Added support for S3 bucket policy (incl. ELB logs delivery policy) (#10

)
terraform-aws-modules · Nov 20, 2019 · 706919c · 706919c
1 parent f778720
commit 706919c
Show file tree

Hide file tree

Showing 6 changed files with 69 additions and 9 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,10 +1,10 @@
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.19.0
+  rev: v1.21.0
   hooks:
     - id: terraform_fmt
     - id: terraform_docs
 - repo: git://github.com/pre-commit/pre-commit-hooks
-  rev: v2.3.0
+  rev: v2.4.0
   hooks:
     - id: check-merge-conflict
diff --git a/README.md b/README.md
@@ -4,7 +4,8 @@ Terraform module which creates S3 bucket on AWS with all (or almost all) feature
 
 This type of resources are supported:
 
-* [S3 bucket](https://www.terraform.io/docs/providers/aws/r/s3_bucket.html)
+* [S3 Bucket](https://www.terraform.io/docs/providers/aws/r/s3_bucket.html)
+* [S3 Bucket Policy](https://www.terraform.io/docs/providers/aws/r/s3_bucket_policy.html)
 
 These features of S3 bucket configurations are supported:
 
@@ -39,6 +40,22 @@ module "s3_bucket" {
 }
 ```
 
+### Bucket with ELB access log delivery policy attached
+
+```hcl
+module "s3_bucket_for_logs" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket = "my-s3-bucket-for-logs"
+  acl    = "log-delivery-write"
+
+  # Allow deletion of non-empty bucket
+  force_destroy = true
+
+  attach_elb_log_delivery_policy = true
+}
+```
+
 ## Conditional creation
 
 Sometimes you need to have a way to create S3 resources conditionally but Terraform does not allow to use `count` inside `module` block, so the solution is to specify argument `create_bucket`.
@@ -65,6 +82,7 @@ module "s3_bucket" {
 |------|-------------|:----:|:-----:|:-----:|
 | acceleration\_status | (Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. | string | `"null"` | no |
 | acl | (Optional) The canned ACL to apply. Defaults to 'private'. | string | `"private"` | no |
+| attach\_elb\_log\_delivery\_policy | Controls if S3 bucket should have ELB log delivery policy attached | bool | `"false"` | no |
 | bucket | (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. | string | `"null"` | no |
 | bucket\_prefix | (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. | string | `"null"` | no |
 | cors\_rule | Map containing a rule of Cross-Origin Resource Sharing. | any | `{}` | no |

diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -2,7 +2,7 @@
 
 Configuration in this directory creates S3 bucket which demos such capabilities:
 - static web-site hosting
-- access logging
+- access logging (for S3 and ELB)
 - versioning
 - CORS
 - lifecycle rules

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -8,10 +8,12 @@ resource "aws_kms_key" "objects" {
 }
 
 module "log_bucket" {
-  source        = "../../"
-  bucket        = "logs-${random_pet.this.id}"
-  acl           = "log-delivery-write"
-  force_destroy = true
+  source = "../../"
+
+  bucket                         = "logs-${random_pet.this.id}"
+  acl                            = "log-delivery-write"
+  force_destroy                  = true
+  attach_elb_log_delivery_policy = true
 }
 
 module "s3_bucket" {

diff --git a/main.tf b/main.tf
@@ -4,7 +4,6 @@ resource "aws_s3_bucket" "this" {
   bucket              = var.bucket
   bucket_prefix       = var.bucket_prefix
   acl                 = var.acl
-  policy              = var.policy
   tags                = var.tags
   force_destroy       = var.force_destroy
   acceleration_status = var.acceleration_status
@@ -217,3 +216,38 @@ resource "aws_s3_bucket" "this" {
   }
 
 }
+
+resource "aws_s3_bucket_policy" "this" {
+  count = var.create_bucket && (var.attach_elb_log_delivery_policy || var.policy != null) ? 1 : 0
+
+  bucket = aws_s3_bucket.this[0].id
+  policy = var.attach_elb_log_delivery_policy ? data.aws_iam_policy_document.elb_log_delivery[0].json : var.policy
+}
+
+# AWS Load Balancer access log delivery policy
+data "aws_elb_service_account" "this" {
+  count = var.create_bucket && var.attach_elb_log_delivery_policy ? 1 : 0
+}
+
+data "aws_iam_policy_document" "elb_log_delivery" {
+  count = var.create_bucket && var.attach_elb_log_delivery_policy ? 1 : 0
+
+  statement {
+    sid = ""
+
+    principals {
+      type        = "AWS"
+      identifiers = data.aws_elb_service_account.this.*.arn
+    }
+
+    effect = "Allow"
+
+    actions = [
+      "s3:PutObject",
+    ]
+
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.this[0].id}/*",
+    ]
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -4,6 +4,12 @@ variable "create_bucket" {
   default     = true
 }
 
+variable "attach_elb_log_delivery_policy" {
+  description = "Controls if S3 bucket should have ELB log delivery policy attached"
+  type        = bool
+  default     = false
+}
+
 variable "bucket" {
   description = "(Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name."
   type        = string