From 761fb7f5b8d7bb8ae99c54d8fa143c40d0772c0a Mon Sep 17 00:00:00 2001
From: Bryant Biggs <bryantbiggs@gmail.com>
Date: Thu, 17 Feb 2022 10:02:57 -0500
Subject: [PATCH] feat: Add support for managing CloudWatch log groups (#380)

---
 README.md                                     |  5 +++-
 examples/complete-mssql/README.md             |  1 +
 examples/complete-mssql/main.tf               |  1 +
 examples/complete-mssql/outputs.tf            |  5 ++++
 examples/complete-mysql/README.md             |  2 ++
 examples/complete-mysql/main.tf               |  5 ++--
 examples/complete-mysql/outputs.tf            | 10 +++++++
 examples/complete-oracle/README.md            |  1 +
 examples/complete-oracle/main.tf              |  1 +
 examples/complete-oracle/outputs.tf           |  5 ++++
 examples/complete-postgres/README.md          |  2 ++
 examples/complete-postgres/main.tf            |  8 ++++--
 examples/complete-postgres/outputs.tf         | 10 +++++++
 .../cross-region-replica-postgres/README.md   |  2 ++
 .../cross-region-replica-postgres/main.tf     |  5 ++--
 .../cross-region-replica-postgres/outputs.tf  | 10 +++++++
 examples/enhanced-monitoring/README.md        |  1 +
 examples/enhanced-monitoring/main.tf          |  2 +-
 examples/enhanced-monitoring/outputs.tf       |  5 ++++
 examples/groups/main.tf                       | 10 +++----
 examples/replica-mysql/README.md              |  2 ++
 examples/replica-mysql/main.tf                |  2 +-
 examples/replica-mysql/outputs.tf             | 10 +++++++
 examples/replica-postgres/README.md           |  2 ++
 examples/replica-postgres/main.tf             |  2 +-
 examples/replica-postgres/outputs.tf          | 10 +++++++
 examples/s3-import-mysql/README.md            |  1 +
 examples/s3-import-mysql/main.tf              |  2 +-
 examples/s3-import-mysql/outputs.tf           |  5 ++++
 main.tf                                       | 12 +++++---
 modules/db_instance/README.md                 |  5 ++++
 modules/db_instance/main.tf                   | 14 ++++++++++
 modules/db_instance/outputs.tf                |  9 ++++++
 modules/db_instance/variables.tf              | 22 +++++++++++++++
 outputs.tf                                    |  9 ++++++
 variables.tf                                  | 28 +++++++++++++++----
 36 files changed, 198 insertions(+), 28 deletions(-)

diff --git a/README.md b/README.md
index 3fa471f9..9679490c 100644
--- a/README.md
+++ b/README.md
@@ -243,14 +243,16 @@ Users have the ability to:
 | <a name="input_backup_window"></a> [backup\_window](#input\_backup\_window) | The daily time range (in UTC) during which automated backups are created if they are enabled. Example: '09:46-10:16'. Must not overlap with maintenance\_window | `string` | `null` | no |
 | <a name="input_ca_cert_identifier"></a> [ca\_cert\_identifier](#input\_ca\_cert\_identifier) | Specifies the identifier of the CA certificate for the DB instance | `string` | `null` | no |
 | <a name="input_character_set_name"></a> [character\_set\_name](#input\_character\_set\_name) | The character set name to use for DB encoding in Oracle instances. This can't be changed. See Oracle Character Sets Supported in Amazon RDS and Collations and Character Sets for Microsoft SQL Server for more information. This can only be set on creation | `string` | `null` | no |
+| <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
+| <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | The number of days to retain CloudWatch logs for the DB instance | `number` | `7` | no |
 | <a name="input_copy_tags_to_snapshot"></a> [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | On delete, copy all Instance tags to the final snapshot | `bool` | `false` | no |
+| <a name="input_create_cloudwatch_log_group"></a> [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a CloudWatch log group is created for each `enabled_cloudwatch_logs_exports` | `bool` | `false` | no |
 | <a name="input_create_db_instance"></a> [create\_db\_instance](#input\_create\_db\_instance) | Whether to create a database instance | `bool` | `true` | no |
 | <a name="input_create_db_option_group"></a> [create\_db\_option\_group](#input\_create\_db\_option\_group) | Create a database option group | `bool` | `true` | no |
 | <a name="input_create_db_parameter_group"></a> [create\_db\_parameter\_group](#input\_create\_db\_parameter\_group) | Whether to create a database parameter group | `bool` | `true` | no |
 | <a name="input_create_db_subnet_group"></a> [create\_db\_subnet\_group](#input\_create\_db\_subnet\_group) | Whether to create a database subnet group | `bool` | `false` | no |
 | <a name="input_create_monitoring_role"></a> [create\_monitoring\_role](#input\_create\_monitoring\_role) | Create IAM role with a defined name that permits RDS to send enhanced monitoring metrics to CloudWatch Logs | `bool` | `false` | no |
 | <a name="input_create_random_password"></a> [create\_random\_password](#input\_create\_random\_password) | Whether to create random password for RDS primary cluster | `bool` | `true` | no |
-| <a name="input_cross_region_replica"></a> [cross\_region\_replica](#input\_cross\_region\_replica) | Specifies if the replica should be cross region. It allows the use of a subnet group in a region different than the master instance | `bool` | `false` | no |
 | <a name="input_db_instance_tags"></a> [db\_instance\_tags](#input\_db\_instance\_tags) | Additional tags for the DB instance | `map(string)` | `{}` | no |
 | <a name="input_db_name"></a> [db\_name](#input\_db\_name) | The DB name to create. If omitted, no database is created initially | `string` | `null` | no |
 | <a name="input_db_option_group_tags"></a> [db\_option\_group\_tags](#input\_db\_option\_group\_tags) | Additional tags for the DB option group | `map(string)` | `{}` | no |
@@ -321,6 +323,7 @@ Users have the ability to:
 | <a name="output_db_instance_arn"></a> [db\_instance\_arn](#output\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_db_instance_availability_zone"></a> [db\_instance\_availability\_zone](#output\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
 | <a name="output_db_instance_ca_cert_identifier"></a> [db\_instance\_ca\_cert\_identifier](#output\_db\_instance\_ca\_cert\_identifier) | Specifies the identifier of the CA certificate for the DB instance |
+| <a name="output_db_instance_cloudwatch_log_groups"></a> [db\_instance\_cloudwatch\_log\_groups](#output\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_db_instance_domain"></a> [db\_instance\_domain](#output\_db\_instance\_domain) | The ID of the Directory Service Active Directory domain the instance is joined to |
 | <a name="output_db_instance_domain_iam_role_name"></a> [db\_instance\_domain\_iam\_role\_name](#output\_db\_instance\_domain\_iam\_role\_name) | The name of the IAM role to be used when making API calls to the Directory Service. |
 | <a name="output_db_instance_endpoint"></a> [db\_instance\_endpoint](#output\_db\_instance\_endpoint) | The connection endpoint |
diff --git a/examples/complete-mssql/README.md b/examples/complete-mssql/README.md
index 221bc868..342899fd 100644
--- a/examples/complete-mssql/README.md
+++ b/examples/complete-mssql/README.md
@@ -58,6 +58,7 @@ No inputs.
 | <a name="output_db_instance_address"></a> [db\_instance\_address](#output\_db\_instance\_address) | The address of the RDS instance |
 | <a name="output_db_instance_arn"></a> [db\_instance\_arn](#output\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_db_instance_availability_zone"></a> [db\_instance\_availability\_zone](#output\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| <a name="output_db_instance_cloudwatch_log_groups"></a> [db\_instance\_cloudwatch\_log\_groups](#output\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_db_instance_domain"></a> [db\_instance\_domain](#output\_db\_instance\_domain) | The ID of the Directory Service Active Directory domain the instance is joined to |
 | <a name="output_db_instance_domain_iam_role_name"></a> [db\_instance\_domain\_iam\_role\_name](#output\_db\_instance\_domain\_iam\_role\_name) | The name of the IAM role to be used when making API calls to the Directory Service. |
 | <a name="output_db_instance_endpoint"></a> [db\_instance\_endpoint](#output\_db\_instance\_endpoint) | The connection endpoint |
diff --git a/examples/complete-mssql/main.tf b/examples/complete-mssql/main.tf
index d71e373c..722fbd27 100644
--- a/examples/complete-mssql/main.tf
+++ b/examples/complete-mssql/main.tf
@@ -137,6 +137,7 @@ module "db" {
   maintenance_window              = "Mon:00:00-Mon:03:00"
   backup_window                   = "03:00-06:00"
   enabled_cloudwatch_logs_exports = ["error"]
+  create_cloudwatch_log_group     = true
 
