From 65506378304ee71f2b24f50acf53b972352c1476 Mon Sep 17 00:00:00 2001
From: Nick Clyde
Date: Fri, 3 Apr 2026 15:16:25 -0700
Subject: [PATCH] Enable OpenSearch error logging to CloudWatch

---
 terraform/main.tf | 53 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

diff --git a/terraform/main.tf b/terraform/main.tf
index d613d5e1..16268b4c 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -143,7 +143,6 @@ data "aws_iam_policy_document" "opensearch_access_policy" {
     }
   }
-# TODO: Ensure that OpenSearch error logs (at a minimum) are sent to CloudWatch Logs
 resource "aws_opensearch_domain" "os" {
   domain_name = var.opensearch_domain_name
   engine_version = var.opensearch_engine_version
@@ -186,6 +185,21 @@ resource "aws_opensearch_domain" "os" {
   }
   access_policies = data.aws_iam_policy_document.opensearch_access_policy.json
+  log_publishing_options {
+    cloudwatch_log_group_arn = aws_cloudwatch_log_group.opensearch_app_logs.arn
+    log_type = "ES_APPLICATION_LOGS"
+  }
+
+  log_publishing_options {
+    cloudwatch_log_group_arn = aws_cloudwatch_log_group.opensearch_index_slow_logs.arn
+    log_type = "INDEX_SLOW_LOGS"
+  }
+
+  log_publishing_options {
+    cloudwatch_log_group_arn = aws_cloudwatch_log_group.opensearch_search_slow_logs.arn
+    log_type = "SEARCH_SLOW_LOGS"
+  }
+
   tags = { Name = var.opensearch_domain_name }
 }
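Review bot: The `log_publishing_options` blocks give `aws_opensearch_domain.os` an implicit dependency on the three log groups but none on `aws_cloudwatch_log_resource_policy.opensearch_log_publishing`, so on a fresh apply Terraform is free to create or update the domain before the resource policy exists, and OpenSearch Service rejects enabling log publishing to a group the service is not yet allowed to write to. Add `depends_on = [aws_cloudwatch_log_resource_policy.opensearch_log_publishing]` to the domain resource (its body starts before this hunk). A one-line comment above the first block, `# ES_APPLICATION_LOGS carries the domain's error logs (see the TODO this commit resolves)`, would make it clear which of the three types satisfies the requirement the removed TODO stated. The TODO removal in the first hunk on this line needs nothing further.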
@@ -197,6 +211,43 @@ resource "aws_opensearch_vpc_endpoint" "os_vpc_endpoint" {
   }
 }
+#############
+# OpenSearch CloudWatch Logging
+#############
+resource "aws_cloudwatch_log_group" "opensearch_app_logs" {
+  name = "/aws/opensearch/domains/${var.opensearch_domain_name}/application-logs"
+  retention_in_days = 14
+}
+
+resource "aws_cloudwatch_log_group" "opensearch_index_slow_logs" {
+  name = "/aws/opensearch/domains/${var.opensearch_domain_name}/index-slow-logs"
+  retention_in_days = 14
+}
+
+resource "aws_cloudwatch_log_group" "opensearch_search_slow_logs" {
+  name = "/aws/opensearch/domains/${var.opensearch_domain_name}/search-slow-logs"
+  retention_in_days = 14
+}
+
+data "aws_iam_policy_document" "opensearch_log_publishing" {
+  statement {
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+    resources = ["arn:aws:logs:*:*:log-group:/aws/opensearch/domains/${var.opensearch_domain_name}/*"]
+    principals {
+      type = "Service"
+      identifiers = ["es.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_cloudwatch_log_resource_policy" "opensearch_log_publishing" {
+  policy_document = data.aws_iam_policy_document.opensearch_log_publishing.json
+  policy_name = "opensearch-${var.opensearch_domain_name}-log-publishing"
+}
+
 #############
 # IAM Role for Lambda
 #############
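Review bot: The resource policy in `data.aws_iam_policy_document.opensearch_log_publishing` grants `es.amazonaws.com` write access to `arn:aws:logs:*:*:log-group:/aws/opensearch/domains/<domain>/*` with no condition, which covers every region and account and lets any OpenSearch domain in the account that happens to share the name prefix write into these groups. Scope `resources` to the three groups this file creates and add an `aws:SourceAccount` condition so the grant can only be exercised on behalf of domains in this account; the condition below assumes a `data "aws_caller_identity" "current"` is declared elsewhere in the module, so add one if it is not. The `:*` suffix on each ARN is needed because, to my knowledge, the provider's `aws_cloudwatch_log_group.arn` no longer ends in `:*` in recent versions — confirm against the provider in use. Separately, `retention_in_days = 14` on all three groups is short for error logs if these are relied on for incident investigation, and no `kms_key_id` is set, so the groups fall back to the CloudWatch-managed key; both are policy choices worth a comment stating they are deliberate.
```hcl
data "aws_iam_policy_document" "opensearch_log_publishing" {
  statement {
    # … unchanged: actions list …
    # Only the three groups created above, not every group under the
    # domain prefix in every region and account.
    resources = [
      "${aws_cloudwatch_log_group.opensearch_app_logs.arn}:*",
      "${aws_cloudwatch_log_group.opensearch_index_slow_logs.arn}:*",
      "${aws_cloudwatch_log_group.opensearch_search_slow_logs.arn}:*",
    ]
    # … unchanged: principals block …
    # Confused-deputy guard: the service may only use this grant on
    # behalf of domains in this account.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```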