Add an option to enable ELB access logging (#357)

civiform · Aug 19, 2024 · 3189f93 · 3189f93
1 parent 894ae66
commit 3189f93
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 0 deletions.
diff --git a/cloud/aws/modules/ecs_fargate_service/main.tf b/cloud/aws/modules/ecs_fargate_service/main.tf
@@ -20,6 +20,32 @@ locals {
   name_prefix = "${var.app_prefix}-civiform"
 }
 
+resource "aws_s3_bucket" "lb_logs" {
+  count  = var.lb_logging_enabled ? 1 : 0
+  bucket = "${local.name_prefix}-lb-logs"
+}
+
+resource "aws_s3_bucket_policy" "lb_logs_policy" {
+  count  = var.lb_logging_enabled ? 1 : 0
+  bucket = aws_s3_bucket.lb_logs[count.index].id
+  policy = data.aws_iam_policy_document.lb_logs_policy[count.index].json
+}
+
+data "aws_iam_policy_document" "lb_logs_policy" {
+  count = var.lb_logging_enabled ? 1 : 0
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [data.aws_elb_service_account.default.arn]
+    }
+    actions = ["s3:PutObject"]
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.lb_logs[count.index].bucket}/*"
+    ]
+  }
+}
+
 #------------------------------------------------------------------------------
 # APPLICATION LOAD BALANCER
 #------------------------------------------------------------------------------
@@ -43,6 +69,11 @@ resource "aws_lb" "civiform_lb" {
       Name = "${local.name_prefix}-lb"
     },
   )
+
+  access_logs {
+    bucket  = var.lb_logging_enabled ? aws_s3_bucket.lb_logs[0].id : ""
+    enabled = var.lb_logging_enabled
+  }
 }
 
 moved {

diff --git a/cloud/aws/modules/ecs_fargate_service/variables.tf b/cloud/aws/modules/ecs_fargate_service/variables.tf
@@ -137,3 +137,9 @@ variable "default_certificate_arn" {
   type        = string
   default     = null
 }
+
+variable "lb_logging_enabled" {
+  description = "Whether to enable LB access logs."
+  type        = bool
+  default     = false
+}
diff --git a/cloud/aws/templates/aws_oidc/app.tf b/cloud/aws/templates/aws_oidc/app.tf
@@ -334,6 +334,7 @@ module "ecs_fargate_service" {
   scale_target_min_capacity = var.ecs_scale_target_min_capacity
   https_target_port         = var.port
   lb_internal               = local.enable_managed_vpc ? false : true
+  lb_logging_enabled        = var.lb_logging_enabled
 
   tags = {
     Name = "${var.app_prefix} Civiform Fargate Service"

diff --git a/cloud/aws/templates/aws_oidc/variable_definitions.json b/cloud/aws/templates/aws_oidc/variable_definitions.json
@@ -430,5 +430,11 @@
     "secret": false,
     "tfvar": true,
     "type": "bool"
+  },
+  "LB_LOGGING_ENABLED": {
+    "required": false,
+    "secret": false,
+    "tfvar": true,
+    "type": "bool"
   }
 }
diff --git a/cloud/aws/templates/aws_oidc/variables.tf b/cloud/aws/templates/aws_oidc/variables.tf
@@ -537,3 +537,9 @@ variable "external_vpc_public_subnet_ids" {
   description = "The externally managed VPC's public subnet ID."
   default     = []
 }
+
+variable "lb_logging_enabled" {
+  type        = bool
+  description = "Whether to enable LB access logging."
+  default     = false
+}