From d061f41967eeebed16b8e882f628e6205796c69c Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Tue, 24 Sep 2024 16:24:59 +0100
Subject: [PATCH] optionally create output to S3 bucket if bucket arn supplied

---
 terraform/modules/firewall-logging/main.tf | 10 ++++++++++
 terraform/modules/firewall-logging/variables.tf | 5 +++++
 2 files changed, 15 insertions(+)

diff --git a/terraform/modules/firewall-logging/main.tf b/terraform/modules/firewall-logging/main.tf
index 6103904c4..95f10edd4 100644
--- a/terraform/modules/firewall-logging/main.tf
+++ b/terraform/modules/firewall-logging/main.tf
@@ -14,6 +14,16 @@ resource "aws_networkfirewall_logging_configuration" "main" {
 log_destination_type = "CloudWatchLogs"
 log_type = "ALERT"
 }
+ dynamic "log_destination_config" {
+ for_each = var.s3_log_bucket != "" ? toset([var.s3_log_bucket]) : []
+ content {
+ log_destination = {
+ bucketName = log_destination_config.value
+ }
+ log_destination_type = "S3"
+ log_type = "ALERT"
+ }
+ }
 }
 }
diff --git a/terraform/modules/firewall-logging/variables.tf b/terraform/modules/firewall-logging/variables.tf
index 35b8b49a5..5927b3579 100644
--- a/terraform/modules/firewall-logging/variables.tf
+++ b/terraform/modules/firewall-logging/variables.tf
@@ -7,6 +7,11 @@ variable "fw_arn" {
 description = "ARN of firewall for logging configuration"
 type = string
 }
+variable "s3_log_bucket" {
+ description = "Optional ARN of an S3 bucket to ship logs to"
+ default = ""
+ type = string
+}
 variable "tags" {
 description = "A map of keys and values used to create resource metadata tags"
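Review bot: The `bucketName` key in the new `log_destination` map takes a bucket name, but the `s3_log_bucket` variable added in the variables.tf hunk (and the commit subject) describes the value as an ARN, so a caller following the description would presumably get an apply-time rejection rather than a second log destination. Either document the variable as a name, `description = "Optional name (not ARN) of an S3 bucket to ship ALERT logs to"`, or strip the prefix before use, `bucketName = trimprefix(log_destination_config.value, "arn:aws:s3:::")`, and pick one wording for the subject, the variable and the map key so they agree. The `for_each` expression wraps one branch in `toset()` and leaves the other as a bare `[]`; the simpler `var.s3_log_bucket != "" ? [var.s3_log_bucket] : []` is the usual form and avoids the mixed types. Nothing in the hunk grants the log-delivery service write access to the bucket, so the target bucket presumably needs its own policy for delivery to succeed; that prerequisite is worth stating in the variable description so a missing policy is noticed at review rather than as silently absent alert logs. The enclosing `resource "aws_networkfirewall_logging_configuration" "main"` block opens before the hunk.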