Feature request: expose deletion_protection_enabled in log-group module #82

@ak2-lucky

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

  • Yes ✅: please list the AWS provider version which introduced this functionality

Is your request related to a problem? Please describe.

The modules/log-group module does not expose the deletion_protection_enabled attribute, even though it is supported by the underlying aws_cloudwatch_log_group resource.

This makes it impossible to enable CloudWatch Logs deletion protection when using this module, which is problematic for production environments where accidental log group deletion must be prevented.

As a result, users have to either:

  • Fork the module, or
  • Avoid using the module and define aws_cloudwatch_log_group directly

Both options reduce the benefit of using this otherwise well-maintained module.

Describe the solution you'd like.

Expose deletion_protection_enabled as an optional variable in the modules/log-group module and pass it through to the aws_cloudwatch_log_group resource.

Example:

variable "deletion_protection_enabled" {
  type    = bool
  default = null
}

And in the resource:

deletion_protection_enabled = var.deletion_protection_enabled

This would keep backward compatibility while allowing users to opt in.

Describe alternatives you've considered.

  • Defining aws_cloudwatch_log_group directly instead of using the module
  • Forking and maintaining a custom version of the module

Both approaches increase maintenance cost and reduce consistency with the upstream module.

Additional context

According to the AWS provider documentation, deletion_protection_enabled is an officially supported attribute:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#deletion_protection_enabled

Adding support for this attribute would improve safety for production workloads without breaking existing users.

If this feature request is acceptable, I’d be happy to submit a pull request to add this support.
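
Until the module exposes the attribute, a plan-time check can catch log groups that would be left unprotected or deleted. The following is an added example, not part of the original issue or the module's code: it reads the `resource_changes` list from `terraform show -json <planfile>` output and flags `aws_cloudwatch_log_group` resources. The sample plan and resource addresses are constructed, and treating a null or absent `deletion_protection_enabled` as unprotected is an assumption.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Addresses and names are made up for illustration.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "module.app_logs.aws_cloudwatch_log_group.this",
         "type": "aws_cloudwatch_log_group",
         "change": {"actions": ["create"],
                    "after": {"name": "/prod/app", "deletion_protection_enabled": True}}},
        {"address": "aws_cloudwatch_log_group.audit",
         "type": "aws_cloudwatch_log_group",
         "change": {"actions": ["update"],
                    "after": {"name": "/prod/audit", "deletion_protection_enabled": None}}},
        {"address": "aws_cloudwatch_log_group.legacy",
         "type": "aws_cloudwatch_log_group",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
         "change": {"actions": ["no-op"], "after": {"bucket": "assets"}}},
    ]
})


def audit_log_groups(plan_json: str) -> list[tuple[str, str]]:
    """Return (address, finding) pairs for log groups left unprotected or deleted."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_cloudwatch_log_group":
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        after = change.get("after")
        # A pure delete removes the log group; a replace (delete + create) falls through.
        if "delete" in actions and "create" not in actions:
            findings.append((rc["address"], "planned deletion"))
            continue
        # Assumption: null, absent or not-yet-known values count as unprotected.
        if not (after or {}).get("deletion_protection_enabled"):
            findings.append((rc["address"], "deletion protection not enabled"))
    return findings


if __name__ == "__main__":
    for address, finding in audit_log_groups(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```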
