, 2026 · Feb 11, 2026
diff --git a/README.md b/README.md
@@ -14,6 +14,7 @@ A Terraform module for creating and managing Amazon EKS (Elastic Kubernetes Serv
 - **EKS Capabilities**: Support for ACK, KRO, and ArgoCD capabilities
 - **AWS Load Balancer Controller**: Optional IAM role creation for AWS Load Balancer Controller (IRSA)
 - **Security**: KMS encryption, IMDSv2 enforcement, security groups
+- **CloudWatch Log Group**: Optional log group for EKS control plane logs; set `cloudwatch_log_group_force_destroy = true` to allow the log group to be deleted on `terraform destroy` (default is to protect it).
 
 ## Prerequisites
 

diff --git a/main.tf b/main.tf
@@ -21,8 +21,8 @@ data "aws_caller_identity" "current" {}
 # CloudWatch Log Group
 ################################################################################
 
-resource "aws_cloudwatch_log_group" "this" {
-  count = var.create_cloudwatch_log_group ? 1 : 0
+resource "aws_cloudwatch_log_group" "this_allow_destroy" {
+  count = var.create_cloudwatch_log_group && var.cloudwatch_log_group_force_destroy ? 1 : 0
 
   region = var.region
 
@@ -38,6 +38,27 @@ resource "aws_cloudwatch_log_group" "this" {
   )
 }
 
+resource "aws_cloudwatch_log_group" "this_prevent_destroy" {
+  count = var.create_cloudwatch_log_group && !var.cloudwatch_log_group_force_destroy ? 1 : 0
+
+  region = var.region
+
+  name              = "/aws/eks/${var.name}/cluster"
+  retention_in_days = var.cloudwatch_log_group_retention_in_days
+  kms_key_id        = var.cloudwatch_log_group_kms_key_id
+  log_group_class   = var.cloudwatch_log_group_class
+
+  tags = merge(
+    var.tags,
+    var.cloudwatch_log_group_tags,
+    { Name = "/aws/eks/${var.name}/cluster" }
+  )
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
 ################################################################################
 # KMS Key for EKS Cluster Encryption
 ################################################################################

diff --git a/outputs.tf b/outputs.tf
@@ -159,12 +159,12 @@ output "access_policy_associations" {
 
 output "cloudwatch_log_group_name" {
   description = "Name of cloudwatch log group created"
-  value       = try(aws_cloudwatch_log_group.this[0].name, null)
+  value       = coalesce(try(aws_cloudwatch_log_group.this_allow_destroy[0].name, null), try(aws_cloudwatch_log_group.this_prevent_destroy[0].name, null))
 }
 
 output "cloudwatch_log_group_arn" {
   description = "Arn of cloudwatch log group created"
-  value       = try(aws_cloudwatch_log_group.this[0].arn, null)
+  value       = coalesce(try(aws_cloudwatch_log_group.this_allow_destroy[0].arn, null), try(aws_cloudwatch_log_group.this_prevent_destroy[0].arn, null))
 }
 
 ################################################################################

diff --git a/variables.tf b/variables.tf
@@ -101,6 +101,12 @@ variable "cloudwatch_log_group_tags" {
   default     = {}
 }
 
+variable "cloudwatch_log_group_force_destroy" {
+  description = "When true, allow the CloudWatch log group to be deleted on terraform destroy. When false, protect it with lifecycle { prevent_destroy = true }."
+  type        = bool
+  default     = false
+}
+
 variable "region" {
   description = "AWS region for CloudWatch log group"
   type        = string