   backup_retention_period = 0
   skip_final_snapshot     = true
diff --git a/examples/complete-mssql/outputs.tf b/examples/complete-mssql/outputs.tf
index 86adeea9..f93cb18f 100644
--- a/examples/complete-mssql/outputs.tf
+++ b/examples/complete-mssql/outputs.tf
@@ -94,3 +94,8 @@ output "db_enhanced_monitoring_iam_role_arn" {
   description = "The Amazon Resource Name (ARN) specifying the monitoring role"
   value       = module.db.enhanced_monitoring_iam_role_arn
 }
+
+output "db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.db.db_instance_cloudwatch_log_groups
+}
diff --git a/examples/complete-mysql/README.md b/examples/complete-mysql/README.md
index 7f85e4e3..5337410b 100644
--- a/examples/complete-mysql/README.md
+++ b/examples/complete-mysql/README.md
@@ -48,6 +48,7 @@ No inputs.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_db_default_cloudwatch_log_groups"></a> [db\_default\_cloudwatch\_log\_groups](#output\_db\_default\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_db_default_instance_address"></a> [db\_default\_instance\_address](#output\_db\_default\_instance\_address) | The address of the RDS instance |
 | <a name="output_db_default_instance_arn"></a> [db\_default\_instance\_arn](#output\_db\_default\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_db_default_instance_availability_zone"></a> [db\_default\_instance\_availability\_zone](#output\_db\_default\_instance\_availability\_zone) | The availability zone of the RDS instance |
@@ -68,6 +69,7 @@ No inputs.
 | <a name="output_db_instance_address"></a> [db\_instance\_address](#output\_db\_instance\_address) | The address of the RDS instance |
 | <a name="output_db_instance_arn"></a> [db\_instance\_arn](#output\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_db_instance_availability_zone"></a> [db\_instance\_availability\_zone](#output\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| <a name="output_db_instance_cloudwatch_log_groups"></a> [db\_instance\_cloudwatch\_log\_groups](#output\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_db_instance_endpoint"></a> [db\_instance\_endpoint](#output\_db\_instance\_endpoint) | The connection endpoint |
 | <a name="output_db_instance_hosted_zone_id"></a> [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | <a name="output_db_instance_id"></a> [db\_instance\_id](#output\_db\_instance\_id) | The RDS instance ID |
diff --git a/examples/complete-mysql/main.tf b/examples/complete-mysql/main.tf
index 7f78f946..583e0d3c 100644
--- a/examples/complete-mysql/main.tf
+++ b/examples/complete-mysql/main.tf
@@ -68,7 +68,7 @@ module "db" {
   engine_version       = "8.0.27"
   family               = "mysql8.0" # DB parameter group
   major_engine_version = "8.0"      # DB option group
-  instance_class       = "db.t3a.large"
+  instance_class       = "db.t4g.large"
 
