fix to properly support ALB customizations (#33)

trussworks · Oct 23, 2019 · 6ddae24 · 6ddae24
1 parent 51a34c4
commit 6ddae24
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 14 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -2,7 +2,7 @@ version: 2
 jobs:
   validate:
     docker:
-      - image: trussworks/circleci-docker-primary:93fe471597189fed29f1ab2f517fc4c3370f2a77
+      - image: trussworks/circleci-docker-primary:782c370a89564e10e7ee00f6a6ad5c32309c11d5
     steps:
       - checkout
       - restore_cache:

diff --git a/README.md b/README.md
@@ -66,12 +66,26 @@ Logging from the following services is supported for both cases:
       cloudtrail_accounts = ["${data.aws_caller_identity.current.account_id}", "${aws_organizations_account.example.id}"]
     }
 
+## Usage for a single log bucket storing logs from multiple application load balancers
+
+    module "aws_logs" {
+      source         = "trussworks/logs/aws"
+      s3_bucket_name = "my-company-aws-logs-alb"
+      region         = "us-west-2"
+      default_allow  = false
+      allow_alb      = true
+      alb_logs_prefixes = formatlist(format("alb/%%s/AWSLogs/%s", data.aws_caller_identity.current.account_id), [
+       "hello-world-prod",
+       "hello-world-staging",
+       "hello-world-experimental",
+      ])
+    }
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| alb\_accounts | List of accounts for ALB logs.  By default limits to the current account. | list | `[]` | no |
-| alb\_logs\_prefix | S3 prefix for ALB logs. | string | `"alb"` | no |
+| alb\_logs\_prefixes | S3 key prefixes for ALB logs. | list | `[ "alb" ]` | no |
 | allow\_alb | Allow ALB service to log to bucket. | string | `"false"` | no |
 | allow\_cloudtrail | Allow Cloudtrail service to log to bucket. | string | `"false"` | no |
 | allow\_cloudwatch | Allow Cloudwatch service to export logs to bucket. | string | `"false"` | no |
@@ -109,6 +123,18 @@ Logging from the following services is supported for both cases:
 
 ## Upgrade Paths
 
+### Upgrading from 3.4.0 to 3.5.x
+
+Version 3.5.0 removed the `alb_logs_prefix` and `alb_accounts` variables and now uses one `alb_logs_prefixes` list as input.  If you had not set the `alb_logs_prefix` or `alb_accounts` variables, then the default behavior does not change.  If you had set `alb_logs_prefix`, then simply pass the original value as a 1 item list to `alb_logs_prefixes` (while watching that path separators are not duplicated).  For example, `alb_logs_prefixes = ["logs/alb"]`.
+
+Use the `format` and `formatlist` functions in the caller module to support more complex logging that does limit by account id.  For example:
+
+    alb_logs_prefixes = formatlist(format("alb/%%s/AWSLogs/%s", data.aws_caller_identity.current.account_id), [
+      "hello-world-prod",
+      "hello-world-staging",
+      "hello-world-experimental",
+    ])
+
 ### Upgrading from 2.1.X to 3.X.X
 
 Before upgrading you will want to make sure you are on the latest version of 2.1.X.

diff --git a/main.tf b/main.tf
@@ -65,6 +65,21 @@
  *       allow_cloudtrail      = true
  *       cloudtrail_accounts = ["${data.aws_caller_identity.current.account_id}", "${aws_organizations_account.example.id}"]
  *     }
+ *
+ * ## Usage for a single log bucket storing logs from multiple application load balancers
+ *
+ *     module "aws_logs" {
+ *       source         = "trussworks/logs/aws"
+ *       s3_bucket_name = "my-company-aws-logs-alb"
+ *       region         = "us-west-2"
+ *       default_allow  = false
+ *       allow_alb      = true
+ *       alb_logs_prefixes = formatlist(format("alb/%%s/AWSLogs/%s", data.aws_caller_identity.current.account_id), [
+ *        "hello-world-prod",
+ *        "hello-world-staging",
+ *        "hello-world-experimental",
+ *       ])
+ *     }
  */
 
 # Get the account id of the AWS ELB service account in a given region for the
@@ -227,7 +242,7 @@ JSON
     bucket_arn           = "${format("arn:aws:s3:::%s", var.s3_bucket_name)}"
     alb_principal        = "${data.aws_elb_service_account.main.arn}"
     alb_effect           = "${(var.default_allow || var.allow_alb) ? "Allow" : "Deny"}"
-    alb_resources        = "${length(var.alb_accounts) > 0 ? jsonencode(formatlist(format("arn:aws:s3:::%s/%s/AWSLogs/%%s/*", var.s3_bucket_name, var.alb_logs_prefix), var.alb_accounts)) : jsonencode(format("arn:aws:s3:::%s/%s/AWSLogs/%s/*", var.s3_bucket_name, var.alb_logs_prefix, data.aws_caller_identity.current.account_id))}"
+    alb_resources        = "${jsonencode(formatlist(format("arn:aws:s3:::%s/%%s/*", var.s3_bucket_name), var.alb_logs_prefixes))}"
     cloudwatch_effect    = "${(var.default_allow || var.allow_cloudwatch) ? "Allow" : "Deny"}"
     cloudwatch_resources = "${jsonencode(format("arn:aws:s3:::%s/%s/*", var.s3_bucket_name, var.cloudwatch_logs_prefix))}"
     cloudtrail_effect    = "${(var.default_allow || var.allow_cloudtrail) ? "Allow" : "Deny"}"

diff --git a/variables.tf b/variables.tf
@@ -26,10 +26,10 @@ variable "elb_logs_prefix" {
   type        = "string"
 }
 
-variable "alb_logs_prefix" {
-  description = "S3 prefix for ALB logs."
-  default     = "alb"
-  type        = "string"
+variable "alb_logs_prefixes" {
+  description = "S3 key prefixes for ALB logs."
+  default     = ["alb"]
+  type        = "list"
 }
 
 variable "nlb_logs_prefix" {
@@ -129,12 +129,6 @@ variable "config_accounts" {
   type        = "list"
 }
 
-variable "alb_accounts" {
-  description = "List of accounts for ALB logs.  By default limits to the current account."
-  default     = []
-  type        = "list"
-}
-
 variable "elb_accounts" {
   description = "List of accounts for ELB logs.  By default limits to the current account."
   default     = []