add optional access log bucket creation (#35)

Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>

README.md

@@ -144,6 +144,7 @@ Available targets:
 | block\_public\_acls | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no |
 | block\_public\_policy | Set to `false` to disable the blocking of new public policies on the bucket | `bool` | `true` | no |
 | context | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | <pre>object({<br>    enabled             = bool<br>    namespace           = string<br>    environment         = string<br>    stage               = string<br>    name                = string<br>    delimiter           = string<br>    attributes          = list(string)<br>    tags                = map(string)<br>    additional_tag_map  = map(string)<br>    regex_replace_chars = string<br>    label_order         = list(string)<br>    id_length_limit     = number<br>  })</pre> | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_order": [],<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {}<br>}</pre> | no |
+| create\_access\_log\_bucket | A flag to indicate if a bucket for s3 access logs should be created | `bool` | `false` | no |
 | delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | enable\_glacier\_transition | Glacier transition might just increase your bill. Set to false to disable lifecycle transitions to AWS Glacier. | `bool` | `false` | no |
 | enabled | Set to false to prevent the module from creating any resources | `bool` | `null` | no |

docs/terraform.md

@@ -27,6 +27,7 @@
 | block\_public\_acls | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no |
 | block\_public\_policy | Set to `false` to disable the blocking of new public policies on the bucket | `bool` | `true` | no |
 | context | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | <pre>object({<br>    enabled             = bool<br>    namespace           = string<br>    environment         = string<br>    stage               = string<br>    name                = string<br>    delimiter           = string<br>    attributes          = list(string)<br>    tags                = map(string)<br>    additional_tag_map  = map(string)<br>    regex_replace_chars = string<br>    label_order         = list(string)<br>    id_length_limit     = number<br>  })</pre> | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_order": [],<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {}<br>}</pre> | no |
+| create\_access\_log\_bucket | A flag to indicate if a bucket for s3 access logs should be created | `bool` | `false` | no |
 | delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.<br>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | enable\_glacier\_transition | Glacier transition might just increase your bill. Set to false to disable lifecycle transitions to AWS Glacier. | `bool` | `false` | no |
 | enabled | Set to false to prevent the module from creating any resources | `bool` | `null` | no |

examples/complete/main.tf

@@ -5,7 +5,8 @@ provider "aws" {
 module "cloudtrail_s3_bucket" {
   source = "../../"
 
-  force_destroy = true
+  force_destroy            = true
+  create_access_log_bucket = true
 
