feat(logging): add log_class parameter to runner log files configuration (#5036)

This pull request updates the logging configuration by introducing
support for the `log_class` property, allowing log groups to be created
with either the `STANDARD` or `INFREQUENT_ACCESS` class. The change is
applied throughout the configuration to ensure log groups and log files
can specify their class, defaulting to `STANDARD` if not set.

**Logging configuration enhancements:**

* Added a `log_class` property (defaulting to `"STANDARD"`) to the
`runner_log_files` and `multi_runner_config` variables in
`variables.tf`, `modules/runners/variables.tf`, and
`modules/multi-runner/variables.tf` to allow specifying the log group
class.
[[1]](diffhunk://#diff-05b5a57c136b6ff596500bcbfdcff145ef6cddea2a0e86d184d9daa9a65a288eR494)
[[2]](diffhunk://#diff-23e8f44c0f21971190244acdb8a35eaa21af7578ed5f1b97bef83f1a566d979cL398-R404)
[[3]](diffhunk://#diff-52d0673ff466b6445542e17038ea73a1cf41b8112f49ee57da4cebf8f0cb99c5R155)
* Updated the local log file definitions in `modules/runners/logging.tf`
to include the `log_class` property for each log file, defaulting to
`"STANDARD"`.
* Modified the CloudWatch log group resource in
`modules/runners/logging.tf` to use the specified `log_class` when
creating log groups, and refactored the logic to group log files by both
name and class.

**Documentation improvements:**

* Enhanced the description of the `runner_log_files` variable to
document the new `log_class` property and its valid values.

---------

Signed-off-by: Brend Smits <brend.smits@philips.com>
Co-authored-by: github-aws-runners-pr|bot <github-aws-runners-pr[bot]@users.noreply.github.com>

Author: Brend-Smits

README.md

@@ -158,6 +158,7 @@ Join our discord community via [this invite link](https://discord.gg/bxgXW8jJGh)
 | <a name="input_lambda_security_group_ids"></a> [lambda\_security\_group\_ids](#input\_lambda\_security\_group\_ids) | List of security group IDs associated with the Lambda function. | `list(string)` | `[]` | no |
 | <a name="input_lambda_subnet_ids"></a> [lambda\_subnet\_ids](#input\_lambda\_subnet\_ids) | List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`. | `list(string)` | `[]` | no |
 | <a name="input_lambda_tags"></a> [lambda\_tags](#input\_lambda\_tags) | Map of tags that will be added to all the lambda function resources. Note these are additional tags to the default tags. | `map(string)` | `{}` | no |
+| <a name="input_log_class"></a> [log\_class](#input\_log\_class) | The log class of the CloudWatch log groups. Valid values are `STANDARD` or `INFREQUENT_ACCESS`. | `string` | `"STANDARD"` | no |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Logging level for lambda logging. Valid values are  'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'. | `string` | `"info"` | no |
 | <a name="input_logging_kms_key_id"></a> [logging\_kms\_key\_id](#input\_logging\_kms\_key\_id) | Specifies the kms key id to encrypt the logs with. | `string` | `null` | no |
 | <a name="input_logging_retention_in_days"></a> [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `180` | no |
@@ -198,7 +199,7 @@ Join our discord community via [this invite link](https://discord.gg/bxgXW8jJGh)
 | <a name="input_runner_hook_job_completed"></a> [runner\_hook\_job\_completed](#input\_runner\_hook\_job\_completed) | Script to be ran in the runner environment at the end of every job | `string` | `""` | no |
 | <a name="input_runner_hook_job_started"></a> [runner\_hook\_job\_started](#input\_runner\_hook\_job\_started) | Script to be ran in the runner environment at the beginning of every job | `string` | `""` | no |
 | <a name="input_runner_iam_role_managed_policy_arns"></a> [runner\_iam\_role\_managed\_policy\_arns](#input\_runner\_iam\_role\_managed\_policy\_arns) | Attach AWS or customer-managed IAM policies (by ARN) to the runner IAM role | `list(string)` | `[]` | no |
-| <a name="input_runner_log_files"></a> [runner\_log\_files](#input\_runner\_log\_files) | (optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details. | <pre>list(object({<br/>    log_group_name   = string<br/>    prefix_log_group = bool<br/>    file_path        = string<br/>    log_stream_name  = string<br/>  }))</pre> | `null` | no |
+| <a name="input_runner_log_files"></a> [runner\_log\_files](#input\_runner\_log\_files) | (optional) List of logfiles to send to CloudWatch, will only be used if `enable_cloudwatch_agent` is set to true. Object description: `log_group_name`: Name of the log group, `prefix_log_group`: If true, the log group name will be prefixed with `/github-self-hosted-runners/<var.prefix>`, `file_path`: path to the log file, `log_stream_name`: name of the log stream, `log_class`: The log class of the log group. Valid values are `STANDARD` or `INFREQUENT_ACCESS`. Defaults to `STANDARD`. | <pre>list(object({<br/>    log_group_name   = string<br/>    prefix_log_group = bool<br/>    file_path        = string<br/>    log_stream_name  = string<br/>    log_class        = optional(string, "STANDARD")<br/>  }))</pre> | `null` | no |
 | <a name="input_runner_metadata_options"></a> [runner\_metadata\_options](#input\_runner\_metadata\_options) | Metadata options for the ec2 runner instances. By default, the module uses metadata tags for bootstrapping the runner, only disable `instance_metadata_tags` when using custom scripts for starting the runner. | `map(any)` | <pre>{<br/>  "http_endpoint": "enabled",<br/>  "http_put_response_hop_limit": 1,<br/>  "http_tokens": "required",<br/>  "instance_metadata_tags": "enabled"<br/>}</pre> | no |
 | <a name="input_runner_name_prefix"></a> [runner\_name\_prefix](#input\_runner\_name\_prefix) | The prefix used for the GitHub runner name. The prefix will be used in the default start script to prefix the instance name when register the runner in GitHub. The value is available via an EC2 tag 'ghr:runner\_name\_prefix'. | `string` | `""` | no |
 | <a name="input_runner_os"></a> [runner\_os](#input\_runner\_os) | The EC2 Operating System type to use for action runner instances (linux,windows). | `string` | `"linux"` | no |

