initial commit

2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
@@ -0,0 +1,53 @@
+<!-- This readme file is generated with terraform-docs -->
+# S3LbAccessLog
+Module to create s3 bucket for LB access logging. Bucket policy is automatically set
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| aws | ~> 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | ~> 5.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_lifecycle_configuration.lifecycle](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
+| [aws_s3_bucket_policy.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.block_public_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| bucket\_name | Name of bucket | `string` | n/a | yes |
+| current\_version\_expiration\_days | Delete logs after days - default 30 | `number` | `30` | no |
+| enable\_bucket\_lifecycle | Enable s3 bucket lifecycle | `bool` | `true` | no |
+| encryption\_key\_arn | Leave blank to use AES256 | `string` | `""` | no |
+| region\_account\_map | AWS account id from which LB logs are produced | `map(string)` | <pre>{<br>  "af-south-1": "098369216593",<br>  "ap-east-1": "754344448648",<br>  "ap-northeast-1": "582318560864",<br>  "ap-northeast-2": "600734575887",<br>  "ap-northeast-3": "383597477331",<br>  "ap-south-1": "718504428378",<br>  "ap-southeast-1": "114774131450",<br>  "ap-southeast-2": "783225319266",<br>  "ap-southeast-3": "589379963580",<br>  "ca-central-1": "985666609251",<br>  "eu-central-1": "054676820928",<br>  "eu-north-1": "897822967062",<br>  "eu-south-1": "635631232127",<br>  "eu-west-1": "156460612806",<br>  "eu-west-2": "652711504416",<br>  "eu-west-3": "009996457667",<br>  "me-south-1": "076674570225",<br>  "sa-east-1": "507241528517",<br>  "us-east-1": "127311923021",<br>  "us-east-2": "033677994240",<br>  "us-west-1": "027434742980",<br>  "us-west-2": "797873946194"<br>}</pre> | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| bucket\_arn | n/a |
+| bucket\_name | n/a |
+ 
+---
+## Authorship
+This module was developed by xpk.
@@ -0,0 +1,117 @@
+/**
+* # S3LbAccessLog
+* Module to create s3 bucket for LB access logging. Bucket policy is automatically set
+*/
+
+resource "aws_s3_bucket" "this" {
+  bucket        = var.bucket_name
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_public_access_block" "block_public_access" {
+  bucket = aws_s3_bucket.this.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+# Add SecureTransport restriction by default
+data "aws_region" "this" {}
+
+data "aws_iam_policy_document" "bucket_policy" {
+  # Regions created before 2022
+  dynamic "statement" {
+    for_each = can(var.region_account_map[data.aws_region.this.id]) ? [1] : []
+    content {
+      sid     = "AllowLbWrite_Pre2022Region"
+      actions = ["s3:PutObject", "s3:GetBucketAcl"]
+      effect  = "Allow"
+      principals {
+        identifiers = [
+          var.region_account_map[data.aws_region.this.id]
+        ]
+        type = "AWS"
+      }
+      resources = [
+        aws_s3_bucket.this.arn,
+        "${aws_s3_bucket.this.arn}/*"
+      ]
+    }
+  }
+
+  # regions created after 2022
+  dynamic "statement" {
+    for_each = can(var.region_account_map[data.aws_region.this.id]) ? [] : [1]
+    content {
+      sid     = "AllowLbWrite_Post2022Region"
+      actions = ["s3:PutObject", "s3:GetBucketAcl"]
+      effect  = "Allow"
+      principals {
+        identifiers = ["logdelivery.elasticloadbalancing.amazonaws.com"]
+        type        = "Service"
+      }
+      resources = [
+        aws_s3_bucket.this.arn,
+        "${aws_s3_bucket.this.arn}/*"
+      ]
+    }
+  }
+
+  statement {
+    sid     = "AllowSSLRequestsOnly"
+    actions = ["s3:*"]
+    effect  = "Deny"
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    resources = [
+      aws_s3_bucket.this.arn,
+      "${aws_s3_bucket.this.arn}/*"
+    ]
+    condition {
+      test     = "Bool"
+      values   = [false]
+      variable = "aws:SecureTransport"
+    }
+  }
+}
+
+# Sets up bucket policy referencing AWS doc
+# https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html
+resource "aws_s3_bucket_policy" "bucket_policy" {
+  bucket = aws_s3_bucket.this.id
+  policy = data.aws_iam_policy_document.bucket_policy.json
+}
+
+# Sets up bucket retention
+resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" {
+  count  = var.enable_bucket_lifecycle ? 1 : 0
+  bucket = aws_s3_bucket.this.id
+  rule {
+    id = "ExpireAfterRetention"
+
+    filter {}
+
+    expiration {
+      days = var.current_version_expiration_days
+    }
+
+    status = "Enabled"
+  }
+}
+
+# Enable encryption by default
+resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
+  bucket = aws_s3_bucket.this.id
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = var.encryption_key_arn
+      sse_algorithm     = length(var.encryption_key_arn) > 0 ? "aws:kms" : "AES256"
+    }
+    bucket_key_enabled = length(var.encryption_key_arn) > 0 ? true : false
+  }
+}
+
@@ -0,0 +1,7 @@
+output bucket_name {
+  value = aws_s3_bucket.this.id
+}
+
+output bucket_arn {
+  value = aws_s3_bucket.this.arn
+}
@@ -0,0 +1,52 @@
+variable "bucket_name" {
+  type        = string
+  description = "Name of bucket"
+}
+
+variable "current_version_expiration_days" {
+  type        = number
+  default     = 30
+  description = "Delete logs after days - default 30"
+}
+
+variable "encryption_key_arn" {
+  type        = string
+  default     = ""
+  description = "Leave blank to use AES256"
+}
+
+variable "enable_bucket_lifecycle" {
+  type        = bool
+  description = "Enable s3 bucket lifecycle"
+  default     = true
+}
+
+variable "region_account_map" {
+  type = map(string)
+  description = "AWS account id from which LB logs are produced"
+  default = {
+    us-east-1      = "127311923021"
+    us-east-2      = "033677994240"
+    us-west-1      = "027434742980"
+    us-west-2      = "797873946194"
+    af-south-1     = "098369216593"
+    ap-east-1      = "754344448648"
+    ap-southeast-3 = "589379963580"
+    ap-south-1     = "718504428378"
+    ap-northeast-3 = "383597477331"
+    ap-northeast-2 = "600734575887"
+    ap-southeast-1 = "114774131450"
+    ap-southeast-2 = "783225319266"
+    ap-northeast-1 = "582318560864"
+    ca-central-1   = "985666609251"
+    eu-central-1   = "054676820928"
+    eu-west-1      = "156460612806"
+    eu-west-2      = "652711504416"
+    eu-south-1     = "635631232127"
+    eu-west-3      = "009996457667"
+    eu-north-1     = "897822967062"
+    me-south-1     = "076674570225"
+    sa-east-1      = "507241528517"
+  }
+}
+
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}