From cb27cd6e669f3c7d76a2b62b961fd7648217aec1 Mon Sep 17 00:00:00 2001 
From: janvt Date: Fri, 26 May 2023 14:01:39 +0200 Subject: [PATCH] initial commit --- .editorconfig | 19 +++ .github/.templatesyncignore | 9 ++ .github/pull_request-template.md | 21 +++ .github/workflows/linter.yaml | 122 ++++++++++++++ .github/workflows/release.yaml | 96 +++++++++++ .github/workflows/semantic-pr.yaml | 73 +++++++++ .github/workflows/sync-templates.yaml | 63 ++++++++ .github/workflows/validate.yaml | 46 ++++++ .gitignore | 32 ++++ .pre-commit-config.yaml | 16 ++ .terraform-docs.yml | 46 ++++++ .tflint.hcl | 10 ++ LICENSE | 201 ++++++++++++++++++++++++ Makefile | 43 +++++ README.md | 127 +++++++++++++++ data.tf | 49 ++++++ docs/10-header.md | 1 + docs/20-badges.md | 36 +++++ examples/alb-access-logs/main.tf | 5 + examples/cloudfront-access-logs/main.tf | 8 + main.tf | 142 +++++++++++++++++ outputs.tf | 14 ++ test/.gitignore | 0 variables.tf | 96 +++++++++++ versions.tf | 10 ++ 25 files changed, 1285 insertions(+) create mode 100644 .editorconfig create mode 100644 .github/.templatesyncignore create mode 100644 .github/pull_request-template.md create mode 100644 .github/workflows/linter.yaml create mode 100644 .github/workflows/release.yaml create mode 100644 .github/workflows/semantic-pr.yaml create mode 100644 .github/workflows/sync-templates.yaml create mode 100644 .github/workflows/validate.yaml create mode 100644 .gitignore create mode 100644 .pre-commit-config.yaml create mode 100644 .terraform-docs.yml create mode 100644 .tflint.hcl create mode 100644 LICENSE create mode 100644 Makefile create mode 100644 README.md create mode 100644 data.tf create mode 100644 docs/10-header.md create mode 100644 docs/20-badges.md create mode 100644 examples/alb-access-logs/main.tf create mode 100644 examples/cloudfront-access-logs/main.tf create mode 100644 main.tf create mode 100644 outputs.tf create mode 100644 test/.gitignore create mode 100644 variables.tf create mode 100644 versions.tf 
diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..2705490 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,19 @@ +# top-most EditorConfig file +root = true + +# Unix-style newlines with a newline ending every file +[*] +charset = utf-8 +end_of_line = lf +indent_size = 2 +indent_style = space +insert_final_newline = true +max_line_length = 120 +trim_trailing_whitespace = true + +[*.md] +max_line_length = 0 +trim_trailing_whitespace = false + +[{Makefile,**.mk}] +indent_style = tab diff --git a/.github/.templatesyncignore b/.github/.templatesyncignore new file mode 100644 index 0000000..775d81f --- /dev/null +++ b/.github/.templatesyncignore @@ -0,0 +1,9 @@ +README.md +.github/workflows/* +.terraform-docs.yml +docs/20-badges.md +docs/assets/logo.svg +*.tf +test/* +go.mod +go.sum diff --git a/.github/pull_request-template.md b/.github/pull_request-template.md new file mode 100644 index 0000000..60761ad --- /dev/null +++ b/.github/pull_request-template.md @@ -0,0 +1,21 @@ + + + +## What it solves + +... + +## How this PR fixes it + +... + +## Readiness Checklist + +### Author/Contributor +- [ ] If documentation is needed for this change, has that been included in this pull request +- [ ] Pull request title is brief and descriptive (for a changelog entry) + +### Reviewing Maintainer +- [ ] Label as `breaking` if this is a large fundamental change +- [ ] Label as either `automation`, `bug`, `documentation`, or `enhancement` +- [ ] Label as `bump:patch`, `bump:minor`, or `bump:major` if this PR should create a new release diff --git a/.github/workflows/linter.yaml b/.github/workflows/linter.yaml new file mode 100644 index 0000000..79f6699 --- /dev/null +++ b/.github/workflows/linter.yaml 
@@ -0,0 +1,122 @@
+---
+################
+## Run linter ##
+################
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+name: Lint
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+##########################
+# Prevent duplicate jobs #
+##########################
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ pull-requests: write
+
+###############
+# Run the job #
+###############
+jobs:
+ ##########
+ # TF fmt #
+ ##########
+ tf-fmt:
+ name: FMT
+ runs-on: ubuntu-latest
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+
+ #####################
+ # Run Terraform fmt #
+ #####################
+ - name: Terraform fmt
+ uses: dflook/terraform-fmt-check@v1.29.1
+
+ ##########
+ # TFLint #
+ ##########
+ tf-lint:
+ name: TFLint
+ runs-on: ubuntu-latest
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+
+ #################
+ # Cache plugins #
+ #################
+ - name: Cache plugin dir
+ uses: actions/cache@v3.0.11
+ with:
+ path: ~/.tflint.d/plugins
+ key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
+
+ ################
+ # Setup TFLint #
+ ################
+ - name: Setup TFLint
+ uses: terraform-linters/setup-tflint@v2
+ with:
+ tflint_version: v0.42.2
+
+ ###############
+ # Init TFLint #
+ ###############
+ - name: Init TFLint
+ run: tflint --init
+
+ ##############
+ # Run TFLint #
+ ##############
+ - name: Run TFLint
+ run: tflint -f compact
+
+ ###########
+ # TF docs #
+ ###########
+ tf-docs:
+ name: Docs
+ if: ${{ github.event_name == 'pull_request' }}
+ permissions:
+ contents: write
+ pull-requests: write
+
+ runs-on: ubuntu-latest
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ ####################
+ # Update README.md #
+ ####################
+ - name: Terraform docs
+ uses: terraform-docs/gh-actions@v1.0.0
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ config-file: .terraform-docs.yml
+ git-push: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..a66b5c7
--- /dev/null
+++ b/.github/workflows/release.yaml
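Review bot: In the `Cache plugin dir` step of the TFLint job, the key `${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}` references a matrix the job never declares, so the expression expands to an empty string and every run shares the key `-tflint-<hash>`; use `${{ runner.os }}-tflint-${{ hashFiles('.tflint.hcl') }}` instead. The Docs job checks out `github.event.pull_request.head.ref` and pushes with `contents: write` on a `pull_request` event, which will fail for pull requests from forks (the branch does not exist in this repository and the token is read-only there), so gate it with `if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository`. Every third-party action here and in release.yaml, semantic-pr.yaml, sync-templates.yaml and validate.yaml is pinned to a mutable tag such as `dflook/terraform-fmt-check@v1.29.1`; pinning to the full commit SHA with the tag in a trailing comment prevents a re-tagged release from changing what runs with this repository's write token.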
@@ -0,0 +1,96 @@
+---
+#####################
+## Create releases ##
+#####################
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+name: Release
+on:
+ push:
+ branches: [ main ]
+ tags: [ 'v*.*.*' ]
+ pull_request:
+ types: [ labeled ]
+
+#################
+# Start the job #
+#################
+jobs:
+ ###############
+ # Steps below #
+ ###############
+ create-release:
+ name: Create Release
+ if: github.event.action != 'labeled'
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+
+ ###################################
+ # Bump version depending on label #
+ ###################################
+ - name: Bump version
+ if: "!startsWith(github.ref, 'refs/tags/')"
+ id: bumpr
+ uses: haya14busa/action-bumpr@v1
+
+ ###################
+ # Update the tags #
+ ###################
+ - name: Update tag
+ if: "!steps.bumpr.outputs.skip"
+ uses: haya14busa/action-update-semver@v1
+ with:
+ tag: ${{ steps.bumpr.outputs.next_version }}
+
+ ################
+ # Get tag name #
+ ################
+ - name: Get tag name
+ id: tag
+ uses: haya14busa/action-cond@v1
+ with:
+ cond: "${{ startsWith(github.ref, 'refs/tags/') }}"
+ if_true: ${{ github.ref }}
+ if_false: ${{ steps.bumpr.outputs.next_version }}
+
+ ##################
+ # Create release #
+ ##################
+ - name: Create release
+ uses: softprops/action-gh-release@v1
+ if: "steps.tag.outputs.value != ''"
+ with:
+ name: Release ${{ steps.tag.outputs.value }}
+ body: ${{ steps.bumpr.outputs.message }}
+ tag_name: ${{ steps.tag.outputs.value }}
+ draft: false
+ prerelease: false
+
+ ###########################
+ # Release preview comment #
+ ###########################
+ release-check:
+ if: github.event.action == 'labeled'
+ runs-on: ubuntu-latest
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+
+ #######################
+ # Post status comment #
+ #######################
+ - name: Post bumpr status comment
+ uses: haya14busa/action-bumpr@v1
diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml
new file mode 100644
index 0000000..528ee15
--- /dev/null
+++ b/.github/workflows/semantic-pr.yaml
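Review bot: release.yaml declares no `permissions:` block, unlike linter.yaml and semantic-pr.yaml on this page, so both jobs run with whatever default GITHUB_TOKEN scope the repository setting grants; the `Update tag` and `Create release` steps need `contents: write` and the bumpr status comment needs `pull-requests: write`, so grant exactly those per job, `permissions: {contents: write}` on `create-release` and `permissions: {pull-requests: write}` on `release-check`. sync-templates.yaml and validate.yaml have the same gap (validate needs only `contents: read`). The `pull_request: types: [labeled]` trigger also runs `release-check` for labeled PRs from forks, where the token is read-only and the comment step will presumably fail; a comment next to the trigger noting this would save the next maintainer a debugging round.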
@@ -0,0 +1,73 @@
+---
+#####################
+## Run Semantic PR ##
+#####################
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+name: Semantic PR
+on:
+ pull_request:
+ types: [ opened, edited, synchronize ]
+
+##########################
+# Prevent duplicate jobs #
+##########################
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ pull-requests: write
+
+###############
+# Run the job #
+###############
+jobs:
+ ###############
+ # Semantic PR #
+ ###############
+ semantic-pr:
+ name: Validate PR
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ ############
+ # Check PR #
+ ############
+ - name: Check PR
+ id: lint-pr-title
+ uses: amannn/action-semantic-pull-request@v5.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ #############################
+ # Add PR comment with error #
+ #############################
+ - name: Add PR error comment
+ uses: marocchino/sticky-pull-request-comment@v2.3.0
+ if: always() && (steps.lint-pr-title.outputs.error_message != null)
+ with:
+ header: pr-title-lint-error
+ message: |
+ We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.
+
+ Details:
+
+ ```
+ ${{ steps.lint-pr-title.outputs.error_message }}
+ ```
+
+ ################################
+ # Delete PR comment with error #
+ ################################
+ - name: Delete PR error comment
+ uses: marocchino/sticky-pull-request-comment@v2.3.0
+ if: ${{ steps.lint_pr_title.outputs.error_message == null }}
+ with:
+ header: pr-title-lint-error
+ delete: true
diff --git a/.github/workflows/sync-templates.yaml b/.github/workflows/sync-templates.yaml
new file mode 100644
index 0000000..dfa10ab
--- /dev/null
+++ b/.github/workflows/sync-templates.yaml
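Review bot: The `Delete PR error comment` step conditions on `steps.lint_pr_title.outputs.error_message` while the check step is declared `id: lint-pr-title`, so the reference never resolves, `== null` is always true, and the sticky error comment posted by the preceding step is removed again in the same run. Change the condition to `if: ${{ steps.lint-pr-title.outputs.error_message == null }}`. The workflow runs on `pull_request` rather than `pull_request_target`, so `pull-requests: write` does not apply to fork PRs and both comment steps will presumably fail there; that is the safer choice for untrusted PR content, and a comment next to `on:` saying so would keep someone from "fixing" it by switching the trigger.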
@@ -0,0 +1,63 @@
+---
+#########################
+## Sync template files ##
+#########################
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+name: Sync templates
+on:
+ workflow_dispatch: # Trigger manually
+ schedule:
+ - cron: "0 0 1 * *" # Run at 00:00 on the first day of every month
+
+##########################
+# Prevent duplicate jobs #
+##########################
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+###############
+# Run the job #
+###############
+jobs:
+ ###############
+ # Sync labels #
+ ###############
+ sync-labels:
+ name: Sync labels
+ runs-on: ubuntu-latest
+ steps:
+ ##################################
+ # Sync labels with template Repo #
+ ##################################
+ - name: Sync labels
+ uses: EndBug/label-sync@v2.3.1
+ with:
+ config-file: https://gist.githubusercontent.com/Ic3w0lf/f5520c5f19d7098966f692c120f7a197/raw/75b134f76fbc55e2e64bd66f04e571d6d74b815e/terraform-aws-module-labels.yaml
+
+ #######################
+ # Sync template files #
+ #######################
+ sync-template-files:
+ name: Sync template files
+ runs-on: ubuntu-latest
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+
+ #######################
+ # Sync template files #
+ #######################
+ - name: actions-template-sync
+ uses: AndreasAugustin/actions-template-sync@v0.7.3
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ source_repo_path: geekcell/terraform-aws-module-template
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
new file mode 100644
index 0000000..1d0cd87
--- /dev/null
+++ b/.github/workflows/validate.yaml
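Review bot: The `Sync labels` step pulls its configuration from a personal gist (`Ic3w0lf/...`) rather than from the template repository the next job syncs from, and nothing documents who owns that gist or how it is updated; the URL pins a raw revision hash so the content cannot change silently, but a comment such as `# Label set maintained in the gist owner's account; bump the revision hash here when it changes` would make the external dependency and its update path explicit. `actions-template-sync` opens pull requests with `secrets.GITHUB_TOKEN`, and `.github/.templatesyncignore` in this commit already excludes `.github/workflows/*`; stating that in the job's header comment would record why workflow changes from the template cannot arrive through those PRs and that the ignore list must be kept if that property is to hold.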
@@ -0,0 +1,46 @@
+---
+##################
+## Run validate ##
+##################
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+name: Validate
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+##########################
+# Prevent duplicate jobs #
+##########################
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+###############
+# Run the job #
+###############
+jobs:
+ ###############
+ # TF validate #
+ ###############
+ tf-validate:
+ name: Validate
+ runs-on: ubuntu-latest
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+
+ ##########################
+ # Run Terraform validate #
+ ##########################
+ - name: Terraform validate
+ uses: dflook/terraform-validate@v1.29.1
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2485c8f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,32 @@
+# Local .terraform directories
+**/.terraform
+
+# Terraform lockfile
+.terraform.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# IDE
+.idea
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..e7c9291
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,16 @@ +repos: + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.76.0 + hooks: + - id: terraform_docs + - id: terraform_fmt + - id: terraform_validate + exclude: '^[^/]+$' + - id: terraform_tflint + exclude: ^examples/ + + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.3.0 + hooks: + - id: trailing-whitespace + - id: end-of-file-fixer diff --git a/.terraform-docs.yml b/.terraform-docs.yml new file mode 100644 index 0000000..7b6c10c --- /dev/null +++ b/.terraform-docs.yml @@ -0,0 +1,46 @@ +formatter: "md table" +header-from: main.tf + +recursive: + # Enable this if your module has submodules + enabled: false + +content: |- + {{ include "docs/10-header.md" }} + + {{ include "docs/20-badges.md" }} + + {{ .Header }} + + {{ .Inputs }} + + {{ .Outputs }} + + {{ .Providers }} + + ## Resources + {{ range .Module.Resources }} + - {{ .GetMode }}.{{ .Spec }} ({{ .Position.Filename }}#{{ .Position.Line }}) + {{- end }} + + # Examples + ### ALB Logs + ```hcl + {{ include "examples/alb-access-logs/main.tf" }} + ``` + + ### Cloudfront Logs + ```hcl + {{ include "examples/cloudfront-access-logs/main.tf" }} + ``` + +output: + file: "README.md" + mode: inject + template: |- + + {{ .Content }} + + +settings: + lockfile: false diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 0000000..db94b46 --- /dev/null +++ b/.tflint.hcl @@ -0,0 +1,10 @@ +plugin "terraform" { + enabled = true + preset = "all" +} + +plugin "aws" { + enabled = true + version = "0.18.0" + source = "github.com/terraform-linters/tflint-ruleset-aws" +} diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..c844c70 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2017-2020 Cloud Posse, LLC + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..8567b26 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,43 @@ +.DEFAULT_GOAL = help + +TEMPLATE_REPO := https://github.com/geekcell/template-terraform-module.git +UPDATABLE_TEMPLATE_FILES := .github/ docs/logo.md .editorconfig .gitignore .pref-commit-config.yaml .terraform-docs.yml .tflint.hcl LICENSE Makefile + +######### +# SETUP # +######### +.PHONY: setup/run +setup/run: setup/install-tools pre-commit/install-hooks ## Install and setup necessary tools + +.PHONY: setup/install-tools +setup/install-tools: # Install required tools +ifeq (, $(shell which brew)) + @echo "No brew in $$PATH. Currently only brew is supported for installing tools." +else + @brew install pre-commit terraform terraform-docs tflint +endif + +.PHONY: setup/update-template +setup/update-template: ## Pull the latest template files from the main repo + @git config remote.terraform-module-template.url >&- || git remote add terraform-module-template $(TEMPLATE_REPO) + @git fetch terraform-module-template main + @git checkout -p terraform-module-template/main $(UPDATABLE_TEMPLATE_FILES) + +############## +# PRE-COMMIT # +############## +.PHONY: pre-commit/install-hooks +pre-commit/install-hooks: ## Install pre-commit git hooks script + @git init + @pre-commit install + +.PHONY: pre-commit/run-all +pre-commit/run-all: ## Run pre-commit against all files + @pre-commit run -a + +######## +# HELP # +######## +.PHONY: help +help: ## Shows this help + @awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_\-\.\/]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST) diff --git a/README.md b/README.md new file mode 100644 index 0000000..42ad8bb --- /dev/null +++ b/README.md 
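Review bot: `UPDATABLE_TEMPLATE_FILES` lists `.pref-commit-config.yaml`, but the file this commit adds is `.pre-commit-config.yaml`, and `docs/logo.md` does not exist in this tree (docs/ holds `10-header.md` and `20-badges.md`), so `setup/update-template` will never pull either path; fix the typo and drop or correct the logo entry. `TEMPLATE_REPO` points at `geekcell/template-terraform-module.git` while sync-templates.yaml syncs from `geekcell/terraform-aws-module-template`; one of the two is presumably stale, and they should agree since this target checks files from that remote out into the working tree. Because the list includes the whole `.github/` directory, a comment above it noting that workflow files are pulled too and must be reviewed hunk by hunk in the interactive `checkout -p` prompt would make the review obligation explicit.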
@@ -0,0 +1,127 @@
+
+[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/.github/main/geekcell-github-banner.png)](https://www.geekcell.io/)
+
+### Code Quality
+[![License](https://img.shields.io/github/license/geekcell/terraform-aws-s3-access-log-bucket)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/blob/master/LICENSE)
+[![GitHub release (latest tag)](https://img.shields.io/github/v/release/geekcell/terraform-aws-s3-access-log-bucket?logo=github&sort=semver)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/releases)
+[![Release](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/release.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/release.yaml)
+[![Validate](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/validate.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/validate.yaml)
+[![Lint](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/linter.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/linter.yaml)
+
+
+
+# Terraform AWS S3 Access Log Bucket
+
+This Terraform module provides a preconfigured solution for setting up S3
+access logs in your AWS account to store logs from your Application Load
+Balancer (ALB) or Cognito User Pool. S3 access logs track requests made to
+an S3 bucket or to your ALB or Cognito, allowing you to monitor activity
+and analyze trends in your data. With this Terraform module, you can easily
+and efficiently set up and manage S3 access logs for your ALB or Cognito,
+ensuring that you have a complete picture of the activity in your
+environment.
+
+Our team has extensive experience working with S3 and has optimized this
+module to provide the best possible experience for users. 
The module
+encapsulates all necessary configurations, making it easy to use and
+integrate into your existing AWS environment. Whether you are just getting
+started with S3 access logs or looking for a more efficient way to manage
+your logs, this Terraform module provides a preconfigured solution for
+tracking activity in your ALB or Cognito.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [allow\_cloudfront\_write\_access\_logs](#input\_allow\_cloudfront\_write\_access\_logs) | Enable ACL for CloudFront to write access logs. | `bool` | `false` | no |
+| [allow\_elb\_write\_access\_logs](#input\_allow\_elb\_write\_access\_logs) | Attach a policy to allow Elastic Load Balancing to write access logs. | `bool` | `true` | no |
+| [deny\_non\_secure\_transport](#input\_deny\_non\_secure\_transport) | Whether to attach a policy to the bucket to deny all non-SSL requests. | `bool` | `true` | no |
+| [expiration](#input\_expiration) | The number of days after which to expunge the objects. | `number` | `365` | no |
+| [mfa](#input\_mfa) | MFA device ARN including a TOTP token to enable MFA delete. | `string` | `null` | no |
+| [mfa\_delete](#input\_mfa\_delete) | Specifies whether MFA delete is enabled in the bucket. | `string` | `"Disabled"` | no |
+| [name](#input\_name) | The name of the bucket. | `string` | n/a | yes |
+| [noncurrent\_version\_expiration](#input\_noncurrent\_version\_expiration) | The number of days after which to delete the noncurrent object. | `number` | `90` | no |
+| [noncurrent\_version\_transitions](#input\_noncurrent\_version\_transitions) | Transition to another storage class for noncurrent\_versions. |
list(object({
noncurrent_days = number
storage_class = string
}))
|
[
{
"noncurrent_days": 30,
"storage_class": "STANDARD_IA"
}
]
| no |
+| [tags](#input\_tags) | Tags to add to the AWS Customer Managed Key. | `map(any)` | `{}` | no |
+| [transitions](#input\_transitions) | Transition to another storage class. |
list(object({
days = number
storage_class = string
}))
|
[
{
"days": 30,
"storage_class": "STANDARD_IA"
},
{
"days": 60,
"storage_class": "GLACIER"
},
{
"days": 180,
"storage_class": "DEEP_ARCHIVE"
}
]
| no |
+| [versioning](#input\_versioning) | Enables versioning of objects in the bucket. | `string` | `"Enabled"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [arn](#output\_arn) | The arn of the bucket. |
+| [domain\_name](#output\_domain\_name) | The domain name of the bucket. |
+| [id](#output\_id) | The id of the bucket. |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 4.40 |
+
+## Resources
+
+- resource.aws_s3_bucket.main (main.tf#21)
+- resource.aws_s3_bucket_acl.main (main.tf#113)
+- resource.aws_s3_bucket_lifecycle_configuration.main (main.tf#63)
+- resource.aws_s3_bucket_metric.main (main.tf#98)
+- resource.aws_s3_bucket_ownership_controls.main (main.tf#103)
+- resource.aws_s3_bucket_policy.main (main.tf#37)
+- resource.aws_s3_bucket_public_access_block.main (main.tf#43)
+- resource.aws_s3_bucket_server_side_encryption_configuration.main (main.tf#52)
+- resource.aws_s3_bucket_versioning.main (main.tf#27)
+- data source.aws_canonical_user_id.main (data.tf#1)
+- data source.aws_elb_service_account.main (data.tf#2)
+- data source.aws_iam_policy_document.main (data.tf#4)
+
+# Examples
+### ALB Logs
+```hcl
+module "alb_logs" {
+ source = "../../"
+
+ name = "my-alb-access-logs-s3"
+}
+```
+
+### Cloudfront Logs
+```hcl
+module "cloudfront_logs" {
+ source = "../../"
+
+ name = "my-cloudfront-access-logs-s3"
+
+ allow_cloudfront_write_access_logs = true
+ allow_elb_write_access_logs = false
+}
+```
+
diff --git a/data.tf b/data.tf
new file mode 100644
index 0000000..847fe94
--- /dev/null
+++ b/data.tf
@@ -0,0 +1,49 @@
+data "aws_canonical_user_id" "main" {}
+data "aws_elb_service_account" "main" {}
+
+data "aws_iam_policy_document" "main" {
+ dynamic "statement" {
+ for_each = var.deny_non_secure_transport ? [1] : []
+
+ content {
+ actions = ["s3:*"]
+ effect = "Deny"
+ sid = "DenyNonSecureTransport"
+
+ resources = [
+ aws_s3_bucket.main.arn,
+ "${aws_s3_bucket.main.arn}/*"
+ ]
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+ }
+ }
+
+ dynamic "statement" {
+ for_each = var.allow_elb_write_access_logs ? [1] : []
+
+ content {
+ actions = ["s3:PutObject"]
+ effect = "Allow"
+ sid = "AllowElasticLoadBalancerToWriteAccessLogs"
+
+ resources = [
+ "${aws_s3_bucket.main.arn}/AWSLogs/*"
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = [data.aws_elb_service_account.main.arn]
+ }
+ }
+ }
+}
diff --git a/docs/10-header.md b/docs/10-header.md
new file mode 100644
index 0000000..3843bbf
--- /dev/null
+++ b/docs/10-header.md
@@ -0,0 +1 @@
+[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/.github/main/geekcell-github-banner.png)](https://www.geekcell.io/)
diff --git a/docs/20-badges.md b/docs/20-badges.md
new file mode 100644
index 0000000..588f6b9
--- /dev/null
+++ b/docs/20-badges.md
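Review bot: The `AllowElasticLoadBalancerToWriteAccessLogs` statement grants `s3:PutObject` on `${aws_s3_bucket.main.arn}/AWSLogs/*` to the regional ELB service account, which writes on behalf of every AWS account in that Region, so load balancers owned by other accounts can also deliver objects into this bucket. Unless cross-account delivery is intended, scope the resource to the owning account, `"${aws_s3_bucket.main.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"`, backed by `data "aws_caller_identity" "current" {}` next to the other data sources. Per the AWS documentation, Regions opened after August 2022 do not use the ELB account principal at all and require the `logdelivery.elasticloadbalancing.amazonaws.com` service principal instead, so the statement as written would not enable delivery there. A comment on the `DenyNonSecureTransport` statement such as `# A Deny with principal "*" is not treated as public by S3, so block_public_policy does not reject it` would document why it coexists with the public access block in main.tf.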
@@ -0,0 +1,36 @@
+### Code Quality
+[![License](https://img.shields.io/github/license/geekcell/terraform-aws-s3-access-log-bucket)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/blob/master/LICENSE)
+[![GitHub release (latest tag)](https://img.shields.io/github/v/release/geekcell/terraform-aws-s3-access-log-bucket?logo=github&sort=semver)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/releases)
+[![Release](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/release.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/release.yaml)
+[![Validate](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/validate.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/validate.yaml)
+[![Lint](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/linter.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/linter.yaml)
+
+
diff --git a/examples/alb-access-logs/main.tf b/examples/alb-access-logs/main.tf
new file mode 100644
index 0000000..38f0692
--- /dev/null
+++ b/examples/alb-access-logs/main.tf
@@ -0,0 +1,5 @@
+module "alb_logs" {
+ source = "../../"
+
+ name = "my-alb-access-logs-s3"
+}
diff --git a/examples/cloudfront-access-logs/main.tf b/examples/cloudfront-access-logs/main.tf
new file mode 100644
index 0000000..de63293
--- /dev/null
+++ b/examples/cloudfront-access-logs/main.tf
@@ -0,0 +1,8 @@
+module "cloudfront_logs" {
+ source = "../../"
+
+ name = "my-cloudfront-access-logs-s3"
+
+ allow_cloudfront_write_access_logs = true
+ allow_elb_write_access_logs = false
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..b9bba9b
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,142 @@
+/**
+ * # Terraform AWS S3 Access Log Bucket
+ *
+ * This Terraform module provides a preconfigured solution for setting up S3
+ * access logs in your AWS account to store logs from your Application Load
+ * Balancer (ALB) or Cognito User Pool. S3 access logs track requests made to
+ * an S3 bucket or to your ALB or Cognito, allowing you to monitor activity
+ * and analyze trends in your data. With this Terraform module, you can easily
+ * and efficiently set up and manage S3 access logs for your ALB or Cognito,
+ * ensuring that you have a complete picture of the activity in your
+ * environment.
+ *
+ * Our team has extensive experience working with S3 and has optimized this
+ * module to provide the best possible experience for users. The module
+ * encapsulates all necessary configurations, making it easy to use and
+ * integrate into your existing AWS environment. Whether you are just getting
+ * started with S3 access logs or looking for a more efficient way to manage
+ * your logs, this Terraform module provides a preconfigured solution for
+ * tracking activity in your ALB or Cognito. 
+ */
+resource "aws_s3_bucket" "main" {
+ bucket = var.name
+
+ tags = var.tags
+}
+
+resource "aws_s3_bucket_versioning" "main" {
+ bucket = aws_s3_bucket.main.id
+ mfa = var.mfa
+
+ versioning_configuration {
+ status = var.versioning
+ mfa_delete = var.mfa_delete
+ }
+}
+
+resource "aws_s3_bucket_policy" "main" {
+ bucket = aws_s3_bucket.main.id
+
+ policy = data.aws_iam_policy_document.main.json
+}
+
+resource "aws_s3_bucket_public_access_block" "main" {
+ bucket = aws_s3_bucket.main.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "main" {
+ bucket = aws_s3_bucket.main.bucket
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ bucket_key_enabled = true
+ }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "main" {
+ bucket = aws_s3_bucket.main.bucket
+
+ rule {
+ id = "transitions"
+ status = "Enabled"
+
+ dynamic "transition" {
+ for_each = coalesce(var.transitions, [])
+
+ content {
+ days = transition.value.days
+ storage_class = transition.value.storage_class
+ }
+ }
+
+ dynamic "noncurrent_version_transition" {
+ for_each = coalesce(var.noncurrent_version_transitions, [])
+
+ content {
+ noncurrent_days = noncurrent_version_transition.value.noncurrent_days
+ storage_class = noncurrent_version_transition.value.storage_class
+ }
+ }
+
+ expiration {
+ days = var.expiration
+ }
+
+ noncurrent_version_expiration {
+ noncurrent_days = var.noncurrent_version_expiration
+ }
+ }
+}
+
+resource "aws_s3_bucket_metric" "main" {
+ bucket = aws_s3_bucket.main.bucket
+ name = "EntireBucket"
+}
+
+resource "aws_s3_bucket_ownership_controls" "main" {
+ count = var.allow_cloudfront_write_access_logs ? 1 : 0
+
+ bucket = aws_s3_bucket.main.id
+
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
+resource "aws_s3_bucket_acl" "main" {
+ count = var.allow_cloudfront_write_access_logs ? 
1 : 0
+
+ bucket = aws_s3_bucket.main.bucket
+
+ access_control_policy {
+ owner {
+ id = data.aws_canonical_user_id.main.id
+ }
+
+ grant {
+ grantee {
+ id = data.aws_canonical_user_id.main.id
+ type = "CanonicalUser"
+ }
+ permission = "FULL_CONTROL"
+ }
+
+ grant {
+ # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership
+ grantee {
+ id = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
+ type = "CanonicalUser"
+ }
+ permission = "FULL_CONTROL"
+ }
+ }
+
+ depends_on = [aws_s3_bucket_ownership_controls.main]
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..429bd10
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,14 @@
+output "id" {
+ description = "The id of the bucket."
+ value = aws_s3_bucket.main.id
+}
+
+output "arn" {
+ description = "The arn of the bucket."
+ value = aws_s3_bucket.main.arn
+}
+
+output "domain_name" {
+ description = "The domain name of the bucket."
+ value = aws_s3_bucket.main.bucket_domain_name
+}
diff --git a/test/.gitignore b/test/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..2bd3055
--- /dev/null
+++ b/variables.tf
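Review bot: `aws_s3_bucket_policy.main` is created unconditionally, but when both `deny_non_secure_transport` and `allow_elb_write_access_logs` are false `data.aws_iam_policy_document.main` renders with an empty `Statement` list, which S3 is likely to reject as a malformed policy at apply time. Guard the resource with `count = (var.deny_non_secure_transport || var.allow_elb_write_access_logs) ? 1 : 0`. The server-side encryption block also hard-codes `AES256` without saying why; a comment such as `# SSE-S3 only: ALB access-log delivery does not support SSE-KMS on the destination bucket` would stop a later switch to a KMS key from silently breaking log delivery. The hard-coded CloudFront canonical user id in the second `grant` is already explained by the adjacent documentation link, which is the right pattern for the AES256 line too.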
@@ -0,0 +1,96 @@
+# Context
+variable "tags" {
+ default = {}
+ description = "Tags to add to the AWS Customer Managed Key."
+ type = map(any)
+}
+
+# AWS S3
+variable "expiration" {
+ default = 365
+ description = "The number of days after which to expunge the objects."
+ type = number
+}
+
+variable "name" {
+ description = "The name of the bucket."
+ type = string
+}
+
+variable "noncurrent_version_expiration" {
+ default = 90
+ description = "The number of days after which to delete the noncurrent object."
+ type = number
+}
+
+variable "noncurrent_version_transitions" {
+ default = [
+ {
+ noncurrent_days = 30
+ storage_class = "STANDARD_IA"
+ }
+ ]
+ description = "Transition to another storage class for noncurrent_versions."
+ type = list(object({
+ noncurrent_days = number
+ storage_class = string
+ }))
+}
+
+variable "transitions" {
+ default = [
+ {
+ days = 30
+ storage_class = "STANDARD_IA"
+ },
+ {
+ days = 60
+ storage_class = "GLACIER"
+ },
+ {
+ days = 180
+ storage_class = "DEEP_ARCHIVE"
+ }
+ ]
+ description = "Transition to another storage class."
+ type = list(object({
+ days = number
+ storage_class = string
+ }))
+}
+
+variable "versioning" {
+ default = "Enabled"
+ description = "Enables versioning of objects in the bucket."
+ type = string
+}
+
+variable "mfa_delete" {
+ default = "Disabled"
+ description = "Specifies whether MFA delete is enabled in the bucket."
+ type = string
+}
+
+variable "mfa" {
+ default = null
+ description = "MFA device ARN including a TOTP token to enable MFA delete."
+ type = string
+}
+
+variable "deny_non_secure_transport" {
+ default = true
+ description = "Whether to attach a policy to the bucket to deny all non-SSL requests."
+ type = bool
+}
+
+variable "allow_elb_write_access_logs" {
+ description = "Attach a policy to allow Elastic Load Balancing to write access logs." 
+ default = true
+ type = bool
+}
+
+variable "allow_cloudfront_write_access_logs" {
+ description = "Enable ACL for CloudFront to write access logs."
+ default = false
+ type = bool
+}
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..2e79970
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.3"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.40"
+ }
+ }
+}
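Review bot: `variable "mfa"` carries a live TOTP code alongside the device ARN but is not marked sensitive, so whenever it is set the value is echoed in plan output and CI logs; add `sensitive = true` to that block. The `tags` description, `"Tags to add to the AWS Customer Managed Key."`, is a copy-paste leftover and should read `"Tags to add to the bucket."`, since `aws_s3_bucket.main` is the only tagged resource in this module (the README table inherits the same text). `mfa_delete` and `versioning` are free-form strings that the S3 API only accepts with a small fixed set of values (`Enabled`/`Disabled`, and `Suspended` for versioning), so a `validation` block on each would turn a typo into a plan-time error instead of an apply-time API failure.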