examples/multi-runner/main.tf

@@ -139,6 +139,9 @@ module "runners" {
   # Enable debug logging for the lambda functions
   # log_level = "debug"
 
+  # Set log class to INFREQUENT_ACCESS for cost savings
+  log_class = "STANDARD"
+
   # Enable to track the spot instance termination warning
   # instance_termination_watcher = {
   #   enable         = true

main.tf

@@ -137,6 +137,7 @@ module "webhook" {
   tracing_config                                = var.tracing_config
   logging_retention_in_days                     = var.logging_retention_in_days
   logging_kms_key_id                            = var.logging_kms_key_id
+  log_class                                     = var.log_class
 
   role_path                 = var.role_path
   role_permissions_boundary = var.role_permissions_boundary
@@ -228,6 +229,7 @@ module "runners" {
   tracing_config                                                 = var.tracing_config
   logging_retention_in_days                                      = var.logging_retention_in_days
   logging_kms_key_id                                             = var.logging_kms_key_id
+  log_class                                                      = var.log_class
   enable_cloudwatch_agent                                        = var.enable_cloudwatch_agent
   cloudwatch_config                                              = var.cloudwatch_config
   runner_log_files                                               = var.runner_log_files
@@ -307,6 +309,7 @@ module "runner_binaries" {
   tracing_config                  = var.tracing_config
   logging_retention_in_days       = var.logging_retention_in_days
   logging_kms_key_id              = var.logging_kms_key_id
+  log_class                       = var.log_class
 
   state_event_rule_binaries_syncer     = var.state_event_rule_binaries_syncer
   server_side_encryption_configuration = var.runner_binaries_s3_sse_configuration
@@ -349,6 +352,7 @@ module "ami_housekeeper" {
 
   logging_retention_in_days = var.logging_retention_in_days
   logging_kms_key_id        = var.logging_kms_key_id
+  log_class                 = var.log_class
   log_level                 = var.log_level
 
   role_path                 = var.role_path
@@ -370,6 +374,7 @@ locals {
     subnet_ids                = var.lambda_subnet_ids
     lambda_tags               = var.lambda_tags
     log_level                 = var.log_level
+    log_class                 = var.log_class
     logging_kms_key_id        = var.logging_kms_key_id
     logging_retention_in_days = var.logging_retention_in_days
     role_path                 = var.role_path

modules/ami-housekeeper/README.md

@@ -115,6 +115,7 @@ No modules.
 | <a name="input_lambda_tags"></a> [lambda\_tags](#input\_lambda\_tags) | Map of tags that will be added to all the lambda function resources. Note these are additional tags to the default tags. | `map(string)` | `{}` | no |
 | <a name="input_lambda_timeout"></a> [lambda\_timeout](#input\_lambda\_timeout) | Time out of the lambda in seconds. | `number` | `60` | no |
 | <a name="input_lambda_zip"></a> [lambda\_zip](#input\_lambda\_zip) | File location of the lambda zip file. | `string` | `null` | no |
+| <a name="input_log_class"></a> [log\_class](#input\_log\_class) | The log class of the CloudWatch log group. Valid values are `STANDARD` or `INFREQUENT_ACCESS`. | `string` | `"STANDARD"` | no |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Logging level for lambda logging. Valid values are  'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'. | `string` | `"info"` | no |
 | <a name="input_logging_kms_key_id"></a> [logging\_kms\_key\_id](#input\_logging\_kms\_key\_id) | Specifies the kms key id to encrypt the logs with | `string` | `null` | no |
 | <a name="input_logging_retention_in_days"></a> [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. | `number` | `180` | no |

