* 2.5.8 -- 2024-07-01

- s3-access-logs - update policy to match documentation, add nlb-logs/*
terraform-modules · Jul 1, 2024 · 1f4e358 · 1f4e358
1 parent 7d7b7ee
commit 1f4e358
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -358,3 +358,7 @@
 * 2.5.7 -- 2024-04-22
   - s3-config-org
     - add output s3_sqs_id
+
+* 2.5.8 -- 2024-07-01
+  - s3-access-logs
+    - update policy to match documentation, add nlb-logs/* 
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.5.7"
+  _module_version = "2.5.8"
 }
diff --git a/s3-access-logs/policy_data.tf b/s3-access-logs/policy_data.tf
@@ -1,3 +1,7 @@
+# see:
+# * https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
+# * https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
+
 data "aws_iam_policy_document" "logs_s3" {
   statement {
     sid       = "AWSLogWrite"
@@ -23,6 +27,16 @@ data "aws_iam_policy_document" "logs_s3" {
       variable = "s3:x-amz-acl"
       values   = ["bucket-owner-full-control"]
     }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [local.account_id]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, var.region, local.account_id)]
+    }
   }
   statement {
     sid       = "AWSLogDeliveryAclCheck"
@@ -33,17 +47,28 @@ data "aws_iam_policy_document" "logs_s3" {
       type        = "Service"
       identifiers = ["delivery.logs.amazonaws.com"]
     }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [local.account_id]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = [format("arn:%v:logs:%v:%v:*", data.aws_arn.current.partition, var.region, local.account_id)]
+    }
   }
 
-  # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
   statement {
-    sid       = "AWSALBAccessLog"
-    effect    = "Allow"
-    actions   = ["s3:PutObject"]
-    resources = ["${aws_s3_bucket.logs.arn}/alb-logs/*"]
+    sid     = "AWSALBAccessLog"
+    effect  = "Allow"
+    actions = ["s3:PutObject"]
+    resources = [
+      "${aws_s3_bucket.logs.arn}/alb-logs/*",
+      "${aws_s3_bucket.logs.arn}/nlb-logs/*",
+    ]
     principals {
-      type = "AWS"
-      #      identifiers = [ formatlist("arn:%v:iam::%v:root",data.aws_arn.current.partition,local.logs_alb_accounts) ]
+      type        = "AWS"
       identifiers = [format("arn:%v:iam::%v:root", data.aws_arn.current.partition, local.logs_alb_account)]
     }
   }