feat: Cloudfront logging

.terraform-docs.yml

@@ -24,9 +24,14 @@ content: |-
   {{- end }}
 
   # Examples
-    ### Basic Example
+    ### ALB Logs
     ```hcl
-    {{ include "examples/basic-example/main.tf" }}
+    {{ include "examples/alb-access-logs/main.tf" }}
+    ```
+
+    ### Cloudfront Logs
+    ```hcl
+    {{ include "examples/cloudfront-access-logs/main.tf" }}
     ```
 
 output:

README.md

@@ -61,6 +61,8 @@ tracking activity in your ALB or Cognito.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_allow_cloudfront_write_access_logs"></a> [allow\_cloudfront\_write\_access\_logs](#input\_allow\_cloudfront\_write\_access\_logs) | Enable ACL for CloudFront to write access logs. | `bool` | `false` | no |
+| <a name="input_allow_elb_write_access_logs"></a> [allow\_elb\_write\_access\_logs](#input\_allow\_elb\_write\_access\_logs) | Attach a policy to allow Elastic Load Balancing to write access logs. | `bool` | `true` | no |
 | <a name="input_deny_non_secure_transport"></a> [deny\_non\_secure\_transport](#input\_deny\_non\_secure\_transport) | Whether to attach a policy to the bucket to deny all non-SSL requests. | `bool` | `true` | no |
 | <a name="input_expiration"></a> [expiration](#input\_expiration) | The number of days after which to expunge the objects. | `number` | `365` | no |
 | <a name="input_mfa"></a> [mfa](#input\_mfa) | MFA device ARN including a TOTP token to enable MFA delete. | `string` | `null` | no |
@@ -77,6 +79,7 @@ tracking activity in your ALB or Cognito.
 | Name | Description |
 |------|-------------|
 | <a name="output_arn"></a> [arn](#output\_arn) | The arn of the bucket. |
+| <a name="output_domain_name"></a> [domain\_name](#output\_domain\_name) | The domain name of the bucket. |
 | <a name="output_id"></a> [id](#output\_id) | The id of the bucket. |
 
 ## Providers
@@ -88,22 +91,37 @@ tracking activity in your ALB or Cognito.
 ## Resources
 
 - resource.aws_s3_bucket.main (main.tf#21)
-- resource.aws_s3_bucket_lifecycle_configuration.main (main.tf#62)
-- resource.aws_s3_bucket_metric.main (main.tf#95)
+- resource.aws_s3_bucket_acl.main (main.tf#113)
+- resource.aws_s3_bucket_lifecycle_configuration.main (main.tf#63)
+- resource.aws_s3_bucket_metric.main (main.tf#98)
+- resource.aws_s3_bucket_ownership_controls.main (main.tf#103)
 - resource.aws_s3_bucket_policy.main (main.tf#37)
-- resource.aws_s3_bucket_public_access_block.main (main.tf#42)
-- resource.aws_s3_bucket_server_side_encryption_configuration.main (main.tf#51)
+- resource.aws_s3_bucket_public_access_block.main (main.tf#43)
+- resource.aws_s3_bucket_server_side_encryption_configuration.main (main.tf#52)
 - resource.aws_s3_bucket_versioning.main (main.tf#27)
-- data source.aws_elb_service_account.main (data.tf#1)
-- data source.aws_iam_policy_document.main (data.tf#3)
+- data source.aws_canonical_user_id.main (data.tf#1)
+- data source.aws_elb_service_account.main (data.tf#2)
+- data source.aws_iam_policy_document.main (data.tf#4)
 
 # Examples
-### Basic Example
+### ALB Logs
 ```hcl
-module "basic-example" {
+module "alb_logs" {
   source = "../../"
 
-  name = "my-access-logs"
+  name = "my-alb-access-logs-s3"
+}
+```
+
+### Cloudfront Logs
+```hcl
+module "cloudfront_logs" {
+  source = "../../"
+
+  name = "my-cloudfront-access-logs-s3"
+
+  allow_cloudfront_write_access_logs = true
+  allow_elb_write_access_logs        = false
 }
 ```
 <!-- END_TF_DOCS -->

data.tf

@@ -1,7 +1,7 @@
+data "aws_canonical_user_id" "main" {}
 data "aws_elb_service_account" "main" {}
 
 data "aws_iam_policy_document" "main" {
-
   dynamic "statement" {
     for_each = var.deny_non_secure_transport ? [1] : []
 
