Initial commit (#2)

* Initial commit

* Update variables.tf

* Update variables.tf

* First version of the module

* First version of the module

README.md

@@ -30,24 +30,43 @@ In order to run all checks at any point run the following command:
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.15.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.2.0 |
 
 ## Modules
 
 No modules.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_policy.logs_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.logs_block_public_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [random_string.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
+| [aws_iam_policy_document.logs_access_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_aws_principals_identifiers"></a> [aws\_principals\_identifiers](#input\_aws\_principals\_identifiers) | List of identifiers for AWS principals with access to write in the logs bucket | `list(string)` | n/a | yes |
+| <a name="input_block_s3_bucket_public_access"></a> [block\_s3\_bucket\_public\_access](#input\_block\_s3\_bucket\_public\_access) | (Optional) If true, public access to the S3 bucket will be blocked. | `bool` | `true` | no |
+| <a name="input_enable_s3_bucket_server_side_encryption"></a> [enable\_s3\_bucket\_server\_side\_encryption](#input\_enable\_s3\_bucket\_server\_side\_encryption) | (Optional) If true, server side encryption will be applied. | `bool` | `true` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Name prefix for resources on AWS | `string` | n/a | yes |
+| <a name="input_s3_bucket_server_side_encryption_key"></a> [s3\_bucket\_server\_side\_encryption\_key](#input\_s3\_bucket\_server\_side\_encryption\_key) | (Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse\_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse\_algorithm is aws:kms. | `string` | `"aws/s3"` | no |
+| <a name="input_s3_bucket_server_side_encryption_sse_algorithm"></a> [s3\_bucket\_server\_side\_encryption\_sse\_algorithm](#input\_s3\_bucket\_server\_side\_encryption\_sse\_algorithm) | (Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms | `string` | `"aws:kms"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Resource tags | `map(string)` | `{}` | no |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_lb_logs_s3_bucket_arn"></a> [lb\_logs\_s3\_bucket\_arn](#output\_lb\_logs\_s3\_bucket\_arn) | LB Logging S3 Bucket ARN |
+| <a name="output_lb_logs_s3_bucket_id"></a> [lb\_logs\_s3\_bucket\_id](#output\_lb\_logs\_s3\_bucket\_id) | LB Logging S3 Bucket ID |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/test/main.tf

@@ -0,0 +1,10 @@
+module "logs_bucket" {
+  source = "../../"
+
+  name_prefix                                    = "test"
+  aws_principals_identifiers                     = ["test-user-arn"]
+  block_s3_bucket_public_access                  = true
+  enable_s3_bucket_server_side_encryption        = true
+  s3_bucket_server_side_encryption_sse_algorithm = "aws:kms"
+  s3_bucket_server_side_encryption_key           = "aws/s3"
+}

main.tf

@@ -0,0 +1,88 @@
+#------------------------------------------------------------------------------
+# S3 BUCKET - For access logs
+#------------------------------------------------------------------------------
+resource "random_string" "random" {
+  length  = 7
+  lower   = true
+  number  = false
+  upper   = false
+  special = false
+  keepers = {
+    name_prefix = var.name_prefix
+  }
+}
+
+resource "aws_s3_bucket" "logs" {
+  bucket = lower("${random_string.random.keepers.name_prefix}-logs-${random_string.random.result}")
+  tags = merge(
+    var.tags,
+    {
+      Name = lower("${random_string.random.keepers.name_prefix}-logs-${random_string.random.result}")
+    },
+  )
+}
+
+resource "aws_s3_bucket_acl" "logs" {
+  bucket = aws_s3_bucket.logs.id
+  acl    = "log-delivery-write"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
+  count = var.enable_s3_bucket_server_side_encryption ? 1 : 0
+
+  bucket = aws_s3_bucket.logs.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = var.s3_bucket_server_side_encryption_sse_algorithm
+      kms_master_key_id = var.s3_bucket_server_side_encryption_sse_algorithm == "aws:kms" ? var.s3_bucket_server_side_encryption_key : null
+
+    }
+  }
+}
+
+#------------------------------------------------------------------------------
+# IAM POLICY DOCUMENT - For access logs to the S3 bucket
+#------------------------------------------------------------------------------
+data "aws_iam_policy_document" "logs_access_policy_document" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = var.aws_principals_identifiers
+    }
+
+    actions = [
+      "s3:PutObject",
+    ]
+
+    resources = [
+      "${aws_s3_bucket.logs.arn}/*",
+    ]
+  }
+}
+
+#------------------------------------------------------------------------------
+# IAM POLICY - For access logs to the s3 bucket
+#------------------------------------------------------------------------------
+resource "aws_s3_bucket_policy" "logs_access_policy" {
+  bucket = aws_s3_bucket.logs.id
+  policy = data.aws_iam_policy_document.logs_access_policy_document.json
+}
+
+#------------------------------------------------------------------------------
+# S3 bucket block public access
+#------------------------------------------------------------------------------
+resource "aws_s3_bucket_public_access_block" "logs_block_public_access" {
+  count = var.block_s3_bucket_public_access ? 1 : 0
+
+  bucket = aws_s3_bucket.logs.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+
+  depends_on = [aws_s3_bucket_policy.logs_access_policy]
+}

outputs.tf

@@ -0,0 +1,12 @@
+#------------------------------------------------------------------------------
+# S3 Bucket
+#------------------------------------------------------------------------------
+output "lb_logs_s3_bucket_id" {
+  description = "LB Logging S3 Bucket ID"
+  value       = aws_s3_bucket.logs.id
+}
+
+output "lb_logs_s3_bucket_arn" {
+  description = "LB Logging S3 Bucket ARN"
+  value       = aws_s3_bucket.logs.arn
+}

variables.tf

@@ -11,3 +11,38 @@ variable "tags" {
   default     = {}
   description = "Resource tags"
 }
+
+#------------------------------------------------------------------------------
+# IAM
+#------------------------------------------------------------------------------
+variable "aws_principals_identifiers" {
+  type        = list(string)
+  description = "List of identifiers for AWS principals with access to write in the logs bucket"
+}
+
+#------------------------------------------------------------------------------
+# S3 bucket
+#------------------------------------------------------------------------------
+variable "block_s3_bucket_public_access" {
+  description = "(Optional) If true, public access to the S3 bucket will be blocked."
+  type        = bool
+  default     = true
+}
+
+variable "enable_s3_bucket_server_side_encryption" {
+  description = "(Optional) If true, server side encryption will be applied."
+  type        = bool
+  default     = true
+}
+
+variable "s3_bucket_server_side_encryption_sse_algorithm" {
+  description = "(Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms"
+  type        = string
+  default     = "aws:kms"
+}
+
+variable "s3_bucket_server_side_encryption_key" {
+  description = "(Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms."
+  type        = string
+  default     = "aws/s3"
+}