diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index 2e95347..8c223cd 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -20,3 +20,22 @@ provider "registry.terraform.io/hashicorp/aws" {
"zh:f7e1733dc990524420d4ac027c581cf40e6c4751aaf7dd2c9da19dc473d741a5",
]
}
+
+provider "registry.terraform.io/hashicorp/random" {
+ version = "3.2.0"
+ hashes = [
+ "h1:NvMyFNHHq65GUNyBGjLuLD4ABA6sTlRebZCIK5OtvFU=",
+ "zh:2960977ce9a7d6a7d3e934e75ec5814735626f95c186ad95a9102344a1a38ac1",
+ "zh:2fd012abfabe7076f3f2f402eeef4970e20574d20ffec57c162b02b6e848c32f",
+ "zh:4cd3234671cf01c913023418b227eb78b0659f2cd2e0b387be1f0bb607d29889",
+ "zh:52e695b4fa3fae735ffc901edff8183745f980923510a744db7616e8f10dc499",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:848b4a294e5ba15192ee4bfd199c07f60a437d7572efcd2d89db036e1ebc0e6e",
+ "zh:9d49aa432a05748a9527e95448cebee1238c87c97c7e8dec694bfd709683f9c7",
+ "zh:b4ad4cf289d3f7408649b74b8639918833613f2a1f3cf51b51f4b2fdaa412dd2",
+ "zh:c1544c4b416096fb8d8dbf84c4488584a2844a30dd533b957e9e9e60a165f24e",
+ "zh:dc737d6b4591cad8c9a1d0b347e587e846d8d901789b29b4dd401b6cdf82c017",
+ "zh:f5645fd39f749dbbf847cbdc87ba0dbd141143f12917a6a8904faf8a9b64111e",
+ "zh:fdedf610e0d020878a8f1fedda8105e0c33a7e23c4792fca54460685552de308",
+ ]
+}
diff --git a/README.md b/README.md
index 171e307..c841d03 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,10 @@ In order to run all checks at any point run the following command:
## Providers
-No providers.
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | 4.15.0 |
+| [random](#provider\_random) | 3.2.0 |
## Modules
@@ -38,16 +41,32 @@ No modules.
## Resources
-No resources.
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_policy.logs_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.logs_block_public_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [random_string.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [aws_iam_policy_document.logs_access_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [aws\_principals\_identifiers](#input\_aws\_principals\_identifiers) | List of identifiers for AWS principals with access to write in the logs bucket | `list(string)` | n/a | yes |
+| [block\_s3\_bucket\_public\_access](#input\_block\_s3\_bucket\_public\_access) | (Optional) If true, public access to the S3 bucket will be blocked. | `bool` | `true` | no |
+| [enable\_s3\_bucket\_server\_side\_encryption](#input\_enable\_s3\_bucket\_server\_side\_encryption) | (Optional) If true, server side encryption will be applied. | `bool` | `true` | no |
| [name\_prefix](#input\_name\_prefix) | Name prefix for resources on AWS | `string` | n/a | yes |
+| [s3\_bucket\_server\_side\_encryption\_key](#input\_s3\_bucket\_server\_side\_encryption\_key) | (Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse\_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse\_algorithm is aws:kms. | `string` | `"aws/s3"` | no |
+| [s3\_bucket\_server\_side\_encryption\_sse\_algorithm](#input\_s3\_bucket\_server\_side\_encryption\_sse\_algorithm) | (Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms | `string` | `"aws:kms"` | no |
| [tags](#input\_tags) | Resource tags | `map(string)` | `{}` | no |
## Outputs
-No outputs.
+| Name | Description |
+|------|-------------|
+| [lb\_logs\_s3\_bucket\_arn](#output\_lb\_logs\_s3\_bucket\_arn) | LB Logging S3 Bucket ARN |
+| [lb\_logs\_s3\_bucket\_id](#output\_lb\_logs\_s3\_bucket\_id) | LB Logging S3 Bucket ID |
diff --git a/examples/disabled/main.tf b/examples/disabled/main.tf
deleted file mode 100644
index e077dcc..0000000
--- a/examples/disabled/main.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-module "logs_bucket" {
- source = "../../"
- name_prefix = "test-enabled"
-}
diff --git a/examples/enabled/.terraform.lock.hcl b/examples/enabled/.terraform.lock.hcl
deleted file mode 100644
index 2e95347..0000000
--- a/examples/enabled/.terraform.lock.hcl
+++ /dev/null
@@ -1,22 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/aws" {
- version = "4.15.0"
- constraints = ">= 4.0.0"
- hashes = [
- "h1:MFXNlVb+vvBcz3Lnny3eQcV2Q+9cFmhjaOF9mcctPgw=",
- "zh:005a4b78becbcf5ead8c0bf0a3b7b3c17990f4d030951948088ff9f9867e192f",
- "zh:21c2cf1de303d6bd83d11a11966ec2553ccfd27166a6bcec9f67a4d69af1e8aa",
- "zh:22c43c99e8140654dd84a25183c5d5ba92a0b7524573bba11950d3dc59ac6846",
- "zh:4da4fa8dd7689c84b712b743084ad5483fd0b20b97bf43eff8eede9dcffd3751",
- "zh:532b297b3fa0c5dddc1603d755b27d7bf952eb639177b66c7ea5e5ca328a37cf",
- "zh:6681db82e988ffd1880993494d191b98a1bf89ad6aa39727d838fd3720227bf8",
- "zh:8adf567cc3b787e8400eeb5da0c3057123d67cf06055b76018947109596e2605",
- "zh:8fbc009feed7b58a5bed6d36fe4fbcf093537cc406cd61b7a5ae452f292f6302",
- "zh:912040f3a60da22622eabdd0c295c3bff1de98606ab559c4d9020196604a33b8",
- "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
- "zh:d95b42e326574ec35dc44785fbe5a716ff4b0593c42e9e20fc4598d913082516",
- "zh:f7e1733dc990524420d4ac027c581cf40e6c4751aaf7dd2c9da19dc473d741a5",
- ]
-}
diff --git a/examples/enabled/main.tf b/examples/enabled/main.tf
deleted file mode 100644
index e077dcc..0000000
--- a/examples/enabled/main.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-module "logs_bucket" {
- source = "../../"
- name_prefix = "test-enabled"
-}
diff --git a/examples/enabled/mock_provider.tf b/examples/enabled/mock_provider.tf
deleted file mode 100644
index 934ad5a..0000000
--- a/examples/enabled/mock_provider.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-terraform {
- required_version = ">= 0.13"
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 4"
- }
- }
-}
-
-provider "aws" {
- region = "us-east-1"
- skip_credentials_validation = true
- skip_requesting_account_id = true
- skip_metadata_api_check = true
- s3_use_path_style = true
- access_key = "mock_access_key"
- secret_key = "mock_secret_key"
-}
diff --git a/examples/disabled/.terraform.lock.hcl b/examples/test/.terraform.lock.hcl
similarity index 53%
rename from examples/disabled/.terraform.lock.hcl
rename to examples/test/.terraform.lock.hcl
index 2e95347..8c223cd 100644
--- a/examples/disabled/.terraform.lock.hcl
+++ b/examples/test/.terraform.lock.hcl
@@ -20,3 +20,22 @@ provider "registry.terraform.io/hashicorp/aws" {
"zh:f7e1733dc990524420d4ac027c581cf40e6c4751aaf7dd2c9da19dc473d741a5",
]
}
+
+provider "registry.terraform.io/hashicorp/random" {
+ version = "3.2.0"
+ hashes = [
+ "h1:NvMyFNHHq65GUNyBGjLuLD4ABA6sTlRebZCIK5OtvFU=",
+ "zh:2960977ce9a7d6a7d3e934e75ec5814735626f95c186ad95a9102344a1a38ac1",
+ "zh:2fd012abfabe7076f3f2f402eeef4970e20574d20ffec57c162b02b6e848c32f",
+ "zh:4cd3234671cf01c913023418b227eb78b0659f2cd2e0b387be1f0bb607d29889",
+ "zh:52e695b4fa3fae735ffc901edff8183745f980923510a744db7616e8f10dc499",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:848b4a294e5ba15192ee4bfd199c07f60a437d7572efcd2d89db036e1ebc0e6e",
+ "zh:9d49aa432a05748a9527e95448cebee1238c87c97c7e8dec694bfd709683f9c7",
+ "zh:b4ad4cf289d3f7408649b74b8639918833613f2a1f3cf51b51f4b2fdaa412dd2",
+ "zh:c1544c4b416096fb8d8dbf84c4488584a2844a30dd533b957e9e9e60a165f24e",
+ "zh:dc737d6b4591cad8c9a1d0b347e587e846d8d901789b29b4dd401b6cdf82c017",
+ "zh:f5645fd39f749dbbf847cbdc87ba0dbd141143f12917a6a8904faf8a9b64111e",
+ "zh:fdedf610e0d020878a8f1fedda8105e0c33a7e23c4792fca54460685552de308",
+ ]
+}
diff --git a/examples/test/main.tf b/examples/test/main.tf
new file mode 100644
index 0000000..ed00ec4
--- /dev/null
+++ b/examples/test/main.tf
@@ -0,0 +1,10 @@
+module "logs_bucket" {
+ source = "../../"
+
+ name_prefix = "test"
+ aws_principals_identifiers = ["test-user-arn"]
+ block_s3_bucket_public_access = true
+ enable_s3_bucket_server_side_encryption = true
+ s3_bucket_server_side_encryption_sse_algorithm = "aws:kms"
+ s3_bucket_server_side_encryption_key = "aws/s3"
+}
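Review bot: `aws_principals_identifiers = ["test-user-arn"]` is not a valid IAM principal (neither an account ID nor an ARN), so the bucket policy it feeds through `data.aws_iam_policy_document.logs_access_policy_document` in the root module would be rejected by S3 at apply time against a real provider; the mock provider this example is renamed alongside presumably skips that, so only `plan` exercises it. A syntactically valid constructed placeholder such as `aws_principals_identifiers = ["arn:aws:iam::123456789012:root"]` keeps the example applyable and shows callers the shape the module expects. Every optional input here also restates the module default, so the example demonstrates no non-default path; either say so in a comment (`# values below are the module defaults, shown for reference`) or drop them so the minimal call is visible.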
diff --git a/examples/disabled/mock_provider.tf b/examples/test/mock_provider.tf
similarity index 100%
rename from examples/disabled/mock_provider.tf
rename to examples/test/mock_provider.tf
diff --git a/main.tf b/main.tf
index e69de29..747bb3d 100644
--- a/main.tf
+++ b/main.tf
@@ -0,0 +1,88 @@
+#------------------------------------------------------------------------------
+# S3 BUCKET - For access logs
+#------------------------------------------------------------------------------
+resource "random_string" "random" {
+ length = 7
+ lower = true
+ number = false
+ upper = false
+ special = false
+ keepers = {
+ name_prefix = var.name_prefix
+ }
+}
+
+resource "aws_s3_bucket" "logs" {
+ bucket = lower("${random_string.random.keepers.name_prefix}-logs-${random_string.random.result}")
+ tags = merge(
+ var.tags,
+ {
+ Name = lower("${random_string.random.keepers.name_prefix}-logs-${random_string.random.result}")
+ },
+ )
+}
+
+resource "aws_s3_bucket_acl" "logs" {
+ bucket = aws_s3_bucket.logs.id
+ acl = "log-delivery-write"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
+ count = var.enable_s3_bucket_server_side_encryption ? 1 : 0
+
+ bucket = aws_s3_bucket.logs.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = var.s3_bucket_server_side_encryption_sse_algorithm
+ kms_master_key_id = var.s3_bucket_server_side_encryption_sse_algorithm == "aws:kms" ? var.s3_bucket_server_side_encryption_key : null
+
+ }
+ }
+}
+
+#------------------------------------------------------------------------------
+# IAM POLICY DOCUMENT - For access logs to the S3 bucket
+#------------------------------------------------------------------------------
+data "aws_iam_policy_document" "logs_access_policy_document" {
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = var.aws_principals_identifiers
+ }
+
+ actions = [
+ "s3:PutObject",
+ ]
+
+ resources = [
+ "${aws_s3_bucket.logs.arn}/*",
+ ]
+ }
+}
+
+#------------------------------------------------------------------------------
+# IAM POLICY - For access logs to the s3 bucket
+#------------------------------------------------------------------------------
+resource "aws_s3_bucket_policy" "logs_access_policy" {
+ bucket = aws_s3_bucket.logs.id
+ policy = data.aws_iam_policy_document.logs_access_policy_document.json
+}
+
+#------------------------------------------------------------------------------
+# S3 bucket block public access
+#------------------------------------------------------------------------------
+resource "aws_s3_bucket_public_access_block" "logs_block_public_access" {
+ count = var.block_s3_bucket_public_access ? 1 : 0
+
+ bucket = aws_s3_bucket.logs.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+
+ depends_on = [aws_s3_bucket_policy.logs_access_policy]
+}
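Review bot: The canned ACL `log-delivery-write` on `aws_s3_bucket_acl.logs` grants write and read-ACP to the S3 Log Delivery group, which is the S3 server-access-logging path, not the load-balancer path that `aws_s3_bucket_policy.logs_access_policy` already covers through the explicit principals in `var.aws_principals_identifiers`; unless server access logging is also meant to land in this bucket, the ACL is a second, wider grant. Dropping it and adding an `aws_s3_bucket_ownership_controls` resource with `object_ownership = "BucketOwnerEnforced"` keeps the bucket policy as the single grant and matches the current ACLs-disabled default for new buckets. The policy document also carries no statement denying plaintext transport (`aws:SecureTransport` false), the usual hardening for a log bucket; the rewritten data source below adds it. The lockfile entry added for `hashicorp/random` has no `constraints` line, unlike the aws entry, which suggests the root module does not declare `random` in `required_providers`; declaring it with a `~> 3.2` constraint lets consumers pin it and keeps `number = false` valid (later releases rename the argument to `numeric`).
```hcl
data "aws_iam_policy_document" "logs_access_policy_document" {
  # … unchanged: Allow s3:PutObject statement for var.aws_principals_identifiers …

  # Defence in depth: refuse any request to the log bucket over plain HTTP.
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = ["s3:*"]

    resources = [
      aws_s3_bucket.logs.arn,
      "${aws_s3_bucket.logs.arn}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}
```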
diff --git a/outputs.tf b/outputs.tf
index e69de29..d6f144d 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -0,0 +1,12 @@
+#------------------------------------------------------------------------------
+# S3 Bucket
+#------------------------------------------------------------------------------
+output "lb_logs_s3_bucket_id" {
+ description = "LB Logging S3 Bucket ID"
+ value = aws_s3_bucket.logs.id
+}
+
+output "lb_logs_s3_bucket_arn" {
+ description = "LB Logging S3 Bucket ARN"
+ value = aws_s3_bucket.logs.arn
+}
diff --git a/variables.tf b/variables.tf
index d302036..069b7dc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -11,3 +11,38 @@ variable "tags" {
default = {}
description = "Resource tags"
}
+
+#------------------------------------------------------------------------------
+# IAM
+#------------------------------------------------------------------------------
+variable "aws_principals_identifiers" {
+ type = list(string)
+ description = "List of identifiers for AWS principals with access to write in the logs bucket"
+}
+
+#------------------------------------------------------------------------------
+# S3 bucket
+#------------------------------------------------------------------------------
+variable "block_s3_bucket_public_access" {
+ description = "(Optional) If true, public access to the S3 bucket will be blocked."
+ type = bool
+ default = true
+}
+
+variable "enable_s3_bucket_server_side_encryption" {
+ description = "(Optional) If true, server side encryption will be applied."
+ type = bool
+ default = true
+}
+
+variable "s3_bucket_server_side_encryption_sse_algorithm" {
+ description = "(Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms"
+ type = string
+ default = "aws:kms"
+}
+
+variable "s3_bucket_server_side_encryption_key" {
+ description = "(Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms."
+ type = string
+ default = "aws/s3"
+}
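Review bot: The default `aws:kms` for `s3_bucket_server_side_encryption_sse_algorithm` makes main.tf set `kms_master_key_id` on the bucket, but if this bucket is meant to receive ELB/ALB/NLB access logs as the `lb_logs_*` output names suggest, load-balancer log delivery supports only SSE-S3 (AES256) and will fail to write to an SSE-KMS bucket, so `AES256` is the safer default. The same variable has no `validation` block even though its description enumerates the two valid values, so a typo surfaces only at apply time; the rewrite below adds one. For `s3_bucket_server_side_encryption_key`, the description itself says the AWS-managed key is used when the element is absent, so `default = null` expresses that directly instead of passing the bare name `"aws/s3"` (S3 documents the alias form as `alias/aws/s3`; confirm the bare form is accepted before keeping it).
```hcl
variable "s3_bucket_server_side_encryption_sse_algorithm" {
  # … unchanged: description, type …
  default     = "AES256"

  validation {
    condition     = contains(["AES256", "aws:kms"], var.s3_bucket_server_side_encryption_sse_algorithm)
    error_message = "s3_bucket_server_side_encryption_sse_algorithm must be AES256 or aws:kms."
  }
}
```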