initial commit

modules/storage/S3LbAccessLog/main.tf

@@ -0,0 +1,117 @@
+/**
+* # S3LbAccessLog
+* Module to create s3 bucket for LB access logging. Bucket policy is automatically set
+*/
+
+resource "aws_s3_bucket" "this" {
+  bucket        = var.bucket_name
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_public_access_block" "block_public_access" {
+  bucket = aws_s3_bucket.this.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+# Add SecureTransport restriction by default
+data "aws_region" "this" {}
+
+data "aws_iam_policy_document" "bucket_policy" {
+  # Regions created before 2022
+  dynamic "statement" {
+    for_each = can(var.region_account_map[data.aws_region.this.id]) ? [1] : []
+    content {
+      sid     = "AllowLbWrite_Pre2022Region"
+      actions = ["s3:PutObject", "s3:GetBucketAcl"]
+      effect  = "Allow"
+      principals {
+        identifiers = [
+          var.region_account_map[data.aws_region.this.id]
+        ]
+        type = "AWS"
+      }
+      resources = [
+        aws_s3_bucket.this.arn,
+        "${aws_s3_bucket.this.arn}/*"
+      ]
+    }
+  }
+
+  # regions created after 2022
+  dynamic "statement" {
+    for_each = can(var.region_account_map[data.aws_region.this.id]) ? [] : [1]
+    content {
+      sid     = "AllowLbWrite_Post2022Region"
+      actions = ["s3:PutObject", "s3:GetBucketAcl"]
+      effect  = "Allow"
+      principals {
+        identifiers = ["logdelivery.elasticloadbalancing.amazonaws.com"]
+        type        = "Service"
+      }
+      resources = [
+        aws_s3_bucket.this.arn,
+        "${aws_s3_bucket.this.arn}/*"
+      ]
+    }
+  }
+
+  statement {
+    sid     = "AllowSSLRequestsOnly"
+    actions = ["s3:*"]
+    effect  = "Deny"
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    resources = [
+      aws_s3_bucket.this.arn,
+      "${aws_s3_bucket.this.arn}/*"
+    ]
+    condition {
+      test     = "Bool"
+      values   = [false]
+      variable = "aws:SecureTransport"
+    }
+  }
+}
+
+# Sets up bucket policy referencing AWS doc
+# https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html
+resource "aws_s3_bucket_policy" "bucket_policy" {
+  bucket = aws_s3_bucket.this.id
+  policy = data.aws_iam_policy_document.bucket_policy.json
+}
+
+# Sets up bucket retention
+resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" {
+  count  = var.enable_bucket_lifecycle ? 1 : 0
+  bucket = aws_s3_bucket.this.id
+  rule {
+    id = "ExpireAfterRetention"
+
+    filter {}
+
+    expiration {
+      days = var.current_version_expiration_days
+    }
+
+    status = "Enabled"
+  }
+}
+
+# Enable encryption by default
+resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
+  bucket = aws_s3_bucket.this.id
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = var.encryption_key_arn
+      sse_algorithm     = length(var.encryption_key_arn) > 0 ? "aws:kms" : "AES256"
+    }
+    bucket_key_enabled = length(var.encryption_key_arn) > 0 ? true : false
+  }
+}
+