   allocated_storage     = 20
   max_allocated_storage = 100
@@ -84,6 +84,7 @@ module "db" {
   maintenance_window              = "Mon:00:00-Mon:03:00"
   backup_window                   = "03:00-06:00"
   enabled_cloudwatch_logs_exports = ["general"]
+  create_cloudwatch_log_group     = true
 
   backup_retention_period = 0
   skip_final_snapshot     = true
@@ -133,7 +134,7 @@ module "db_default" {
   engine_version       = "8.0.27"
   family               = "mysql8.0" # DB parameter group
   major_engine_version = "8.0"      # DB option group
-  instance_class       = "db.t3a.large"
+  instance_class       = "db.t4g.large"
 
   allocated_storage = 20
 
diff --git a/examples/complete-mysql/outputs.tf b/examples/complete-mysql/outputs.tf
index 50dae1f7..7190f111 100644
--- a/examples/complete-mysql/outputs.tf
+++ b/examples/complete-mysql/outputs.tf
@@ -85,6 +85,11 @@ output "db_enhanced_monitoring_iam_role_arn" {
   value       = module.db.enhanced_monitoring_iam_role_arn
 }
 
+output "db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.db.db_instance_cloudwatch_log_groups
+}
+
 # Default
 output "db_default_instance_address" {
   description = "The address of the RDS instance"
@@ -167,3 +172,8 @@ output "db_default_parameter_group_arn" {
   description = "The ARN of the db parameter group"
   value       = module.db_default.db_parameter_group_arn
 }
+
+output "db_default_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.db_default.db_instance_cloudwatch_log_groups
+}
diff --git a/examples/complete-oracle/README.md b/examples/complete-oracle/README.md
index 8392470c..fe11d4f9 100644
--- a/examples/complete-oracle/README.md
+++ b/examples/complete-oracle/README.md
@@ -50,6 +50,7 @@ No inputs.
 | <a name="output_db_instance_address"></a> [db\_instance\_address](#output\_db\_instance\_address) | The address of the RDS instance |
 | <a name="output_db_instance_arn"></a> [db\_instance\_arn](#output\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_db_instance_availability_zone"></a> [db\_instance\_availability\_zone](#output\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| <a name="output_db_instance_cloudwatch_log_groups"></a> [db\_instance\_cloudwatch\_log\_groups](#output\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_db_instance_endpoint"></a> [db\_instance\_endpoint](#output\_db\_instance\_endpoint) | The connection endpoint |
 | <a name="output_db_instance_hosted_zone_id"></a> [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | <a name="output_db_instance_id"></a> [db\_instance\_id](#output\_db\_instance\_id) | The RDS instance ID |
diff --git a/examples/complete-oracle/main.tf b/examples/complete-oracle/main.tf
index 753d4b18..6767fa86 100644
--- a/examples/complete-oracle/main.tf
+++ b/examples/complete-oracle/main.tf
@@ -85,6 +85,7 @@ module "db" {
   maintenance_window              = "Mon:00:00-Mon:03:00"
   backup_window                   = "03:00-06:00"
   enabled_cloudwatch_logs_exports = ["alert", "audit"]
+  create_cloudwatch_log_group     = true
 
   backup_retention_period = 0
   skip_final_snapshot     = true
diff --git a/examples/complete-oracle/outputs.tf b/examples/complete-oracle/outputs.tf
index 3dddc423..e4806fff 100644
--- a/examples/complete-oracle/outputs.tf
+++ b/examples/complete-oracle/outputs.tf
@@ -79,3 +79,8 @@ output "db_parameter_group_arn" {
   description = "The ARN of the db parameter group"
   value       = module.db.db_parameter_group_arn
 }
+
+output "db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.db.db_instance_cloudwatch_log_groups
+}
diff --git a/examples/complete-postgres/README.md b/examples/complete-postgres/README.md
index 6984ee4d..d6d9b97b 100644
--- a/examples/complete-postgres/README.md
+++ b/examples/complete-postgres/README.md
@@ -51,6 +51,7 @@ No inputs.
 | <a name="output_db_default_instance_address"></a> [db\_default\_instance\_address](#output\_db\_default\_instance\_address) | The address of the RDS instance |
 | <a name="output_db_default_instance_arn"></a> [db\_default\_instance\_arn](#output\_db\_default\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_db_default_instance_availability_zone"></a> [db\_default\_instance\_availability\_zone](#output\_db\_default\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| <a name="output_db_default_instance_cloudwatch_log_groups"></a> [db\_default\_instance\_cloudwatch\_log\_groups](#output\_db\_default\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_db_default_instance_endpoint"></a> [db\_default\_instance\_endpoint](#output\_db\_default\_instance\_endpoint) | The connection endpoint |
 | <a name="output_db_default_instance_hosted_zone_id"></a> [db\_default\_instance\_hosted\_zone\_id](#output\_db\_default\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | <a name="output_db_default_instance_id"></a> [db\_default\_instance\_id](#output\_db\_default\_instance\_id) | The RDS instance ID |
@@ -68,6 +69,7 @@ No inputs.
 | <a name="output_db_instance_address"></a> [db\_instance\_address](#output\_db\_instance\_address) | The address of the RDS instance |
 | <a name="output_db_instance_arn"></a> [db\_instance\_arn](#output\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_db_instance_availability_zone"></a> [db\_instance\_availability\_zone](#output\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| <a name="output_db_instance_cloudwatch_log_groups"></a> [db\_instance\_cloudwatch\_log\_groups](#output\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_db_instance_endpoint"></a> [db\_instance\_endpoint](#output\_db\_instance\_endpoint) | The connection endpoint |
 | <a name="output_db_instance_hosted_zone_id"></a> [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | <a name="output_db_instance_id"></a> [db\_instance\_id](#output\_db\_instance\_id) | The RDS instance ID |
diff --git a/examples/complete-postgres/main.tf b/examples/complete-postgres/main.tf
index 6e0edf94..a757dc36 100644
--- a/examples/complete-postgres/main.tf
+++ b/examples/complete-postgres/main.tf
@@ -27,7 +27,8 @@ module "vpc" {
   private_subnets  = ["10.99.3.0/24", "10.99.4.0/24", "10.99.5.0/24"]
   database_subnets = ["10.99.7.0/24", "10.99.8.0/24", "10.99.9.0/24"]
 
