[#316] Make s3 module to be generic

tung-nimblehq · tung-nimblehq · commit 6b20d9c9c60a · 2026-01-09T16:07:26.000+07:00
diff --git a/src/generators/addons/aws/index.ts b/src/generators/addons/aws/index.ts
@@ -10,6 +10,7 @@ import {
   applyAwsRegion,
   applyAwsSecurityGroup,
   applyAwsVpc,
+  applyTerraformAwsData,
 } from './modules';
 
 const awsChoices = [
@@ -66,6 +67,7 @@ const generateAwsTemplate = async (
 
     case 'advanced':
       await applyProviderAndRegion(awsOptions);
+      await applyTerraformAwsData(awsOptions);
       await applyAwsVpc(awsOptions);
       await applyAwsSecurityGroup(awsOptions);
       await applyAwsIamUserAndGroup(awsOptions);
diff --git a/src/generators/addons/aws/modules/alb.test.ts b/src/generators/addons/aws/modules/alb.test.ts
@@ -46,6 +46,7 @@ describe('ALB add-on', () => {
         'core/variables.tf',
         'modules/alb/main.tf',
         'modules/alb/variables.tf',
+        'modules/alb/outputs.tf',
       ];
 
       expect(projectDir).toHaveFiles(expectedFiles);
diff --git a/src/generators/addons/aws/modules/alb.ts b/src/generators/addons/aws/modules/alb.ts
@@ -30,6 +30,14 @@ const albVariablesContent = dedent`
   }`;
 
 const albModuleContent = dedent`
+  module "s3_access_log" {
+    source = "../modules/s3"
+
+    env_namespace = local.env_namespace
+    bucket_name   = "\${local.env_namespace}-alb-access-logs-\${data.aws_caller_identity.current.account_id}"
+    force_destroy = true
+  }
+
   module "alb" {
     source = "../modules/alb"
 
@@ -39,6 +47,49 @@ const albModuleContent = dedent`
     subnet_ids         = module.vpc.public_subnet_ids
     security_group_ids = module.security_group.alb_security_group_ids
     health_check_path  = var.health_check_path
+    bucket_access_log_name = module.s3_access_log.aws_s3_bucket_name
+  }
+    
+  module "s3_bucket_access_log_policy" {
+    source = "../modules/s3BucketPolicy"
+
+    s3_bucket_name = module.s3_access_log.aws_s3_bucket_name
+    s3_bucket_policy = {
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Effect = "Allow"
+          Principal = {
+            AWS = [
+              "\${data.aws_elb_service_account.elb_service_account.arn}"
+            ]
+          }
+          Action   = "s3:PutObject"
+          Resource = "arn:aws:s3:::\${module.s3_access_log.aws_s3_bucket_name}/AWSLogs/*"
+        },
+        {
+          Effect = "Allow",
+          Principal = {
+            Service = "delivery.logs.amazonaws.com"
+          }
+          Action   = "s3:PutObject"
+          Resource = "arn:aws:s3:::\${module.s3_access_log.aws_s3_bucket_name}/AWSLogs/*",
+          Condition = {
+            StringEquals = {
+              "s3:x-amz-acl" = "bucket-owner-full-control"
+            }
+          }
+        },
+        {
+          Effect = "Allow",
+          Principal = {
+            Service = "delivery.logs.amazonaws.com"
+          }
+          Action   = "s3:GetBucketAcl"
+          Resource = "arn:aws:s3:::\${module.s3_access_log.aws_s3_bucket_name}"
+        }
+      ]
+    }
   }`;
 
