Merge pull request #8045 from ministryofjustice/feature/7607-firewall…

…-logs-direct-to-s3 Optionally output firewall logs to S3 bucket
ministryofjustice · Sep 24, 2024 · 1e939e7 · 1e939e7
2 parents 46f2136 + d061f41
commit 1e939e7
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/terraform/modules/firewall-logging/main.tf b/terraform/modules/firewall-logging/main.tf
@@ -14,6 +14,16 @@ resource "aws_networkfirewall_logging_configuration" "main" {
       log_destination_type = "CloudWatchLogs"
       log_type             = "ALERT"
     }
+    dynamic "log_destination_config" {
+      for_each = var.s3_log_bucket != "" ? toset([var.s3_log_bucket]) : []
+      content {
+        log_destination = {
+          bucketName = log_destination_config.value
+        }
+        log_destination_type = "S3"
+        log_type             = "ALERT"
+      }
+    }
   }
 }
 

diff --git a/terraform/modules/firewall-logging/variables.tf b/terraform/modules/firewall-logging/variables.tf
@@ -7,6 +7,11 @@ variable "fw_arn" {
   description = "ARN of firewall for logging configuration"
   type        = string
 }
+variable "s3_log_bucket" {
+  description = "Optional ARN of an S3 bucket to ship logs to"
+  default     = ""
+  type        = string
+}
 
 variable "tags" {
   description = "A map of keys and values used to create resource metadata tags"