-  create_database_subnet_group = true
+  create_database_subnet_group       = true
+  create_database_subnet_route_table = true
 
   tags = local.tags
 }
@@ -68,7 +69,7 @@ module "db" {
   engine_version       = "14.1"
   family               = "postgres14" # DB parameter group
   major_engine_version = "14"         # DB option group
-  instance_class       = "db.t3a.large"
+  instance_class       = "db.t4g.large"
 
   allocated_storage     = 20
   max_allocated_storage = 100
@@ -87,6 +88,7 @@ module "db" {
   maintenance_window              = "Mon:00:00-Mon:03:00"
   backup_window                   = "03:00-06:00"
   enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
+  create_cloudwatch_log_group     = true
 
   backup_retention_period = 0
   skip_final_snapshot     = true
@@ -132,7 +134,7 @@ module "db_default" {
   engine_version       = "14.1"
   family               = "postgres14" # DB parameter group
   major_engine_version = "14"         # DB option group
-  instance_class       = "db.t3a.large"
+  instance_class       = "db.t4g.large"
 
   allocated_storage = 20
 
diff --git a/examples/complete-postgres/outputs.tf b/examples/complete-postgres/outputs.tf
index 50dae1f7..9f670010 100644
--- a/examples/complete-postgres/outputs.tf
+++ b/examples/complete-postgres/outputs.tf
@@ -85,6 +85,11 @@ output "db_enhanced_monitoring_iam_role_arn" {
   value       = module.db.enhanced_monitoring_iam_role_arn
 }
 
+output "db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.db.db_instance_cloudwatch_log_groups
+}
+
 # Default
 output "db_default_instance_address" {
   description = "The address of the RDS instance"
@@ -167,3 +172,8 @@ output "db_default_parameter_group_arn" {
   description = "The ARN of the db parameter group"
   value       = module.db_default.db_parameter_group_arn
 }
+
+output "db_default_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.db_default.db_instance_cloudwatch_log_groups
+}
diff --git a/examples/cross-region-replica-postgres/README.md b/examples/cross-region-replica-postgres/README.md
index 321c28b4..e338764c 100644
--- a/examples/cross-region-replica-postgres/README.md
+++ b/examples/cross-region-replica-postgres/README.md
@@ -52,6 +52,7 @@ No inputs.
 | <a name="output_master_db_instance_address"></a> [master\_db\_instance\_address](#output\_master\_db\_instance\_address) | The address of the RDS instance |
 | <a name="output_master_db_instance_arn"></a> [master\_db\_instance\_arn](#output\_master\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_master_db_instance_availability_zone"></a> [master\_db\_instance\_availability\_zone](#output\_master\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| <a name="output_master_db_instance_cloudwatch_log_groups"></a> [master\_db\_instance\_cloudwatch\_log\_groups](#output\_master\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_master_db_instance_endpoint"></a> [master\_db\_instance\_endpoint](#output\_master\_db\_instance\_endpoint) | The connection endpoint |
 | <a name="output_master_db_instance_hosted_zone_id"></a> [master\_db\_instance\_hosted\_zone\_id](#output\_master\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | <a name="output_master_db_instance_id"></a> [master\_db\_instance\_id](#output\_master\_db\_instance\_id) | The RDS instance ID |
@@ -66,6 +67,7 @@ No inputs.
 | <a name="output_replica_db_instance_address"></a> [replica\_db\_instance\_address](#output\_replica\_db\_instance\_address) | The address of the RDS instance |
 | <a name="output_replica_db_instance_arn"></a> [replica\_db\_instance\_arn](#output\_replica\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_replica_db_instance_availability_zone"></a> [replica\_db\_instance\_availability\_zone](#output\_replica\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| <a name="output_replica_db_instance_cloudwatch_log_groups"></a> [replica\_db\_instance\_cloudwatch\_log\_groups](#output\_replica\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_replica_db_instance_endpoint"></a> [replica\_db\_instance\_endpoint](#output\_replica\_db\_instance\_endpoint) | The connection endpoint |
 | <a name="output_replica_db_instance_hosted_zone_id"></a> [replica\_db\_instance\_hosted\_zone\_id](#output\_replica\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | <a name="output_replica_db_instance_id"></a> [replica\_db\_instance\_id](#output\_replica\_db\_instance\_id) | The RDS instance ID |
diff --git a/examples/cross-region-replica-postgres/main.tf b/examples/cross-region-replica-postgres/main.tf
index 1f604fee..65e6aaf5 100644
--- a/examples/cross-region-replica-postgres/main.tf
+++ b/examples/cross-region-replica-postgres/main.tf
@@ -20,7 +20,7 @@ locals {
   engine_version        = "14.1"
   family                = "postgres14" # DB parameter group
   major_engine_version  = "14"         # DB option group
-  instance_class        = "db.t3a.large"
+  instance_class        = "db.t4g.large"
   allocated_storage     = 20
   max_allocated_storage = 100
   port                  = 5432
@@ -170,7 +170,6 @@ module "replica" {
 
   # Source database. For cross-region use db_instance_arn
   replicate_source_db    = module.master.db_instance_arn
-  cross_region_replica   = true
   create_random_password = false
 
   engine               = local.engine
@@ -198,7 +197,7 @@ module "replica" {
   skip_final_snapshot     = true
   deletion_protection     = false
 
