feat: ALB Connection logging (#334)

Co-authored-by: Bryant Biggs <[email protected]>

Author: magreenbaum

README.md

@@ -385,6 +385,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_logs"></a> [access\_logs](#input\_access\_logs) | Map containing access logging configuration for load balancer | `map(string)` | `{}` | no |
 | <a name="input_associate_web_acl"></a> [associate\_web\_acl](#input\_associate\_web\_acl) | Indicates whether a Web Application Firewall (WAF) ACL should be associated with the load balancer | `bool` | `false` | no |
+| <a name="input_connection_logs"></a> [connection\_logs](#input\_connection\_logs) | Map containing access logging configuration for load balancer | `map(string)` | `{}` | no |
 | <a name="input_create"></a> [create](#input\_create) | Controls if resources should be created (affects nearly all resources) | `bool` | `true` | no |
 | <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `true` | no |
 | <a name="input_customer_owned_ipv4_pool"></a> [customer\_owned\_ipv4\_pool](#input\_customer\_owned\_ipv4\_pool) | The ID of the customer owned ipv4 pool to use for this load balancer | `string` | `null` | no |

examples/complete-alb/main.tf

@@ -58,6 +58,13 @@ module "alb" {
 
   access_logs = {
     bucket = module.log_bucket.s3_bucket_id
+    prefix = "access-logs"
+  }
+
+  connection_logs = {
+    bucket  = module.log_bucket.s3_bucket_id
+    enabled = true
+    prefix  = "connection-logs"
   }
 
   listeners = {

main.tf

@@ -22,6 +22,15 @@ resource "aws_lb" "this" {
     }
   }
 
+  dynamic "connection_logs" {
+    for_each = length(var.connection_logs) > 0 ? [var.connection_logs] : []
+    content {
+      bucket  = connection_logs.value.bucket
+      enabled = try(connection_logs.value.enabled, true)
+      prefix  = try(connection_logs.value.prefix, null)
+    }
+  }
+
   customer_owned_ipv4_pool                                     = var.customer_owned_ipv4_pool
   desync_mitigation_mode                                       = var.desync_mitigation_mode
   dns_record_client_routing_policy                             = var.dns_record_client_routing_policy

variables.tf

@@ -20,6 +20,12 @@ variable "access_logs" {
   default     = {}
 }
 
+variable "connection_logs" {
+  description = "Map containing access logging configuration for load balancer"
+  type        = map(string)
+  default     = {}
+}
+
 variable "customer_owned_ipv4_pool" {
   description = "The ID of the customer owned ipv4 pool to use for this load balancer"
   type        = string

wrappers/main.tf

@@ -5,6 +5,7 @@ module "wrapper" {
 
   access_logs                                                  = try(each.value.access_logs, var.defaults.access_logs, {})
   associate_web_acl                                            = try(each.value.associate_web_acl, var.defaults.associate_web_acl, false)
+  connection_logs                                              = try(each.value.connection_logs, var.defaults.connection_logs, {})
   create                                                       = try(each.value.create, var.defaults.create, true)
   create_security_group                                        = try(each.value.create_security_group, var.defaults.create_security_group, true)
   customer_owned_ipv4_pool                                     = try(each.value.customer_owned_ipv4_pool, var.defaults.customer_owned_ipv4_pool, null)