feat: Add log delivery source organization variables
Allow S3 bucket access scoping to AWS Organizations in
ALB/NLB/S3 access log bucket policies.

Signed-off-by: szubersk <[email protected]>
szubersk committed Dec 13, 2024
1 parent 8b855f8 commit 3812cb5
Showing 5 changed files with 113 additions and 56 deletions.
2 changes: 2 additions & 0 deletions README.md
@@ -183,6 +183,7 @@ No modules.
| <a name="input_acceleration_status"></a> [acceleration\_status](#input\_acceleration\_status) | (Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. | `string` | `null` | no |
| <a name="input_access_log_delivery_policy_source_accounts"></a> [access\_log\_delivery\_policy\_source\_accounts](#input\_access\_log\_delivery\_policy\_source\_accounts) | (Optional) List of AWS Account IDs should be allowed to deliver access logs to this bucket. | `list(string)` | `[]` | no |
| <a name="input_access_log_delivery_policy_source_buckets"></a> [access\_log\_delivery\_policy\_source\_buckets](#input\_access\_log\_delivery\_policy\_source\_buckets) | (Optional) List of S3 bucket ARNs which should be allowed to deliver access logs to this bucket. | `list(string)` | `[]` | no |
| <a name="input_access_log_delivery_policy_source_organizations"></a> [access\_log\_delivery\_policy\_source\_organizations](#input\_access\_log\_delivery\_policy\_source\_organizations) | (Optional) List of AWS Organization IDs should be allowed to deliver access logs to this bucket. | `list(string)` | `[]` | no |
| <a name="input_acl"></a> [acl](#input\_acl) | (Optional) The canned ACL to apply. Conflicts with `grant` | `string` | `null` | no |
| <a name="input_allowed_kms_key_arn"></a> [allowed\_kms\_key\_arn](#input\_allowed\_kms\_key\_arn) | The ARN of KMS key which should be allowed in PutObject | `string` | `null` | no |
| <a name="input_analytics_configuration"></a> [analytics\_configuration](#input\_analytics\_configuration) | Map containing bucket analytics configuration. | `any` | `{}` | no |
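Review bot: the description in the new `access_log_delivery_policy_source_organizations` row is missing a relative pronoun: "List of AWS Organization IDs should be allowed to deliver access logs to this bucket." should read "List of AWS Organization IDs that should be allowed to deliver access logs to this bucket." If this table is generated by terraform-docs, fix the wording in the variable description in `variables.tf` and regenerate rather than editing the row by hand. It would also help readers to state which IAM condition key the IDs are compared against, since that determines whether the value is the bucket owner's organization or the log source's organization.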
@@ -217,6 +218,7 @@ No modules.
| <a name="input_inventory_self_source_destination"></a> [inventory\_self\_source\_destination](#input\_inventory\_self\_source\_destination) | Whether or not the inventory source bucket is also the destination bucket. | `bool` | `false` | no |
| <a name="input_inventory_source_account_id"></a> [inventory\_source\_account\_id](#input\_inventory\_source\_account\_id) | The inventory source account id. | `string` | `null` | no |
| <a name="input_inventory_source_bucket_arn"></a> [inventory\_source\_bucket\_arn](#input\_inventory\_source\_bucket\_arn) | The inventory source bucket ARN. | `string` | `null` | no |
| <a name="input_lb_log_delivery_policy_source_organizations"></a> [lb\_log\_delivery\_policy\_source\_organizations](#input\_lb\_log\_delivery\_policy\_source\_organizations) | (Optional) List of AWS Organization IDs should be allowed to deliver ALB/NLB logs to this bucket. | `list(string)` | `[]` | no |
| <a name="input_lifecycle_rule"></a> [lifecycle\_rule](#input\_lifecycle\_rule) | List of maps containing configuration of object lifecycle management. | `any` | `[]` | no |
| <a name="input_logging"></a> [logging](#input\_logging) | Map containing access bucket logging configuration. | `any` | `{}` | no |
| <a name="input_metric_configuration"></a> [metric\_configuration](#input\_metric\_configuration) | Map containing bucket metric configuration. | `any` | `[]` | no |
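Review bot: same wording defect in the new `lb_log_delivery_policy_source_organizations` row: "List of AWS Organization IDs should be allowed to deliver ALB/NLB logs to this bucket." needs "that" ("List of AWS Organization IDs that should be allowed to deliver ALB/NLB logs to this bucket."). Because this variable only adds a condition to the existing load-balancer delivery statements, the row should also say that the check is applied in addition to the existing delivery conditions, not as an alternative to them.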
6 changes: 4 additions & 2 deletions examples/complete/main.tf
@@ -76,8 +76,10 @@ module "log_bucket" {
attach_deny_insecure_transport_policy = true
attach_require_latest_tls_policy = true

access_log_delivery_policy_source_accounts = [data.aws_caller_identity.current.account_id]
access_log_delivery_policy_source_buckets = ["arn:aws:s3:::${local.bucket_name}"]
access_log_delivery_policy_source_accounts = [data.aws_caller_identity.current.account_id]
access_log_delivery_policy_source_buckets = ["arn:aws:s3:::${local.bucket_name}"]
access_log_delivery_policy_source_organizations = ["o-123456"]
lb_log_delivery_policy_source_organizations = ["o-123456"]
}

module "cloudfront_log_bucket" {
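Review bot: `"o-123456"` is a hard-coded placeholder, not the organization the example bucket is created in, and the module turns it into a `StringEquals` condition on `aws:ResourceOrgID`. That key resolves to the organization of the bucket being written to, so with this value the condition can never be satisfied and anyone who applies the example as-is gets a bucket policy under which ALB/NLB and S3 access-log delivery is denied. Either source the value from the account running the example, e.g. `access_log_delivery_policy_source_organizations = [data.aws_organizations_organization.current.id]` with a matching `data "aws_organizations_organization" "current" {}`, or leave these two lines out of the example and document the format of a real ID instead (`o-` followed by 10 to 32 lowercase letters or digits).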
39 changes: 39 additions & 0 deletions main.tf
@@ -675,6 +675,16 @@ data "aws_iam_policy_document" "lb_log_delivery" {
variable = "s3:x-amz-acl"
values = ["bucket-owner-full-control"]
}

dynamic "condition" {
for_each = length(var.lb_log_delivery_policy_source_organizations) > 0 ? [true] : []

content {
test = "StringEquals"
variable = "aws:ResourceOrgID"
values = var.lb_log_delivery_policy_source_organizations
}
}
}

statement {
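Review bot: the condition key in the new `dynamic "condition"` block, `aws:ResourceOrgID`, is evaluated by IAM as the organization of the resource being accessed, which in a bucket policy is always the organization that owns this bucket, not the organization of the load balancer or the account it runs in. The condition therefore cannot restrict which organizations' load balancers may deliver logs (the purpose stated by the name `lb_log_delivery_policy_source_organizations` and by the commit message); its only effect is to deny delivery entirely when the bucket itself is not in one of the listed organizations. If the intent is to scope the source, the key that carries the organization on whose behalf a service principal makes the request is `aws:SourceOrgID` (populated for the same service-to-service requests that populate `aws:SourceAccount`), i.e. `variable = "aws:SourceOrgID"`. Whichever key is kept, name it in the variable description so users know what is compared.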
@@ -696,6 +706,15 @@ data "aws_iam_policy_document" "lb_log_delivery" {
aws_s3_bucket.this[0].arn,
]

dynamic "condition" {
for_each = length(var.lb_log_delivery_policy_source_organizations) > 0 ? [true] : []

content {
test = "StringEquals"
variable = "aws:ResourceOrgID"
values = var.lb_log_delivery_policy_source_organizations
}
}
}
}
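Review bot: this second statement (the one whose resource is `aws_s3_bucket.this[0].arn`, i.e. the bucket-level ACL check) gets the same `aws:ResourceOrgID` condition, which again compares the organization of this bucket rather than the organization the ELB service is delivering on behalf of, so it adds no per-source scoping. If the object-write statement is changed to `aws:SourceOrgID`, this statement must be changed in lockstep; otherwise a delivery can satisfy one statement and be rejected by the other, and the failure surfaces only as logs silently not arriving.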

@@ -741,6 +760,16 @@ data "aws_iam_policy_document" "access_log_delivery" {
}
}

dynamic "condition" {
for_each = length(var.access_log_delivery_policy_source_organizations) > 0 ? [true] : []

content {
test = "StringEquals"
variable = "aws:ResourceOrgID"
values = var.access_log_delivery_policy_source_organizations
}
}

}

statement {
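Review bot: `aws:ResourceOrgID` in the new block resolves to the organization of this bucket, so `access_log_delivery_policy_source_organizations` does not limit which organizations' source buckets may deliver S3 server access logs here; the value is compared against the bucket owner's own organization and nothing else. The key that carries the organization of the source of a service-to-service request is `aws:SourceOrgID`. Style: the block leaves a blank line between the closing `}` of the `dynamic "condition"` block and the closing `}` of the statement, which the `lb_log_delivery` statements do not have; drop it for consistency (`terraform fmt` will not remove it).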
@@ -761,6 +790,16 @@ data "aws_iam_policy_document" "access_log_delivery" {
aws_s3_bucket.this[0].arn,
]

dynamic "condition" {
for_each = length(var.access_log_delivery_policy_source_organizations) > 0 ? [true] : []

content {
test = "StringEquals"
variable = "aws:ResourceOrgID"
values = var.access_log_delivery_policy_source_organizations
}
}

}
}
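Review bot: the bucket-level statement for access-log delivery (resource `aws_s3_bucket.this[0].arn`) repeats the `aws:ResourceOrgID` condition, which again evaluates to this bucket's own organization and so cannot scope delivery by source organization; keep it and the object-write statement on the same key (`aws:SourceOrgID` if source scoping is the goal) so that both halves of a delivery are gated identically. The trailing blank line before the statement's closing `}` should also go, matching the formatting of the `lb_log_delivery` statements.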

12 changes: 12 additions & 0 deletions variables.tf
@@ -166,6 +166,18 @@ variable "access_log_delivery_policy_source_accounts" {
default = []
}

variable "access_log_delivery_policy_source_organizations" {
description = "(Optional) List of AWS Organization IDs should be allowed to deliver access logs to this bucket."
type = list(string)
default = []
}

variable "lb_log_delivery_policy_source_organizations" {
description = "(Optional) List of AWS Organization IDs should be allowed to deliver ALB/NLB logs to this bucket."
type = list(string)
default = []
}

variable "grant" {
description = "An ACL policy grant. Conflicts with `acl`"
type = any
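Review bot: both new descriptions read "List of AWS Organization IDs should be allowed to deliver ..." and need "that" after "IDs"; since the README rows are derived from these strings, fixing them here fixes both. The descriptions should also name the condition key the IDs feed into, because `aws:ResourceOrgID` compares the bucket owner's organization while `aws:SourceOrgID` compares the log source's organization, and users cannot tell from "should be allowed to deliver" which one they are configuring. Consider a `validation` block on each variable so a malformed ID fails at plan time instead of producing a policy that silently denies delivery, e.g. `condition = alltrue([for id in var.lb_log_delivery_policy_source_organizations : can(regex("^o-[a-z0-9]{10,32}$", id))])` with an `error_message` explaining the expected `o-` prefix.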
0 comments on commit 3812cb5