-  # Must create or specify a subnet group since the replica is on another region
+  # Specify a subnet group created in the replica region
   db_subnet_group_name = module.vpc_region2.database_subnet_group_name
 
   tags = local.tags
diff --git a/examples/cross-region-replica-postgres/outputs.tf b/examples/cross-region-replica-postgres/outputs.tf
index bf351e2d..f4056186 100644
--- a/examples/cross-region-replica-postgres/outputs.tf
+++ b/examples/cross-region-replica-postgres/outputs.tf
@@ -71,6 +71,11 @@ output "master_db_subnet_group_arn" {
   value       = module.master.db_subnet_group_arn
 }
 
+output "master_db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.master.db_instance_cloudwatch_log_groups
+}
+
 # Replica
 output "replica_db_instance_address" {
   description = "The address of the RDS instance"
@@ -127,3 +132,8 @@ output "replica_db_instance_port" {
   description = "The database port"
   value       = module.replica.db_instance_port
 }
+
+output "replica_db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.replica.db_instance_cloudwatch_log_groups
+}
diff --git a/examples/enhanced-monitoring/README.md b/examples/enhanced-monitoring/README.md
index 48b980ca..cfc4898e 100644
--- a/examples/enhanced-monitoring/README.md
+++ b/examples/enhanced-monitoring/README.md
@@ -57,6 +57,7 @@ No inputs.
 | <a name="output_db_instance_address"></a> [db\_instance\_address](#output\_db\_instance\_address) | The address of the RDS instance |
 | <a name="output_db_instance_arn"></a> [db\_instance\_arn](#output\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_db_instance_availability_zone"></a> [db\_instance\_availability\_zone](#output\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| <a name="output_db_instance_cloudwatch_log_groups"></a> [db\_instance\_cloudwatch\_log\_groups](#output\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_db_instance_endpoint"></a> [db\_instance\_endpoint](#output\_db\_instance\_endpoint) | The connection endpoint |
 | <a name="output_db_instance_hosted_zone_id"></a> [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | <a name="output_db_instance_id"></a> [db\_instance\_id](#output\_db\_instance\_id) | The RDS instance ID |
diff --git a/examples/enhanced-monitoring/main.tf b/examples/enhanced-monitoring/main.tf
index aed51c90..2136b452 100644
--- a/examples/enhanced-monitoring/main.tf
+++ b/examples/enhanced-monitoring/main.tf
@@ -97,7 +97,7 @@ module "db" {
   engine_version       = "8.0.27"
   family               = "mysql8.0" # DB parameter group
   major_engine_version = "8.0"      # DB option group
-  instance_class       = "db.t3a.large"
+  instance_class       = "db.t4g.large"
 
   allocated_storage     = 20
   max_allocated_storage = 100
diff --git a/examples/enhanced-monitoring/outputs.tf b/examples/enhanced-monitoring/outputs.tf
index 3dddc423..e4806fff 100644
--- a/examples/enhanced-monitoring/outputs.tf
+++ b/examples/enhanced-monitoring/outputs.tf
@@ -79,3 +79,8 @@ output "db_parameter_group_arn" {
   description = "The ARN of the db parameter group"
   value       = module.db.db_parameter_group_arn
 }
+
+output "db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.db.db_instance_cloudwatch_log_groups
+}
diff --git a/examples/groups/main.tf b/examples/groups/main.tf
index 90ff45a4..261cc4df 100644
--- a/examples/groups/main.tf
+++ b/examples/groups/main.tf
@@ -31,7 +31,7 @@ module "default_postgres" {
   engine_version       = "14.1"
   family               = "postgres14" # DB parameter group
   major_engine_version = "14"         # DB option group
-  instance_class       = "db.t3a.large"
+  instance_class       = "db.t4g.large"
 
   allocated_storage = 20
 
@@ -62,7 +62,7 @@ module "default_mysql" {
   engine_version       = "8.0.27"
   family               = "mysql8.0" # DB parameter group
   major_engine_version = "8.0"      # DB option group
-  instance_class       = "db.t3a.large"
+  instance_class       = "db.t4g.large"
 
   allocated_storage = 20
 
@@ -97,7 +97,7 @@ module "default_mysql_name" {
   engine_version       = "8.0.27"
   family               = "mysql8.0" # DB parameter group
   major_engine_version = "8.0"      # DB option group
-  instance_class       = "db.t3a.large"
+  instance_class       = "db.t4g.large"
 
   allocated_storage = 20
 
@@ -129,7 +129,7 @@ module "default_mysql_default_aws" {
   engine_version       = "8.0.27"
   family               = "mysql8.0" # DB parameter group
   major_engine_version = "8.0"      # DB option group
-  instance_class       = "db.t3a.large"
+  instance_class       = "db.t4g.large"
 
   allocated_storage = 20
 
@@ -164,7 +164,7 @@ module "byo_mysql" {
   engine_version       = "8.0.27"
   family               = "mysql8.0" # DB parameter group
   major_engine_version = "8.0"      # DB option group
-  instance_class       = "db.t3a.large"
+  instance_class       = "db.t4g.large"
 
