/**
 * # S3LbAccessLog
 *
 * Module that creates an S3 bucket for LB access logging. The bucket policy is set automatically.
 */
# The access-log bucket itself, named by the caller.
# force_destroy = true lets `terraform destroy` remove the bucket together with any
# log objects still in it. NOTE(review): nothing in this file enables versioning or
# object lock, so retention of delivered logs rests on this flag and the lifecycle
# rule below; if logs must outlive the LB stack, consider making this configurable.
resource "aws_s3_bucket" "this" {
  bucket        = var.bucket_name
  force_destroy = true
}
# Turn on all four S3 Block Public Access settings for the log bucket so that
# neither ACLs nor bucket policies can expose its contents publicly.
resource "aws_s3_bucket_public_access_block" "block_public_access" {
  bucket = aws_s3_bucket.this.id

  restrict_public_buckets = true
  ignore_public_acls      = true
  block_public_policy     = true
  block_public_acls       = true
}
# Current region; the policy document below uses its id to decide which
# LB log-delivery principal applies (and always adds the TLS-only Deny statement).
data "aws_region" "this" {}
# Bucket policy: one Allow statement for the LB log-delivery principal plus a Deny
# for any request not made over TLS. Exactly one of the two dynamic "AllowLbWrite_*"
# statements is rendered — their for_each expressions are the same can() test with
# the branches swapped, keyed on whether var.region_account_map has an entry for
# the current region.
data "aws_iam_policy_document" "bucket_policy" {
  # Regions created before 2022: the principal is the account/ARN looked up in
  # var.region_account_map for the current region (principal type "AWS").
  dynamic "statement" {
    for_each = can(var.region_account_map[data.aws_region.this.id]) ? [1] : []
    content {
      sid     = "AllowLbWrite_Pre2022Region"
      actions = ["s3:PutObject", "s3:GetBucketAcl"]
      effect  = "Allow"
      principals {
        identifiers = [
          var.region_account_map[data.aws_region.this.id]
        ]
        type = "AWS"
      }
      # NOTE(review): both actions are granted on the bucket and on every object
      # in it. The AWS guidance referenced at the aws_s3_bucket_policy resource
      # scopes PutObject to the AWSLogs/<account-id>/ object path; confirm whether
      # log delivery from other accounts into this bucket is intended, and narrow
      # the object ARN if it is not.
      resources = [
        aws_s3_bucket.this.arn,
        "${aws_s3_bucket.this.arn}/*"
      ]
    }
  }

  # Regions created after 2022: the principal is the ELB log-delivery service.
  dynamic "statement" {
    for_each = can(var.region_account_map[data.aws_region.this.id]) ? [] : [1]
    content {
      sid     = "AllowLbWrite_Post2022Region"
      actions = ["s3:PutObject", "s3:GetBucketAcl"]
      effect  = "Allow"
      principals {
        identifiers = ["logdelivery.elasticloadbalancing.amazonaws.com"]
        type        = "Service"
      }
      # NOTE(review): same whole-bucket scope as the Pre2022 statement above —
      # any LB in this region that names this bucket as its log destination is
      # allowed to write here; see the scoping note on the Pre2022 statement.
      resources = [
        aws_s3_bucket.this.arn,
        "${aws_s3_bucket.this.arn}/*"
      ]
    }
  }

  # Deny every S3 action, for every principal, on the bucket and its objects when
  # the request was not made over TLS (aws:SecureTransport == false).
  statement {
    sid     = "AllowSSLRequestsOnly"
    actions = ["s3:*"]
    effect  = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    resources = [
      aws_s3_bucket.this.arn,
      "${aws_s3_bucket.this.arn}/*"
    ]
    condition {
      test     = "Bool"
      values   = [false]
      variable = "aws:SecureTransport"
    }
  }
}
# Attach the policy document defined above to the log bucket. The statement
# shapes follow the AWS guidance for LB access logging:
# https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html
resource "aws_s3_bucket_policy" "bucket_policy" {
  policy = data.aws_iam_policy_document.bucket_policy.json
  bucket = aws_s3_bucket.this.id
}
# Optional retention. Created only when var.enable_bucket_lifecycle is true; the
# single rule expires every object in the bucket (empty filter) after
# var.current_version_expiration_days days.
resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" {
  count = var.enable_bucket_lifecycle ? 1 : 0

  bucket = aws_s3_bucket.this.id

  rule {
    status = "Enabled"
    id     = "ExpireAfterRetention"

    # An empty filter makes the rule apply to the whole bucket.
    filter {}

    expiration {
      days = var.current_version_expiration_days
    }
  }
}
# Default encryption for the log bucket: SSE-KMS with var.encryption_key_arn when
# a key ARN is supplied, otherwise SSE-S3 (AES256). The S3 bucket key is enabled
# only in the KMS case.
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
  bucket = aws_s3_bucket.this.id

  rule {
    # Same "key ARN supplied" test drives both the bucket-key flag and the algorithm.
    bucket_key_enabled = length(var.encryption_key_arn) > 0

    apply_server_side_encryption_by_default {
      sse_algorithm = length(var.encryption_key_arn) > 0 ? "aws:kms" : "AES256"
      # NOTE(review): the key id is passed through unconditionally, i.e. also as an
      # empty value when AES256 is selected — confirm the provider accepts that.
      kms_master_key_id = var.encryption_key_arn
    }
  }
}