modules/ami-housekeeper/main.tf

@@ -51,6 +51,7 @@ resource "aws_cloudwatch_log_group" "ami_housekeeper" {
   name              = "/aws/lambda/${aws_lambda_function.ami_housekeeper.function_name}"
   retention_in_days = var.logging_retention_in_days
   kms_key_id        = var.logging_kms_key_id
+  log_group_class   = var.log_class
   tags              = var.tags
 }
 

modules/ami-housekeeper/variables.tf

@@ -54,6 +54,17 @@ variable "logging_kms_key_id" {
   default     = null
 }
 
+variable "log_class" {
+  description = "The log class of the CloudWatch log group. Valid values are `STANDARD` or `INFREQUENT_ACCESS`."
+  type        = string
+  default     = "STANDARD"
+
+  validation {
+    condition     = contains(["STANDARD", "INFREQUENT_ACCESS"], var.log_class)
+    error_message = "`log_class` must be either `STANDARD` or `INFREQUENT_ACCESS`."
+  }
+}
+
 variable "lambda_subnet_ids" {
   description = "List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`."
   type        = list(string)

modules/lambda/README.md

@@ -39,7 +39,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_lambda"></a> [lambda](#input\_lambda) | Configuration for the lambda function.<br/><br/>`aws_partition`: Partition for the base arn if not 'aws'<br/>`architecture`: AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions.<br/>`environment_variables`: Environment variables for the lambda.<br/>`handler`: The entrypoint for the lambda.<br/>`principals`: Add extra principals to the role created for execution of the lambda, e.g. for local testing.<br/>`lambda_tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.<br/>`log_level`: Logging level for lambda logging. Valid values are  'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'.<br/>`logging_kms_key_id`: Specifies the kms key id to encrypt the logs with<br/>`logging_retention_in_days`: Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.<br/>`memory_size`: Memory size limit in MB of the lambda.<br/>`metrics_namespace`: Namespace for the metrics emitted by the lambda.<br/>`name`: The name of the lambda function.<br/>`prefix`: The prefix used for naming resources.<br/>`role_path`: The path that will be added to the role, if not set the environment name will be used.<br/>`role_permissions_boundary`: Permissions boundary that will be added to the created role for the lambda.<br/>`runtime`: AWS Lambda runtime.<br/>`s3_bucket`: S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly.<br/>`s3_key`: S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas.<br/>`s3_object_version`: S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket.<br/>`security_group_ids`: List of security group IDs associated with the Lambda function.<br/>`subnet_ids`: List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`.<br/>`tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.<br/>`timeout`: Time out of the lambda in seconds.<br/>`tracing_config`: Configuration for lambda tracing.<br/>`zip`: File location of the lambda zip file. | <pre>object({<br/>    aws_partition             = optional(string, "aws")<br/>    architecture              = optional(string, "arm64")<br/>    environment_variables     = optional(map(string), {})<br/>    handler                   = string<br/>    lambda_tags               = optional(map(string), {})<br/>    log_level                 = optional(string, "info")<br/>    logging_kms_key_id        = optional(string, null)<br/>    logging_retention_in_days = optional(number, 180)<br/>    memory_size               = optional(number, 256)<br/>    metrics_namespace         = optional(string, "GitHub Runners")<br/>    name                      = string<br/>    prefix                    = optional(string, null)<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })), [])<br/>    role_path                 = optional(string, null)<br/>    role_permissions_boundary = optional(string, null)<br/>    runtime                   = optional(string, "nodejs24.x")<br/>    s3_bucket                 = optional(string, null)<br/>    s3_key                    = optional(string, null)<br/>    s3_object_version         = optional(string, null)<br/>    security_group_ids        = optional(list(string), [])<br/>    subnet_ids                = optional(list(string), [])<br/>    tags                      = optional(map(string), {})<br/>    timeout                   = optional(number, 60)<br/>    tracing_config = optional(object({<br/>      mode                  = optional(string, null)<br/>      capture_http_requests = optional(bool, false)<br/>      capture_error         = optional(bool, false)<br/>    }), {})<br/>    zip = optional(string, null)<br/>  })</pre> | n/a | yes |