   allocated_storage = 20
 
diff --git a/examples/replica-mysql/README.md b/examples/replica-mysql/README.md
index a6401bfa..f49bdcee 100644
--- a/examples/replica-mysql/README.md
+++ b/examples/replica-mysql/README.md
@@ -50,6 +50,7 @@ No inputs.
 | <a name="output_master_db_instance_address"></a> [master\_db\_instance\_address](#output\_master\_db\_instance\_address) | The address of the RDS instance |
 | <a name="output_master_db_instance_arn"></a> [master\_db\_instance\_arn](#output\_master\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_master_db_instance_availability_zone"></a> [master\_db\_instance\_availability\_zone](#output\_master\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| <a name="output_master_db_instance_cloudwatch_log_groups"></a> [master\_db\_instance\_cloudwatch\_log\_groups](#output\_master\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_master_db_instance_endpoint"></a> [master\_db\_instance\_endpoint](#output\_master\_db\_instance\_endpoint) | The connection endpoint |
 | <a name="output_master_db_instance_hosted_zone_id"></a> [master\_db\_instance\_hosted\_zone\_id](#output\_master\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | <a name="output_master_db_instance_id"></a> [master\_db\_instance\_id](#output\_master\_db\_instance\_id) | The RDS instance ID |
@@ -64,6 +65,7 @@ No inputs.
 | <a name="output_replica_db_instance_address"></a> [replica\_db\_instance\_address](#output\_replica\_db\_instance\_address) | The address of the RDS instance |
 | <a name="output_replica_db_instance_arn"></a> [replica\_db\_instance\_arn](#output\_replica\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_replica_db_instance_availability_zone"></a> [replica\_db\_instance\_availability\_zone](#output\_replica\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| <a name="output_replica_db_instance_cloudwatch_log_groups"></a> [replica\_db\_instance\_cloudwatch\_log\_groups](#output\_replica\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_replica_db_instance_endpoint"></a> [replica\_db\_instance\_endpoint](#output\_replica\_db\_instance\_endpoint) | The connection endpoint |
 | <a name="output_replica_db_instance_hosted_zone_id"></a> [replica\_db\_instance\_hosted\_zone\_id](#output\_replica\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | <a name="output_replica_db_instance_id"></a> [replica\_db\_instance\_id](#output\_replica\_db\_instance\_id) | The RDS instance ID |
diff --git a/examples/replica-mysql/main.tf b/examples/replica-mysql/main.tf
index 5ecffd57..eb789c8a 100644
--- a/examples/replica-mysql/main.tf
+++ b/examples/replica-mysql/main.tf
@@ -14,7 +14,7 @@ locals {
   engine_version        = "8.0.27"
   family                = "mysql8.0" # DB parameter group
   major_engine_version  = "8.0"      # DB option group
-  instance_class        = "db.t3a.large"
+  instance_class        = "db.t4g.large"
   allocated_storage     = 20
   max_allocated_storage = 100
   port                  = 3306
diff --git a/examples/replica-mysql/outputs.tf b/examples/replica-mysql/outputs.tf
index bf351e2d..f4056186 100644
--- a/examples/replica-mysql/outputs.tf
+++ b/examples/replica-mysql/outputs.tf
@@ -71,6 +71,11 @@ output "master_db_subnet_group_arn" {
   value       = module.master.db_subnet_group_arn
 }
 
+output "master_db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.master.db_instance_cloudwatch_log_groups
+}
+
 # Replica
 output "replica_db_instance_address" {
   description = "The address of the RDS instance"
@@ -127,3 +132,8 @@ output "replica_db_instance_port" {
   description = "The database port"
   value       = module.replica.db_instance_port
 }
+
+output "replica_db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.replica.db_instance_cloudwatch_log_groups
+}
diff --git a/examples/replica-postgres/README.md b/examples/replica-postgres/README.md
index d3f64355..0f8b810f 100644
--- a/examples/replica-postgres/README.md
+++ b/examples/replica-postgres/README.md
@@ -50,6 +50,7 @@ No inputs.
 | <a name="output_master_db_instance_address"></a> [master\_db\_instance\_address](#output\_master\_db\_instance\_address) | The address of the RDS instance |
 | <a name="output_master_db_instance_arn"></a> [master\_db\_instance\_arn](#output\_master\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_master_db_instance_availability_zone"></a> [master\_db\_instance\_availability\_zone](#output\_master\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| <a name="output_master_db_instance_cloudwatch_log_groups"></a> [master\_db\_instance\_cloudwatch\_log\_groups](#output\_master\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_master_db_instance_endpoint"></a> [master\_db\_instance\_endpoint](#output\_master\_db\_instance\_endpoint) | The connection endpoint |
 | <a name="output_master_db_instance_hosted_zone_id"></a> [master\_db\_instance\_hosted\_zone\_id](#output\_master\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | <a name="output_master_db_instance_id"></a> [master\_db\_instance\_id](#output\_master\_db\_instance\_id) | The RDS instance ID |
@@ -64,6 +65,7 @@ No inputs.
 | <a name="output_replica_db_instance_address"></a> [replica\_db\_instance\_address](#output\_replica\_db\_instance\_address) | The address of the RDS instance |
 | <a name="output_replica_db_instance_arn"></a> [replica\_db\_instance\_arn](#output\_replica\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_replica_db_instance_availability_zone"></a> [replica\_db\_instance\_availability\_zone](#output\_replica\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| <a name="output_replica_db_instance_cloudwatch_log_groups"></a> [replica\_db\_instance\_cloudwatch\_log\_groups](#output\_replica\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_replica_db_instance_endpoint"></a> [replica\_db\_instance\_endpoint](#output\_replica\_db\_instance\_endpoint) | The connection endpoint |
 | <a name="output_replica_db_instance_hosted_zone_id"></a> [replica\_db\_instance\_hosted\_zone\_id](#output\_replica\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | <a name="output_replica_db_instance_id"></a> [replica\_db\_instance\_id](#output\_replica\_db\_instance\_id) | The RDS instance ID |
diff --git a/examples/replica-postgres/main.tf b/examples/replica-postgres/main.tf
index a43808ef..516ef712 100644
--- a/examples/replica-postgres/main.tf
+++ b/examples/replica-postgres/main.tf
@@ -14,7 +14,7 @@ locals {
   engine_version        = "14.1"
   family                = "postgres14" # DB parameter group
   major_engine_version  = "14"         # DB option group
-  instance_class        = "db.t3a.large"
+  instance_class        = "db.t4g.large"
   allocated_storage     = 20
   max_allocated_storage = 100
   port                  = 5432
diff --git a/examples/replica-postgres/outputs.tf b/examples/replica-postgres/outputs.tf
index bf351e2d..f4056186 100644
--- a/examples/replica-postgres/outputs.tf
+++ b/examples/replica-postgres/outputs.tf
@@ -71,6 +71,11 @@ output "master_db_subnet_group_arn" {
   value       = module.master.db_subnet_group_arn
 }
 
