[#323]Make s3 module to be generic, and move locals out of main file and create dedicated locals and data files

Author: tung-nimblehq

src/commands/generate/index.test.ts

@@ -65,9 +65,9 @@ describe('Generator command', () => {
           expect(postProcess).toHaveBeenCalledTimes(1);
         });
 
-        it('contains processed project name in main files', () => {
-          const mainFiles = ['shared/main.tf', 'core/main.tf'];
-          mainFiles.forEach((fileName) => {
+        it('contains processed project name in locals files', () => {
+          const localsFiles = ['shared/locals.tf', 'core/locals.tf'];
+          localsFiles.forEach((fileName) => {
             expect(processedDirectoryName).toHaveContentInFile(
               fileName,
               `project_name = "${processedDirectoryName}"`,

src/generators/addons/aws/modules/alb.test.ts

@@ -46,6 +46,7 @@ describe('ALB add-on', () => {
         'core/variables.tf',
         'modules/alb/main.tf',
         'modules/alb/variables.tf',
+        'modules/alb/outputs.tf',
       ];
 
       expect(projectDir).toHaveFiles(expectedFiles);

src/generators/addons/aws/modules/alb.ts

@@ -6,18 +6,64 @@ import {
   requireAwsModules,
 } from '@/generators/addons/aws/dependencies';
 import {
+  INFRA_CORE_DATA_PATH,
+  INFRA_CORE_LOCALS_PATH,
   INFRA_CORE_MAIN_PATH,
   INFRA_CORE_OUTPUTS_PATH,
   INFRA_CORE_VARIABLES_PATH,
+  MODULES_LOCALS_INDICATOR,
 } from '@/generators/terraform/constants';
-import { appendToFile, copy } from '@/helpers/file';
+import { appendToFile, copy, injectToFile } from '@/helpers/file';
 
 import {
   AWS_SECURITY_GROUP_MAIN_PATH,
   AWS_SECURITY_GROUP_OUTPUTS_PATH,
   AWS_TEMPLATE_PATH,
 } from '../constants';
 
+const albLocalesContent = dedent`
+    ###ALB Locals###
+    alb_s3_bucket_policy = {
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Effect = "Allow"
+          Principal = {
+            AWS = [
+              "\${data.aws_elb_service_account.elb_service_account.arn}"
+            ]
+          }
+          Action   = "s3:PutObject"
+          Resource = "arn:aws:s3:::\${module.s3_alb_access_log.aws_s3_bucket_name}/AWSLogs/*"
+        },
+        {
+          Effect = "Allow",
+          Principal = {
+            Service = "delivery.logs.amazonaws.com"
+          }
+          Action   = "s3:PutObject"
+          Resource = "arn:aws:s3:::\${module.s3_alb_access_log.aws_s3_bucket_name}/AWSLogs/*",
+          Condition = {
+            StringEquals = {
+              "s3:x-amz-acl" = "bucket-owner-full-control"
+            }
+          }
+        },
+        {
+          Effect = "Allow",
+          Principal = {
+            Service = "delivery.logs.amazonaws.com"
+          }
+          Action   = "s3:GetBucketAcl"
+          Resource = "arn:aws:s3:::\${module.s3_alb_access_log.aws_s3_bucket_name}"
+        }
+      ]
+    }`;
+
+const albDataContent = dedent`
+  ###ALB Locals###
+  data "aws_elb_service_account" "elb_service_account" {}`;
+
 const albVariablesContent = dedent`
   variable "health_check_path" {
     description = "Application health check path"
@@ -30,15 +76,31 @@ const albVariablesContent = dedent`
   }`;
 
 const albModuleContent = dedent`
+  module "s3_alb_access_log" {
+    source = "../modules/s3"
+
+    env_namespace = local.env_namespace
+    bucket_name   = "\${local.env_namespace}-alb-access-logs-\${data.aws_caller_identity.current.account_id}"
+    force_destroy = true
+  }
+
   module "alb" {
     source = "../modules/alb"
 
