Merge pull request #16 from rhythmictech/v2

Updates for v2 release

Author: sdickenson

.gitignore

@@ -27,3 +27,5 @@ override.tf.json
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
+
+.terraform.lock.hcl

.pre-commit-config.yaml

@@ -2,7 +2,7 @@
 exclude: ".terraform"
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.105.0
     hooks:
       - id: terraform_docs
         always_run: true

.terraform.lock.hcl

@@ -1,10 +1,9 @@
 config {
-  module     = true
 }
 
 plugin "aws" {
     enabled = true
-    version = "0.12.0"
+    version = "0.45.0"
     source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 

.tflint.hcl

@@ -24,21 +24,21 @@ This module makes use of the AWS CLI to optionally create an Athena table.
 
 If you would rather you can follow the instructions Amazon provides [here](https://docs.aws.amazon.com/athena/latest/ug/application-load-balancer-logs.html) to set this up yourself.
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.4 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.8 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.17.1 |
-| <a name="provider_null"></a> [null](#provider\_null) | 3.2.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.31.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | 3.2.4 |
 
 ## Modules
 
@@ -53,6 +53,7 @@ No modules.
 | [aws_iam_policy.athena](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_s3_bucket.athena_results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.athena_results](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
@@ -76,11 +77,13 @@ No modules.
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Name to apply to bucket (use `bucket_name` or `bucket_suffix`) | `string` | `null` | no |
 | <a name="input_bucket_suffix"></a> [bucket\_suffix](#input\_bucket\_suffix) | Suffix to apply to the bucket (use `bucket_name` or `bucket_suffix`). When using `bucket_suffix`, the bucket name will be `[ACCOUNT_ID]-[REGION]-s3logging-[BUCKET_SUFFIX].` | `string` | `"elblogging"` | no |
 | <a name="input_create_athena_query"></a> [create\_athena\_query](#input\_create\_athena\_query) | Create an Athena table for querying ALB logs. Uses the aws cli | `bool` | `false` | no |
-| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | KMS key to encrypt bucket with. | `string` | `null` | no |
-| <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | lifecycle rules to apply to the bucket | <pre>list(object(<br>    {<br>      id                            = string<br>      enabled                       = bool<br>      prefix                        = string<br>      expiration                    = number<br>      noncurrent_version_expiration = number<br>  }))</pre> | `[]` | no |
+| <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | lifecycle rules to apply to the bucket | <pre>list(object(<br/>    {<br/>      id                            = string<br/>      enabled                       = bool<br/>      prefix                        = string<br/>      expiration                    = number<br/>      noncurrent_version_expiration = number<br/>  }))</pre> | `[]` | no |
 | <a name="input_s3_access_logging_bucket"></a> [s3\_access\_logging\_bucket](#input\_s3\_access\_logging\_bucket) | Optional target for S3 access logging | `string` | `null` | no |
 | <a name="input_s3_access_logging_prefix"></a> [s3\_access\_logging\_prefix](#input\_s3\_access\_logging\_prefix) | Optional target prefix for S3 access logging (only used if `s3_access_logging_bucket` is set) | `string` | `null` | no |
+| <a name="input_source_accounts"></a> [source\_accounts](#input\_source\_accounts) | List of AWS account IDs to restrict log delivery to. Defaults to caller account. Set to an empty list to allow any account. | `list(string)` | <pre>[<br/>  "self"<br/>]</pre> | no |
+| <a name="input_source_organizations"></a> [source\_organizations](#input\_source\_organizations) | List of AWS Organization IDs to restrict log delivery to. Overrides `source_accounts`. | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to add to supported resources | `map(string)` | `{}` | no |
+| <a name="input_use_legacy_elb_policy"></a> [use\_legacy\_elb\_policy](#input\_use\_legacy\_elb\_policy) | Use the legacy ELB policy statement from pre-2022. | `bool` | `false` | no |
 | <a name="input_versioning_enabled"></a> [versioning\_enabled](#input\_versioning\_enabled) | Whether or not to use versioning on the bucket. This can be useful for audit purposes since objects in a logging bucket should not be updated. | `bool` | `true` | no |
 