   context = module.this.context
 }

main.tf

@@ -1,3 +1,74 @@
+
+module "access_log_label" {
+  source  = "cloudposse/label/null"
+  version = "0.22.1"
+
+  name = "cloudtrail-access-log"
+
+  context = module.this.context
+}
+
+module "s3_bucket" {
+  source  = "cloudposse/s3-log-storage/aws"
+  version = "0.17.0"
+  enabled = module.this.enabled
+
+  acl                                    = var.acl
+  policy                                 = join("", data.aws_iam_policy_document.default.*.json)
+  force_destroy                          = var.force_destroy
+  versioning_enabled                     = var.versioning_enabled
+  lifecycle_rule_enabled                 = var.lifecycle_rule_enabled
+  lifecycle_prefix                       = var.lifecycle_prefix
+  lifecycle_tags                         = var.lifecycle_tags
+  noncurrent_version_expiration_days     = var.noncurrent_version_expiration_days
+  noncurrent_version_transition_days     = var.noncurrent_version_transition_days
+  standard_transition_days               = var.standard_transition_days
+  glacier_transition_days                = var.glacier_transition_days
+  enable_glacier_transition              = var.enable_glacier_transition
+  expiration_days                        = var.expiration_days
+  abort_incomplete_multipart_upload_days = var.abort_incomplete_multipart_upload_days
+  sse_algorithm                          = var.sse_algorithm
+  kms_master_key_arn                     = var.kms_master_key_arn
+  block_public_acls                      = var.block_public_acls
+  block_public_policy                    = var.block_public_policy
+  ignore_public_acls                     = var.ignore_public_acls
+  restrict_public_buckets                = var.restrict_public_buckets
+  access_log_bucket_name                 = local.access_log_bucket_name
+
+  context = module.this.context
+}
+
+module "s3_access_log_bucket" {
+  source  = "cloudposse/s3-log-storage/aws"
+  version = "0.17.0"
+  enabled = module.this.enabled && var.create_access_log_bucket
+
+  acl                                    = var.acl
+  policy                                 = ""
+  force_destroy                          = var.force_destroy
+  versioning_enabled                     = var.versioning_enabled
+  lifecycle_rule_enabled                 = var.lifecycle_rule_enabled
+  lifecycle_prefix                       = var.lifecycle_prefix
+  lifecycle_tags                         = var.lifecycle_tags
+  noncurrent_version_expiration_days     = var.noncurrent_version_expiration_days
+  noncurrent_version_transition_days     = var.noncurrent_version_transition_days
+  standard_transition_days               = var.standard_transition_days
+  glacier_transition_days                = var.glacier_transition_days
+  enable_glacier_transition              = var.enable_glacier_transition
+  expiration_days                        = var.expiration_days
+  abort_incomplete_multipart_upload_days = var.abort_incomplete_multipart_upload_days
+  sse_algorithm                          = var.sse_algorithm
+  kms_master_key_arn                     = var.kms_master_key_arn
+  block_public_acls                      = var.block_public_acls
+  block_public_policy                    = var.block_public_policy
+  ignore_public_acls                     = var.ignore_public_acls
+  restrict_public_buckets                = var.restrict_public_buckets
+  access_log_bucket_name                 = ""
+
+  attributes = ["access-logs"]
+  context    = module.this.context
+}
+
 data "aws_iam_policy_document" "default" {
   count = module.this.enabled ? 1 : 0
 
@@ -45,32 +116,6 @@ data "aws_iam_policy_document" "default" {
   }
 }
 
-module "s3_bucket" {
-  source  = "cloudposse/s3-log-storage/aws"
-  version = "0.17.0"
-  enabled = module.this.enabled
-
-  acl                                    = var.acl
-  policy                                 = join("", data.aws_iam_policy_document.default.*.json)
-  force_destroy                          = var.force_destroy
-  versioning_enabled                     = var.versioning_enabled
-  lifecycle_rule_enabled                 = var.lifecycle_rule_enabled
-  lifecycle_prefix                       = var.lifecycle_prefix
-  lifecycle_tags                         = var.lifecycle_tags
-  noncurrent_version_expiration_days     = var.noncurrent_version_expiration_days
-  noncurrent_version_transition_days     = var.noncurrent_version_transition_days
-  standard_transition_days               = var.standard_transition_days
-  glacier_transition_days                = var.glacier_transition_days
-  enable_glacier_transition              = var.enable_glacier_transition
-  expiration_days                        = var.expiration_days
-  abort_incomplete_multipart_upload_days = var.abort_incomplete_multipart_upload_days
-  sse_algorithm                          = var.sse_algorithm
-  kms_master_key_arn                     = var.kms_master_key_arn
-  block_public_acls                      = var.block_public_acls
-  block_public_policy                    = var.block_public_policy
-  ignore_public_acls                     = var.ignore_public_acls
-  restrict_public_buckets                = var.restrict_public_buckets
-  access_log_bucket_name                 = var.access_log_bucket_name
-
-  context = module.this.context
+locals {
+  access_log_bucket_name = var.create_access_log_bucket == true ? module.s3_access_log_bucket.bucket_id : var.access_log_bucket_name
 }

variables.tf

@@ -124,3 +124,9 @@ variable "access_log_bucket_name" {
   default     = ""
   description = "Name of the S3 bucket where s3 access log will be sent to"
 }
+
+variable "create_access_log_bucket" {
+  type        = bool
+  default     = false
+  description = "A flag to indicate if a bucket for s3 access logs should be created"
+}