From 3189f932bd827b7c53d688f69878ea2fbe449aa3 Mon Sep 17 00:00:00 2001
From: Yuchen Ying
Date: Mon, 19 Aug 2024 08:36:44 -0700
Subject: [PATCH] Add an option to enable ELB access logging (#357)

---
 cloud/aws/modules/ecs_fargate_service/main.tf | 31 +++++++++++++++++++
 .../modules/ecs_fargate_service/variables.tf | 6 ++++
 cloud/aws/templates/aws_oidc/app.tf | 1 +
 .../aws_oidc/variable_definitions.json | 6 ++++
 cloud/aws/templates/aws_oidc/variables.tf | 6 ++++
 5 files changed, 50 insertions(+)

diff --git a/cloud/aws/modules/ecs_fargate_service/main.tf b/cloud/aws/modules/ecs_fargate_service/main.tf
index 68322412..fcad9b3a 100644
--- a/cloud/aws/modules/ecs_fargate_service/main.tf
+++ b/cloud/aws/modules/ecs_fargate_service/main.tf
@@ -20,6 +20,32 @@ locals {
 name_prefix = "${var.app_prefix}-civiform"
 }
 
+resource "aws_s3_bucket" "lb_logs" {
+ count = var.lb_logging_enabled ? 1 : 0
+ bucket = "${local.name_prefix}-lb-logs"
+}
+
+resource "aws_s3_bucket_policy" "lb_logs_policy" {
+ count = var.lb_logging_enabled ? 1 : 0
+ bucket = aws_s3_bucket.lb_logs[count.index].id
+ policy = data.aws_iam_policy_document.lb_logs_policy[count.index].json
+}
+
+data "aws_iam_policy_document" "lb_logs_policy" {
+ count = var.lb_logging_enabled ? 1 : 0
+ statement {
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = [data.aws_elb_service_account.default.arn]
+ }
+ actions = ["s3:PutObject"]
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.lb_logs[count.index].bucket}/*"
+ ]
+ }
+}
+
 #------------------------------------------------------------------------------
 # APPLICATION LOAD BALANCER
 #------------------------------------------------------------------------------
@@ -43,6 +69,11 @@ resource "aws_lb" "civiform_lb" {
 Name = "${local.name_prefix}-lb"
 },
 )
+
+ access_logs {
+ bucket = var.lb_logging_enabled ? aws_s3_bucket.lb_logs[0].id : ""
+ enabled = var.lb_logging_enabled
+ }
 }
 
 moved {
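Review bot: The `aws_s3_bucket.lb_logs` bucket added in the first hunk will hold ALB access logs, which record client IPs and request paths, yet nothing in the hunk attaches an `aws_s3_bucket_public_access_block`, a server-side encryption configuration or a lifecycle rule, so exposure and retention of that traffic data rest entirely on account defaults. A public-access block beside the bucket is the minimum I would add (sketch below), and a lifecycle expiration would keep the logs from accumulating indefinitely. `data.aws_elb_service_account.default` is not declared in this hunk and is presumably already present in the module; its account-ID principal model is not the one AWS uses in every region, so confirm the regions this template targets. Because `force_destroy` is not set on the bucket, flipping `lb_logging_enabled` back to false will ask Terraform to destroy a non-empty bucket and the apply will fail, which should either be documented on the variable or handled deliberately. In `resources` the ARN could also be taken from `"${aws_s3_bucket.lb_logs[count.index].arn}/*"` rather than rebuilt by hand from the bucket name.
```hcl
resource "aws_s3_bucket" "lb_logs" {
  count  = var.lb_logging_enabled ? 1 : 0
  bucket = "${local.name_prefix}-lb-logs"
}

resource "aws_s3_bucket_public_access_block" "lb_logs" {
  count                   = var.lb_logging_enabled ? 1 : 0
  bucket                  = aws_s3_bucket.lb_logs[count.index].id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# … unchanged: aws_s3_bucket_policy and aws_iam_policy_document lb_logs_policy …
```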
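Review bot: In the second hunk `access_logs.bucket` makes `aws_lb.civiform_lb` depend only on the bucket, not on `aws_s3_bucket_policy.lb_logs_policy`, so on a fresh apply the load balancer can be created or modified before the bucket policy grants the ELB service account `s3:PutObject`; AWS checks write access when access logging is enabled and rejects the request in that case, so the first apply can fail until it is re-run. Add `depends_on = [aws_s3_bucket_policy.lb_logs_policy]` to the `aws_lb` resource; its header and most of its body are outside this hunk. The disabled branch that sets `bucket = ""` with `enabled = false` looks acceptable for the provider and needs no change.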
diff --git a/cloud/aws/modules/ecs_fargate_service/variables.tf b/cloud/aws/modules/ecs_fargate_service/variables.tf
index 785c7f26..31518cc1 100644
--- a/cloud/aws/modules/ecs_fargate_service/variables.tf
+++ b/cloud/aws/modules/ecs_fargate_service/variables.tf
@@ -137,3 +137,9 @@ variable "default_certificate_arn" {
 type = string
 default = null
 }
+
+variable "lb_logging_enabled" {
+ description = "Whether to enable LB access logs."
+ type = bool
+ default = false
+}
diff --git a/cloud/aws/templates/aws_oidc/app.tf b/cloud/aws/templates/aws_oidc/app.tf
index e9140481..3ff9702c 100644
--- a/cloud/aws/templates/aws_oidc/app.tf
+++ b/cloud/aws/templates/aws_oidc/app.tf
@@ -334,6 +334,7 @@ module "ecs_fargate_service" {
 scale_target_min_capacity = var.ecs_scale_target_min_capacity
 https_target_port = var.port
 lb_internal = local.enable_managed_vpc ? false : true
+ lb_logging_enabled = var.lb_logging_enabled
 
 tags = {
 Name = "${var.app_prefix} Civiform Fargate Service"
diff --git a/cloud/aws/templates/aws_oidc/variable_definitions.json b/cloud/aws/templates/aws_oidc/variable_definitions.json
index 86d4d4a0..33ebea83 100644
--- a/cloud/aws/templates/aws_oidc/variable_definitions.json
+++ b/cloud/aws/templates/aws_oidc/variable_definitions.json
@@ -430,5 +430,11 @@
 "secret": false,
 "tfvar": true,
 "type": "bool"
+ },
+ "LB_LOGGING_ENABLED": {
+ "required": false,
+ "secret": false,
+ "tfvar": true,
+ "type": "bool"
 }
 }
diff --git a/cloud/aws/templates/aws_oidc/variables.tf b/cloud/aws/templates/aws_oidc/variables.tf
index 2da337ce..84fd6a9e 100644
--- a/cloud/aws/templates/aws_oidc/variables.tf
+++ b/cloud/aws/templates/aws_oidc/variables.tf
@@ -537,3 +537,9 @@ variable "external_vpc_public_subnet_ids" {
 description = "The externally managed VPC's public subnet ID."
 default = []
 }
+
+variable "lb_logging_enabled" {
+ type = bool
+ description = "Whether to enable LB access logging."
+ default = false
+}