From 3af109086c6614444af9087593c5c55c42102638 Mon Sep 17 00:00:00 2001
From: Ramesh Maddegoda <94033485+ramesh-maddegoda@users.noreply.github.com>
Date: Tue, 4 Feb 2025 19:36:06 -0800
Subject: [PATCH] ADD an S3 bucket (pds_nucleus_auth_alb_logs_bucket_logs) to enable logging for pds_nucleus_auth_alb_logs bucket for additional audit trails as per SonarQube suggestions. Refer to issue: NASA-PDS/nucleus#123
---
 .../cognito-auth/cognito-auth.tf | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/terraform/terraform-modules/cognito-auth/cognito-auth.tf b/terraform/terraform-modules/cognito-auth/cognito-auth.tf
index 7771da2..5dfc46d 100644
--- a/terraform/terraform-modules/cognito-auth/cognito-auth.tf
+++ b/terraform/terraform-modules/cognito-auth/cognito-auth.tf
@@ -30,6 +30,50 @@ resource "aws_s3_bucket" "pds_nucleus_auth_alb_logs" {
 bucket = "pds-nucleus-auth-alb-logs"
 }
+resource "aws_s3_bucket_logging" "pds_nucleus_auth_alb_logs_bucket_logging" {
+ bucket = aws_s3_bucket.pds_nucleus_auth_alb_logs.id
+
+ target_bucket = aws_s3_bucket.pds_nucleus_auth_alb_logs.id
+ target_prefix = "auth-alb-logs-bucket-logs"
+}
+
+# logging bucket for pds_nucleus_auth_alb_logs bucket
+resource "aws_s3_bucket" "pds_nucleus_auth_alb_logs_bucket_logs" {
+ bucket = "pds-nucleus-auth-alb-logs-bucket-logs"
+}
+
+data "aws_iam_policy_document" "pds_nucleus_auth_alb_logs_bucket_logs_bucket_policy" {
+ statement {
+ sid = "s3-log-delivery"
+ effect = "Allow"
+
+ principals {
+ type = "Service"
+ identifiers = ["logging.s3.amazonaws.com"]
+ }
+
+ actions = ["s3:PutObject"]
+
+ resources = [
+ "${aws_s3_bucket.pds_nucleus_auth_alb_logs_bucket_logs.arn}/*",
+ ]
+ }
+}
+
+resource "aws_s3_bucket_policy" "pds_nucleus_auth_alb_logs_bucket_logs_policy" {
+ bucket = aws_s3_bucket.pds_nucleus_auth_alb_logs_bucket_logs.id
+ policy = data.aws_iam_policy_document.pds_nucleus_auth_alb_logs_bucket_logs_bucket_policy.json
+}
+
+resource "aws_s3_bucket_public_access_block" "pds_nucleus_auth_alb_logs_public_access_block" {
+ bucket = aws_s3_bucket.pds_nucleus_auth_alb_logs.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
 data "aws_iam_policy_document" "pds_nucleus_auth_alb_logs_s3_bucket_policy" {
 statement {
 effect = "Allow"
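Review bot: `target_bucket` in `aws_s3_bucket_logging.pds_nucleus_auth_alb_logs_bucket_logging` points at the source bucket itself (`aws_s3_bucket.pds_nucleus_auth_alb_logs.id`) rather than the `pds_nucleus_auth_alb_logs_bucket_logs` bucket this commit creates, so the bucket would deliver its access logs into itself while the new bucket and its delivery policy go unused; it should read `target_bucket = aws_s3_bucket.pds_nucleus_auth_alb_logs_bucket_logs.id`. The new logs bucket also receives no `aws_s3_bucket_public_access_block`, unlike the source bucket in the same hunk; the same four `block_public_acls`/`block_public_policy`/`ignore_public_acls`/`restrict_public_buckets = true` settings should be applied to `aws_s3_bucket.pds_nucleus_auth_alb_logs_bucket_logs.id`. The `s3-log-delivery` statement lets `logging.s3.amazonaws.com` write on behalf of any source bucket; adding a `condition` on `aws:SourceArn` equal to `aws_s3_bucket.pds_nucleus_auth_alb_logs.arn` (and `aws:SourceAccount` for the owning account) would limit delivery to the intended bucket.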