+| <a name="input_lambda"></a> [lambda](#input\_lambda) | Configuration for the lambda function.<br/><br/>`aws_partition`: Partition for the base arn if not 'aws'<br/>`architecture`: AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86\_64' functions.<br/>`environment_variables`: Environment variables for the lambda.<br/>`handler`: The entrypoint for the lambda.<br/>`principals`: Add extra principals to the role created for execution of the lambda, e.g. for local testing.<br/>`lambda_tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.<br/>`log_level`: Logging level for lambda logging. Valid values are  'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'.<br/>`logging_kms_key_id`: Specifies the kms key id to encrypt the logs with<br/>`logging_retention_in_days`: Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.<br/>`log_class`: The log class of the CloudWatch log group. Valid values are `STANDARD` or `INFREQUENT_ACCESS`.<br/>`memory_size`: Memory size limit in MB of the lambda.<br/>`metrics_namespace`: Namespace for the metrics emitted by the lambda.<br/>`name`: The name of the lambda function.<br/>`prefix`: The prefix used for naming resources.<br/>`role_path`: The path that will be added to the role, if not set the environment name will be used.<br/>`role_permissions_boundary`: Permissions boundary that will be added to the created role for the lambda.<br/>`runtime`: AWS Lambda runtime.<br/>`s3_bucket`: S3 bucket from which to specify lambda functions. This is an alternative to providing local files directly.<br/>`s3_key`: S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas.<br/>`s3_object_version`: S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket.<br/>`security_group_ids`: List of security group IDs associated with the Lambda function.<br/>`subnet_ids`: List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`.<br/>`tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.<br/>`timeout`: Time out of the lambda in seconds.<br/>`tracing_config`: Configuration for lambda tracing.<br/>`zip`: File location of the lambda zip file. | <pre>object({<br/>    aws_partition             = optional(string, "aws")<br/>    architecture              = optional(string, "arm64")<br/>    environment_variables     = optional(map(string), {})<br/>    handler                   = string<br/>    lambda_tags               = optional(map(string), {})<br/>    log_level                 = optional(string, "info")<br/>    log_class                 = optional(string, "STANDARD")<br/>    logging_kms_key_id        = optional(string, null)<br/>    logging_retention_in_days = optional(number, 180)<br/>    memory_size               = optional(number, 256)<br/>    metrics_namespace         = optional(string, "GitHub Runners")<br/>    name                      = string<br/>    prefix                    = optional(string, null)<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })), [])<br/>    role_path                 = optional(string, null)<br/>    role_permissions_boundary = optional(string, null)<br/>    runtime                   = optional(string, "nodejs24.x")<br/>    s3_bucket                 = optional(string, null)<br/>    s3_key                    = optional(string, null)<br/>    s3_object_version         = optional(string, null)<br/>    security_group_ids        = optional(list(string), [])<br/>    subnet_ids                = optional(list(string), [])<br/>    tags                      = optional(map(string), {})<br/>    timeout                   = optional(number, 60)<br/>    tracing_config = optional(object({<br/>      mode                  = optional(string, null)<br/>      capture_http_requests = optional(bool, false)<br/>      capture_error         = optional(bool, false)<br/>    }), {})<br/>    zip = optional(string, null)<br/>  })</pre> | n/a | yes |
 
 ## Outputs
 

modules/lambda/main.tf

@@ -56,6 +56,7 @@ resource "aws_cloudwatch_log_group" "main" {
   name              = "/aws/lambda/${aws_lambda_function.main.function_name}"
   retention_in_days = var.lambda.logging_retention_in_days
   kms_key_id        = var.lambda.logging_kms_key_id
+  log_group_class   = var.lambda.log_class
   tags              = var.lambda.tags
 }
 

modules/lambda/variables.tf

@@ -11,6 +11,7 @@ variable "lambda" {
     `log_level`: Logging level for lambda logging. Valid values are  'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'.
     `logging_kms_key_id`: Specifies the kms key id to encrypt the logs with
     `logging_retention_in_days`: Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.
+    `log_class`: The log class of the CloudWatch log group. Valid values are `STANDARD` or `INFREQUENT_ACCESS`.
     `memory_size`: Memory size limit in MB of the lambda.
     `metrics_namespace`: Namespace for the metrics emitted by the lambda.
     `name`: The name of the lambda function.
@@ -35,6 +36,7 @@ variable "lambda" {
     handler                   = string
     lambda_tags               = optional(map(string), {})
     log_level                 = optional(string, "info")
+    log_class                 = optional(string, "STANDARD")
     logging_kms_key_id        = optional(string, null)
     logging_retention_in_days = optional(number, 180)
     memory_size               = optional(number, 256)