From 9fa8fdc4e273751914eb4058a7ea2f457c7a1e20 Mon Sep 17 00:00:00 2001 From: "John C. Bland II" Date: Fri, 5 Nov 2021 23:34:25 -0500 Subject: [PATCH] Add support for a log bucket (#104) * feat: add support for a log bucket * Auto Format * chore: add support for log bucket var config * Auto Format * chore: tighten up the bucket name integration * Auto Format * chore: fix incorrect local * Auto Format * chore: consolidate locals Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> --- README.md | 5 +++++ docs/terraform.md | 5 +++++ main.tf | 25 +++++++++++++++++++++++-- variables.tf | 24 ++++++++++++++++++++++++ 4 files changed, 57 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7455cfa..811f82c 100644 --- a/README.md +++ b/README.md @@ -264,6 +264,7 @@ Available targets: | Name | Source | Version | |------|--------|---------| | [dynamodb\_table\_label](#module\_dynamodb\_table\_label) | cloudposse/label/null | 0.25.0 | +| [log\_storage](#module\_log\_storage) | cloudposse/s3-log-storage/aws | 0.26.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources @@ -313,6 +314,10 @@ Available targets: | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | | [logging](#input\_logging) | Bucket access logging configuration. |
object({
bucket_name = string
prefix = string
})
| `null` | no | +| [logging\_bucket\_enabled](#input\_logging\_bucket\_enabled) | Whether to create the s3 access log bucket. | `bool` | `false` | no | +| [logging\_bucket\_expiration\_days](#input\_logging\_bucket\_expiration\_days) | Whether to create the s3 access log bucket. | `number` | `90` | no | +| [logging\_bucket\_glacier\_transition\_days](#input\_logging\_bucket\_glacier\_transition\_days) | Whether to create the s3 access log bucket. | `number` | `60` | no | +| [logging\_bucket\_standard\_transition\_days](#input\_logging\_bucket\_standard\_transition\_days) | Whether to create the s3 access log bucket. | `number` | `30` | no | | [mfa\_delete](#input\_mfa\_delete) | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | `bool` | `false` | no | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 5222ac8..39fc4ba 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -19,6 +19,7 @@ | Name | Source | Version | |------|--------|---------| | [dynamodb\_table\_label](#module\_dynamodb\_table\_label) | cloudposse/label/null | 0.25.0 | +| [log\_storage](#module\_log\_storage) | cloudposse/s3-log-storage/aws | 0.26.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources @@ -68,6 +69,10 @@ | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | | [logging](#input\_logging) | Bucket access logging configuration. |
object({
bucket_name = string
prefix = string
})
| `null` | no | +| [logging\_bucket\_enabled](#input\_logging\_bucket\_enabled) | Whether to create the s3 access log bucket. | `bool` | `false` | no | +| [logging\_bucket\_expiration\_days](#input\_logging\_bucket\_expiration\_days) | Whether to create the s3 access log bucket. | `number` | `90` | no | +| [logging\_bucket\_glacier\_transition\_days](#input\_logging\_bucket\_glacier\_transition\_days) | Whether to create the s3 access log bucket. | `number` | `60` | no | +| [logging\_bucket\_standard\_transition\_days](#input\_logging\_bucket\_standard\_transition\_days) | Whether to create the s3 access log bucket. | `number` | `30` | no | | [mfa\_delete](#input\_mfa\_delete) | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | `bool` | `false` | no | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index 1fa5cea..4fa1f5f 100644
--- a/main.tf
+++ b/main.tf
@@ -45,6 +45,12 @@ locals {
 })
 
 bucket_name = var.s3_bucket_name != "" ? var.s3_bucket_name : module.this.id
+
+ logging_bucket_enabled = local.bucket_enabled && var.logging_bucket_enabled
+ logging_bucket_name_default = try(var.logging["bucket_name"], "${local.bucket_name}-logs")
+ logging_prefix_default = try(var.logging["prefix"], "logs/")
+ logging_bucket_name = local.logging_bucket_enabled ? module.log_storage.bucket_id : local.logging_bucket_name_default
+ logging_prefix = local.logging_bucket_enabled ? module.log_storage.prefix : local.logging_prefix_default
 }
 
 data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
@@ -132,6 +138,21 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
 }
 }
 
+module "log_storage" {
+ source = "cloudposse/s3-log-storage/aws"
+ version = "0.26.0"
+
+ enabled = local.logging_bucket_enabled
+ access_log_bucket_prefix = local.logging_prefix_default
+ acl = "log-delivery-write"
+ expiration_days = var.logging_bucket_expiration_days
+ glacier_transition_days = var.logging_bucket_glacier_transition_days
+ name = local.logging_bucket_name_default
+ standard_transition_days = var.logging_bucket_standard_transition_days
+
+ context = module.this.context
+}
+
 resource "aws_s3_bucket" "default" {
 count = local.bucket_enabled ? 1 : 0
 
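Review bot: In `module "log_storage"`, `name = local.logging_bucket_name_default` passes an already-composed id (`local.bucket_name`, which is `module.this.id` unless `s3_bucket_name` is set, plus `-logs`) into a module that also receives `context = module.this.context`; if that module builds its bucket id from the context the way the label modules do, the namespace/stage elements will be repeated in the log bucket name, and a user-supplied `logging.bucket_name` will not come out verbatim either, although `local.logging_bucket_name` does follow whatever `bucket_id` the module returns. If the module accepts the standard label inputs, `attributes = ["logs"]` with the context, and `name` only when `var.logging` supplies one, would avoid the duplication. The hunk also relies entirely on the upstream module's defaults for encryption, versioning and public-access blocking of the log bucket; since this bucket receives access logs for the state bucket, it is worth setting those explicitly (with a comment noting why) so the log bucket's hardening is pinned in this module rather than inherited from a dependency's defaults.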
@@ -176,8 +197,8 @@ resource "aws_s3_bucket" "default" {
 dynamic "logging" {
 for_each = var.logging == null ? [] : [1]
 content {
- target_bucket = var.logging["bucket_name"]
- target_prefix = var.logging["prefix"]
+ target_bucket = local.logging_bucket_name
+ target_prefix = local.logging_prefix
 }
 }
 
diff --git a/variables.tf b/variables.tf
index 963309b..f80d6b8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -153,6 +153,30 @@ variable "logging" {
 description = "Bucket access logging configuration."
 }
 
+variable "logging_bucket_enabled" {
+ type = bool
+ default = false
+ description = "Whether to create the s3 access log bucket."
+}
+
+variable "logging_bucket_standard_transition_days" {
+ type = number
+ default = 30
+ description = "Whether to create the s3 access log bucket."
+}
+
+variable "logging_bucket_glacier_transition_days" {
+ type = number
+ default = 60
+ description = "Whether to create the s3 access log bucket."
+}
+
+variable "logging_bucket_expiration_days" {
+ type = number
+ default = 90
+ description = "Whether to create the s3 access log bucket."
+}
+
 variable "bucket_enabled" {
 type = bool
 default = true
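Review bot: The guard `for_each = var.logging == null ? [] : [1]` on the dynamic `logging` block is unchanged, so with `logging_bucket_enabled = true` and `logging` left at its `null` default the `log_storage` bucket is created but the state bucket never enables access logging to it — the new `local.logging_bucket_name` and `local.logging_prefix` are only consumed inside this block. That leaves a deployment that looks logged but is not, which matters for a bucket holding Terraform state. Suggest `for_each = var.logging == null && !local.logging_bucket_enabled ? [] : [1]`, or a dedicated local computed in `locals` (outside this hunk). The enclosing `resource "aws_s3_bucket" "default"` begins before the hunk.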
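Review bot: The descriptions of `logging_bucket_standard_transition_days`, `logging_bucket_glacier_transition_days` and `logging_bucket_expiration_days` were copied from `logging_bucket_enabled` and all read "Whether to create the s3 access log bucket.", which is wrong for number inputs and is propagated into the README and docs/terraform.md tables in this same commit. Suggest `description = "Number of days before access-log objects are transitioned out of the standard storage class."`, `description = "Number of days before access-log objects are transitioned to Glacier."` and `description = "Number of days after which access-log objects are expired (deleted)."`, then regenerating the docs. The defaults 30/60/90 are ordered, but nothing on the page documents that user-supplied values are expected to keep `standard < glacier < expiration`; a sentence in each description would at least make the expectation visible.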