From e9414830d684d00f7c725ffed89425b977e6b069 Mon Sep 17 00:00:00 2001 From: adoami Date: Thu, 2 Jul 2020 17:18:17 -0700 Subject: [PATCH 01/22] Enable logging with private s3 bucket --- aws-s3-private-bucket/main.tf | 4 +++- aws-s3-private-bucket/variables.tf | 6 ++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/aws-s3-private-bucket/main.tf b/aws-s3-private-bucket/main.tf index 7cd55fd0..6f649ba7 100755 --- a/aws-s3-private-bucket/main.tf +++ b/aws-s3-private-bucket/main.tf @@ -1,6 +1,8 @@ locals { # If grants are defined, we use `grant` to grant permissions, otherwise it will use the `acl` to grant permissions - acl = length(var.grants) == 0 ? "private" : null + acl = length(var.grants) == 0 ? "private" : ( + var.log_delivery_write_acl_enable ? "log-delivery-write" : null + ) tags = { project = var.project diff --git a/aws-s3-private-bucket/variables.tf b/aws-s3-private-bucket/variables.tf index c8cf484e..16c32d14 100755 --- a/aws-s3-private-bucket/variables.tf +++ b/aws-s3-private-bucket/variables.tf @@ -68,3 +68,9 @@ variable grants { default = [] description = "A list of canonical user ID to permissions pairs. Used when we want to grant permissions to AWS accounts via the S3 ACL system." } + +variable log_delivery_write_acl_enable { + type = bool + default = true + description = "Enables logging" +} From c73ead2eb90cf42a6a1748d3e8c28bda2f615514 Mon Sep 17 00:00:00 2001 From: adoami Date: Thu, 2 Jul 2020 18:02:53 -0700 Subject: [PATCH 02/22] redo condition --- aws-s3-private-bucket/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/aws-s3-private-bucket/main.tf b/aws-s3-private-bucket/main.tf index 6f649ba7..cb4db800 100755 --- a/aws-s3-private-bucket/main.tf +++ b/aws-s3-private-bucket/main.tf 
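Review bot: The new ternary in main.tf applies `log-delivery-write` only when `var.grants` is non-empty, which is the opposite of what the comment above it states and of what the flag is for, and it sets `acl` alongside `grant` blocks, a combination the AWS provider rejects as conflicting (the subject of patch 12 confirms this). The canned ACL belongs in the no-grants branch: `acl = length(var.grants) == 0 ? (var.log_delivery_write_acl_enable ? "log-delivery-write" : "private") : null`. The `default = true` in variables.tf also widens the ACL for every existing caller of a module named private-bucket without an opt-in; patch 05 flips it to `false`, but an opt-in default belongs in the commit that introduces the flag, and `description = "Enables logging"` should say which ACL it selects. Patch 02's `coalesce` and patch 06's reordering inherit the same acl/grant conflict.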
@@ -1,8 +1,8 @@ locals { # If grants are defined, we use `grant` to grant permissions, otherwise it will use the `acl` to grant permissions - acl = length(var.grants) == 0 ? "private" : ( - var.log_delivery_write_acl_enable ? "log-delivery-write" : null - ) + private_acl = length(var.grants) == 0 ? "private" : null + log_delivery_write_acl = var.log_delivery_write_acl_enable ? "log-delivery-write" : null + acl = try(coalesce(private_acl, log_delivery_write_acl), null) tags = { project = var.project From 9c33658d625c8908dc3a6b51344f9785cebb9db4 Mon Sep 17 00:00:00 2001 From: adoami Date: Thu, 2 Jul 2020 18:13:16 -0700 Subject: [PATCH 03/22] spacing --- aws-s3-private-bucket/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws-s3-private-bucket/main.tf b/aws-s3-private-bucket/main.tf index cb4db800..daece78c 100755 --- a/aws-s3-private-bucket/main.tf +++ b/aws-s3-private-bucket/main.tf @@ -1,8 +1,8 @@ locals { # If grants are defined, we use `grant` to grant permissions, otherwise it will use the `acl` to grant permissions - private_acl = length(var.grants) == 0 ? "private" : null + private_acl = length(var.grants) == 0 ? "private" : null log_delivery_write_acl = var.log_delivery_write_acl_enable ? "log-delivery-write" : null - acl = try(coalesce(private_acl, log_delivery_write_acl), null) + acl = try(coalesce(private_acl, log_delivery_write_acl), null) tags = { project = var.project From dc45c964981dadb3586fd69707c9e34ee7202a7c Mon Sep 17 00:00:00 2001 From: adoami Date: Thu, 2 Jul 2020 18:18:06 -0700 Subject: [PATCH 04/22] local ref --- aws-s3-private-bucket/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-s3-private-bucket/main.tf b/aws-s3-private-bucket/main.tf index daece78c..8b35acbe 100755 --- a/aws-s3-private-bucket/main.tf +++ b/aws-s3-private-bucket/main.tf 
@@ -2,7 +2,7 @@ locals { # If grants are defined, we use `grant` to grant permissions, otherwise it will use the `acl` to grant permissions private_acl = length(var.grants) == 0 ? "private" : null log_delivery_write_acl = var.log_delivery_write_acl_enable ? "log-delivery-write" : null - acl = try(coalesce(private_acl, log_delivery_write_acl), null) + acl = try(coalesce(local.private_acl, local.log_delivery_write_acl), null) tags = { project = var.project From 0bf38681a70577c394fa68ba2951715ccfb5e9ce Mon Sep 17 00:00:00 2001 From: adoami Date: Tue, 7 Jul 2020 10:24:51 -0700 Subject: [PATCH 05/22] default to false --- aws-s3-private-bucket/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-s3-private-bucket/variables.tf b/aws-s3-private-bucket/variables.tf index 16c32d14..927873e2 100755 --- a/aws-s3-private-bucket/variables.tf +++ b/aws-s3-private-bucket/variables.tf @@ -71,6 +71,6 @@ variable grants { variable log_delivery_write_acl_enable { type = bool - default = true + default = false description = "Enables logging" } From 91368e68ca83dcdee951b96a2f9f6a064fa30aa7 Mon Sep 17 00:00:00 2001 From: adoami Date: Tue, 7 Jul 2020 11:30:00 -0700 Subject: [PATCH 06/22] change order of coalesce vars --- aws-s3-private-bucket/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-s3-private-bucket/main.tf b/aws-s3-private-bucket/main.tf index 8b35acbe..07075063 100755 --- a/aws-s3-private-bucket/main.tf +++ b/aws-s3-private-bucket/main.tf @@ -2,7 +2,7 @@ locals { # If grants are defined, we use `grant` to grant permissions, otherwise it will use the `acl` to grant permissions private_acl = length(var.grants) == 0 ? "private" : null log_delivery_write_acl = var.log_delivery_write_acl_enable ? "log-delivery-write" : null - acl = try(coalesce(local.private_acl, local.log_delivery_write_acl), null) + acl = try(coalesce(local.log_delivery_write_acl, local.private_acl), null) tags = { project = var.project 
From b34831676d02437c7fee752132f18ea0da705b11 Mon Sep 17 00:00:00 2001 From: adoami Date: Tue, 7 Jul 2020 12:47:05 -0700 Subject: [PATCH 07/22] modify descr --- aws-s3-private-bucket/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-s3-private-bucket/variables.tf b/aws-s3-private-bucket/variables.tf index 927873e2..04fbebc3 100755 --- a/aws-s3-private-bucket/variables.tf +++ b/aws-s3-private-bucket/variables.tf @@ -72,5 +72,5 @@ variable grants { variable log_delivery_write_acl_enable { type = bool default = false - description = "Enables logging" + description = "Enables CloudFront to save logs in your distribution's S3 bucket" } From cdb0ec268446d00c7112cb7b226789fc73da09d1 Mon Sep 17 00:00:00 2001 From: adoami Date: Tue, 7 Jul 2020 15:34:58 -0700 Subject: [PATCH 08/22] made new module --- .github/workflows/ci.yml | 1 + aws-s3-logs-bucket/README.md | 17 ++++++++ aws-s3-logs-bucket/main.tf | 32 ++++++++++++++ aws-s3-logs-bucket/module_test.go | 14 +++++++ aws-s3-logs-bucket/outputs.tf | 1 + aws-s3-logs-bucket/variables.tf | 70 +++++++++++++++++++++++++++++++ 6 files changed, 135 insertions(+) create mode 100755 aws-s3-logs-bucket/README.md create mode 100644 aws-s3-logs-bucket/main.tf create mode 100644 aws-s3-logs-bucket/module_test.go create mode 100755 aws-s3-logs-bucket/outputs.tf create mode 100755 aws-s3-logs-bucket/variables.tf diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2832bb1d..e86233b2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -65,6 +65,7 @@ jobs: aws-params-secrets-setup, aws-params-writer, aws-redis-node, + aws-s3-logs-bucket, aws-s3-private-bucket, aws-single-page-static-site, aws-ssm-params, diff --git a/aws-s3-logs-bucket/README.md b/aws-s3-logs-bucket/README.md new file mode 100755 index 00000000..1218929f --- /dev/null +++ b/aws-s3-logs-bucket/README.md 
@@ -0,0 +1,17 @@ +# Module template + +## Example + +```hcl +module "group" { + source = "github.com/chanzuckerberg/cztack/...?ref=v0.14.0" +} + +output "..." { + value = "${...}" +} +``` + + + + diff --git a/aws-s3-logs-bucket/main.tf b/aws-s3-logs-bucket/main.tf new file mode 100644 index 00000000..2fddfcb5 --- /dev/null +++ b/aws-s3-logs-bucket/main.tf @@ -0,0 +1,32 @@ +locals { + # Define the grant ACL for the Cloudfront logging S3 bucket, + # In order for the awslogsdelivery account to write log files to the bucket, + # we need to grant the AWS log delivery group the FULL_CONTROL access to the logging bucket + # LP's AWS account also has the FULL_CONTROL access to the bucket, this is specified by the canonical user id + # More details in https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#ChangeSettings + grants = [ + { + canonical_user_id : data.aws_canonical_user_id.current_user.id + permissions : ["FULL_CONTROL"] + + }, + { + canonical_user_id : "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0" # AWS log delivery group's canonical user id + permissions : ["FULL_CONTROL"] + + } + ] +} + +data "aws_canonical_user_id" "current_user" {} + +module "aws-s3-logs-bucket" { + source = "../aws-s3-private-bucket" + bucket_name = "${var.project}-${var.env}-${var.service}-cloudfront-logs" + log_delivery_write_acl_enable = true + grants = local.grants + env = var.env + owner = var.owner + project = var.project + service = var.service +} diff --git a/aws-s3-logs-bucket/module_test.go b/aws-s3-logs-bucket/module_test.go new file mode 100644 index 00000000..fb22945b --- /dev/null +++ b/aws-s3-logs-bucket/module_test.go @@ -0,0 +1,14 @@ +package test + +import ( + "testing" + + "github.com/gruntwork-io/terratest/modules/terraform" +) + +func TestModule(t *testing.T) { + options := &terraform.Options{ + TerraformDir: ".", + } + terraform.Init(t, options) +} 
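Review bot: `bucket_name` is declared as a required input in the new variables.tf, but main.tf ignores it and hardcodes `"${var.project}-${var.env}-${var.service}-cloudfront-logs"`, so callers must supply a value that has no effect; pass `bucket_name = var.bucket_name` (patch 09 does this) or drop the variable. Likewise `variable grants` is copied into the new module while `grants = local.grants` always wins, so it is dead input (removed in patch 09). In the comment above `grants`, "LP's AWS account" is an unexplained abbreviation; I would write `# the deploying account (resolved via data.aws_canonical_user_id) also gets FULL_CONTROL, alongside the awslogsdelivery account required by the linked CloudFront doc`. The README added in the same commit is still the `# Module template` placeholder and `module_test.go` only runs `terraform.Init`, so nothing in this commit verifies the ACL it sets up.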
diff --git a/aws-s3-logs-bucket/outputs.tf b/aws-s3-logs-bucket/outputs.tf new file mode 100755 index 00000000..8b137891 --- /dev/null +++ b/aws-s3-logs-bucket/outputs.tf @@ -0,0 +1 @@ + diff --git a/aws-s3-logs-bucket/variables.tf b/aws-s3-logs-bucket/variables.tf new file mode 100755 index 00000000..c8cf484e --- /dev/null +++ b/aws-s3-logs-bucket/variables.tf @@ -0,0 +1,70 @@ +variable "bucket_name" { + type = string +} + +variable "bucket_policy" { + type = string + default = "" +} + +variable "project" { + type = string +} + +variable "env" { + type = string +} + +variable "service" { + type = string +} + +variable "owner" { + type = string +} + +variable "enable_versioning" { + type = bool + description = "Keep old versions of overwritten S3 objects." + default = true +} + +variable "abort_incomplete_multipart_upload_days" { + type = number + description = "Number of days after which an incomplete multipart upload is canceled." + default = 14 +} + +variable "lifecycle_rules" { + description = "List of maps containing configuration of object lifecycle management." + type = any + default = [ + { + enabled = true + + expiration = { + expired_object_delete_marker = true + } + + noncurrent_version_transition = { + days = 30 + storage_class = "STANDARD_IA" + } + + noncurrent_version_expiration = { + days = 365 + } + } + ] +} + +variable public_access_block { + type = bool + default = true +} + +variable grants { + type = list(object({ canonical_user_id : string, permissions : list(string) })) + default = [] + description = "A list of canonical user ID to permissions pairs. Used when we want to grant permissions to AWS accounts via the S3 ACL system." +} From 113fb9df3f049df587b032871562aa3ff819740a Mon Sep 17 00:00:00 2001 
From: adoami Date: Tue, 7 Jul 2020 15:58:22 -0700 Subject: [PATCH 09/22] updates --- aws-s3-logs-bucket/README.md | 50 ++++++++++++++++++++++++++++----- aws-s3-logs-bucket/main.tf | 21 ++++++++------ aws-s3-logs-bucket/variables.tf | 6 ---- 3 files changed, 56 insertions(+), 21 deletions(-) diff --git a/aws-s3-logs-bucket/README.md b/aws-s3-logs-bucket/README.md index 1218929f..a906d1e1 100755 --- a/aws-s3-logs-bucket/README.md +++ b/aws-s3-logs-bucket/README.md 
@@ -1,17 +1,53 @@ -# Module template +# aws-s3-logs-bucket + +This module uses the `aws-s3-private-bucket` module as its source and enables logging for Cloudfront to the specified S3 bucket. We include the grant to `aws-logs-delivery` whose canonical id is `c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0`, documentation for this can be found here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership. ## Example ```hcl -module "group" { - source = "github.com/chanzuckerberg/cztack/...?ref=v0.14.0" -} - -output "..." { - value = "${...}" +module "s3-bucket" { + source = "github.com/chanzuckerberg/cztack/aws-s3-logs-bucket?ref=v0.33.1" + bucket_name = "..." + env = var.env + owner = var.owner + project = var.project + service = var.component } ``` +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| abort\_incomplete\_multipart\_upload\_days | Number of days after which an incomplete multipart upload is canceled. | `number` | `14` | no | +| bucket\_name | n/a | `string` | n/a | yes | +| bucket\_policy | n/a | `string` | `""` | no | +| enable\_versioning | Keep old versions of overwritten S3 objects. | `bool` | `true` | no | +| env | n/a | `string` | n/a | yes | +| lifecycle\_rules | List of maps containing configuration of object lifecycle management. | `any` |
[
{
"enabled": true,
"expiration": {
"expired_object_delete_marker": true
},
"noncurrent_version_expiration": {
"days": 365
},
"noncurrent_version_transition": {
"days": 30,
"storage_class": "STANDARD_IA"
}
}
]
| no | +| owner | n/a | `string` | n/a | yes | +| project | n/a | `string` | n/a | yes | +| public\_access\_block | n/a | `bool` | `true` | no | +| service | n/a | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| arn | n/a | +| domain\_name | n/a | +| id | n/a | +| name | HACK(el): we do this to hint TF dependency graph since modules can't depend\_on | diff --git a/aws-s3-logs-bucket/main.tf b/aws-s3-logs-bucket/main.tf index 2fddfcb5..1c78fe04 100644 --- a/aws-s3-logs-bucket/main.tf +++ b/aws-s3-logs-bucket/main.tf @@ -21,12 +21,17 @@ locals { data "aws_canonical_user_id" "current_user" {} module "aws-s3-logs-bucket" { - source = "../aws-s3-private-bucket" - bucket_name = "${var.project}-${var.env}-${var.service}-cloudfront-logs" - log_delivery_write_acl_enable = true - grants = local.grants - env = var.env - owner = var.owner - project = var.project - service = var.service + source = "../aws-s3-private-bucket" + log_delivery_write_acl_enable = true + grants = local.grants + env = var.env + owner = var.owner + project = var.project + service = var.service + bucket_name = var.bucket_name + bucket_policy = var.bucket_policy + enable_versioning = var.enable_versioning + abort_incomplete_multipart_upload_days = var.abort_incomplete_multipart_upload_days + public_access_block = var.public_access_block + lifecycle_rules = var.lifecycle_rules } diff --git a/aws-s3-logs-bucket/variables.tf b/aws-s3-logs-bucket/variables.tf index c8cf484e..d06a262a 100755 --- a/aws-s3-logs-bucket/variables.tf +++ b/aws-s3-logs-bucket/variables.tf @@ -62,9 +62,3 @@ variable public_access_block { type = bool default = true } - -variable grants { - type = list(object({ canonical_user_id : string, permissions : list(string) })) - default = [] - description = "A list of canonical user ID to permissions pairs. Used when we want to grant permissions to AWS accounts via the S3 ACL system." -} 
From c50b54a0feeb87e9292a1b3cc57bc1f754161344 Mon Sep 17 00:00:00 2001 From: adoami Date: Tue, 7 Jul 2020 16:00:25 -0700 Subject: [PATCH 10/22] link --- aws-s3-logs-bucket/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-s3-logs-bucket/README.md b/aws-s3-logs-bucket/README.md index a906d1e1..322303f8 100755 --- a/aws-s3-logs-bucket/README.md +++ b/aws-s3-logs-bucket/README.md @@ -1,6 +1,6 @@ # aws-s3-logs-bucket -This module uses the `aws-s3-private-bucket` module as its source and enables logging for Cloudfront to the specified S3 bucket. We include the grant to `aws-logs-delivery` whose canonical id is `c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0`, documentation for this can be found here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership. +This module uses the `aws-s3-private-bucket` module as its source and enables logging for Cloudfront to the specified S3 bucket. We include the grant to `aws-logs-delivery` whose canonical id is `c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0`, documentation for this can be found [here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership). ## Example From 23d0ebe56053ee3993a8c8890e7d08dee270ea25 Mon Sep 17 00:00:00 2001 From: adoami Date: Tue, 7 Jul 2020 16:29:25 -0700 Subject: [PATCH 11/22] test --- aws-s3-logs-bucket/module_test.go | 53 ++++++++++++++++++++++++++++--- 1 file changed, 49 insertions(+), 4 deletions(-) diff --git a/aws-s3-logs-bucket/module_test.go b/aws-s3-logs-bucket/module_test.go index fb22945b..6ee2c50a 100644 --- a/aws-s3-logs-bucket/module_test.go +++ b/aws-s3-logs-bucket/module_test.go 
@@ -3,12 +3,57 @@ package test import ( "testing" + "github.com/aws/aws-sdk-go/service/s3" + "github.com/chanzuckerberg/cztack/testutil" + "github.com/gruntwork-io/terratest/modules/aws" "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/require" ) -func TestModule(t *testing.T) { - options := &terraform.Options{ - TerraformDir: ".", +func TestPrivateBucketDefaults(t *testing.T) { + + test := &testutil.Test{ + Options: func(t *testing.T) *terraform.Options { + project := testutil.UniqueId() + env := testutil.UniqueId() + service := testutil.UniqueId() + owner := testutil.UniqueId() + + bucketName := testutil.UniqueId() + + return testutil.Options( + testutil.DefaultRegion, + map[string]interface{}{ + "project": project, + "env": env, + "service": service, + "owner": owner, + + "bucket_name": bucketName, + }, + ) + }, + + Validate: func(t *testing.T, options *terraform.Options) { + r := require.New(t) + region := options.EnvVars["AWS_DEFAULT_REGION"] + bucket := options.Vars["bucket_name"].(string) + + // get a client to query for other assertions + s3Client := aws.NewS3Client(t, region) + + acl, err := s3Client.GetBucketAcl(&s3.GetBucketAclInput{ + Bucket: &bucket, + }) + + r.NoError(err) + r.Len(acl.Grants, 2) + + r.Equal("CanonicalUser", *acl.Grants[0].Grantee.Type) + r.Equal("FULL_CONTROL", *acl.Grants[0].Permission) + r.Equal("c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0", *acl.Grants[1].Grantee.ID) + r.Equal("FULL_CONTROL", *acl.Grants[1].Permission) + }, } - terraform.Init(t, options) + test.Run(t) } From c6640c6ca2f17af573d4e168701258d4dd4d3ee1 Mon Sep 17 00:00:00 2001 From: adoami Date: Tue, 7 Jul 2020 16:39:19 -0700 Subject: [PATCH 12/22] remove acl cuz grants and canned acl conflict ugh --- aws-s3-logs-bucket/main.tf | 1 - aws-s3-private-bucket/main.tf | 4 +--- aws-s3-private-bucket/variables.tf | 6 ------ 3 files changed, 1 insertion(+), 10 deletions(-) 
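Review bot: The assertions index `acl.Grants` positionally, so they depend on S3 returning grants in the order the module declared them, and the owner grant is only checked for `Type` and `Permission` — its `Grantee.ID` is never compared to the bucket owner, while the awslogsdelivery grant is never checked for `Type`. Iterating over `acl.Grants` and matching on `Grantee.ID` removes the ordering assumption, and requiring every grantee to be a `CanonicalUser` (no `Grantee.URI` group grant such as AllUsers) pins down the property a logs bucket built on the private-bucket module should guarantee; `acl.Owner.ID` gives the expected owner id without another API call. The function name `TestPrivateBucketDefaults` is carried over from the private bucket module; `TestCloudfrontLogsBucketDefaults` would describe what it validates.

```go
// … unchanged: terraform options, S3 client and GetBucketAcl call …
r.NoError(err)
r.Len(acl.Grants, 2)

seen := map[string]bool{}
for _, g := range acl.Grants {
	// a group grant (AllUsers / AuthenticatedUsers) carries a URI and no ID
	r.NotNil(g.Grantee.ID, "logs bucket must not carry group grants")
	r.Equal("CanonicalUser", *g.Grantee.Type)
	r.Equal("FULL_CONTROL", *g.Permission)
	seen[*g.Grantee.ID] = true
}
r.True(seen[*acl.Owner.ID])
r.True(seen["c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"])
```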
diff --git a/aws-s3-logs-bucket/main.tf b/aws-s3-logs-bucket/main.tf index 1c78fe04..be6687b1 100644 --- a/aws-s3-logs-bucket/main.tf +++ b/aws-s3-logs-bucket/main.tf @@ -22,7 +22,6 @@ data "aws_canonical_user_id" "current_user" {} module "aws-s3-logs-bucket" { source = "../aws-s3-private-bucket" - log_delivery_write_acl_enable = true grants = local.grants env = var.env owner = var.owner diff --git a/aws-s3-private-bucket/main.tf b/aws-s3-private-bucket/main.tf index 07075063..7cd55fd0 100755 --- a/aws-s3-private-bucket/main.tf +++ b/aws-s3-private-bucket/main.tf @@ -1,8 +1,6 @@ locals { # If grants are defined, we use `grant` to grant permissions, otherwise it will use the `acl` to grant permissions - private_acl = length(var.grants) == 0 ? "private" : null - log_delivery_write_acl = var.log_delivery_write_acl_enable ? "log-delivery-write" : null - acl = try(coalesce(local.log_delivery_write_acl, local.private_acl), null) + acl = length(var.grants) == 0 ? "private" : null tags = { project = var.project diff --git a/aws-s3-private-bucket/variables.tf b/aws-s3-private-bucket/variables.tf index 04fbebc3..c8cf484e 100755 --- a/aws-s3-private-bucket/variables.tf +++ b/aws-s3-private-bucket/variables.tf @@ -68,9 +68,3 @@ variable grants { default = [] description = "A list of canonical user ID to permissions pairs. Used when we want to grant permissions to AWS accounts via the S3 ACL system." } - -variable log_delivery_write_acl_enable { - type = bool - default = false - description = "Enables CloudFront to save logs in your distribution's S3 bucket" -} From bfda448650e3fe4fc11d8015c97c5d40313d4d73 Mon Sep 17 00:00:00 2001 
From: adoami Date: Tue, 7 Jul 2020 16:49:09 -0700 Subject: [PATCH 13/22] name change to reflect cloudwatch enabling --- .github/workflows/ci.yml | 2 +- {aws-s3-logs-bucket => aws-cloudwatch-logs-bucket}/README.md | 4 ++-- {aws-s3-logs-bucket => aws-cloudwatch-logs-bucket}/main.tf | 2 +- .../module_test.go | 0 {aws-s3-logs-bucket => aws-cloudwatch-logs-bucket}/outputs.tf | 0 .../variables.tf | 0 6 files changed, 4 insertions(+), 4 deletions(-) rename {aws-s3-logs-bucket => aws-cloudwatch-logs-bucket}/README.md (94%) rename {aws-s3-logs-bucket => aws-cloudwatch-logs-bucket}/main.tf (97%) rename {aws-s3-logs-bucket => aws-cloudwatch-logs-bucket}/module_test.go (100%) rename {aws-s3-logs-bucket => aws-cloudwatch-logs-bucket}/outputs.tf (100%) rename {aws-s3-logs-bucket => aws-cloudwatch-logs-bucket}/variables.tf (100%) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e86233b2..2cf3a181 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -37,6 +37,7 @@ jobs: aws-aurora, aws-aurora-mysql, aws-aurora-postgres, + aws-cloudfront-logs-bucket, aws-cloudwatch-log-group, aws-default-vpc-security, aws-ecs-job, @@ -65,7 +66,6 @@ jobs: aws-params-secrets-setup, aws-params-writer, aws-redis-node, - aws-s3-logs-bucket, aws-s3-private-bucket, aws-single-page-static-site, aws-ssm-params, diff --git a/aws-s3-logs-bucket/README.md b/aws-cloudwatch-logs-bucket/README.md similarity index 94% rename from aws-s3-logs-bucket/README.md rename to aws-cloudwatch-logs-bucket/README.md index 322303f8..b13ff849 100755 --- a/aws-s3-logs-bucket/README.md +++ b/aws-cloudwatch-logs-bucket/README.md 
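Review bot: The matrix entry added to ci.yml is `aws-cloudfront-logs-bucket`, but every file in this commit is renamed to `aws-cloudwatch-logs-bucket`, so the CI job points at a directory that does not exist and the module's test is not exercised (the removed `aws-s3-logs-bucket` entry no longer runs either). Patch 15 renames the directory to `aws-cloudfront-logs-bucket`, which makes the entry valid, but the subject "name change to reflect cloudwatch enabling" and the README heading in this commit still say cloudwatch while the module provisions a CloudFront access-log bucket. Renaming to `aws-cloudfront-logs-bucket` here and squashing patch 15 avoids the broken intermediate state.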
@@ -1,4 +1,4 @@ -# aws-s3-logs-bucket +# aws-cloudwatch-logs-bucket This module uses the `aws-s3-private-bucket` module as its source and enables logging for Cloudfront to the specified S3 bucket. We include the grant to `aws-logs-delivery` whose canonical id is `c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0`, documentation for this can be found [here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership). @@ -6,7 +6,7 @@ This module uses the `aws-s3-private-bucket` module as its source and enables lo ```hcl module "s3-bucket" { - source = "github.com/chanzuckerberg/cztack/aws-s3-logs-bucket?ref=v0.33.1" + source = "github.com/chanzuckerberg/cztack/aws-cloudwatch-logs-bucket?ref=v0.33.1" bucket_name = "..." env = var.env owner = var.owner diff --git a/aws-s3-logs-bucket/main.tf b/aws-cloudwatch-logs-bucket/main.tf similarity index 97% rename from aws-s3-logs-bucket/main.tf rename to aws-cloudwatch-logs-bucket/main.tf index be6687b1..849af8ec 100644 --- a/aws-s3-logs-bucket/main.tf +++ b/aws-cloudwatch-logs-bucket/main.tf @@ -20,7 +20,7 @@ locals { data "aws_canonical_user_id" "current_user" {} -module "aws-s3-logs-bucket" { +module "aws-cloudwatch-logs-bucket" { source = "../aws-s3-private-bucket" grants = local.grants env = var.env diff --git a/aws-s3-logs-bucket/module_test.go b/aws-cloudwatch-logs-bucket/module_test.go similarity index 100% rename from aws-s3-logs-bucket/module_test.go rename to aws-cloudwatch-logs-bucket/module_test.go diff --git a/aws-s3-logs-bucket/outputs.tf b/aws-cloudwatch-logs-bucket/outputs.tf similarity index 100% rename from aws-s3-logs-bucket/outputs.tf rename to aws-cloudwatch-logs-bucket/outputs.tf diff --git a/aws-s3-logs-bucket/variables.tf b/aws-cloudwatch-logs-bucket/variables.tf similarity index 100% rename from aws-s3-logs-bucket/variables.tf rename to aws-cloudwatch-logs-bucket/variables.tf 
From 347eb5c2aaece7c30700150814de61b8a84be496 Mon Sep 17 00:00:00 2001 From: adoami Date: Tue, 7 Jul 2020 16:50:59 -0700 Subject: [PATCH 14/22] update readme --- aws-cloudwatch-logs-bucket/README.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/aws-cloudwatch-logs-bucket/README.md b/aws-cloudwatch-logs-bucket/README.md index b13ff849..9f0b781a 100755 --- a/aws-cloudwatch-logs-bucket/README.md +++ b/aws-cloudwatch-logs-bucket/README.md 
@@ -1,6 +1,17 @@ # aws-cloudwatch-logs-bucket -This module uses the `aws-s3-private-bucket` module as its source and enables logging for Cloudfront to the specified S3 bucket. We include the grant to `aws-logs-delivery` whose canonical id is `c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0`, documentation for this can be found [here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership). +This module uses the `aws-s3-private-bucket` module as its source and enables logging for Cloudfront to the specified S3 bucket. We include the grant to `aws-logs-delivery` whose canonical id is `c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0`, documentation for this can be found [here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership). The suggestion is found here: + +``` +Restoring the ACL for the bucket +If you remove permissions for the awslogsdelivery account, CloudFront won't be able to save logs to the S3 bucket. To enable CloudFront to start saving logs for your distribution again, restore the ACL permission by doing one of the following: + +... + +Add the ACL permission for awslogsdelivery manually by navigating to the S3 bucket in the Amazon S3 console and adding permission. To add the ACL for awslogsdelivery, you must provide the canonical ID for the account, which is the following: + +c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0 +``` ## Example From 9fba513e72f5851c782ca1b4b3db729cf571598a Mon Sep 17 00:00:00 2001 
From: adoami Date: Tue, 7 Jul 2020 16:53:51 -0700 Subject: [PATCH 15/22] whoops cloudwatch to cloudfront --- .../README.md | 4 ++-- .../main.tf | 2 +- .../module_test.go | 0 .../outputs.tf | 0 .../variables.tf | 0 5 files changed, 3 insertions(+), 3 deletions(-) rename {aws-cloudwatch-logs-bucket => aws-cloudfront-logs-bucket}/README.md (96%) rename {aws-cloudwatch-logs-bucket => aws-cloudfront-logs-bucket}/main.tf (97%) rename {aws-cloudwatch-logs-bucket => aws-cloudfront-logs-bucket}/module_test.go (100%) rename {aws-cloudwatch-logs-bucket => aws-cloudfront-logs-bucket}/outputs.tf (100%) rename {aws-cloudwatch-logs-bucket => aws-cloudfront-logs-bucket}/variables.tf (100%) diff --git a/aws-cloudwatch-logs-bucket/README.md b/aws-cloudfront-logs-bucket/README.md similarity index 96% rename from aws-cloudwatch-logs-bucket/README.md rename to aws-cloudfront-logs-bucket/README.md index 9f0b781a..f6fba2a4 100755 --- a/aws-cloudwatch-logs-bucket/README.md +++ b/aws-cloudfront-logs-bucket/README.md @@ -1,4 +1,4 @@ -# aws-cloudwatch-logs-bucket +# aws-cloudfront-logs-bucket This module uses the `aws-s3-private-bucket` module as its source and enables logging for Cloudfront to the specified S3 bucket. We include the grant to `aws-logs-delivery` whose canonical id is `c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0`, documentation for this can be found [here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership). The suggestion is found here: @@ -17,7 +17,7 @@ c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0 ```hcl module "s3-bucket" { - source = "github.com/chanzuckerberg/cztack/aws-cloudwatch-logs-bucket?ref=v0.33.1" + source = "github.com/chanzuckerberg/cztack/aws-cloudfront-logs-bucket?ref=v0.33.1" bucket_name = "..." env = var.env owner = var.owner 
diff --git a/aws-cloudwatch-logs-bucket/main.tf b/aws-cloudfront-logs-bucket/main.tf similarity index 97% rename from aws-cloudwatch-logs-bucket/main.tf rename to aws-cloudfront-logs-bucket/main.tf index 849af8ec..de128506 100644 --- a/aws-cloudwatch-logs-bucket/main.tf +++ b/aws-cloudfront-logs-bucket/main.tf @@ -20,7 +20,7 @@ locals { data "aws_canonical_user_id" "current_user" {} -module "aws-cloudwatch-logs-bucket" { +module "aws-cloudfront-logs-bucket" { source = "../aws-s3-private-bucket" grants = local.grants env = var.env diff --git a/aws-cloudwatch-logs-bucket/module_test.go b/aws-cloudfront-logs-bucket/module_test.go similarity index 100% rename from aws-cloudwatch-logs-bucket/module_test.go rename to aws-cloudfront-logs-bucket/module_test.go diff --git a/aws-cloudwatch-logs-bucket/outputs.tf b/aws-cloudfront-logs-bucket/outputs.tf similarity index 100% rename from aws-cloudwatch-logs-bucket/outputs.tf rename to aws-cloudfront-logs-bucket/outputs.tf diff --git a/aws-cloudwatch-logs-bucket/variables.tf b/aws-cloudfront-logs-bucket/variables.tf similarity index 100% rename from aws-cloudwatch-logs-bucket/variables.tf rename to aws-cloudfront-logs-bucket/variables.tf From b9999f19963e5d331accbee54f074356cc508d4a Mon Sep 17 00:00:00 2001 From: adoami Date: Tue, 7 Jul 2020 17:16:08 -0700 Subject: [PATCH 16/22] outputs --- aws-cloudfront-logs-bucket/outputs.tf | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/aws-cloudfront-logs-bucket/outputs.tf b/aws-cloudfront-logs-bucket/outputs.tf index 8b137891..9b951450 100755 --- a/aws-cloudfront-logs-bucket/outputs.tf +++ b/aws-cloudfront-logs-bucket/outputs.tf 
@@ -1 +1,16 @@ +// HACK(el): we do this to hint TF dependency graph since modules can't depend_on +output "name" { + value = var.bucket_name +} +output "domain_name" { + value = aws-cloudfront-logs-bucket.aws_s3_bucket.bucket.bucket_domain_name +} + +output "arn" { + value = aws-cloudfront-logs-bucket.aws_s3_bucket.bucket.arn +} + +output "id" { + value = aws-cloudfront-logs-bucket.aws_s3_bucket.bucket.id +} From af31aba094b78025ed91006806afd2f0435c112e Mon Sep 17 00:00:00 2001 From: adoami Date: Tue, 7 Jul 2020 17:25:50 -0700 Subject: [PATCH 17/22] change output --- aws-cloudfront-logs-bucket/main.tf | 3 +++ aws-cloudfront-logs-bucket/outputs.tf | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/aws-cloudfront-logs-bucket/main.tf b/aws-cloudfront-logs-bucket/main.tf index de128506..a9781e44 100644 --- a/aws-cloudfront-logs-bucket/main.tf +++ b/aws-cloudfront-logs-bucket/main.tf @@ -28,6 +28,9 @@ module "aws-cloudfront-logs-bucket" { project = var.project service = var.service bucket_name = var.bucket_name + domain_name = aws_s3_bucket.bucket.bucket_domain_name + bucket_arn = aws_s3_bucket.bucket.arn + bucket_id = aws_s3_bucket.bucket.id bucket_policy = var.bucket_policy enable_versioning = var.enable_versioning abort_incomplete_multipart_upload_days = var.abort_incomplete_multipart_upload_days diff --git a/aws-cloudfront-logs-bucket/outputs.tf b/aws-cloudfront-logs-bucket/outputs.tf index 9b951450..c123261a 100755 --- a/aws-cloudfront-logs-bucket/outputs.tf +++ b/aws-cloudfront-logs-bucket/outputs.tf 
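Review bot: `aws-cloudfront-logs-bucket.aws_s3_bucket.bucket.bucket_domain_name` is not a valid Terraform reference: a child module's resources are not addressable from the parent, only its declared outputs are, as `module.aws-cloudfront-logs-bucket.<output>`. Patch 17 then passes `domain_name`, `bucket_arn` and `bucket_id` as module inputs, but the private-bucket module's variables.tf (blob c8cf484e, the same file copied in patch 08) declares none of them, and `aws_s3_bucket.bucket` does not exist in this module; patch 18's `module.aws-s3-private-bucket` is likewise not the module name declared here. The form the series arrives at in patch 21, `value = module.aws-cloudfront-logs-bucket.name` and friends, is the correct one, so patches 16–20 could be squashed into it so that no intermediate commit fails `terraform validate`.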
@@ -1,16 +1,16 @@ // HACK(el): we do this to hint TF dependency graph since modules can't depend_on output "name" { - value = var.bucket_name + value = module.aws-cloudfront-logs-bucket.bucket_name } output "domain_name" { - value = aws-cloudfront-logs-bucket.aws_s3_bucket.bucket.bucket_domain_name + value = module.aws-cloudfront-logs-bucket.bucket_domain_name } output "arn" { - value = aws-cloudfront-logs-bucket.aws_s3_bucket.bucket.arn + value = module.aws-cloudfront-logs-bucket.bucket_arn } output "id" { - value = aws-cloudfront-logs-bucket.aws_s3_bucket.bucket.id + value = module.aws-cloudfront-logs-bucket.bucket_id } From 747466ee729d88715c6a2a93385f6cfe406b2229 Mon Sep 17 00:00:00 2001 From: adoami Date: Tue, 7 Jul 2020 17:42:53 -0700 Subject: [PATCH 18/22] change output refs --- aws-cloudfront-logs-bucket/main.tf | 6 +++--- aws-cloudfront-logs-bucket/outputs.tf | 16 ---------------- 2 files changed, 3 insertions(+), 19 deletions(-) diff --git a/aws-cloudfront-logs-bucket/main.tf b/aws-cloudfront-logs-bucket/main.tf index a9781e44..16620776 100644 --- a/aws-cloudfront-logs-bucket/main.tf +++ b/aws-cloudfront-logs-bucket/main.tf @@ -28,9 +28,9 @@ module "aws-cloudfront-logs-bucket" { project = var.project service = var.service bucket_name = var.bucket_name - domain_name = aws_s3_bucket.bucket.bucket_domain_name - bucket_arn = aws_s3_bucket.bucket.arn - bucket_id = aws_s3_bucket.bucket.id + domain_name = module.aws-s3-private-bucket.domain_name + bucket_arn = module.aws-s3-private-bucket.arn + bucket_id = module.aws-s3-private-bucket.id bucket_policy = var.bucket_policy enable_versioning = var.enable_versioning abort_incomplete_multipart_upload_days = var.abort_incomplete_multipart_upload_days diff --git a/aws-cloudfront-logs-bucket/outputs.tf b/aws-cloudfront-logs-bucket/outputs.tf index c123261a..e69de29b 100755 --- a/aws-cloudfront-logs-bucket/outputs.tf +++ b/aws-cloudfront-logs-bucket/outputs.tf 
@@ -1,16 +0,0 @@
-// HACK(el): we do this to hint TF dependency graph since modules can't depend_on
-output "name" {
- value = module.aws-cloudfront-logs-bucket.bucket_name
-}
-
-output "domain_name" {
- value = module.aws-cloudfront-logs-bucket.bucket_domain_name
-}
-
-output "arn" {
- value = module.aws-cloudfront-logs-bucket.bucket_arn
-}
-
-output "id" {
- value = module.aws-cloudfront-logs-bucket.bucket_id
-}
From 5f4aa06dca8065e2ea95ccd554d75555ea5adaad Mon Sep 17 00:00:00 2001
From: adoami
Date: Tue, 7 Jul 2020 21:27:51 -0700
Subject: [PATCH 19/22] remove outputs
---
 aws-cloudfront-logs-bucket/main.tf | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/aws-cloudfront-logs-bucket/main.tf b/aws-cloudfront-logs-bucket/main.tf
index 16620776..de128506 100644
--- a/aws-cloudfront-logs-bucket/main.tf
+++ b/aws-cloudfront-logs-bucket/main.tf
@@ -28,9 +28,6 @@ module "aws-cloudfront-logs-bucket" {
 project = var.project
 service = var.service
 bucket_name = var.bucket_name
- domain_name = module.aws-s3-private-bucket.domain_name
- bucket_arn = module.aws-s3-private-bucket.arn
- bucket_id = module.aws-s3-private-bucket.id
 bucket_policy = var.bucket_policy
 enable_versioning = var.enable_versioning
 abort_incomplete_multipart_upload_days = var.abort_incomplete_multipart_upload_days
From 20d379e5c768464601a321380ab451d40339c93b Mon Sep 17 00:00:00 2001
From: adoami
Date: Tue, 7 Jul 2020 21:35:57 -0700
Subject: [PATCH 20/22] fix output values
---
 aws-cloudfront-logs-bucket/outputs.tf | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/aws-cloudfront-logs-bucket/outputs.tf b/aws-cloudfront-logs-bucket/outputs.tf
index e69de29b..1e6599fe 100755
--- a/aws-cloudfront-logs-bucket/outputs.tf
+++ b/aws-cloudfront-logs-bucket/outputs.tf
@@ -0,0 +1,16 @@
+// HACK(el): we do this to hint TF dependency graph since modules can't depend_on
+output "name" {
+ value = module.aws-s3-private-bucket.name
+}
+
+output "domain_name" {
+ value = module.aws-s3-private-bucket.domain_name
+}
+
+output "arn" {
+ value = module.aws-s3-private-bucket.arn
+}
+
+output "id" {
+ value = module.aws-s3-private-bucket.id
+}
From 9cbd7bd1b3437b1c54b7d769343978bb725035ae Mon Sep 17 00:00:00 2001
From: adoami
Date: Tue, 7 Jul 2020 21:48:09 -0700
Subject: [PATCH 21/22] outputs
---
 aws-cloudfront-logs-bucket/outputs.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/aws-cloudfront-logs-bucket/outputs.tf b/aws-cloudfront-logs-bucket/outputs.tf
index 1e6599fe..1e639259 100755
--- a/aws-cloudfront-logs-bucket/outputs.tf
+++ b/aws-cloudfront-logs-bucket/outputs.tf
@@ -1,16 +1,16 @@
 // HACK(el): we do this to hint TF dependency graph since modules can't depend_on
 output "name" {
- value = module.aws-s3-private-bucket.name
+ value = module.aws-cloudfront-logs-bucket.name
 }
 output "domain_name" {
- value = module.aws-s3-private-bucket.domain_name
+ value = module.aws-cloudfront-logs-bucket.domain_name
 }
 output "arn" {
- value = module.aws-s3-private-bucket.arn
+ value = module.aws-cloudfront-logs-bucket.arn
 }
 output "id" {
- value = module.aws-s3-private-bucket.id
+ value = module.aws-cloudfront-logs-bucket.id
 }
From 50c9322dd7e25a583d7b9a0115ca08014d97666e Mon Sep 17 00:00:00 2001
From: adoami
Date: Wed, 8 Jul 2020 09:40:28 -0700
Subject: [PATCH 22/22] remove comment
---
 aws-cloudfront-logs-bucket/main.tf | 2 --
 1 file changed, 2 deletions(-)
diff --git a/aws-cloudfront-logs-bucket/main.tf b/aws-cloudfront-logs-bucket/main.tf
index de128506..6281d7b8 100644
--- a/aws-cloudfront-logs-bucket/main.tf
+++ b/aws-cloudfront-logs-bucket/main.tf
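Review bot: The final values in the PATCH 21 hunk (`module.aws-cloudfront-logs-bucket.name`, `.domain_name`, `.arn`, `.id`) are only valid if the module wired up by the `module "aws-cloudfront-logs-bucket"` block exports outputs with exactly those names; that module's outputs.tf is not part of this series, and the preceding patch on this line used `module.aws-s3-private-bucket.*` for the same four values, so the output names should be confirmed against the module source rather than by trial. Each output should carry a `description`, e.g. `description = "ARN of the CloudFront access-log bucket; reference this rather than var.bucket_name so dependents are ordered after the bucket and its log-delivery ACL grant"`. The `HACK(el)` comment would be more useful stating the rule it enforces: `// Consumers must reference these outputs rather than var.bucket_name so Terraform orders them after the bucket and its ACL grants (module blocks cannot take depends_on in the Terraform version this repo targets)`. Whether that workaround is still needed depends on the pinned Terraform version, which is not visible here.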
@@ -2,8 +2,6 @@ locals {
 # Define the grant ACL for the Cloudfront logging S3 bucket,
 # In order for the awslogsdelivery account to write log files to the bucket,
 # we need to grant the AWS log delivery group the FULL_CONTROL access to the logging bucket
- # LP's AWS account also has the FULL_CONTROL access to the bucket, this is specified by the canonical user id
- # More details in https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#ChangeSettings
 grants = [
 {
 canonical_user_id : data.aws_canonical_user_id.current_user.id