v1.3: add s3-flow-logs, rename access-logs to s3-access-logs

CHANGELOG.md

@@ -10,3 +10,7 @@
 
 * v1.2 -- 20210223
   - module: access-logging
+
+* v1.3 -- 20210223
+  - module: rename access-logging to s3-access-logs
+  - module: add s3-flow-logs

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.2"
+  _module_version = "1.3"
 }

s3-flow-logs/data.tf

@@ -0,0 +1 @@
+../common/data.tf

s3-flow-logs/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

s3-flow-logs/main.tf

@@ -0,0 +1,110 @@
+/*
+* # aws-inf-setup :: s3-flow-logs
+* 
+* This set up the needed components for S3 VPC flow log bucket.  Only one flow log bucket is
+* needed
+* 
+* * S3 bucket
+* * S3 bucket objects (key prefixes, aka "directories")
+* * S3 bucket policy
+* 
+* # Usage
+* Here is a simple example, the one most commonly expected to be used.
+*
+* ```hcl
+* module "flowlogs" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs"
+* }
+* ```
+*
+* This one can be used if you need to customize stuff, though really, the defaults are all built 
+* for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in
+* variable file generation.
+*
+* ```hcl
+* module "flowlogs_full" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs"
+* 
+*   # optional
+*   account_alias         = "do2-govcloud"
+*   bucket_name           = "inf-flowlogs-123456789012"
+*
+*   # flowlogs is generally not needed and not recommended
+*   component_tags        = {
+*     "s3" = {
+*       "SpecialTag1" = "something"
+*       "SpecialTag2" = "somethingElse"
+*     }
+*   }
+* }
+* ```
+*/
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  flowlogs_region     = data.aws_region.current.name
+  account_environment = data.aws_arn.current.partiion == "aws-us-gov" ? "gov" : "ew"
+
+  bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.flowlogs_region)
+
+  base_tags = {
+    "Organization"          = "census:aditcio:csvd"
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+#---
+# s3
+#---
+resource "aws_s3_bucket" "flowlogs" {
+  bucket = local.bucket_name
+  acl    = "log-delivery-write"
+
+  # need to create the inf_ key used for infrastucture things like
+  # vpc flow, cloudtrail, config, sns, sqs
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        #        kms_master_key_id = local.inf_key_arn
+        sse_algorithm = "aws:kms"
+      }
+    }
+  }
+
+  versioning {
+    enabled = false
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+
+  # probably want some migration of old data to some other location
+  # like glacier
+
+  tags = merge(
+    var.tags,
+    local.base_tags,
+    lookup(var.component_tags, "s3", {}),
+    map("Name", local.bucket_name),
+  )
+
+  provisioner "local-exec" {
+    command = "sleep 30"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "flowlogs" {
+  bucket                  = aws_s3_bucket.flowlogs.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "flowlogs" {
+  bucket = aws_s3_bucket.flowlogs.id
+  policy = data.aws_iam_policy_document.flowlogs_s3.json
+}

s3-flow-logs/outputs.tf

@@ -0,0 +1,9 @@
+output "flowlogs_bucket_id" {
+  description = "VPC Flow Logs S3 bucket ID"
+  value       = aws_s3_bucket.flowlogs.id
+}
+
+output "flowlogs_bucket_arn" {
+  description = "VPC Flow Logs S3 bucket ARN"
+  value       = aws_s3_bucket.flowlogs.arn
+}

s3-flow-logs/policy_data.tf

@@ -0,0 +1,27 @@
+data "aws_iam_policy_document" "flowlog_s3" {
+  statement {
+    sid     = "AWSLogDeliveryWrite"
+    effect  = "Allow"
+    actions = ["s3:PutObject"]
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+    resources = ["${aws_s3_bucket.flowlog.arn}/*"]
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+  }
+  statement {
+    sid     = "AWSLogDeliveryAclCheck"
+    effect  = "Allow"
+    actions = ["s3:GetBucketAcl"]
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+    resources = [aws_s3_bucket.flowlog.arn]
+  }
+}

s3-flow-logs/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

s3-flow-logs/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

s3-flow-logs/variables.tf

@@ -0,0 +1,20 @@
+variable "bucket_name" {
+  description = "VPC Flow Logs S3 bucket name"
+  type        = string
+  #  default     = "inf-flowlogs-{{ tf_account }}-{{ region }}"
+  #  default     = "inf-flowlogs-{{ tf_account }}"
+  default = ""
+}
+
+variable "bucket_name_prefix" {
+  #  description = "VPC Flow Logs S3 bucket prefix, prepended to the AWS account ID and region to make the bucket name."
+  description = "VPC Flow Logs S3 bucket prefix, prepended to the AWS account ID to make the bucket name."
+  type        = string
+  default     = "inf-flowlogs"
+}
+
+variable "component_tags" {
+  description = "Additional tags for Components (s3, kms, ddb)"
+  type        = map(map(string))
+  default     = { "s3" = {}, "kms" = {}, "ddb" = {} }
+}

s3-flow-logs/version.tf

@@ -0,0 +1 @@
+../common/version.tf