From a04158dc11e544361aea65b933691e8c590f8413 Mon Sep 17 00:00:00 2001
From: RommelLayco
Date: Wed, 1 Jul 2020 17:45:41 +1200
Subject: [PATCH] =?UTF-8?q?Allow=20access=20logging=20to=20be=20enabled=20?= =?UTF-8?q?when=20a=20target=20bucket=20for=20access=20lo=E2=80=A6=20(#31)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Allow access logging to be enabled when a target bucket for access logs has been entered. Issue: https://github.com/cloudposse/terraform-aws-s3-log-storage/issues/26
* Updated README.md
Co-authored-by: Rommel Layco
Co-authored-by: actions-bot <58130806+actions-bot@users.noreply.github.com>
---
 README.md | 1 +
 docs/terraform.md | 1 +
 main.tf | 8 ++++++++
 variables.tf | 6 ++++++
 4 files changed, 16 insertions(+)
diff --git a/README.md b/README.md
index 0ad60f6..9e72069 100644
--- a/README.md
+++ b/README.md
@@ -144,6 +144,7 @@ Available targets:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | abort\_incomplete\_multipart\_upload\_days | Maximum time (in days) that you want to allow multipart uploads to remain in progress | `number` | `5` | no |
+| access\_log\_bucket\_name | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no |
 | acl | The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services | `string` | `"log-delivery-write"` | no |
 | attributes | Additional attributes (e.g. `policy` or `role`) | `list(string)` | `[]` | no |
 | block\_public\_acls | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index b718dd2..60b53f3 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -18,6 +18,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | abort\_incomplete\_multipart\_upload\_days | Maximum time (in days) that you want to allow multipart uploads to remain in progress | `number` | `5` | no |
+| access\_log\_bucket\_name | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no |
 | acl | The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services | `string` | `"log-delivery-write"` | no |
 | attributes | Additional attributes (e.g. `policy` or `role`) | `list(string)` | `[]` | no |
 | block\_public\_acls | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no |
diff --git a/main.tf b/main.tf
index bb0296d..b32fb62 100644
--- a/main.tf
+++ b/main.tf
@@ -62,6 +62,14 @@ resource "aws_s3_bucket" "default" { } + dynamic "logging" { + for_each = var.access_log_bucket_name != "" ? [1] : [] + content { + target_bucket = var.access_log_bucket_name + target_prefix = "logs/${module.default_label.id}/" + } + } + # https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html # https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#enable-default-server-side-encryption server_side_encryption_configuration {
diff --git a/variables.tf b/variables.tf
index d120016..90c2f2c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -170,3 +170,9 @@ variable "restrict_public_buckets" {
 default = true
 description = "Set to `false` to disable the restricting of making the bucket public"
 }
+
+variable "access_log_bucket_name" {
+ type = string
+ default = ""
+ description = "Name of the S3 bucket where s3 access log will be sent to"
+}
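Review bot: The `for_each` guard on the new `dynamic "logging"` block in main.tf only tests for the empty string, so a caller that passes `null` would, as far as I can tell, still render the block with `target_bucket = null` and fail at plan time. Guarding both cases is a one-line change: `for_each = var.access_log_bucket_name != null && var.access_log_bucket_name != "" ? [1] : []`. Separately, `target_prefix` is fixed to `"logs/${module.default_label.id}/"`, which gives a team that already has a prefix convention in a shared access-log bucket no way to follow it; an optional prefix variable defaulting to the current value would keep existing behaviour. A short comment above the block, such as `# Server access logging for this bucket; rendered only when a target bucket is supplied`, would also help, since the enclosing `aws_s3_bucket` resource starts and ends outside this hunk.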
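Review bot: The description of `access_log_bucket_name` in variables.tf does not say what the target bucket has to satisfy or that the empty default leaves server access logging off for this bucket. S3 requires the target to be in the same Region and account as the source bucket and to allow the S3 log delivery service to write to it, and pointing the variable at this module's own bucket would make the bucket record its own log deliveries. I would change the description to `"Name of an existing S3 bucket (same account and region, writable by S3 log delivery, not this bucket) that receives this bucket's server access logs; leave empty to disable access logging"`. The README.md and docs/terraform.md rows appear to be generated from this string, so they would need regenerating after the change.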