 ## Outputs
@@ -91,4 +94,4 @@ No modules.
 | <a name="output_s3_bucket_arn"></a> [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | The ARN of the bucket |
 | <a name="output_s3_bucket_domain_name"></a> [s3\_bucket\_domain\_name](#output\_s3\_bucket\_domain\_name) | The domain name of the bucket |
 | <a name="output_s3_bucket_name"></a> [s3\_bucket\_name](#output\_s3\_bucket\_name) | The name of the bucket |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->

README.md

@@ -17,29 +17,41 @@ locals {
   region      = data.aws_region.current.name
 }
 
-#trivy:ignore:avd-aws-0089
+#trivy:ignore:AVD-AWS-0089
 resource "aws_s3_bucket" "this" {
   bucket = local.bucket_name
   tags   = var.tags
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "this" {
+  bucket                                 = aws_s3_bucket.this.id
+  transition_default_minimum_object_size = "varies_by_storage_class"
 
-  dynamic "lifecycle_rule" {
+  dynamic "rule" {
     iterator = rule
     for_each = var.lifecycle_rules
 
     content {
-      id      = rule.value.id
-      enabled = rule.value.enabled
-      prefix  = lookup(rule.value, "prefix", null)
+      id     = rule.value.id
+      status = rule.value.enabled ? "Enabled" : "Disabled"
+
+      dynamic "filter" {
+        for_each = contains(keys(rule.value), "prefix") ? [true] : []
+        content {
+          prefix = rule.value.prefix
+        }
+      }
 
       expiration {
         days = rule.value.expiration
       }
 
       noncurrent_version_expiration {
-        days = rule.value.noncurrent_version_expiration
+        noncurrent_days = rule.value.noncurrent_version_expiration
       }
     }
   }
+
 }
 
 resource "aws_s3_bucket_versioning" "this" {
@@ -53,13 +65,13 @@ resource "aws_s3_bucket_versioning" "this" {
   }
 }
 
+#trivy:ignore:AVD-AWS-0132
 resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
   bucket = aws_s3_bucket.this.id
 
   rule {
     apply_server_side_encryption_by_default {
-      kms_master_key_id = var.kms_key_id
-      sse_algorithm     = var.kms_key_id != null ? "aws:kms" : "AES256"
+      sse_algorithm = "AES256"
     }
   }
 }
@@ -72,47 +84,118 @@ resource "aws_s3_bucket_public_access_block" "this" {
   restrict_public_buckets = true
 }
 
+locals {
+  real_source_accounts = [for a in var.source_accounts : a == "self" ? local.account_id : a]
+  elb_source_accounts  = length(var.source_organizations) > 0 ? ["*"] : sort(distinct(local.real_source_accounts))
+  alb_source_arns      = [for a in local.elb_source_accounts : "arn:aws:elasticloadbalancing:*:${a}:loadbalancer/*"]
+  nlb_source_arns      = [for a in local.elb_source_accounts : "arn:aws:logs:*:${a}:*"]
+}
+
 data "aws_iam_policy_document" "this" {
-  statement {
-    sid       = "AllowElbLogging"
-    actions   = ["s3:PutObject"]
-    effect    = "Allow"
-    resources = ["arn:${local.partition}:s3:::${aws_s3_bucket.this.bucket}/*"]
 
-    principals {
-      type        = "AWS"
-      identifiers = [data.aws_elb_service_account.principal.arn]
+  dynamic "statement" {
+    for_each = var.use_legacy_elb_policy ? [true] : []
+    content {
+      sid       = "AllowElbLogging"
+      actions   = ["s3:PutObject"]
+      effect    = "Allow"
+      resources = ["arn:${local.partition}:s3:::${aws_s3_bucket.this.bucket}/*"]
+
+      principals {
+        type        = "AWS"
+        identifiers = [data.aws_elb_service_account.principal.arn]
+      }
     }
   }
 
