From 558e237f205dcf732f0401e9fcda66bece7e85b7 Mon Sep 17 00:00:00 2001 From: Julian Nonino Date: Fri, 20 May 2022 11:54:25 +0100 Subject: [PATCH] Initial commit (#2) * Initial commit * Update variables.tf * Update variables.tf * First version of the module * First version of the module --- .terraform.lock.hcl | 19 ++++ README.md | 25 +++++- examples/disabled/main.tf | 4 - examples/enabled/.terraform.lock.hcl | 22 ----- examples/enabled/main.tf | 4 - examples/enabled/mock_provider.tf | 19 ---- .../{disabled => test}/.terraform.lock.hcl | 19 ++++ examples/test/main.tf | 10 +++ examples/{disabled => test}/mock_provider.tf | 0 main.tf | 88 +++++++++++++++++++ outputs.tf | 12 +++ variables.tf | 35 ++++++++ 12 files changed, 205 insertions(+), 52 deletions(-) delete mode 100644 examples/disabled/main.tf delete mode 100644 examples/enabled/.terraform.lock.hcl delete mode 100644 examples/enabled/main.tf delete mode 100644 examples/enabled/mock_provider.tf rename examples/{disabled => test}/.terraform.lock.hcl (53%) create mode 100644 examples/test/main.tf rename examples/{disabled => test}/mock_provider.tf (100%) diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index 2e95347..8c223cd 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl 
@@ -20,3 +20,22 @@ provider "registry.terraform.io/hashicorp/aws" { "zh:f7e1733dc990524420d4ac027c581cf40e6c4751aaf7dd2c9da19dc473d741a5", ] } + +provider "registry.terraform.io/hashicorp/random" { + version = "3.2.0" + hashes = [ + "h1:NvMyFNHHq65GUNyBGjLuLD4ABA6sTlRebZCIK5OtvFU=", + "zh:2960977ce9a7d6a7d3e934e75ec5814735626f95c186ad95a9102344a1a38ac1", + "zh:2fd012abfabe7076f3f2f402eeef4970e20574d20ffec57c162b02b6e848c32f", + "zh:4cd3234671cf01c913023418b227eb78b0659f2cd2e0b387be1f0bb607d29889", + "zh:52e695b4fa3fae735ffc901edff8183745f980923510a744db7616e8f10dc499", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:848b4a294e5ba15192ee4bfd199c07f60a437d7572efcd2d89db036e1ebc0e6e", + "zh:9d49aa432a05748a9527e95448cebee1238c87c97c7e8dec694bfd709683f9c7", + "zh:b4ad4cf289d3f7408649b74b8639918833613f2a1f3cf51b51f4b2fdaa412dd2", + "zh:c1544c4b416096fb8d8dbf84c4488584a2844a30dd533b957e9e9e60a165f24e", + "zh:dc737d6b4591cad8c9a1d0b347e587e846d8d901789b29b4dd401b6cdf82c017", + "zh:f5645fd39f749dbbf847cbdc87ba0dbd141143f12917a6a8904faf8a9b64111e", + "zh:fdedf610e0d020878a8f1fedda8105e0c33a7e23c4792fca54460685552de308", + ] +} diff --git a/README.md b/README.md index 171e307..c841d03 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,10 @@ In order to run all checks at any point run the following command: ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.15.0 | +| [random](#provider\_random) | 3.2.0 | ## Modules 
@@ -38,16 +41,32 @@ No modules.
 ## Resources
-No resources.
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_policy.logs_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.logs_block_public_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [random_string.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [aws_iam_policy_document.logs_access_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [aws\_principals\_identifiers](#input\_aws\_principals\_identifiers) | List of identifiers for AWS principals with access to write in the logs bucket | `list(string)` | n/a | yes |
+| [block\_s3\_bucket\_public\_access](#input\_block\_s3\_bucket\_public\_access) | (Optional) If true, public access to the S3 bucket will be blocked. | `bool` | `true` | no |
+| [enable\_s3\_bucket\_server\_side\_encryption](#input\_enable\_s3\_bucket\_server\_side\_encryption) | (Optional) If true, server side encryption will be applied. 
| `bool` | `true` | no |
 | [name\_prefix](#input\_name\_prefix) | Name prefix for resources on AWS | `string` | n/a | yes |
+| [s3\_bucket\_server\_side\_encryption\_key](#input\_s3\_bucket\_server\_side\_encryption\_key) | (Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse\_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse\_algorithm is aws:kms. | `string` | `"aws/s3"` | no |
+| [s3\_bucket\_server\_side\_encryption\_sse\_algorithm](#input\_s3\_bucket\_server\_side\_encryption\_sse\_algorithm) | (Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms | `string` | `"aws:kms"` | no |
 | [tags](#input\_tags) | Resource tags | `map(string)` | `{}` | no |
 ## Outputs
-No outputs.
+| Name | Description |
+|------|-------------|
+| [lb\_logs\_s3\_bucket\_arn](#output\_lb\_logs\_s3\_bucket\_arn) | LB Logging S3 Bucket ARN |
+| [lb\_logs\_s3\_bucket\_id](#output\_lb\_logs\_s3\_bucket\_id) | LB Logging S3 Bucket ID |
diff --git a/examples/disabled/main.tf b/examples/disabled/main.tf
deleted file mode 100644
index e077dcc..0000000
--- a/examples/disabled/main.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-module "logs_bucket" {
- source = "../../"
- name_prefix = "test-enabled"
-}
diff --git a/examples/enabled/.terraform.lock.hcl b/examples/enabled/.terraform.lock.hcl
deleted file mode 100644
index 2e95347..0000000
--- a/examples/enabled/.terraform.lock.hcl
+++ /dev/null
@@ -1,22 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "4.15.0" - constraints = ">= 4.0.0" - hashes = [ - "h1:MFXNlVb+vvBcz3Lnny3eQcV2Q+9cFmhjaOF9mcctPgw=", - "zh:005a4b78becbcf5ead8c0bf0a3b7b3c17990f4d030951948088ff9f9867e192f", - "zh:21c2cf1de303d6bd83d11a11966ec2553ccfd27166a6bcec9f67a4d69af1e8aa", - "zh:22c43c99e8140654dd84a25183c5d5ba92a0b7524573bba11950d3dc59ac6846", - "zh:4da4fa8dd7689c84b712b743084ad5483fd0b20b97bf43eff8eede9dcffd3751", - "zh:532b297b3fa0c5dddc1603d755b27d7bf952eb639177b66c7ea5e5ca328a37cf", - "zh:6681db82e988ffd1880993494d191b98a1bf89ad6aa39727d838fd3720227bf8", - "zh:8adf567cc3b787e8400eeb5da0c3057123d67cf06055b76018947109596e2605", - "zh:8fbc009feed7b58a5bed6d36fe4fbcf093537cc406cd61b7a5ae452f292f6302", - "zh:912040f3a60da22622eabdd0c295c3bff1de98606ab559c4d9020196604a33b8", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:d95b42e326574ec35dc44785fbe5a716ff4b0593c42e9e20fc4598d913082516", - "zh:f7e1733dc990524420d4ac027c581cf40e6c4751aaf7dd2c9da19dc473d741a5", - ] -} diff --git a/examples/enabled/main.tf b/examples/enabled/main.tf deleted file mode 100644 index e077dcc..0000000 --- a/examples/enabled/main.tf +++ /dev/null @@ -1,4 +0,0 @@ -module "logs_bucket" { - source = "../../" - name_prefix = "test-enabled" -} diff --git a/examples/enabled/mock_provider.tf b/examples/enabled/mock_provider.tf deleted file mode 100644 index 934ad5a..0000000 --- a/examples/enabled/mock_provider.tf +++ /dev/null 
@@ -1,19 +0,0 @@ -terraform { - required_version = ">= 0.13" - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4" - } - } -} - -provider "aws" { - region = "us-east-1" - skip_credentials_validation = true - skip_requesting_account_id = true - skip_metadata_api_check = true - s3_use_path_style = true - access_key = "mock_access_key" - secret_key = "mock_secret_key" -} diff --git a/examples/disabled/.terraform.lock.hcl b/examples/test/.terraform.lock.hcl similarity index 53% rename from examples/disabled/.terraform.lock.hcl rename to examples/test/.terraform.lock.hcl index 2e95347..8c223cd 100644 --- a/examples/disabled/.terraform.lock.hcl +++ b/examples/test/.terraform.lock.hcl @@ -20,3 +20,22 @@ provider "registry.terraform.io/hashicorp/aws" { "zh:f7e1733dc990524420d4ac027c581cf40e6c4751aaf7dd2c9da19dc473d741a5", ] } + +provider "registry.terraform.io/hashicorp/random" { + version = "3.2.0" + hashes = [ + "h1:NvMyFNHHq65GUNyBGjLuLD4ABA6sTlRebZCIK5OtvFU=", + "zh:2960977ce9a7d6a7d3e934e75ec5814735626f95c186ad95a9102344a1a38ac1", + "zh:2fd012abfabe7076f3f2f402eeef4970e20574d20ffec57c162b02b6e848c32f", + "zh:4cd3234671cf01c913023418b227eb78b0659f2cd2e0b387be1f0bb607d29889", + "zh:52e695b4fa3fae735ffc901edff8183745f980923510a744db7616e8f10dc499", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:848b4a294e5ba15192ee4bfd199c07f60a437d7572efcd2d89db036e1ebc0e6e", + "zh:9d49aa432a05748a9527e95448cebee1238c87c97c7e8dec694bfd709683f9c7", + "zh:b4ad4cf289d3f7408649b74b8639918833613f2a1f3cf51b51f4b2fdaa412dd2", + "zh:c1544c4b416096fb8d8dbf84c4488584a2844a30dd533b957e9e9e60a165f24e", + "zh:dc737d6b4591cad8c9a1d0b347e587e846d8d901789b29b4dd401b6cdf82c017", + "zh:f5645fd39f749dbbf847cbdc87ba0dbd141143f12917a6a8904faf8a9b64111e", + "zh:fdedf610e0d020878a8f1fedda8105e0c33a7e23c4792fca54460685552de308", + ] +} diff --git a/examples/test/main.tf b/examples/test/main.tf new file mode 100644 index 0000000..ed00ec4 --- /dev/null 
+++ b/examples/test/main.tf
@@ -0,0 +1,10 @@
+module "logs_bucket" {
+ source = "../../"
+
+ name_prefix = "test"
+ aws_principals_identifiers = ["test-user-arn"]
+ block_s3_bucket_public_access = true
+ enable_s3_bucket_server_side_encryption = true
+ s3_bucket_server_side_encryption_sse_algorithm = "aws:kms"
+ s3_bucket_server_side_encryption_key = "aws/s3"
+}
diff --git a/examples/disabled/mock_provider.tf b/examples/test/mock_provider.tf
similarity index 100%
rename from examples/disabled/mock_provider.tf
rename to examples/test/mock_provider.tf
diff --git a/main.tf b/main.tf
index e69de29..747bb3d 100644
--- a/main.tf
+++ b/main.tf
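Review bot: The example's `aws_principals_identifiers = ["test-user-arn"]` is not an ARN, so although it plans against the mock provider, applying it against a real account would have `aws_s3_bucket_policy.logs_access_policy` rejected as a malformed policy. Since `examples/` is what readers copy, a well-formed placeholder such as `aws_principals_identifiers = ["arn:aws:iam::123456789012:root"] # placeholder account id` (constructed example) makes the expected input shape obvious. The example also gives no hint that a real LB log bucket would typically need the load balancer's log-delivery principal here rather than a user ARN, which a one-line comment could point out.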
@@ -0,0 +1,88 @@
+#------------------------------------------------------------------------------
+# S3 BUCKET - For access logs
+#------------------------------------------------------------------------------
+resource "random_string" "random" {
+ length = 7
+ lower = true
+ number = false
+ upper = false
+ special = false
+ keepers = {
+ name_prefix = var.name_prefix
+ }
+}
+
+resource "aws_s3_bucket" "logs" {
+ bucket = lower("${random_string.random.keepers.name_prefix}-logs-${random_string.random.result}")
+ tags = merge(
+ var.tags,
+ {
+ Name = lower("${random_string.random.keepers.name_prefix}-logs-${random_string.random.result}")
+ },
+ )
+}
+
+resource "aws_s3_bucket_acl" "logs" {
+ bucket = aws_s3_bucket.logs.id
+ acl = "log-delivery-write"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
+ count = var.enable_s3_bucket_server_side_encryption ? 1 : 0
+
+ bucket = aws_s3_bucket.logs.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = var.s3_bucket_server_side_encryption_sse_algorithm
+ kms_master_key_id = var.s3_bucket_server_side_encryption_sse_algorithm == "aws:kms" ? 
var.s3_bucket_server_side_encryption_key : null
+
+ }
+ }
+}
+
+#------------------------------------------------------------------------------
+# IAM POLICY DOCUMENT - For access logs to the S3 bucket
+#------------------------------------------------------------------------------
+data "aws_iam_policy_document" "logs_access_policy_document" {
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = var.aws_principals_identifiers
+ }
+
+ actions = [
+ "s3:PutObject",
+ ]
+
+ resources = [
+ "${aws_s3_bucket.logs.arn}/*",
+ ]
+ }
+}
+
+#------------------------------------------------------------------------------
+# IAM POLICY - For access logs to the s3 bucket
+#------------------------------------------------------------------------------
+resource "aws_s3_bucket_policy" "logs_access_policy" {
+ bucket = aws_s3_bucket.logs.id
+ policy = data.aws_iam_policy_document.logs_access_policy_document.json
+}
+
+#------------------------------------------------------------------------------
+# S3 bucket block public access
+#------------------------------------------------------------------------------
+resource "aws_s3_bucket_public_access_block" "logs_block_public_access" {
+ count = var.block_s3_bucket_public_access ? 1 : 0
+
+ bucket = aws_s3_bucket.logs.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+
+ depends_on = [aws_s3_bucket_policy.logs_access_policy]
+}
diff --git a/outputs.tf b/outputs.tf
index e69de29..d6f144d 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -0,0 +1,12 @@
+#------------------------------------------------------------------------------
+# S3 Bucket
+#------------------------------------------------------------------------------
+output "lb_logs_s3_bucket_id" {
+ description = "LB Logging S3 Bucket ID"
+ value = aws_s3_bucket.logs.id
+}
+
+output "lb_logs_s3_bucket_arn" {
+ description = "LB Logging S3 Bucket ARN"
+ value = aws_s3_bucket.logs.arn
+}
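Review bot: `aws_s3_bucket_acl.logs` sets `acl = "log-delivery-write"`, the canned ACL that grants the S3 LogDelivery group WRITE and READ_ACP on the bucket — the grant S3 server access logging relies on, not load-balancer log delivery, which this module already covers with the `s3:PutObject` grant in `aws_iam_policy_document.logs_access_policy_document`. If the bucket is only meant for LB logs (the outputs call it the LB logging bucket), that ACL lets a writer outside `var.aws_principals_identifiers` into it and could be dropped; it also makes the module depend on the bucket's object-ownership setting still honouring ACLs, which an explicit `aws_s3_bucket_ownership_controls` resource would document. Separately, the policy document has no statement refusing non-TLS requests; a `Deny` on `aws:SecureTransport = false` for the bucket and its objects is the usual hardening for a log bucket, and as a deny it is not treated as a public policy by `block_public_policy`.
```hcl
data "aws_iam_policy_document" "logs_access_policy_document" {
  # … unchanged: Allow s3:PutObject statement for var.aws_principals_identifiers …

  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    resources = [
      aws_s3_bucket.logs.arn,
      "${aws_s3_bucket.logs.arn}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}
```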
diff --git a/variables.tf b/variables.tf
index d302036..069b7dc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -11,3 +11,38 @@ variable "tags" {
 default = {}
 description = "Resource tags"
 }
+
+#------------------------------------------------------------------------------
+# IAM
+#------------------------------------------------------------------------------
+variable "aws_principals_identifiers" {
+ type = list(string)
+ description = "List of identifiers for AWS principals with access to write in the logs bucket"
+}
+
+#------------------------------------------------------------------------------
+# S3 bucket
+#------------------------------------------------------------------------------
+variable "block_s3_bucket_public_access" {
+ description = "(Optional) If true, public access to the S3 bucket will be blocked."
+ type = bool
+ default = true
+}
+
+variable "enable_s3_bucket_server_side_encryption" {
+ description = "(Optional) If true, server side encryption will be applied."
+ type = bool
+ default = true
+}
+
+variable "s3_bucket_server_side_encryption_sse_algorithm" {
+ description = "(Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms"
+ type = string
+ default = "aws:kms"
+}
+
+variable "s3_bucket_server_side_encryption_key" {
+ description = "(Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms."
+ type = string
+ default = "aws/s3"
+}
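Review bot: The defaults `default = "aws:kms"` for `s3_bucket_server_side_encryption_sse_algorithm` and `default = "aws/s3"` for `s3_bucket_server_side_encryption_key` do not fit a load-balancer log bucket: ELB access-log delivery is documented as supporting only SSE-S3 (`AES256`), so with these defaults the delivery writes would be refused, and `aws/s3` is an alias name rather than a key ID or ARN and may not be accepted as a key identifier, while the description itself says the AWS-managed key is used when the element is absent. Defaulting the algorithm to `"AES256"` and the key to `null` keeps the described behaviour and matches what LB log delivery supports; if the module is also meant for other log producers, the restriction belongs in the description. Nothing constrains the algorithm to the two values the description lists, so a typo is only caught at apply time; a `validation` block (the example's `required_version = ">= 0.13"` already permits it) fails it at plan time.
```hcl
variable "s3_bucket_server_side_encryption_sse_algorithm" {
  description = "(Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms"
  type        = string
  default     = "AES256"

  validation {
    condition     = contains(["AES256", "aws:kms"], var.s3_bucket_server_side_encryption_sse_algorithm)
    error_message = "s3_bucket_server_side_encryption_sse_algorithm must be AES256 or aws:kms."
  }
}

variable "s3_bucket_server_side_encryption_key" {
  # … unchanged: description …
  type    = string
  default = null
}
```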