Add support for a log bucket (#104)

* feat: add support for a log bucket

* Auto Format

* chore: add support for log bucket var config

* Auto Format

* chore: tighten up the bucket name integration

* Auto Format

* chore: fix incorrect local

* Auto Format

* chore: consolidate locals

Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>

README.md

@@ -264,6 +264,7 @@ Available targets:
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_dynamodb_table_label"></a> [dynamodb\_table\_label](#module\_dynamodb\_table\_label) | cloudposse/label/null | 0.25.0 |
+| <a name="module_log_storage"></a> [log\_storage](#module\_log\_storage) | cloudposse/s3-log-storage/aws | 0.26.0 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Resources
@@ -313,6 +314,10 @@ Available targets:
 | <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |
 | <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>**Notes:**<br>  The value of the `name` tag, if included, will be the `id`, not the `name`.<br>  Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br>  changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br>  "default"<br>]</pre> | no |
 | <a name="input_logging"></a> [logging](#input\_logging) | Bucket access logging configuration. | <pre>object({<br>    bucket_name = string<br>    prefix      = string<br>  })</pre> | `null` | no |
+| <a name="input_logging_bucket_enabled"></a> [logging\_bucket\_enabled](#input\_logging\_bucket\_enabled) | Whether to create the s3 access log bucket. | `bool` | `false` | no |
+| <a name="input_logging_bucket_expiration_days"></a> [logging\_bucket\_expiration\_days](#input\_logging\_bucket\_expiration\_days) | Whether to create the s3 access log bucket. | `number` | `90` | no |
+| <a name="input_logging_bucket_glacier_transition_days"></a> [logging\_bucket\_glacier\_transition\_days](#input\_logging\_bucket\_glacier\_transition\_days) | Whether to create the s3 access log bucket. | `number` | `60` | no |
+| <a name="input_logging_bucket_standard_transition_days"></a> [logging\_bucket\_standard\_transition\_days](#input\_logging\_bucket\_standard\_transition\_days) | Whether to create the s3 access log bucket. | `number` | `30` | no |
 | <a name="input_mfa_delete"></a> [mfa\_delete](#input\_mfa\_delete) | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |

docs/terraform.md

@@ -19,6 +19,7 @@
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_dynamodb_table_label"></a> [dynamodb\_table\_label](#module\_dynamodb\_table\_label) | cloudposse/label/null | 0.25.0 |
+| <a name="module_log_storage"></a> [log\_storage](#module\_log\_storage) | cloudposse/s3-log-storage/aws | 0.26.0 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Resources
@@ -68,6 +69,10 @@
 | <a name="input_label_value_case"></a> [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,<br>set as tag values, and output by this module individually.<br>Does not affect values of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper` and `none` (no transformation).<br>Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.<br>Default value: `lower`. | `string` | `null` | no |
 | <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>**Notes:**<br>  The value of the `name` tag, if included, will be the `id`, not the `name`.<br>  Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br>  changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br>  "default"<br>]</pre> | no |
 | <a name="input_logging"></a> [logging](#input\_logging) | Bucket access logging configuration. | <pre>object({<br>    bucket_name = string<br>    prefix      = string<br>  })</pre> | `null` | no |
+| <a name="input_logging_bucket_enabled"></a> [logging\_bucket\_enabled](#input\_logging\_bucket\_enabled) | Whether to create the s3 access log bucket. | `bool` | `false` | no |
+| <a name="input_logging_bucket_expiration_days"></a> [logging\_bucket\_expiration\_days](#input\_logging\_bucket\_expiration\_days) | Whether to create the s3 access log bucket. | `number` | `90` | no |
+| <a name="input_logging_bucket_glacier_transition_days"></a> [logging\_bucket\_glacier\_transition\_days](#input\_logging\_bucket\_glacier\_transition\_days) | Whether to create the s3 access log bucket. | `number` | `60` | no |
+| <a name="input_logging_bucket_standard_transition_days"></a> [logging\_bucket\_standard\_transition\_days](#input\_logging\_bucket\_standard\_transition\_days) | Whether to create the s3 access log bucket. | `number` | `30` | no |
 | <a name="input_mfa_delete"></a> [mfa\_delete](#input\_mfa\_delete) | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |

main.tf

@@ -45,6 +45,12 @@ locals {
   })
 
   bucket_name = var.s3_bucket_name != "" ? var.s3_bucket_name : module.this.id
+
+  logging_bucket_enabled      = local.bucket_enabled && var.logging_bucket_enabled
+  logging_bucket_name_default = try(var.logging["bucket_name"], "${local.bucket_name}-logs")
+  logging_prefix_default      = try(var.logging["prefix"], "logs/")
+  logging_bucket_name         = local.logging_bucket_enabled ? module.log_storage.bucket_id : local.logging_bucket_name_default
+  logging_prefix              = local.logging_bucket_enabled ? module.log_storage.prefix : local.logging_prefix_default
 }
 
 data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
@@ -132,6 +138,21 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
   }
 }
 
+module "log_storage" {
+  source  = "cloudposse/s3-log-storage/aws"
+  version = "0.26.0"
+
+  enabled                  = local.logging_bucket_enabled
+  access_log_bucket_prefix = local.logging_prefix_default
+  acl                      = "log-delivery-write"
+  expiration_days          = var.logging_bucket_expiration_days
+  glacier_transition_days  = var.logging_bucket_glacier_transition_days
+  name                     = local.logging_bucket_name_default
+  standard_transition_days = var.logging_bucket_standard_transition_days
+
+  context = module.this.context
+}
+
 resource "aws_s3_bucket" "default" {
   count = local.bucket_enabled ? 1 : 0
 
@@ -176,8 +197,8 @@ resource "aws_s3_bucket" "default" {
   dynamic "logging" {
     for_each = var.logging == null ? [] : [1]
     content {
-      target_bucket = var.logging["bucket_name"]
-      target_prefix = var.logging["prefix"]
+      target_bucket = local.logging_bucket_name
+      target_prefix = local.logging_prefix
     }
   }
 

variables.tf

@@ -153,6 +153,30 @@ variable "logging" {
   description = "Bucket access logging configuration."
 }
 
+variable "logging_bucket_enabled" {
+  type        = bool
+  default     = false
+  description = "Whether to create the s3 access log bucket."
+}
+
+variable "logging_bucket_standard_transition_days" {
+  type        = number
+  default     = 30
+  description = "Whether to create the s3 access log bucket."
+}
+
+variable "logging_bucket_glacier_transition_days" {
+  type        = number
+  default     = 60
+  description = "Whether to create the s3 access log bucket."
+}
+
+variable "logging_bucket_expiration_days" {
+  type        = number
+  default     = 90
+  description = "Whether to create the s3 access log bucket."
+}
+
 variable "bucket_enabled" {
   type        = bool
   default     = true