+  dynamic "statement" {
+    for_each = var.use_legacy_elb_policy ? [] : [true]
+    content {
+      sid       = "AllowAlbLogging"
+      actions   = ["s3:PutObject"]
+      effect    = "Allow"
+      resources = ["arn:${local.partition}:s3:::${aws_s3_bucket.this.bucket}/*"]
+      principals {
+        type        = "Service"
+        identifiers = ["logdelivery.elasticloadbalancing.amazonaws.com"]
+      }
+      dynamic "condition" {
+        for_each = length(local.alb_source_arns) > 0 ? [true] : []
+        content {
+          test     = "ArnLike"
+          variable = "aws:SourceArn"
+          values   = local.alb_source_arns
+        }
+      }
+      dynamic "condition" {
+        for_each = length(var.source_organizations) > 0 ? [true] : []
+        content {
+          test     = "StringEquals"
+          variable = "aws:SourceOrgId"
+          values   = var.source_organizations
+        }
+      }
+    }
+  }
   statement {
     sid       = "AllowNlbLogging"
     actions   = ["s3:PutObject"]
     effect    = "Allow"
     resources = ["arn:${local.partition}:s3:::${aws_s3_bucket.this.bucket}/*"]
-
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
     condition {
       test     = "StringEquals"
       variable = "s3:x-amz-acl"
       values   = ["bucket-owner-full-control"]
     }
-
-    principals {
-      type        = "Service"
-      identifiers = ["delivery.logs.amazonaws.com"]
+    dynamic "condition" {
+      for_each = length(local.nlb_source_arns) > 0 ? [true] : []
+      content {
+        test     = "ArnLike"
+        variable = "aws:SourceArn"
+        values   = local.nlb_source_arns
+      }
     }
+    dynamic "condition" {
+      for_each = length(var.source_organizations) > 0 ? [true] : []
+      content {
+        test     = "StringEquals"
+        variable = "aws:ResourceOrgID"
+        values   = var.source_organizations
+      }
+    }
+
   }
 
   statement {
     sid       = "AllowNlbLoggingAclAccess"
-    actions   = ["s3:GetBucketAcl"]
+    actions   = ["s3:GetBucketAcl", "s3:ListBucket"]
     effect    = "Allow"
     resources = [aws_s3_bucket.this.arn]
 
     principals {
       type        = "Service"
       identifiers = ["delivery.logs.amazonaws.com"]
     }
+    dynamic "condition" {
+      for_each = length(local.nlb_source_arns) > 0 ? [true] : []
+      content {
+        test     = "ArnLike"
+        variable = "aws:SourceArn"
+        values   = local.nlb_source_arns
+      }
+    }
+    dynamic "condition" {
+      for_each = length(var.source_organizations) > 0 ? [true] : []
+      content {
+        test     = "StringEquals"
+        variable = "aws:ResourceOrgID"
+        values   = var.source_organizations
+      }
+    }
   }
 }
 

main.tf

@@ -17,12 +17,6 @@ variable "create_athena_query" {
   type        = bool
 }
 
-variable "kms_key_id" {
-  default     = null
-  description = "KMS key to encrypt bucket with."
-  type        = string
-}
-
 variable "lifecycle_rules" {
   default     = []
   description = "lifecycle rules to apply to the bucket"
@@ -49,12 +43,30 @@ variable "s3_access_logging_prefix" {
   type        = string
 }
 
+variable "source_accounts" {
+  default     = ["self"]
+  description = "List of AWS account IDs to restrict log delivery to. Defaults to caller account. Set to an empty list to allow any account."
+  type        = list(string)
+}
+
+variable "source_organizations" {
+  default     = []
+  description = "List of AWS Organization IDs to restrict log delivery to. Overrides `source_accounts`."
+  type        = list(string)
+}
+
 variable "tags" {
   default     = {}
   description = "Tags to add to supported resources"
   type        = map(string)
 }
 
+variable "use_legacy_elb_policy" {
+  default     = false
+  description = "Use the legacy ELB policy statement from pre-2022."
+  type        = bool
+}
+
 variable "versioning_enabled" {
   default     = true
   description = "Whether or not to use versioning on the bucket. This can be useful for audit purposes since objects in a logging bucket should not be updated."

variables.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.13.4"
+  required_version = ">= 1.5"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.8"
+      version = ">= 5.0"
     }
     null = {
       source  = "hashicorp/null"