@@ -28,19 +28,22 @@ data "aws_iam_policy_document" "main" {
     }
   }
 
-  statement {
-    actions = ["s3:PutObject"]
-    effect  = "Allow"
-    sid     = "AllowElasticLoadBalancerToWriteAccessLogs"
+  dynamic "statement" {
+    for_each = var.allow_elb_write_access_logs ? [1] : []
 
+    content {
+      actions = ["s3:PutObject"]
+      effect  = "Allow"
+      sid     = "AllowElasticLoadBalancerToWriteAccessLogs"
 
-    resources = [
-      "${aws_s3_bucket.main.arn}/*"
-    ]
+      resources = [
+        "${aws_s3_bucket.main.arn}/AWSLogs/*"
+      ]
 
-    principals {
-      type        = "AWS"
-      identifiers = [data.aws_elb_service_account.main.arn]
+      principals {
+        type        = "AWS"
+        identifiers = [data.aws_elb_service_account.main.arn]
+      }
     }
   }
 }

examples/alb-access-logs/main.tf

@@ -0,0 +1,5 @@
+module "alb_logs" {
+  source = "../../"
+
+  name = "my-alb-access-logs-s3"
+}

examples/cloudfront-access-logs/main.tf

@@ -0,0 +1,8 @@
+module "cloudfront_logs" {
+  source = "../../"
+
+  name = "my-cloudfront-access-logs-s3"
+
+  allow_cloudfront_write_access_logs = true
+  allow_elb_write_access_logs        = false
+}

main.tf

@@ -36,6 +36,7 @@ resource "aws_s3_bucket_versioning" "main" {
 
 resource "aws_s3_bucket_policy" "main" {
   bucket = aws_s3_bucket.main.id
+
   policy = data.aws_iam_policy_document.main.json
 }
 
@@ -68,6 +69,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "main" {
 
     dynamic "transition" {
       for_each = coalesce(var.transitions, [])
+
       content {
         days          = transition.value.days
         storage_class = transition.value.storage_class
@@ -76,6 +78,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "main" {
 
     dynamic "noncurrent_version_transition" {
       for_each = coalesce(var.noncurrent_version_transitions, [])
+
       content {
         noncurrent_days = noncurrent_version_transition.value.noncurrent_days
         storage_class   = noncurrent_version_transition.value.storage_class
@@ -96,3 +99,44 @@ resource "aws_s3_bucket_metric" "main" {
   bucket = aws_s3_bucket.main.bucket
   name   = "EntireBucket"
 }
+
+resource "aws_s3_bucket_ownership_controls" "main" {
+  count = var.allow_cloudfront_write_access_logs ? 1 : 0
+
+  bucket = aws_s3_bucket.main.id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "main" {
+  count = var.allow_cloudfront_write_access_logs ? 1 : 0
+
+  bucket = aws_s3_bucket.main.bucket
+
+  access_control_policy {
+    owner {
+      id = data.aws_canonical_user_id.main.id
+    }
+
+    grant {
+      grantee {
+        id   = data.aws_canonical_user_id.main.id
+        type = "CanonicalUser"
+      }
+      permission = "FULL_CONTROL"
+    }
+
+    grant {
+      # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership
+      grantee {
+        id   = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
+        type = "CanonicalUser"
+      }
+      permission = "FULL_CONTROL"
+    }
+  }
+
+  depends_on = [aws_s3_bucket_ownership_controls.main]
+}

outputs.tf

@@ -7,3 +7,8 @@ output "arn" {
   description = "The arn of the bucket."
   value       = aws_s3_bucket.main.arn
 }
+
+output "domain_name" {
+  description = "The domain name of the bucket."
+  value       = aws_s3_bucket.main.bucket_domain_name
+}

variables.tf

@@ -82,3 +82,15 @@ variable "deny_non_secure_transport" {
   description = "Whether to attach a policy to the bucket to deny all non-SSL requests."
   type        = bool
 }
+
+variable "allow_elb_write_access_logs" {
+  description = "Attach a policy to allow Elastic Load Balancing to write access logs."
+  default     = true
+  type        = bool
+}
+
+variable "allow_cloudfront_write_access_logs" {
+  description = "Enable ACL for CloudFront to write access logs."
+  default     = false
+  type        = bool
+}