
terraform-aws-s3-bucket-logging

GitHub: StratusGrid/terraform-aws-s3-bucket-logging

This Terraform module creates an S3 bucket for logging in the current account. The bucket can later be configured to replicate its objects to a centralized logging bucket in a dedicated logging account.

This module configures the bucket with:

  • Server-side encryption with S3-managed keys (SSE-S3, not KMS)
  • A bucket policy that requires encrypted (TLS) transit
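As an added illustration, not the module's own source, this is the shape of the two controls listed above written directly against the aws provider: SSE-S3 default encryption plus a bucket policy that denies any request not made over TLS. The bucket name and the resource labels are assumptions.

```hcl
# Added illustration, not the module's source. Names are assumptions.
resource "aws_s3_bucket" "logs" {
  bucket = "example-logging-bucket" # placeholder name
}

# Server-side encryption with S3-managed keys (SSE-S3, not KMS)
resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Require encrypted transit: deny every request that is not made over TLS.
# aws:SecureTransport is "false" for plain HTTP calls to the bucket.
data "aws_iam_policy_document" "require_tls" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      aws_s3_bucket.logs.arn,
      "${aws_s3_bucket.logs.arn}/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "require_tls" {
  bucket = aws_s3_bucket.logs.id
  policy = data.aws_iam_policy_document.require_tls.json
}
```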

Example - Simple

module "s3_bucket_logging" {
  source             = "StratusGrid/s3-bucket-logging/aws"
  version            = "2.0.1"
  name_prefix        = var.name_prefix
  input_tags         = local.common_tags
  versioning_enabled = true #Enabled by default
}

Example - Remote Logging

module "s3_bucket_logging" {
  source             = "StratusGrid/s3-bucket-logging/aws"
  version            = "2.0.1"
  name_prefix        = var.name_prefix
  input_tags         = local.common_tags
  versioning_enabled = true #Enabled by default; replication requires it

  # Replicate to the centralized logging account (see the Inputs table below).
  # The var.* values are placeholders for your own account id and bucket name.
  enable_centralized_logging     = true
  logging_account_id             = var.logging_account_id
  s3_destination_bucket_name     = var.s3_destination_bucket_name
  iam_role_s3_replication_arn    = module.iam_role_s3.iam_role_arn #Role from the IAM example below
  replication_dest_storage_class = "STANDARD_IA"
}

Example - Regional

module "s3_bucket_logging_us_east_2" {
  source      = "StratusGrid/s3-bucket-logging/aws"
  version     = "2.0.1"
  name_prefix = var.name_prefix
  name_suffix = "${local.name_suffix}-us-east-2"
  input_tags  = merge(local.common_tags, {})
  providers = {
    aws = aws.us-east-2
  }
  versioning_enabled = true #Enabled by default
}

Example - Replication IAM Role and Policy

Below is an example of the IAM role and policy required in the source account for replication to the centralized logging bucket. The ARN of the resulting role is what the module expects in iam_role_s3_replication_arn.

data "aws_iam_policy_document" "s3_replication" {
  statement {
    sid = "AllowS3SourceReplication"
    actions = [
      "s3:GetObjectVersionForReplication",
      "s3:GetObjectVersionAcl",
      "s3:GetObjectVersionTagging"
    ]
    resources = [
      "arn:aws:s3:::${module.s3_bucket_logging_us_east_1.bucket_id}/*"
    ]
  }
  statement {
    sid = "AllowS3SourceReplicationMetadata"
    actions = [
      "s3:ListBucket",
      "s3:GetReplicationConfiguration"
    ]
    resources = [
      "arn:aws:s3:::${module.s3_bucket_logging_us_east_1.bucket_id}"
    ]
  }

  //Destination bucket objects
  statement {
    sid = "AllowS3SourceReplicationObjects"
    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
      "s3:ReplicateTags",
      "s3:ObjectOwnerOverrideToBucketOwner"
    ]
    resources = [
      "arn:aws:s3:::${var.s3_destination_bucket_name}/*"
    ]
  }
}

resource "aws_iam_policy" "s3_role_assumption" {
  name        = "S3-replication-policy"
  description = "Policy to allow S3 role assumption for centralized logging"
  policy      = data.aws_iam_policy_document.s3_replication.json
}


module "iam_role_s3" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "~> 4"

  trusted_role_services = ["s3.amazonaws.com"]

  create_role       = true
  role_requires_mfa = false #No MFA since it's a service

  role_name = "${var.name_prefix}-s3-central-replication${local.name_suffix}" #The assuming account matches it based upon name

  custom_role_policy_arns = [
    aws_iam_policy.s3_role_assumption.arn
  ]

  tags = {
    "Name" = "${var.name_prefix}-s3-central-replication${local.name_suffix}"
  }
}
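The example above covers only the source account. As an added example that is not part of the module, the centralized bucket in the logging account also needs versioning and a bucket policy that trusts the source account's replication role for exactly the replicate actions granted above. The source account id, the role name (which follows the "${name_prefix}-s3-central-replication${name_suffix}" pattern from the role example) and the bucket name are placeholders.

```hcl
# Added example: applied in the centralized logging account, not the source account.
# All default values below are placeholders.
variable "source_account_id" {
  type    = string
  default = "111111111111" # placeholder source account id
}

variable "source_replication_role_name" {
  type    = string
  default = "example-s3-central-replication-dev" # "${name_prefix}-s3-central-replication${name_suffix}"
}

resource "aws_s3_bucket" "central_logs" {
  bucket = "example-central-logging-bucket" # placeholder name
}

# Replication requires versioning on the destination as well as the source
resource "aws_s3_bucket_versioning" "central_logs" {
  bucket = aws_s3_bucket.central_logs.id
  versioning_configuration {
    status = "Enabled"
  }
}

data "aws_iam_policy_document" "central_logs" {
  # Grant the source account's replication role only the replicate actions
  # listed in the source policy, scoped to objects in this bucket.
  statement {
    sid    = "AllowCrossAccountReplication"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.source_account_id}:role/${var.source_replication_role_name}"]
    }
    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
      "s3:ReplicateTags",
      "s3:ObjectOwnerOverrideToBucketOwner",
    ]
    resources = ["${aws_s3_bucket.central_logs.arn}/*"]
  }
}

resource "aws_s3_bucket_policy" "central_logs" {
  bucket = aws_s3_bucket.central_logs.id
  policy = data.aws_iam_policy_document.central_logs.json
}
```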

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1 |
| aws | >= 4.0 |

Resources

| Name | Type |
|------|------|
| aws_s3_bucket.bucket | resource |
| aws_s3_bucket_lifecycle_configuration.bucket | resource |
| aws_s3_bucket_policy.bucket_policy_attachment | resource |
| aws_s3_bucket_public_access_block.bucket | resource |
| aws_s3_bucket_replication_configuration.replication | resource |
| aws_s3_bucket_server_side_encryption_configuration.bucket | resource |
| aws_s3_bucket_versioning.resource | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_s3_bucket_server_side_encryption_type | Selection of the bucket encryption type | string | "SSE_S3" | no |
| days_to_object_expiration | Number of days before expiring data completely | string | "2557" | no |
| enable_centralized_logging | Enable support for centralized logging to a centralized logging account | bool | false | no |
| enable_object_expiration | Enable expiring data completely after days_to_object_expiration days | bool | false | no |
| iam_role_s3_replication_arn | IAM Role that enables S3 Role Assumption for Centralized Logging | string | "" | no |
| input_tags | Map of tags to apply to resources | map(string) | {} | no |
| logging_account_id | Logging Account Number | string | "" | no |
| name_prefix | String to prefix on object names | string | n/a | yes |
| name_suffix | String to append to object names. This is optional, so start with a dash if using | string | "" | no |
| replication_dest_storage_class | The storage class to send replicated objects (https://docs.aws.amazon.com/AmazonS3/latest/API/API_Transition.html#AmazonS3-Type-Transition-StorageClass) | string | "STANDARD_IA" | no |
| s3_destination_bucket_name | Centralized Logging Bucket Name | string | "" | no |
| transition_expiration | Number of days before expiring data completely | string | "2557" | no |
| transition_glacier | Number of days before transitioning data to Glacier | string | "366" | no |
| transition_ia | Number of days before transitioning data to S3 Infrequent Access | string | "180" | no |
| versioning_enabled | Enable versioning on the S3 bucket; this is mainly for S3 logging replication | bool | true | no |

Outputs

| Name | Description |
|------|-------------|
| bucket_arn | Outputs the full ARN of the bucket created |
| bucket_id | Outputs the ID of the bucket created |

Notes

Note: manual changes to the README will be overwritten when the documentation is updated. To update the documentation, run terraform-docs -c .config/.terraform-docs.yml .