generated from dxw/terraform-template
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy paths3-infrastructure-logs.tf
105 lines (83 loc) · 3.49 KB
/
s3-infrastructure-logs.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
resource "aws_s3_bucket" "infrastructure_logs" {
count = local.enable_infrastructure_logs_bucket ? 1 : 0
bucket = "${local.resource_prefix_hash}-logs"
}
resource "aws_s3_bucket_ownership_controls" "infrastructure_logs" {
count = local.enable_infrastructure_logs_bucket ? 1 : 0
bucket = aws_s3_bucket.infrastructure_logs[0].id
rule {
object_ownership = contains([for service in local.infrastructure_ecs_cluster_services : service["cloudfront_access_logging_enabled"]], true) ? "BucketOwnerPreferred" : "BucketOwnerEnforced"
}
}
resource "aws_s3_bucket_acl" "infrastructure_logs_log_delivery_write" {
count = local.enable_infrastructure_logs_bucket && contains([for service in local.infrastructure_ecs_cluster_services : service["cloudfront_access_logging_enabled"]], true) ? 1 : 0
bucket = aws_s3_bucket.infrastructure_logs[0].id
acl = "log-delivery-write"
depends_on = [
aws_s3_bucket_ownership_controls.infrastructure_logs,
]
}
resource "aws_s3_bucket_policy" "infrastructure_logs" {
count = local.enable_infrastructure_logs_bucket ? 1 : 0
bucket = aws_s3_bucket.infrastructure_logs[0].id
policy = templatefile(
"${path.module}/policies/s3-bucket-policy.json.tpl",
{
statement = <<EOT
[
${templatefile("${path.root}/policies/s3-bucket-policy-statements/enforce-tls.json.tpl", { bucket_arn = aws_s3_bucket.infrastructure_logs[0].arn })},
${templatefile("${path.root}/policies/s3-bucket-policy-statements/log-delivery-access.json.tpl", {
log_bucket_arn = aws_s3_bucket.infrastructure_logs[0].arn
s3_source_arns = jsonencode(local.logs_bucket_s3_source_arns)
logs_source_arns = jsonencode(local.logs_bucket_logs_source_arns)
vpc_flow_logs_prefix = local.infrastructure_vpc_flow_logs_s3_key_prefix
account_id = local.aws_account_id
})}
]
EOT
}
)
}
resource "aws_s3_bucket_public_access_block" "infrastructure_logs" {
count = local.enable_infrastructure_logs_bucket ? 1 : 0
bucket = aws_s3_bucket.infrastructure_logs[0].id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_versioning" "infrastructure_logs" {
count = local.enable_infrastructure_logs_bucket ? 1 : 0
bucket = aws_s3_bucket.infrastructure_logs[0].id
versioning_configuration {
status = "Enabled"
}
}
# because infrastructure_kms_encryption is only true when multiple other
# vars are true, tfsec can't figure out that this will actually have kms encryption when
# enabled
#tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-encryption
resource "aws_s3_bucket_server_side_encryption_configuration" "infrastructure_logs" {
count = local.enable_infrastructure_logs_bucket ? 1 : 0
bucket = aws_s3_bucket.infrastructure_logs[0].id
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = local.infrastructure_kms_encryption ? aws_kms_key.infrastructure[0].arn : null
sse_algorithm = local.infrastructure_kms_encryption ? "aws:kms" : "AES256"
}
}
}
resource "aws_s3_bucket_lifecycle_configuration" "logs" {
count = local.enable_infrastructure_logs_bucket && local.infrastructure_logging_bucket_retention != 0 ? 1 : 0
bucket = aws_s3_bucket.infrastructure_logs[0].id
rule {
id = "all_expire"
filter {
prefix = ""
}
expiration {
days = local.infrastructure_logging_bucket_retention
}
status = "Enabled"
}
}