Allow access logging to be enabled when a target bucket for access lo… (

#31) * Allow access logging to be enabled when a target bucket for access logs has been entered. Issue: #26 * Updated README.md Co-authored-by: Rommel Layco <[email protected]> Co-authored-by: actions-bot <[email protected]>
cloudposse · Jul 1, 2020 · a04158d · a04158d
1 parent 53ecb42
commit a04158d
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -144,6 +144,7 @@ Available targets:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | abort\_incomplete\_multipart\_upload\_days | Maximum time (in days) that you want to allow multipart uploads to remain in progress | `number` | `5` | no |
+| access\_log\_bucket\_name | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no |
 | acl | The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services | `string` | `"log-delivery-write"` | no |
 | attributes | Additional attributes (e.g. `policy` or `role`) | `list(string)` | `[]` | no |
 | block\_public\_acls | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no |

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -18,6 +18,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | abort\_incomplete\_multipart\_upload\_days | Maximum time (in days) that you want to allow multipart uploads to remain in progress | `number` | `5` | no |
+| access\_log\_bucket\_name | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no |
 | acl | The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services | `string` | `"log-delivery-write"` | no |
 | attributes | Additional attributes (e.g. `policy` or `role`) | `list(string)` | `[]` | no |
 | block\_public\_acls | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no |

diff --git a/main.tf b/main.tf
@@ -62,6 +62,14 @@ resource "aws_s3_bucket" "default" {
 
   }
 
+  dynamic "logging" {
+    for_each = var.access_log_bucket_name != "" ? [1] : []
+    content {
+      target_bucket = var.access_log_bucket_name
+      target_prefix = "logs/${module.default_label.id}/"
+    }
+  }
+
   # https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
   # https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#enable-default-server-side-encryption
   server_side_encryption_configuration {

diff --git a/variables.tf b/variables.tf
@@ -170,3 +170,9 @@ variable "restrict_public_buckets" {
   default     = true
   description = "Set to `false` to disable the restricting of making the bucket public"
 }
+
+variable "access_log_bucket_name" {
+  type        = string
+  default     = ""
+  description = "Name of the S3 bucket where s3 access log will be sent to"
+}