From 972da8cc12f9678abdc050fd8e566eb9eb261a12 Mon Sep 17 00:00:00 2001 From: Jakub Rosa Date: Fri, 11 Jun 2021 18:19:58 +0200 Subject: [PATCH] Add possible disable logs for s3 (#63) * add possibility to disable access logs for s3 --- README.md | 129 ++++++++++++++++++++++++++-------------------- docs/terraform.md | 123 ++++++++++++++++++++++++------------------- main.tf | 10 ++-- variables.tf | 6 +++ 4 files changed, 157 insertions(+), 111 deletions(-) diff --git a/README.md b/README.md index b13154a..ddb0746 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ + # terraform-aws-s3-website [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-s3-website.svg)](https://github.com/cloudposse/terraform-aws-s3-website/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) @@ -30,7 +31,6 @@ Terraform module to provision S3-backed Websites. **IMPORTANT:** This module provisions a globally accessible S3 bucket for unauthenticated users because it is designed for hosting public static websites. Normally, AWS recommends that S3 buckets should not publicly accessible in order to protect S3 data from unauthorized users. - --- This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps. @@ -61,7 +61,6 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are - ## Security & Compliance [](https://bridgecrew.io/) Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance. 
@@ -154,73 +153,92 @@ Available targets: | Name | Version | |------|---------| -| terraform | >= 0.13.0 | -| aws | >= 2.0 | -| local | >= 1.2 | +| [terraform](#requirement\_terraform) | >= 0.13.0 | +| [aws](#requirement\_aws) | >= 2.0 | +| [local](#requirement\_local) | >= 1.2 | ## Providers | Name | Version | |------|---------| -| aws | >= 2.0 | +| [aws](#provider\_aws) | >= 2.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [default\_label](#module\_default\_label) | cloudposse/label/null | 0.24.1 | +| [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.12.0 | +| [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.20.0 | +| [this](#module\_this) | cloudposse/label/null | 0.24.1 | + +## Resources + +| Name | Type | +|------|------| +| [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| additional\_tag\_map | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | -| attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | -| context | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | -| cors\_allowed\_headers | List of allowed headers | `list(string)` |
[
"*"
]
| no | -| cors\_allowed\_methods | List of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) | `list(string)` |
[
"GET"
]
| no | -| cors\_allowed\_origins | List of allowed origins (e.g. example.com, test.com) | `list(string)` |
[
"*"
]
| no | -| cors\_expose\_headers | List of expose header in the response | `list(string)` |
[
"ETag"
]
| no | -| cors\_max\_age\_seconds | Time in seconds that browser can cache the response | `number` | `3600` | no | -| delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| deployment\_actions | List of actions to permit deployment ARNs to perform | `list(string)` |
[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
]
| no | -| deployment\_arns | (Optional) Map of deployment ARNs to lists of S3 path prefixes to grant `deployment_actions` permissions | `map(any)` | `{}` | no | -| enabled | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| encryption\_enabled | When set to 'true' the resource will have AES256 encryption enabled by default | `bool` | `false` | no | -| environment | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| error\_document | An absolute path to the document to return in case of a 4XX error | `string` | `"404.html"` | no | -| force\_destroy | Delete all objects from the bucket so that the bucket can be destroyed without error (e.g. `true` or `false`) | `bool` | `false` | no | -| hostname | Name of website bucket in `fqdn` format (e.g. `test.example.com`). IMPORTANT! Do not add trailing dot (`.`) | `string` | n/a | yes | -| id\_length\_limit | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | -| index\_document | Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders | `string` | `"index.html"` | no | -| label\_key\_case | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| label\_order | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | -| label\_value\_case | The letter case of output label values (also used in `tags` and `id`).
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Default value: `lower`. | `string` | `null` | no | -| lifecycle\_rule\_enabled | Enable or disable lifecycle rule | `bool` | `false` | no | -| logs\_expiration\_days | Number of days after which to expunge the objects | `number` | `90` | no | -| logs\_glacier\_transition\_days | Number of days after which to move the data to the glacier storage tier | `number` | `60` | no | -| logs\_standard\_transition\_days | Number of days to persist in the standard storage tier before moving to the glacier tier | `number` | `30` | no | -| name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | -| namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | -| noncurrent\_version\_expiration\_days | Specifies when noncurrent object versions expire | `number` | `90` | no | -| noncurrent\_version\_transition\_days | Number of days to persist in the standard storage tier before moving to the glacier tier infrequent access tier | `number` | `30` | no | -| parent\_zone\_id | ID of the hosted zone to contain the record | `string` | `""` | no | -| parent\_zone\_name | Name of the hosted zone to contain the record | `string` | `""` | no | -| prefix | Prefix identifying one or more objects to which the rule applies | `string` | `""` | no | -| redirect\_all\_requests\_to | A hostname to redirect all website requests for this bucket to. If this is set `index_document` will be ignored | `string` | `""` | no | -| regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| replication\_source\_principal\_arns | (Optional) List of principal ARNs to grant replication access from different AWS accounts | `list(string)` | `[]` | no | -| routing\_rules | A json array containing routing rules describing redirect behavior and when redirects are applied | `string` | `""` | no | -| stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | -| versioning\_enabled | Enable or disable versioning | `bool` | `true` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | +| [cors\_allowed\_headers](#input\_cors\_allowed\_headers) | List of allowed headers | `list(string)` |
[
"*"
]
| no | +| [cors\_allowed\_methods](#input\_cors\_allowed\_methods) | List of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) | `list(string)` |
[
"GET"
]
| no | +| [cors\_allowed\_origins](#input\_cors\_allowed\_origins) | List of allowed origins (e.g. example.com, test.com) | `list(string)` |
[
"*"
]
| no | +| [cors\_expose\_headers](#input\_cors\_expose\_headers) | List of expose header in the response | `list(string)` |
[
"ETag"
]
| no | +| [cors\_max\_age\_seconds](#input\_cors\_max\_age\_seconds) | Time in seconds that browser can cache the response | `number` | `3600` | no | +| [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [deployment\_actions](#input\_deployment\_actions) | List of actions to permit deployment ARNs to perform | `list(string)` |
[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
]
| no | +| [deployment\_arns](#input\_deployment\_arns) | (Optional) Map of deployment ARNs to lists of S3 path prefixes to grant `deployment_actions` permissions | `map(any)` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [encryption\_enabled](#input\_encryption\_enabled) | When set to 'true' the resource will have AES256 encryption enabled by default | `bool` | `false` | no | +| [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [error\_document](#input\_error\_document) | An absolute path to the document to return in case of a 4XX error | `string` | `"404.html"` | no | +| [force\_destroy](#input\_force\_destroy) | Delete all objects from the bucket so that the bucket can be destroyed without error (e.g. `true` or `false`) | `bool` | `false` | no | +| [hostname](#input\_hostname) | Name of website bucket in `fqdn` format (e.g. `test.example.com`). IMPORTANT! Do not add trailing dot (`.`) | `string` | n/a | yes | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [index\_document](#input\_index\_document) | Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders | `string` | `"index.html"` | no | +| [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | The letter case of output label values (also used in `tags` and `id`).
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Default value: `lower`. | `string` | `null` | no | +| [lifecycle\_rule\_enabled](#input\_lifecycle\_rule\_enabled) | Enable or disable lifecycle rule | `bool` | `false` | no | +| [logs\_enabled](#input\_logs\_enabled) | Enable logs for s3 bucket | `bool` | `true` | no | +| [logs\_expiration\_days](#input\_logs\_expiration\_days) | Number of days after which to expunge the objects | `number` | `90` | no | +| [logs\_glacier\_transition\_days](#input\_logs\_glacier\_transition\_days) | Number of days after which to move the data to the glacier storage tier | `number` | `60` | no | +| [logs\_standard\_transition\_days](#input\_logs\_standard\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier tier | `number` | `30` | no | +| [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | +| [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | +| [noncurrent\_version\_expiration\_days](#input\_noncurrent\_version\_expiration\_days) | Specifies when noncurrent object versions expire | `number` | `90` | no | +| [noncurrent\_version\_transition\_days](#input\_noncurrent\_version\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier tier infrequent access tier | `number` | `30` | no | +| [parent\_zone\_id](#input\_parent\_zone\_id) | ID of the hosted zone to contain the record | `string` | `""` | no | +| [parent\_zone\_name](#input\_parent\_zone\_name) | Name of the hosted zone to contain the record | `string` | `""` | no | +| [prefix](#input\_prefix) | Prefix identifying one or more objects to which the rule applies | `string` | `""` | no | +| [redirect\_all\_requests\_to](#input\_redirect\_all\_requests\_to) | A hostname to redirect all website requests for this bucket to. 
If this is set `index_document` will be ignored | `string` | `""` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [replication\_source\_principal\_arns](#input\_replication\_source\_principal\_arns) | (Optional) List of principal ARNs to grant replication access from different AWS accounts | `list(string)` | `[]` | no | +| [routing\_rules](#input\_routing\_rules) | A json array containing routing rules describing redirect behavior and when redirects are applied | `string` | `""` | no | +| [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | +| [versioning\_enabled](#input\_versioning\_enabled) | Enable or disable versioning | `bool` | `true` | no | ## Outputs | Name | Description | |------|-------------| -| hostname | Bucket hostname | -| s3\_bucket\_arn | ARN identifier of the website bucket | -| s3\_bucket\_domain\_name | Name of the website bucket | -| s3\_bucket\_hosted\_zone\_id | The Route 53 Hosted Zone ID for this bucket's region | -| s3\_bucket\_name | DNS record of the website bucket | -| s3\_bucket\_website\_domain | The domain of the website endpoint | -| s3\_bucket\_website\_endpoint | The website endpoint URL | - +| [hostname](#output\_hostname) | Bucket hostname | +| [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | ARN identifier of the website bucket | +| [s3\_bucket\_domain\_name](#output\_s3\_bucket\_domain\_name) | Name of the website bucket | +| [s3\_bucket\_hosted\_zone\_id](#output\_s3\_bucket\_hosted\_zone\_id) | The Route 53 Hosted Zone ID for this bucket's region | +| [s3\_bucket\_name](#output\_s3\_bucket\_name) | DNS record of the website bucket | +| [s3\_bucket\_website\_domain](#output\_s3\_bucket\_website\_domain) | The domain of the website endpoint | +| [s3\_bucket\_website\_endpoint](#output\_s3\_bucket\_website\_endpoint) | 
The website endpoint URL | @@ -232,6 +250,7 @@ Like this project? Please give it a ★ on [our GitHub](https://github.com/cloud Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =) + ## Related Projects Check out these related projects. @@ -243,8 +262,6 @@ Check out these related projects. - [terraform-aws-lb-s3-bucket](https://github.com/cloudposse/terraform-aws-lb-s3-bucket) - Terraform module to provision an S3 bucket with built in IAM policy to allow AWS Load Balancers to ship access logs - - ## References For additional context, refer to some of these links. diff --git a/docs/terraform.md b/docs/terraform.md index eed0c31..74a4260 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
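Review bot: The new `logs_enabled` row in the README Inputs table describes the switch only as "Enable logs for s3 bucket", which undersells what is being turned off: the module's own IMPORTANT note says this bucket is globally readable by unauthenticated users, so the S3 server access logs shipped to the `logs` module (`cloudposse/s3-log-storage/aws` 0.20.0 in the new Modules table) are the only record of who fetched which objects. Suggest a description along the lines of "Enable S3 server access logging for the website bucket (recommended for any internet-facing site)" and a sentence stating whether `logs_expiration_days`, `logs_glacier_transition_days` and `logs_standard_transition_days` are ignored when this is `false`, since a reader of the table will otherwise assume they still apply. The remainder of this README.md diff (anchor links on every input and output name, the added Modules and Resources tables, the blank line added before `# terraform-aws-s3-website` and the ones removed after the IMPORTANT paragraph and before `## Security & Compliance`) is regenerated terraform-docs output unrelated to the feature; that is fine if it came from `make readme`, but the commit body should say so, because the single substantive change in 129 changed lines is one added table row.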
@@ -3,71 +3,90 @@ | Name | Version | |------|---------| -| terraform | >= 0.13.0 | -| aws | >= 2.0 | -| local | >= 1.2 | +| [terraform](#requirement\_terraform) | >= 0.13.0 | +| [aws](#requirement\_aws) | >= 2.0 | +| [local](#requirement\_local) | >= 1.2 | ## Providers | Name | Version | |------|---------| -| aws | >= 2.0 | +| [aws](#provider\_aws) | >= 2.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [default\_label](#module\_default\_label) | cloudposse/label/null | 0.24.1 | +| [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.12.0 | +| [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.20.0 | +| [this](#module\_this) | cloudposse/label/null | 0.24.1 | + +## Resources + +| Name | Type | +|------|------| +| [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| additional\_tag\_map | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | -| attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | -| context | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | -| cors\_allowed\_headers | List of allowed headers | `list(string)` |
[
"*"
]
| no | -| cors\_allowed\_methods | List of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) | `list(string)` |
[
"GET"
]
| no | -| cors\_allowed\_origins | List of allowed origins (e.g. example.com, test.com) | `list(string)` |
[
"*"
]
| no | -| cors\_expose\_headers | List of expose header in the response | `list(string)` |
[
"ETag"
]
| no | -| cors\_max\_age\_seconds | Time in seconds that browser can cache the response | `number` | `3600` | no | -| delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| deployment\_actions | List of actions to permit deployment ARNs to perform | `list(string)` |
[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
]
| no | -| deployment\_arns | (Optional) Map of deployment ARNs to lists of S3 path prefixes to grant `deployment_actions` permissions | `map(any)` | `{}` | no | -| enabled | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| encryption\_enabled | When set to 'true' the resource will have AES256 encryption enabled by default | `bool` | `false` | no | -| environment | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| error\_document | An absolute path to the document to return in case of a 4XX error | `string` | `"404.html"` | no | -| force\_destroy | Delete all objects from the bucket so that the bucket can be destroyed without error (e.g. `true` or `false`) | `bool` | `false` | no | -| hostname | Name of website bucket in `fqdn` format (e.g. `test.example.com`). IMPORTANT! Do not add trailing dot (`.`) | `string` | n/a | yes | -| id\_length\_limit | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | -| index\_document | Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders | `string` | `"index.html"` | no | -| label\_key\_case | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| label\_order | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | -| label\_value\_case | The letter case of output label values (also used in `tags` and `id`).
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Default value: `lower`. | `string` | `null` | no | -| lifecycle\_rule\_enabled | Enable or disable lifecycle rule | `bool` | `false` | no | -| logs\_expiration\_days | Number of days after which to expunge the objects | `number` | `90` | no | -| logs\_glacier\_transition\_days | Number of days after which to move the data to the glacier storage tier | `number` | `60` | no | -| logs\_standard\_transition\_days | Number of days to persist in the standard storage tier before moving to the glacier tier | `number` | `30` | no | -| name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | -| namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | -| noncurrent\_version\_expiration\_days | Specifies when noncurrent object versions expire | `number` | `90` | no | -| noncurrent\_version\_transition\_days | Number of days to persist in the standard storage tier before moving to the glacier tier infrequent access tier | `number` | `30` | no | -| parent\_zone\_id | ID of the hosted zone to contain the record | `string` | `""` | no | -| parent\_zone\_name | Name of the hosted zone to contain the record | `string` | `""` | no | -| prefix | Prefix identifying one or more objects to which the rule applies | `string` | `""` | no | -| redirect\_all\_requests\_to | A hostname to redirect all website requests for this bucket to. If this is set `index_document` will be ignored | `string` | `""` | no | -| regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| replication\_source\_principal\_arns | (Optional) List of principal ARNs to grant replication access from different AWS accounts | `list(string)` | `[]` | no | -| routing\_rules | A json array containing routing rules describing redirect behavior and when redirects are applied | `string` | `""` | no | -| stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | -| versioning\_enabled | Enable or disable versioning | `bool` | `true` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | +| [cors\_allowed\_headers](#input\_cors\_allowed\_headers) | List of allowed headers | `list(string)` |
[
"*"
]
| no | +| [cors\_allowed\_methods](#input\_cors\_allowed\_methods) | List of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) | `list(string)` |
[
"GET"
]
| no | +| [cors\_allowed\_origins](#input\_cors\_allowed\_origins) | List of allowed origins (e.g. example.com, test.com) | `list(string)` |
[
"*"
]
| no | +| [cors\_expose\_headers](#input\_cors\_expose\_headers) | List of expose header in the response | `list(string)` |
[
"ETag"
]
| no | +| [cors\_max\_age\_seconds](#input\_cors\_max\_age\_seconds) | Time in seconds that browser can cache the response | `number` | `3600` | no | +| [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [deployment\_actions](#input\_deployment\_actions) | List of actions to permit deployment ARNs to perform | `list(string)` |
[
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload"
]
| no | +| [deployment\_arns](#input\_deployment\_arns) | (Optional) Map of deployment ARNs to lists of S3 path prefixes to grant `deployment_actions` permissions | `map(any)` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [encryption\_enabled](#input\_encryption\_enabled) | When set to 'true' the resource will have AES256 encryption enabled by default | `bool` | `false` | no | +| [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [error\_document](#input\_error\_document) | An absolute path to the document to return in case of a 4XX error | `string` | `"404.html"` | no | +| [force\_destroy](#input\_force\_destroy) | Delete all objects from the bucket so that the bucket can be destroyed without error (e.g. `true` or `false`) | `bool` | `false` | no | +| [hostname](#input\_hostname) | Name of website bucket in `fqdn` format (e.g. `test.example.com`). IMPORTANT! Do not add trailing dot (`.`) | `string` | n/a | yes | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [index\_document](#input\_index\_document) | Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders | `string` | `"index.html"` | no | +| [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | The letter case of output label values (also used in `tags` and `id`).
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Default value: `lower`. | `string` | `null` | no | +| [lifecycle\_rule\_enabled](#input\_lifecycle\_rule\_enabled) | Enable or disable lifecycle rule | `bool` | `false` | no | +| [logs\_enabled](#input\_logs\_enabled) | Enable logs for s3 bucket | `bool` | `true` | no | +| [logs\_expiration\_days](#input\_logs\_expiration\_days) | Number of days after which to expunge the objects | `number` | `90` | no | +| [logs\_glacier\_transition\_days](#input\_logs\_glacier\_transition\_days) | Number of days after which to move the data to the glacier storage tier | `number` | `60` | no | +| [logs\_standard\_transition\_days](#input\_logs\_standard\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier tier | `number` | `30` | no | +| [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | +| [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | +| [noncurrent\_version\_expiration\_days](#input\_noncurrent\_version\_expiration\_days) | Specifies when noncurrent object versions expire | `number` | `90` | no | +| [noncurrent\_version\_transition\_days](#input\_noncurrent\_version\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier tier infrequent access tier | `number` | `30` | no | +| [parent\_zone\_id](#input\_parent\_zone\_id) | ID of the hosted zone to contain the record | `string` | `""` | no | +| [parent\_zone\_name](#input\_parent\_zone\_name) | Name of the hosted zone to contain the record | `string` | `""` | no | +| [prefix](#input\_prefix) | Prefix identifying one or more objects to which the rule applies | `string` | `""` | no | +| [redirect\_all\_requests\_to](#input\_redirect\_all\_requests\_to) | A hostname to redirect all website requests for this bucket to. 
If this is set `index_document` will be ignored | `string` | `""` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [replication\_source\_principal\_arns](#input\_replication\_source\_principal\_arns) | (Optional) List of principal ARNs to grant replication access from different AWS accounts | `list(string)` | `[]` | no | +| [routing\_rules](#input\_routing\_rules) | A json array containing routing rules describing redirect behavior and when redirects are applied | `string` | `""` | no | +| [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | +| [versioning\_enabled](#input\_versioning\_enabled) | Enable or disable versioning | `bool` | `true` | no | ## Outputs | Name | Description | |------|-------------| -| hostname | Bucket hostname | -| s3\_bucket\_arn | ARN identifier of the website bucket | -| s3\_bucket\_domain\_name | Name of the website bucket | -| s3\_bucket\_hosted\_zone\_id | The Route 53 Hosted Zone ID for this bucket's region | -| s3\_bucket\_name | DNS record of the website bucket | -| s3\_bucket\_website\_domain | The domain of the website endpoint | -| s3\_bucket\_website\_endpoint | The website endpoint URL | - +| [hostname](#output\_hostname) | Bucket hostname | +| [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | ARN identifier of the website bucket | +| [s3\_bucket\_domain\_name](#output\_s3\_bucket\_domain\_name) | Name of the website bucket | +| [s3\_bucket\_hosted\_zone\_id](#output\_s3\_bucket\_hosted\_zone\_id) | The Route 53 Hosted Zone ID for this bucket's region | +| [s3\_bucket\_name](#output\_s3\_bucket\_name) | DNS record of the website bucket | +| [s3\_bucket\_website\_domain](#output\_s3\_bucket\_website\_domain) | The domain of the website endpoint | +| [s3\_bucket\_website\_endpoint](#output\_s3\_bucket\_website\_endpoint) | 
The website endpoint URL | diff --git a/main.tf b/main.tf index 0161a6b..40a667b 100644 --- a/main.tf +++ b/main.tf @@ -19,6 +19,7 @@ module "logs" { source = "cloudposse/s3-log-storage/aws" version = "0.20.0" attributes = ["logs"] + enabled = var.logs_enabled standard_transition_days = var.logs_standard_transition_days glacier_transition_days = var.logs_glacier_transition_days expiration_days = var.logs_expiration_days @@ -43,9 +44,12 @@ resource "aws_s3_bucket" "default" { tags = module.default_label.tags force_destroy = var.force_destroy - logging { - target_bucket = module.logs.bucket_id - target_prefix = module.logs.prefix + dynamic "logging" { + for_each = var.logs_enabled ? ["true"] : [] + content { + target_bucket = module.logs.bucket_id + target_prefix = module.logs.prefix + } } dynamic "website" { diff --git a/variables.tf b/variables.tf index 983f6e8..b51ae20 100644 --- a/variables.tf +++ b/variables.tf @@ -69,6 +69,12 @@ variable "cors_max_age_seconds" { description = "Time in seconds that browser can cache the response" } +variable "logs_enabled" { + type = bool + description = "Enable logs for s3 bucket" + default = true +} + variable "logs_standard_transition_days" { type = number description = "Number of days to persist in the standard storage tier before moving to the glacier tier"
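Review bot: in the regenerated README inputs table, the new `logs_enabled` row only says "Enable logs for s3 bucket"; because this module deliberately provisions a publicly readable bucket, the row should state what setting it to `false` removes (S3 server access logging for the website bucket and the log bucket created by the `logs` module, per the `main.tf` hunks) so operators do not switch off the request audit trail by accident. While the table is being regenerated, the `noncurrent_version_transition_days` description "before moving to the glacier tier infrequent access tier" runs two storage tiers together and should name the one that is actually used.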
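Review bot: `enabled = var.logs_enabled` on `module "logs"` is set independently of the root module's own enable flag; if the module also receives `context = module.this.context` (not visible in this hunk), this line overrides the context's `enabled`, so a caller that disables the whole website module but leaves `logs_enabled` at its default `true` would still get a log bucket created. Consider `enabled = module.this.enabled && var.logs_enabled` so the log bucket can never outlive the bucket it logs for.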
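Review bot: the `dynamic "logging"` block and the `logs` module's `enabled` are coupled only by both reading `var.logs_enabled`; if either side later switches to a different condition, `module.logs.bucket_id` would be referenced while the log bucket does not exist and the apply would fail. Either add a comment on `for_each = var.logs_enabled ? ["true"] : []` saying it must track the module's `enabled`, or derive both from one `local`. The `["true"]` literal works as a one-element iterator, but a value that does not read like a boolean (for example `[1]`) makes it clearer that the element itself is unused.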
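Review bot: `default = true` for `variable "logs_enabled"` keeps existing deployments unchanged and is the right default for a bucket that is served to unauthenticated users; the description "Enable logs for s3 bucket" should say which logs, e.g. "Enable S3 server access logging for the website bucket (creates the log bucket via the `logs` module)", so the variable's effect matches the `logging` and `module "logs"` changes in `main.tf`.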