+output "master_db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.master.db_instance_cloudwatch_log_groups
+}
+
 # Replica
 output "replica_db_instance_address" {
   description = "The address of the RDS instance"
@@ -127,3 +132,8 @@ output "replica_db_instance_port" {
   description = "The database port"
   value       = module.replica.db_instance_port
 }
+
+output "replica_db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.replica.db_instance_cloudwatch_log_groups
+}
diff --git a/examples/s3-import-mysql/README.md b/examples/s3-import-mysql/README.md
index 3293039f..d17cb0a7 100644
--- a/examples/s3-import-mysql/README.md
+++ b/examples/s3-import-mysql/README.md
@@ -89,6 +89,7 @@ No inputs.
 | <a name="output_db_instance_address"></a> [db\_instance\_address](#output\_db\_instance\_address) | The address of the RDS instance |
 | <a name="output_db_instance_arn"></a> [db\_instance\_arn](#output\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_db_instance_availability_zone"></a> [db\_instance\_availability\_zone](#output\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| <a name="output_db_instance_cloudwatch_log_groups"></a> [db\_instance\_cloudwatch\_log\_groups](#output\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_db_instance_endpoint"></a> [db\_instance\_endpoint](#output\_db\_instance\_endpoint) | The connection endpoint |
 | <a name="output_db_instance_hosted_zone_id"></a> [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | <a name="output_db_instance_id"></a> [db\_instance\_id](#output\_db\_instance\_id) | The RDS instance ID |
diff --git a/examples/s3-import-mysql/main.tf b/examples/s3-import-mysql/main.tf
index 97ff7f4c..55b0afd3 100644
--- a/examples/s3-import-mysql/main.tf
+++ b/examples/s3-import-mysql/main.tf
@@ -171,7 +171,7 @@ module "db" {
   engine_version       = "8.0.27"
   family               = "mysql8.0" # DB parameter group
   major_engine_version = "8.0"      # DB option group
-  instance_class       = "db.t3a.large"
+  instance_class       = "db.t4g.large"
 
   allocated_storage     = 20
   max_allocated_storage = 100
diff --git a/examples/s3-import-mysql/outputs.tf b/examples/s3-import-mysql/outputs.tf
index 3dddc423..e4806fff 100644
--- a/examples/s3-import-mysql/outputs.tf
+++ b/examples/s3-import-mysql/outputs.tf
@@ -79,3 +79,8 @@ output "db_parameter_group_arn" {
   description = "The ARN of the db parameter group"
   value       = module.db.db_parameter_group_arn
 }
+
+output "db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.db.db_instance_cloudwatch_log_groups
+}
diff --git a/main.tf b/main.tf
index c27e1a33..7a2ade9e 100644
--- a/main.tf
+++ b/main.tf
@@ -1,8 +1,8 @@
 locals {
   create_random_password = var.create_db_instance && var.create_random_password && var.snapshot_identifier == null
   master_password        = try(random_password.master_password[0].result, var.password)
-  db_subnet_group_name   = !var.cross_region_replica && var.replicate_source_db != null ? null : try(module.db_subnet_group.db_subnet_group_id, var.db_subnet_group_name)
 
+  db_subnet_group_name    = var.create_db_subnet_group ? module.db_subnet_group.db_subnet_group_id : var.db_subnet_group_name
   parameter_group_name_id = var.create_db_parameter_group ? module.db_parameter_group.db_parameter_group_id : var.parameter_group_name
 
   create_db_option_group = var.create_db_option_group && var.engine != "postgres"
@@ -122,9 +122,13 @@ module "db_instance" {
   monitoring_role_description = var.monitoring_role_description
   create_monitoring_role      = var.create_monitoring_role
 
-  character_set_name              = var.character_set_name
-  timezone                        = var.timezone
-  enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
+  character_set_name = var.character_set_name
+  timezone           = var.timezone
+
+  enabled_cloudwatch_logs_exports        = var.enabled_cloudwatch_logs_exports
+  create_cloudwatch_log_group            = var.create_cloudwatch_log_group
+  cloudwatch_log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days
+  cloudwatch_log_group_kms_key_id        = var.cloudwatch_log_group_kms_key_id
 
