forked from cn-terraform/terraform-aws-logs-s3-bucket
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.tf
126 lines (107 loc) · 3.58 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#------------------------------------------------------------------------------
# S3 BUCKET - For access logs
#------------------------------------------------------------------------------
resource "random_string" "random" {
length = 7
lower = true
numeric = false
upper = false
special = false
keepers = {
name_prefix = var.name_prefix
}
}
resource "aws_s3_bucket" "logs" {
bucket = lower("${random_string.random.keepers.name_prefix}-logs-${random_string.random.result}")
force_destroy = var.s3_bucket_force_destroy
tags = merge(
var.tags,
{
Name = lower("${random_string.random.keepers.name_prefix}-logs-${random_string.random.result}")
},
)
}
resource "aws_s3_bucket_acl" "logs" {
bucket = aws_s3_bucket.logs.id
acl = "log-delivery-write"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
count = var.enable_s3_bucket_server_side_encryption ? 1 : 0
bucket = aws_s3_bucket.logs.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = var.s3_bucket_server_side_encryption_sse_algorithm
kms_master_key_id = var.s3_bucket_server_side_encryption_sse_algorithm == "aws:kms" ? var.s3_bucket_server_side_encryption_key : null
}
}
}
#------------------------------------------------------------------------------
# IAM POLICY DOCUMENT - For access logs to the S3 bucket
#------------------------------------------------------------------------------
data "aws_caller_identity" "current" {}
locals {
aws_principals_identifiers = (
length(var.aws_principals_identifiers) == 0
? [data.aws_caller_identity.current.account_id]
: var.aws_principals_identifiers
)
}
data "aws_iam_policy_document" "logs_access_policy_document" {
statement {
effect = "Allow"
principals {
type = "AWS"
identifiers = local.aws_principals_identifiers
}
actions = ["s3:PutObject"]
resources = ["${aws_s3_bucket.logs.arn}/*", ]
}
statement {
effect = "Allow"
principals {
type = "Service"
identifiers = ["logdelivery.elb.amazonaws.com"]
}
actions = ["s3:GetBucketAcl"]
resources = [aws_s3_bucket.logs.arn]
}
statement {
sid = "https-only"
principals {
type = "*"
identifiers = ["*"]
}
effect = "Deny"
actions = [
"s3:*",
]
resources = [
"arn:aws:s3:::${aws_s3_bucket.logs.id}",
"arn:aws:s3:::${aws_s3_bucket.logs.id}/*",
]
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = [false]
}
}
}
#------------------------------------------------------------------------------
# IAM POLICY - For access logs to the s3 bucket
#------------------------------------------------------------------------------
resource "aws_s3_bucket_policy" "logs_access_policy" {
bucket = aws_s3_bucket.logs.id
policy = data.aws_iam_policy_document.logs_access_policy_document.json
}
#------------------------------------------------------------------------------
# S3 bucket block public access
#------------------------------------------------------------------------------
resource "aws_s3_bucket_public_access_block" "logs_block_public_access" {
count = var.block_s3_bucket_public_access ? 1 : 0
bucket = aws_s3_bucket.logs.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
depends_on = [aws_s3_bucket_policy.logs_access_policy]
}