 const albOutputsContent = dedent`
diff --git a/src/generators/addons/aws/modules/core/data.test.ts b/src/generators/addons/aws/modules/core/data.test.ts
@@ -0,0 +1,29 @@
+import { AwsOptions } from '@/generators/addons/aws';
+import { remove } from '@/helpers/file';
+
+import applyTerraformAwsData from './data';
+
+describe('Data add-on', () => {
+  describe('given valid AwsOptions', () => {
+    const projectDir = 'data-addon-test';
+
+    beforeAll(async () => {
+      const awsOptions: AwsOptions = {
+        projectName: projectDir,
+        provider: 'aws',
+        infrastructureType: 'advanced',
+      };
+
+      await applyTerraformAwsData(awsOptions);
+    });
+
+    afterAll(() => {
+      jest.clearAllMocks();
+      remove('/', projectDir);
+    });
+
+    it('creates the expected file', () => {
+      expect(projectDir).toHaveFile('core/data.tf');
+    });
+  });
+});
diff --git a/src/generators/addons/aws/modules/core/data.ts b/src/generators/addons/aws/modules/core/data.ts
@@ -0,0 +1,14 @@
+import { AwsOptions } from '@/generators/addons/aws';
+import { AWS_TEMPLATE_PATH } from '@/generators/addons/aws/constants';
+import { INFRA_CORE_PATH } from '@/generators/terraform/constants';
+import { copy } from '@/helpers/file';
+
+const applyTerraformAwsData = async (options: AwsOptions) => {
+  copy(
+    `${AWS_TEMPLATE_PATH}/data.tf`,
+    `${INFRA_CORE_PATH}/data.tf`,
+    options.projectName
+  );
+};
+
+export default applyTerraformAwsData;
diff --git a/src/generators/addons/aws/modules/index.ts b/src/generators/addons/aws/modules/index.ts
@@ -1,6 +1,7 @@
 import applyAwsAlb from './alb';
 import applyAwsBastion from './bastion';
 import applyAwsCloudwatch from './cloudwatch';
+import applyTerraformAwsData from './core/data';
 import applyAwsIamUserAndGroup from './core/iamUserAndGroup';
 import applyTerraformAwsProvider from './core/provider';
 import applyAwsRegion from './core/region';
@@ -16,6 +17,7 @@ export {
   applyAwsAlb,
   applyAwsBastion,
   applyTerraformAwsProvider,
+  applyTerraformAwsData,
   applyAwsCloudwatch,
   applyAwsEcr,
   applyAwsEcs,
diff --git a/src/generators/addons/aws/modules/s3.test.ts b/src/generators/addons/aws/modules/s3.test.ts
@@ -3,7 +3,7 @@ import { applyTerraformCore } from '@/generators/terraform';
 import { remove } from '@/helpers/file';
 
 import applyTerraformAwsProvider from './core/provider';
-import applyAwsS3, { s3ModuleContent, s3OutputsContent } from './s3';
+import applyAwsS3 from './s3';
 
 jest.mock('inquirer', () => {
   return {
@@ -41,20 +41,11 @@ describe('S3 add-on', () => {
         'modules/s3/main.tf',
         'modules/s3/variables.tf',
         'modules/s3/outputs.tf',
+        'modules/s3BucketPolicy/main.tf',
+        'modules/s3BucketPolicy/variables.tf',
       ];
 
       expect(projectDir).toHaveFiles(expectedFiles);
     });
-
-    it('adds S3 module to main.tf', () => {
-      expect(projectDir).toHaveContentInFile('core/main.tf', s3ModuleContent);
-    });
-
-    it('adds S3 outputs to outputs.tf', () => {
-      expect(projectDir).toHaveContentInFile(
-        'core/outputs.tf',
-        s3OutputsContent
-      );
-    });
   });
 });
diff --git a/src/generators/addons/aws/modules/s3.ts b/src/generators/addons/aws/modules/s3.ts
@@ -1,37 +1,20 @@
-import { dedent } from 'ts-dedent';
-
 import { AwsOptions } from '@/generators/addons/aws';
 import { isAwsModuleAdded } from '@/generators/addons/aws/dependencies';
-import {
-  INFRA_CORE_MAIN_PATH,
-  INFRA_CORE_OUTPUTS_PATH,
-} from '@/generators/terraform/constants';
-import { appendToFile, copy } from '@/helpers/file';
+import { copy } from '@/helpers/file';
 
 import { AWS_TEMPLATE_PATH } from '../constants';
 