-    vpc_id             = module.vpc.vpc_id
-    env_namespace      = local.env_namespace
-    app_port           = var.app_port
-    subnet_ids         = module.vpc.public_subnet_ids
-    security_group_ids = module.security_group.alb_security_group_ids
-    health_check_path  = var.health_check_path
+    vpc_id                 = module.vpc.vpc_id
+    env_namespace          = local.env_namespace
+    app_port               = var.app_port
+    subnet_ids             = module.vpc.public_subnet_ids
+    security_group_ids     = module.security_group.alb_security_group_ids
+    health_check_path      = var.health_check_path
+    bucket_access_log_name = module.s3_alb_access_log.aws_s3_bucket_name
+  }
+
+  module "s3_bucket_access_log_policy" {
+    source = "../modules/s3/bucket_policy"
+
+    s3_bucket_name = module.s3_alb_access_log.aws_s3_bucket_name
+    s3_bucket_policy = local.alb_s3_bucket_policy
   }`;
 
 const albOutputsContent = dedent`
@@ -104,6 +166,10 @@ const applyAwsAlb = async (options: AwsOptions) => {
   await requireAwsModules('alb', 'securityGroup', options);
 
   copy(`${AWS_TEMPLATE_PATH}/modules/alb`, 'modules/alb', options.projectName);
+  injectToFile(INFRA_CORE_LOCALS_PATH, albLocalesContent, options.projectName, {
+    insertAfter: MODULES_LOCALS_INDICATOR,
+  });
+  appendToFile(INFRA_CORE_DATA_PATH, albDataContent, options.projectName);
   appendToFile(INFRA_CORE_MAIN_PATH, albModuleContent, options.projectName);
   appendToFile(
     INFRA_CORE_VARIABLES_PATH,

src/generators/addons/aws/modules/s3.test.ts

@@ -3,7 +3,7 @@ import { applyTerraformCore } from '@/generators/terraform';
 import { remove } from '@/helpers/file';
 
 import applyTerraformAwsProvider from './core/provider';
-import applyAwsS3, { s3ModuleContent, s3OutputsContent } from './s3';
+import applyAwsS3 from './s3';
 
 jest.mock('inquirer', () => {
   return {
@@ -41,20 +41,11 @@ describe('S3 add-on', () => {
         'modules/s3/main.tf',
         'modules/s3/variables.tf',
         'modules/s3/outputs.tf',
+        'modules/s3/bucket_policy/main.tf',
+        'modules/s3/bucket_policy/variables.tf',
       ];
 
       expect(projectDir).toHaveFiles(expectedFiles);
     });
-
-    it('adds S3 module to main.tf', () => {
-      expect(projectDir).toHaveContentInFile('core/main.tf', s3ModuleContent);
-    });
-
-    it('adds S3 outputs to outputs.tf', () => {
-      expect(projectDir).toHaveContentInFile(
-        'core/outputs.tf',
-        s3OutputsContent
-      );
-    });
   });
 });

src/generators/addons/aws/modules/s3.ts

@@ -1,37 +1,20 @@
-import { dedent } from 'ts-dedent';
-
 import { AwsOptions } from '@/generators/addons/aws';
 import { isAwsModuleAdded } from '@/generators/addons/aws/dependencies';
-import {
-  INFRA_CORE_MAIN_PATH,
-  INFRA_CORE_OUTPUTS_PATH,
-} from '@/generators/terraform/constants';
-import { appendToFile, copy } from '@/helpers/file';
+import { copy } from '@/helpers/file';
 
 import { AWS_TEMPLATE_PATH } from '../constants';
 
-const s3OutputsContent = dedent`
-  output "s3_alb_log_bucket_name" {
-    description = "S3 bucket name for ALB log"
-    value       = module.s3.aws_alb_log_bucket_name
-  }`;
-
-const s3ModuleContent = dedent`
-  module "s3" {
-    source = "../modules/s3"
-
-    env_namespace = local.env_namespace
-  }`;
-
 const applyAwsS3 = async (options: AwsOptions) => {
   if (isAwsModuleAdded('s3', options.projectName)) {
     return;
   }
 
   copy(`${AWS_TEMPLATE_PATH}/modules/s3`, 'modules/s3', options.projectName);
-  appendToFile(INFRA_CORE_OUTPUTS_PATH, s3OutputsContent, options.projectName);
-  appendToFile(INFRA_CORE_MAIN_PATH, s3ModuleContent, options.projectName);
+  copy(
+    `${AWS_TEMPLATE_PATH}/modules/s3/bucket_policy`,
+    'modules/s3/bucket_policy',
+    options.projectName
+  );
 };
 
 export default applyAwsS3;
-export { s3ModuleContent, s3OutputsContent };

src/generators/terraform/constants.ts

@@ -2,19 +2,30 @@ const INFRA_CORE_PATH = 'core/';
 const INFRA_CORE_MAIN_PATH = `${INFRA_CORE_PATH}/main.tf`;
 const INFRA_CORE_OUTPUTS_PATH = `${INFRA_CORE_PATH}/outputs.tf`;
 const INFRA_CORE_VARIABLES_PATH = `${INFRA_CORE_PATH}/variables.tf`;
+const INFRA_CORE_LOCALS_PATH = `${INFRA_CORE_PATH}/locals.tf`;
+const INFRA_CORE_DATA_PATH = `${INFRA_CORE_PATH}/data.tf`;
 
