Create and manage a bucket suitable for access logging for ELBs.
```hcl
module "elblogging-bucket" {
  source        = "rhythmictech/elblogging-bucket/aws"
  bucket_suffix = "application"
}
```
Reading access logs directly from S3 is painful. Athena improves this dramatically, but Terraform does not yet have a resource for creating Athena tables (issue tracked upstream). This module therefore uses the AWS CLI, via a null resource, to optionally create an Athena table; the CLI must be installed and credentialed wherever `terraform apply` runs.
If you would rather, you can follow the instructions Amazon provides to set this up yourself.
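As an added example (not the module's own README code), a fuller invocation that restricts log delivery to named accounts, enables the Athena table, and points an ALB at the bucket through the s3_bucket_name output. The account IDs, subnet and security-group IDs are constructed placeholders, and the module label and ALB resource are assumptions.

```hcl
# Added example: not part of the module. IDs below are constructed placeholders.
module "elblogging_bucket" {
  source = "rhythmictech/elblogging-bucket/aws"

  bucket_suffix = "application"

  # Only these accounts may deliver logs; an empty list would allow any account,
  # and source_organizations (if set) overrides this list.
  source_accounts = ["111111111111", "222222222222"]

  # Optional Athena table; needs the AWS CLI on the machine running terraform.
  create_athena_query = true

  # Keep versioning on: objects in a logging bucket should never be overwritten.
  versioning_enabled = true

  tags = {
    Environment = "prod"
    Purpose     = "elb-access-logs"
  }
}

resource "aws_lb" "application" {
  name               = "application"
  load_balancer_type = "application"
  subnets            = ["subnet-0aaaaaaaaaaaaaaa1", "subnet-0bbbbbbbbbbbbbbb2"] # placeholders
  security_groups    = ["sg-0ccccccccccccccc3"]                                 # placeholder

  # Deliver ALB access logs into the bucket the module created.
  access_logs {
    bucket  = module.elblogging_bucket.s3_bucket_name
    prefix  = "alb/application"
    enabled = true
  }
}
```

Because the bucket policy is generated from source_accounts and the ELB service principal, the ALB will fail to enable logging if the ALB's account is not in that list.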
| Requirement | Version |
|---|---|
| terraform | >= 1.5 |
| aws | >= 5.0 |
| null | >= 3 |
| Provider | Version |
|---|---|
| aws | 6.31.0 |
| null | 3.2.4 |
No modules.
| Resource | Type |
|---|---|
| aws_athena_database.this | resource |
| aws_athena_workgroup.this | resource |
| aws_iam_policy.athena | resource |
| aws_s3_bucket.athena_results | resource |
| aws_s3_bucket.this | resource |
| aws_s3_bucket_lifecycle_configuration.this | resource |
| aws_s3_bucket_logging.this | resource |
| aws_s3_bucket_policy.this | resource |
| aws_s3_bucket_public_access_block.athena_results | resource |
| aws_s3_bucket_public_access_block.this | resource |
| aws_s3_bucket_server_side_encryption_configuration.athena_results | resource |
| aws_s3_bucket_server_side_encryption_configuration.this | resource |
| aws_s3_bucket_versioning.athena_results | resource |
| aws_s3_bucket_versioning.this | resource |
| null_resource.create_table | resource |
| aws_caller_identity.current | data source |
| aws_elb_service_account.principal | data source |
| aws_iam_policy_document.athena | data source |
| aws_iam_policy_document.this | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| Input | Description | Type | Default | Required |
|---|---|---|---|---|
| bucket_name | Name to apply to the bucket (use bucket_name or bucket_suffix) | string | null | no |
| bucket_suffix | Suffix to apply to the bucket (use bucket_name or bucket_suffix). When using bucket_suffix, the bucket name will be [ACCOUNT_ID]-[REGION]-s3logging-[BUCKET_SUFFIX]. | string | "elblogging" | no |
| create_athena_query | Create an Athena table for querying ALB logs. Uses the AWS CLI. | bool | false | no |
| lifecycle_rules | Lifecycle rules to apply to the bucket | list(object( | [] | no |
| s3_access_logging_bucket | Optional target for S3 access logging | string | null | no |
| s3_access_logging_prefix | Optional target prefix for S3 access logging (only used if s3_access_logging_bucket is set) | string | null | no |
| source_accounts | List of AWS account IDs to restrict log delivery to. Defaults to the caller account. Set to an empty list to allow any account. | list(string) | [ | no |
| source_organizations | List of AWS Organization IDs to restrict log delivery to. Overrides source_accounts. | list(string) | [] | no |
| tags | Tags to add to supported resources | map(string) | {} | no |
| use_legacy_elb_policy | Use the legacy ELB policy statement from pre-2022. | bool | false | no |
| versioning_enabled | Whether or not to use versioning on the bucket. This can be useful for audit purposes, since objects in a logging bucket should not be updated. | bool | true | no |
| Output | Description |
|---|---|
| delete_athena_table_comand | The command to delete the Athena table. This is given as an output because the destroy-time provisioner does not take arguments from external resources. |
| s3_bucket_arn | The ARN of the bucket |
| s3_bucket_domain_name | The domain name of the bucket |
| s3_bucket_name | The name of the bucket |