fix(logging): preserve count-based log groups to avoid breaking change

Brend-Smits · Brend-Smits · commit 0326c6d919e5 · 2026-03-11T15:31:38.000+01:00
BREAKING CHANGE AVOIDED: The previous implementation changed
aws_cloudwatch_log_group.gh_runners from count to for_each, which would
cause Terraform to destroy and recreate all existing CloudWatch log
groups on upgrade. This could result in loss of log data.

This commit reverts to the count-based approach using parallel
loggroups_names and loggroups_classes lists, preserving the existing
Terraform state addresses (e.g. aws_cloudwatch_log_group.gh_runners[0])
while still supporting the new log_class parameter.

Changes:
- logging.tf: Use loggroups_names + loggroups_classes parallel lists
  instead of a for_each on objects, keeping count-based resource indexing
- logging.tf: Remove redundant try() around l.log_class since the
  variable type already defaults it to "STANDARD"
- job-retry.tf: Add missing log_class propagation to job-retry config
- variables.tf: Update runner_log_files description to document log_class
- examples/multi-runner: Add log_class parameter to example

Signed-off-by: Brend Smits &lt;brend.smits@philips.com&gt;
diff --git a/examples/multi-runner/main.tf b/examples/multi-runner/main.tf
@@ -139,6 +139,9 @@ module "runners" {
   # Enable debug logging for the lambda functions
   # log_level = "debug"
 
+  # Set log class to INFREQUENT_ACCESS for cost savings
+  log_class = "STANDARD"
+
   # Enable to track the spot instance termination warning
   # instance_termination_watcher = {
   #   enable         = true
diff --git a/modules/runners/job-retry.tf b/modules/runners/job-retry.tf
@@ -13,6 +13,7 @@ locals {
     kms_key_arn                                                    = var.kms_key_arn
     lambda_tags                                                    = var.lambda_tags
     log_level                                                      = var.log_level
+    log_class                                                      = var.log_class
     logging_kms_key_id                                             = var.logging_kms_key_id
     logging_retention_in_days                                      = var.logging_retention_in_days
     metrics                                                        = var.metrics
diff --git a/modules/runners/logging.tf b/modules/runners/logging.tf
@@ -37,10 +37,18 @@ locals {
     "log_group_name" : l.prefix_log_group ? "/github-self-hosted-runners/${var.prefix}/${l.log_group_name}" : "/${l.log_group_name}"
     "log_stream_name" : l.log_stream_name
     "file_path" : l.file_path
-    "log_class" : try(l.log_class, "STANDARD")
+    "log_class" : l.log_class
   }] : []
 
-  loggroups = distinct([for l in local.logfiles : { name = l.log_group_name, log_class = l.log_class }])
+  loggroups_names = distinct([for l in local.logfiles : l.log_group_name])
+  # Create a list of unique log classes corresponding to each log group name
+  # This maintains the same order as loggroups_names for use with count
+  loggroups_classes = [
+    for name in local.loggroups_names : [
+      for l in local.logfiles : l.log_class
+      if l.log_group_name == name
+    ][0]
+  ]
 
 }
 
@@ -56,11 +64,11 @@ resource "aws_ssm_parameter" "cloudwatch_agent_config_runner" {
 }
 
 resource "aws_cloudwatch_log_group" "gh_runners" {
-  for_each          = { for lg in local.loggroups : lg.name => lg }
-  name              = each.value.name
+  count             = length(local.loggroups_names)
+  name              = local.loggroups_names[count.index]
   retention_in_days = var.logging_retention_in_days
   kms_key_id        = var.logging_kms_key_id
-  log_group_class   = each.value.log_class
+  log_group_class   = local.loggroups_classes[count.index]
   tags              = local.tags
 }
 
diff --git a/variables.tf b/variables.tf
@@ -496,7 +496,7 @@ variable "cloudwatch_config" {
 }
 
 variable "runner_log_files" {
-  description = "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."
+  description = "(optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/<var.prefix>`, `file_path`: path to the log file, `log_stream_name`: name of the log stream, `log_class`: The log class of the log group. Valid values are `STANDARD` or `INFREQUENT_ACCESS`. Defaults to `STANDARD`."
   type = list(object({
     log_group_name   = string
     prefix_log_group = bool

Original file line number	Diff line number	Diff line change
`@@ -496,7 +496,7 @@ variable "cloudwatch_config" {`
`496`	`496`	`}`
`497`	`497`
`498`	`498`	`variable "runner_log_files" {`
`499`		`- description = "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details."`
	`499`	+ description = "(optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/<var.prefix>`, `file_path`: path to the log file, `log_stream_name`: name of the log stream, `log_class`: The log class of the log group. Valid values are `STANDARD` or `INFREQUENT_ACCESS`. Defaults to `STANDARD`."
`500`	`500`	`type = list(object({`
`501`	`501`	`log_group_name = string`
`502`	`502`	`prefix_log_group = bool`