feat: ALB/NLB log delivery support (#96)

46d5a85e · Anton Babenko · GitHub · 9138a967 · 46d5a85e · 46d5a85e
Commit 46d5a85e authored Jun 11, 2021 by Anton Babenko Committed by GitHub Jun 11, 2021
7 changed files
--- a/README.md
+++ b/README.md
@@ -13,6 +13,7 @@ These features of S3 bucket configurations are supported:
 - object locking
 - Cross-Region Replication (CRR)
 - ELB log delivery bucket policy
+- ALB/NLB log delivery bucket policy

 ## Usage

@@ -48,6 +49,22 @@ module "s3_bucket_for_logs" {
 }
 ```

+### Bucket with ALB/NLB access log delivery policy attached
+
+```hcl
+module "s3_bucket_for_logs" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket = "my-s3-bucket-for-logs"
+  acl    = "log-delivery-write"
+
+  # Allow deletion of non-empty bucket
+  force_destroy = true
+
+  attach_lb_log_delivery_policy = true
+}
+```
+
 ## Conditional creation

 Sometimes you need to have a way to create S3 resources conditionally but Terraform does not allow to use `count` inside `module` block, so the solution is to specify argument `create_bucket`.
@@ -113,6 +130,7 @@ No modules.
 | [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deny_insecure_transport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.elb_log_delivery](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lb_log_delivery](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

 ## Inputs

@@ -122,6 +140,7 @@ No modules.
 | <a name="input_acl"></a> [acl](#input\_acl) | (Optional) The canned ACL to apply. Defaults to 'private'. Conflicts with `grant` | `string` | `"private"` | no |
 | <a name="input_attach_deny_insecure_transport_policy"></a> [attach\_deny\_insecure\_transport\_policy](#input\_attach\_deny\_insecure\_transport\_policy) | Controls if S3 bucket should have deny non-SSL transport policy attached | `bool` | `false` | no |
 | <a name="input_attach_elb_log_delivery_policy"></a> [attach\_elb\_log\_delivery\_policy](#input\_attach\_elb\_log\_delivery\_policy) | Controls if S3 bucket should have ELB log delivery policy attached | `bool` | `false` | no |
+| <a name="input_attach_lb_log_delivery_policy"></a> [attach\_lb\_log\_delivery\_policy](#input\_attach\_lb\_log\_delivery\_policy) | Controls if S3 bucket should have ALB/NLB log delivery policy attached | `bool` | `false` | no |
 | <a name="input_attach_policy"></a> [attach\_policy](#input\_attach\_policy) | Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy) | `bool` | `false` | no |
 | <a name="input_attach_public_policy"></a> [attach\_public\_policy](#input\_attach\_public\_policy) | Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket) | `bool` | `true` | no |
 | <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this bucket. | `bool` | `false` | no |

--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -2,7 +2,7 @@

 Configuration in this directory creates S3 bucket which demos such capabilities:
 - static web-site hosting
- access logging (for S3 and ELB)
+- access logging (for S3, ELB and ALB/NLB)
 - versioning
 - CORS
 - lifecycle rules

--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -55,6 +55,7 @@ module "log_bucket" {
  acl                                   = "log-delivery-write"
  force_destroy                         = true
  attach_elb_log_delivery_policy        = true
+  attach_lb_log_delivery_policy         = true
  attach_deny_insecure_transport_policy = true
 }


--- a/main.tf
+++ b/main.tf
 locals {
-  attach_policy = var.attach_elb_log_delivery_policy || var.attach_deny_insecure_transport_policy || var.attach_policy
+  attach_policy = var.attach_elb_log_delivery_policy || var.attach_lb_log_delivery_policy || var.attach_deny_insecure_transport_policy || var.attach_policy
 }

 resource "aws_s3_bucket" "this" {
@@ -247,6 +247,7 @@ data "aws_iam_policy_document" "combined" {

  source_policy_documents = compact([
    var.attach_elb_log_delivery_policy ? data.aws_iam_policy_document.elb_log_delivery[0].json : "",
+    var.attach_lb_log_delivery_policy ? data.aws_iam_policy_document.lb_log_delivery[0].json : "",
    var.attach_deny_insecure_transport_policy ? data.aws_iam_policy_document.deny_insecure_transport[0].json : "",
    var.attach_policy ? var.policy : ""
  ])
@@ -280,6 +281,57 @@ data "aws_iam_policy_document" "elb_log_delivery" {
  }
 }

+# ALB/NLB
+
+data "aws_iam_policy_document" "lb_log_delivery" {
+  count = var.create_bucket && var.attach_lb_log_delivery_policy ? 1 : 0
+
+  statement {
+    sid = "AWSLogDeliveryWrite"
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+
+    effect = "Allow"
+
+    actions = [
+      "s3:PutObject",
+    ]
+
+    resources = [
+      "${aws_s3_bucket.this[0].arn}/*",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
+
+  statement {
+    sid = "AWSLogDeliveryAclCheck"
+
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:GetBucketAcl",
+    ]
+
+    resources = [
+      "${aws_s3_bucket.this[0].arn}",
+    ]
+
+  }
+}
+
 data "aws_iam_policy_document" "deny_insecure_transport" {
  count = var.create_bucket && var.attach_deny_insecure_transport_policy ? 1 : 0


--- a/variables.tf
+++ b/variables.tf
@@ -10,6 +10,12 @@ variable "attach_elb_log_delivery_policy" {
  default     = false
 }

+variable "attach_lb_log_delivery_policy" {
+  description = "Controls if S3 bucket should have ALB/NLB log delivery policy attached"
+  type        = bool
+  default     = false
+}
+
 variable "attach_deny_insecure_transport_policy" {
  description = "Controls if S3 bucket should have deny non-SSL transport policy attached"
  type        = bool

--- a/wrappers/README.md
+++ b/wrappers/README.md
@@ -6,7 +6,7 @@ You may want to use a single Terragrunt configuration file to manage multiple re

 This wrapper does not implement any extra functionality.

-# Usage with Terragrunt
+## Usage with Terragrunt

 `terragrunt.hcl`:


--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -5,6 +5,7 @@ module "wrapper" {

  create_bucket                         = lookup(each.value, "create_bucket", true)
  attach_elb_log_delivery_policy        = lookup(each.value, "attach_elb_log_delivery_policy", false)
+  attach_lb_log_delivery_policy         = lookup(each.value, "attach_lb_log_delivery_policy", false)
  attach_deny_insecure_transport_policy = lookup(each.value, "attach_deny_insecure_transport_policy", false)
  attach_policy                         = lookup(each.value, "attach_policy", false)
  attach_public_policy                  = lookup(each.value, "attach_public_policy", true)