-const s3OutputsContent = dedent`
-  output "s3_alb_log_bucket_name" {
-    description = "S3 bucket name for ALB log"
-    value       = module.s3.aws_alb_log_bucket_name
-  }`;
-
-const s3ModuleContent = dedent`
-  module "s3" {
-    source = "../modules/s3"
-
-    env_namespace = local.env_namespace
-  }`;
-
 const applyAwsS3 = async (options: AwsOptions) => {
   if (isAwsModuleAdded('s3', options.projectName)) {
     return;
   }
 
   copy(`${AWS_TEMPLATE_PATH}/modules/s3`, 'modules/s3', options.projectName);
-  appendToFile(INFRA_CORE_OUTPUTS_PATH, s3OutputsContent, options.projectName);
-  appendToFile(INFRA_CORE_MAIN_PATH, s3ModuleContent, options.projectName);
+  copy(
+    `${AWS_TEMPLATE_PATH}/modules/s3BucketPolicy`,
+    'modules/s3BucketPolicy',
+    options.projectName
+  );
 };
 
 export default applyAwsS3;
-export { s3ModuleContent, s3OutputsContent };
diff --git a/templates/addons/aws/data.tf b/templates/addons/aws/data.tf
@@ -0,0 +1,3 @@
+data "aws_caller_identity" "current" {}
+data "aws_elb_service_account" "elb_service_account" {}
+data "aws_partition" "current" {}
diff --git a/templates/addons/aws/modules/alb/locals.tf b/templates/addons/aws/modules/alb/locals.tf
@@ -0,0 +1,3 @@
+locals {
+  enable_stickiness = false
+}
diff --git a/templates/addons/aws/modules/alb/main.tf b/templates/addons/aws/modules/alb/main.tf
@@ -1,7 +1,3 @@
-locals {
-  enable_stickiness = false
-}
-
 # trivy:ignore:AVD-AWS-0053
 resource "aws_lb" "main" {
   name               = "${var.env_namespace}-alb"
@@ -14,7 +10,7 @@ resource "aws_lb" "main" {
   drop_invalid_header_fields = true
 
   access_logs {
-    bucket  = "${var.env_namespace}-alb-log"
+    bucket  = var.bucket_access_log_name
     enabled = true
   }
 }
diff --git a/templates/addons/aws/modules/alb/variables.tf b/templates/addons/aws/modules/alb/variables.tf
@@ -8,6 +8,11 @@ variable "subnet_ids" {
   type        = list(string)
 }
 
+variable "bucket_access_log_name" {
+  description = "The name of the S3 bucket for ALB access logs"
+  type        = string
+}
+
 variable "security_group_ids" {
   description = "A list of security group IDs to assign to the LB"
   type        = list(string)
diff --git a/templates/addons/aws/modules/s3/main.tf b/templates/addons/aws/modules/s3/main.tf
@@ -1,75 +1,30 @@
-data "aws_elb_service_account" "elb_service_account" {}
-
 # trivy:ignore:AVD-AWS-0089 trivy:ignore:AVD-AWS-0132 trivy:ignore:AVD-AWS-0088 trivy:ignore:AVD-AWS-0090
-resource "aws_s3_bucket" "alb_log" {
-  bucket        = "${var.env_namespace}-alb-log"
-  force_destroy = true
+resource "aws_s3_bucket" "s3_bucket" {
+  bucket        = var.bucket_name
+  force_destroy = var.force_destroy
 }
 
-resource "aws_s3_bucket_ownership_controls" "alb_log" {
-  bucket = aws_s3_bucket.alb_log.id
+resource "aws_s3_bucket_ownership_controls" "s3_bucket_ownership_controls" {
+  bucket = aws_s3_bucket.s3_bucket.id
   rule {
-    object_ownership = "ObjectWriter"
+    object_ownership = var.object_ownership
   }
 }
 
-resource "aws_s3_bucket_acl" "alb_log_bucket_acl" {
-  bucket = aws_s3_bucket.alb_log.id
+resource "aws_s3_bucket_acl" "s3_bucket_acl" {
+  count  = var.object_ownership == "ObjectWriter" ? 1 : 0
+  bucket = aws_s3_bucket.s3_bucket.id
   acl    = "private"
 
   depends_on = [
-    aws_s3_bucket_ownership_controls.alb_log
+    aws_s3_bucket_ownership_controls.s3_bucket_ownership_controls
   ]
 }
 