 const INFRA_SHARED_PATH = 'shared';
 const INFRA_SHARED_MAIN_PATH = `${INFRA_SHARED_PATH}/main.tf`;
 const INFRA_SHARED_OUTPUTS_PATH = `${INFRA_SHARED_PATH}/outputs.tf`;
 const INFRA_SHARED_VARIABLES_PATH = `${INFRA_SHARED_PATH}/variables.tf`;
+const INFRA_SHARED_LOCALS_PATH = `${INFRA_SHARED_PATH}/locals.tf`;
+const INFRA_SHARED_DATA_PATH = `${INFRA_SHARED_PATH}/data.tf`;
+
+const MODULES_LOCALS_INDICATOR = `### Modules Locals ###`;
 
 export {
   INFRA_CORE_PATH,
   INFRA_CORE_MAIN_PATH,
   INFRA_CORE_OUTPUTS_PATH,
   INFRA_CORE_VARIABLES_PATH,
+  INFRA_CORE_LOCALS_PATH,
+  INFRA_CORE_DATA_PATH,
   INFRA_SHARED_PATH,
   INFRA_SHARED_MAIN_PATH,
   INFRA_SHARED_OUTPUTS_PATH,
   INFRA_SHARED_VARIABLES_PATH,
+  INFRA_SHARED_LOCALS_PATH,
+  INFRA_SHARED_DATA_PATH,
+  MODULES_LOCALS_INDICATOR,
 };

src/generators/terraform/index.ts

@@ -2,8 +2,10 @@ import { dedent } from 'ts-dedent';
 
 import { GeneralOptions } from '@/commands/generate';
 import {
-  INFRA_CORE_MAIN_PATH,
-  INFRA_SHARED_MAIN_PATH,
+  INFRA_CORE_LOCALS_PATH,
+  INFRA_SHARED_LOCALS_PATH,
+  INFRA_CORE_DATA_PATH,
+  MODULES_LOCALS_INDICATOR,
 } from '@/generators/terraform/constants';
 import { copy, rename, appendToFile } from '@/helpers/file';
 
@@ -13,13 +15,20 @@ const applyTerraformCore = async (generalOptions: GeneralOptions) => {
   copy('terraform/', '.', projectName);
 
   const coreLocalsContent = dedent`
-      locals {
-        project_name  = "${projectName}"
-        env_namespace = "\${local.project_name}-\${var.environment}"
-      }`;
+  locals {
+    project_name  = "${projectName}"
+    env_namespace = "\${local.project_name}-\${var.environment}"
 
-  appendToFile(INFRA_CORE_MAIN_PATH, coreLocalsContent, projectName);
-  appendToFile(INFRA_SHARED_MAIN_PATH, coreLocalsContent, projectName);
+    ${MODULES_LOCALS_INDICATOR}
+  }`;
+
+  const coreDatContent = dedent`
+  data "aws_caller_identity" "current" {}
+  data "aws_partition" "current" {}`;
+
+  appendToFile(INFRA_CORE_LOCALS_PATH, coreLocalsContent, projectName);
+  appendToFile(INFRA_SHARED_LOCALS_PATH, coreLocalsContent, projectName);
+  appendToFile(INFRA_CORE_DATA_PATH, coreDatContent, projectName);
 
   // Need to rename .gitignore to gitignore because NPN package doesn't include .gitignore
   // https://github.com/npm/npm/issues/3763

templates/addons/aws/modules/alb/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  enable_stickiness = false
+}

templates/addons/aws/modules/alb/main.tf

@@ -1,7 +1,3 @@
-locals {
-  enable_stickiness = false
-}
-
 # trivy:ignore:AVD-AWS-0053
 resource "aws_lb" "main" {
   name               = "${var.env_namespace}-alb"
@@ -14,7 +10,7 @@ resource "aws_lb" "main" {
   drop_invalid_header_fields = true
 
   access_logs {
-    bucket  = "${var.env_namespace}-alb-log"
+    bucket  = var.bucket_access_log_name
     enabled = true
   }
 }

templates/addons/aws/modules/alb/variables.tf

@@ -8,6 +8,11 @@ variable "subnet_ids" {
   type        = list(string)
 }
 
+variable "bucket_access_log_name" {
+  description = "The name of the S3 bucket for ALB access logs"
+  type        = string
+}
+
 variable "security_group_ids" {
   description = "A list of security group IDs to assign to the LB"
   type        = list(string)