   timeouts = var.timeouts
 
diff --git a/modules/db_instance/README.md b/modules/db_instance/README.md
index af84eead..d2971c72 100644
--- a/modules/db_instance/README.md
+++ b/modules/db_instance/README.md
@@ -24,6 +24,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_db_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) | resource |
 | [aws_iam_role.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -44,8 +45,11 @@ No modules.
 | <a name="input_backup_window"></a> [backup\_window](#input\_backup\_window) | The daily time range (in UTC) during which automated backups are created if they are enabled. Example: '09:46-10:16'. Must not overlap with maintenance\_window | `string` | `null` | no |
 | <a name="input_ca_cert_identifier"></a> [ca\_cert\_identifier](#input\_ca\_cert\_identifier) | Specifies the identifier of the CA certificate for the DB instance | `string` | `null` | no |
 | <a name="input_character_set_name"></a> [character\_set\_name](#input\_character\_set\_name) | The character set name to use for DB encoding in Oracle instances. This can't be changed. See Oracle Character Sets Supported in Amazon RDS and Collations and Character Sets for Microsoft SQL Server for more information. This can only be set on creation. | `string` | `null` | no |
+| <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
+| <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | The number of days to retain CloudWatch logs for the DB instance | `number` | `7` | no |
 | <a name="input_copy_tags_to_snapshot"></a> [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | On delete, copy all Instance tags to the final snapshot | `bool` | `false` | no |
 | <a name="input_create"></a> [create](#input\_create) | Whether to create this resource or not? | `bool` | `true` | no |
+| <a name="input_create_cloudwatch_log_group"></a> [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a CloudWatch log group is created for each `enabled_cloudwatch_logs_exports` | `bool` | `false` | no |
 | <a name="input_create_monitoring_role"></a> [create\_monitoring\_role](#input\_create\_monitoring\_role) | Create IAM role with a defined name that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. | `bool` | `false` | no |
 | <a name="input_db_name"></a> [db\_name](#input\_db\_name) | The DB name to create. If omitted, no database is created initially | `string` | `null` | no |
 | <a name="input_db_subnet_group_name"></a> [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC | `string` | `null` | no |
@@ -100,6 +104,7 @@ No modules.
 | <a name="output_db_instance_arn"></a> [db\_instance\_arn](#output\_db\_instance\_arn) | The ARN of the RDS instance |
 | <a name="output_db_instance_availability_zone"></a> [db\_instance\_availability\_zone](#output\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
 | <a name="output_db_instance_ca_cert_identifier"></a> [db\_instance\_ca\_cert\_identifier](#output\_db\_instance\_ca\_cert\_identifier) | Specifies the identifier of the CA certificate for the DB instance |
+| <a name="output_db_instance_cloudwatch_log_groups"></a> [db\_instance\_cloudwatch\_log\_groups](#output\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
 | <a name="output_db_instance_domain"></a> [db\_instance\_domain](#output\_db\_instance\_domain) | The ID of the Directory Service Active Directory domain the instance is joined to |
 | <a name="output_db_instance_domain_iam_role_name"></a> [db\_instance\_domain\_iam\_role\_name](#output\_db\_instance\_domain\_iam\_role\_name) | The name of the IAM role to be used when making API calls to the Directory Service. |
 | <a name="output_db_instance_endpoint"></a> [db\_instance\_endpoint](#output\_db\_instance\_endpoint) | The connection endpoint |
diff --git a/modules/db_instance/main.tf b/modules/db_instance/main.tf
index 043a074e..8cad0624 100644
--- a/modules/db_instance/main.tf
+++ b/modules/db_instance/main.tf
@@ -126,6 +126,20 @@ resource "aws_db_instance" "this" {
   }
 }
 
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+resource "aws_cloudwatch_log_group" "this" {
+  for_each = toset([for log in var.enabled_cloudwatch_logs_exports : log if var.create && var.create_cloudwatch_log_group])
+
+  name              = "/aws/rds/instance/${var.identifier}/${each.value}"
+  retention_in_days = var.cloudwatch_log_group_retention_in_days
+  kms_key_id        = var.cloudwatch_log_group_kms_key_id
+
+  tags = var.tags
+}
+
 ################################################################################
 # Enhanced monitoring
 ################################################################################
diff --git a/modules/db_instance/outputs.tf b/modules/db_instance/outputs.tf
index ebcffc03..b39887d0 100644
--- a/modules/db_instance/outputs.tf
+++ b/modules/db_instance/outputs.tf
@@ -84,3 +84,12 @@ output "db_instance_master_password" {
   value       = try(aws_db_instance.this[0].password, "")
   sensitive   = true
 }
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+output "db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = aws_cloudwatch_log_group.this
+}
diff --git a/modules/db_instance/variables.tf b/modules/db_instance/variables.tf
index cca375ba..71e650e6 100644
--- a/modules/db_instance/variables.tf
+++ b/modules/db_instance/variables.tf
@@ -333,3 +333,25 @@ variable "restore_to_point_in_time" {
   type        = map(string)
   default     = null
 }
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+variable "create_cloudwatch_log_group" {
+  description = "Determines whether a CloudWatch log group is created for each `enabled_cloudwatch_logs_exports`"
+  type        = bool
+  default     = false
+}
+
+variable "cloudwatch_log_group_retention_in_days" {
+  description = "The number of days to retain CloudWatch logs for the DB instance"
+  type        = number
+  default     = 7
+}
+
+variable "cloudwatch_log_group_kms_key_id" {
+  description = "The ARN of the KMS Key to use when encrypting log data"
+  type        = string
+  default     = null
+}
diff --git a/outputs.tf b/outputs.tf
index 950ff7f3..4a8cac1d 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -121,3 +121,12 @@ output "db_master_password" {
   value       = module.db_instance.db_instance_master_password
   sensitive   = true
 }
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+output "db_instance_cloudwatch_log_groups" {
+  description = "Map of CloudWatch log groups created and their attributes"
+  value       = module.db_instance.db_instance_cloudwatch_log_groups
+}
diff --git a/variables.tf b/variables.tf
index 76f6ce5a..0603277a 100644
--- a/variables.tf
+++ b/variables.tf
@@ -33,12 +33,6 @@ variable "replicate_source_db" {
   default     = null
 }
 
-variable "cross_region_replica" {
-  description = "Specifies if the replica should be cross region. It allows the use of a subnet group in a region different than the master instance"
-  type        = bool
-  default     = false
-}
-
 variable "license_model" {
   description = "License model information for this DB instance. Optional, but required for some DB engines, i.e. Oracle SE1"
   type        = string
@@ -467,3 +461,25 @@ variable "random_password_length" {
   type        = number
   default     = 16
 }
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+variable "create_cloudwatch_log_group" {
+  description = "Determines whether a CloudWatch log group is created for each `enabled_cloudwatch_logs_exports`"
+  type        = bool
+  default     = false
+}
+
+variable "cloudwatch_log_group_retention_in_days" {
+  description = "The number of days to retain CloudWatch logs for the DB instance"
+  type        = number
+  default     = 7
+}
+
+variable "cloudwatch_log_group_kms_key_id" {
+  description = "The ARN of the KMS Key to use when encrypting log data"
+  type        = string
+  default     = null
+}