-resource "aws_s3_bucket_public_access_block" "alb_log" {
-  bucket                  = aws_s3_bucket.alb_log.id
+resource "aws_s3_bucket_public_access_block" "s3_bucket_public_access_block" {
+  bucket                  = aws_s3_bucket.s3_bucket.id
   block_public_acls       = true
   block_public_policy     = true
   ignore_public_acls      = true
   restrict_public_buckets = true
 }
-
-locals {
-  aws_s3_bucket_policy = {
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Principal = {
-          AWS = [
-            "${data.aws_elb_service_account.elb_service_account.arn}"
-          ]
-        }
-        Action   = "s3:PutObject"
-        Resource = "arn:aws:s3:::${aws_s3_bucket.alb_log.id}/AWSLogs/*"
-      },
-      {
-        Effect = "Allow",
-        Principal = {
-          Service = "delivery.logs.amazonaws.com"
-        }
-        Action   = "s3:PutObject"
-        Resource = "arn:aws:s3:::${aws_s3_bucket.alb_log.id}/AWSLogs/*",
-        Condition = {
-          StringEquals = {
-            "s3:x-amz-acl" = "bucket-owner-full-control"
-          }
-        }
-      },
-      {
-        Effect = "Allow",
-        Principal = {
-          Service = "delivery.logs.amazonaws.com"
-        }
-        Action   = "s3:GetBucketAcl"
-        Resource = "arn:aws:s3:::${aws_s3_bucket.alb_log.id}"
-      }
-    ]
-  }
-}
-
-resource "aws_s3_bucket_policy" "allow_elb_logging" {
-  bucket = aws_s3_bucket.alb_log.id
-  policy = jsonencode(local.aws_s3_bucket_policy)
-}
diff --git a/templates/addons/aws/modules/s3/outputs.tf b/templates/addons/aws/modules/s3/outputs.tf
@@ -1,4 +1,4 @@
-output "aws_alb_log_bucket_name" {
+output "aws_s3_bucket_name" {
   description = "S3 bucket name for ALB logging"
-  value       = aws_s3_bucket.alb_log.bucket
+  value       = aws_s3_bucket.s3_bucket.bucket
 }
diff --git a/templates/addons/aws/modules/s3/variables.tf b/templates/addons/aws/modules/s3/variables.tf
@@ -2,3 +2,20 @@ variable "env_namespace" {
   description = "The namespace with environment for the S3 buckets, used as the prefix for the bucket names, e.g. acme-web-staging"
   type        = string
 }
+
+variable "bucket_name" {
+  description = "The name of the S3 bucket to create, used as the suffix for the bucket name."
+  type        = string
+}
+
+variable "force_destroy" {
+  description = "Whether to force destroy the S3 bucket when deleting. Set to true to delete all objects in the bucket."
+  type        = bool
+  default     = true
+}
+
+variable "object_ownership" {
+  description = "The S3 Object Ownership setting for the bucket. Valid values are 'BucketOwnerPreferred' and 'ObjectWriter'"
+  type        = string
+  default     = "ObjectWriter"
+}
diff --git a/templates/addons/aws/modules/s3BucketPolicy/main.tf b/templates/addons/aws/modules/s3BucketPolicy/main.tf
@@ -0,0 +1,4 @@
+resource "aws_s3_bucket_policy" "allow_elb_logging" {
+  bucket = var.s3_bucket_name
+  policy = jsonencode(var.s3_bucket_policy)
+}
diff --git a/templates/addons/aws/modules/s3BucketPolicy/variables.tf b/templates/addons/aws/modules/s3BucketPolicy/variables.tf
@@ -0,0 +1,10 @@
+variable "s3_bucket_name" {
+  description = "The name of the S3 bucket"
+  type        = string
+}
+
+variable "s3_bucket_policy" {
+  description = "The S3 bucket policy in JSON format."
+  type        = any
+  default     = {}
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+data "aws_caller_identity" "current" {}`
	`2`	`+data "aws_elb_service_account" "elb_service_account" {}`
	`3`	`+data "aws_partition" "current" {}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+locals {`
	`2`	`+ enable_stickiness = false`
	`3`	`+}`