From 6ddae2457a85f4bf28593870cf0caf065df1205a Mon Sep 17 00:00:00 2001
From: pjdufour-truss
Date: Wed, 23 Oct 2019 08:36:59 -0400
Subject: [PATCH] fix to properly support ALB customizations (#33)

---
 .circleci/config.yml | 2 +-
 README.md | 30 ++++++++++++++++++++++++++++--
 main.tf | 17 ++++++++++++++++-
 variables.tf | 14 ++++----------
 4 files changed, 49 insertions(+), 14 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index d603c0d..967947b 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -2,7 +2,7 @@ version: 2
 jobs:
   validate:
     docker:
-      - image: trussworks/circleci-docker-primary:93fe471597189fed29f1ab2f517fc4c3370f2a77
+      - image: trussworks/circleci-docker-primary:782c370a89564e10e7ee00f6a6ad5c32309c11d5
     steps:
       - checkout
       - restore_cache:
diff --git a/README.md b/README.md
index 55984fb..5ef9163 100644
--- a/README.md
+++ b/README.md
@@ -66,12 +66,26 @@ Logging from the following services is supported for both cases:
       cloudtrail_accounts = ["${data.aws_caller_identity.current.account_id}", "${aws_organizations_account.example.id}"]
     }
 
+## Usage for a single log bucket storing logs from multiple application load balancers
+
+    module "aws_logs" {
+      source = "trussworks/logs/aws"
+      s3_bucket_name = "my-company-aws-logs-alb"
+      region = "us-west-2"
+      default_allow = false
+      allow_alb = true
+      alb_logs_prefixes = formatlist(format("alb/%%s/AWSLogs/%s", data.aws_caller_identity.current.account_id), [
+        "hello-world-prod",
+        "hello-world-staging",
+        "hello-world-experimental",
+      ])
+    }
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| alb\_accounts | List of accounts for ALB logs. By default limits to the current account. | list | `[]` | no |
-| alb\_logs\_prefix | S3 prefix for ALB logs. | string | `"alb"` | no |
+| alb\_logs\_prefixes | S3 key prefixes for ALB logs. | list | `[ "alb" ]` | no |
 | allow\_alb | Allow ALB service to log to bucket. | string | `"false"` | no |
 | allow\_cloudtrail | Allow Cloudtrail service to log to bucket. | string | `"false"` | no |
 | allow\_cloudwatch | Allow Cloudwatch service to export logs to bucket. | string | `"false"` | no |
@@ -109,6 +123,18 @@ Logging from the following services is supported for both cases:
 
 ## Upgrade Paths
 
+### Upgrading from 3.4.0 to 3.5.x
+
+Version 3.5.0 removed the `alb_logs_prefix` and `alb_accounts` variables and now uses one `alb_logs_prefixes` list as input. If you had not set the `alb_logs_prefix` or `alb_accounts` variables, then the default behavior does not change. If you had set `alb_logs_prefix`, then simply pass the original value as a 1 item list to `alb_logs_prefixes` (while watching that path separators are not duplicated). For example, `alb_logs_prefixes = ["logs/alb"]`.
+
+Use the `format` and `formatlist` functions in the caller module to support more complex logging that does limit by account id. For example:
+    alb_logs_prefixes = formatlist(format("alb/%%s/AWSLogs/%s", data.aws_caller_identity.current.account_id), [
+      "hello-world-prod",
+      "hello-world-staging",
+      "hello-world-experimental",
+    ])
+
 ### Upgrading from 2.1.X to 3.X.X
 
 Before upgrading you will want to make sure you are on the latest version of 2.1.X.
diff --git a/main.tf b/main.tf
index b9701d3..e5fc6c4 100644
--- a/main.tf
+++ b/main.tf
@@ -65,6 +65,21 @@
  *       allow_cloudtrail = true
  *       cloudtrail_accounts = ["${data.aws_caller_identity.current.account_id}", "${aws_organizations_account.example.id}"]
  *     }
+ *
+ * ## Usage for a single log bucket storing logs from multiple application load balancers
+ *
+ *     module "aws_logs" {
+ *       source = "trussworks/logs/aws"
+ *       s3_bucket_name = "my-company-aws-logs-alb"
+ *       region = "us-west-2"
+ *       default_allow = false
+ *       allow_alb = true
+ *       alb_logs_prefixes = formatlist(format("alb/%%s/AWSLogs/%s", data.aws_caller_identity.current.account_id), [
+ *         "hello-world-prod",
+ *         "hello-world-staging",
+ *         "hello-world-experimental",
+ *       ])
+ *     }
  */
 
 # Get the account id of the AWS ELB service account in a given region for the
@@ -227,7 +242,7 @@ JSON
   bucket_arn = "${format("arn:aws:s3:::%s", var.s3_bucket_name)}"
   alb_principal = "${data.aws_elb_service_account.main.arn}"
   alb_effect = "${(var.default_allow || var.allow_alb) ? "Allow" : "Deny"}"
-  alb_resources = "${length(var.alb_accounts) > 0 ? jsonencode(formatlist(format("arn:aws:s3:::%s/%s/AWSLogs/%%s/*", var.s3_bucket_name, var.alb_logs_prefix), var.alb_accounts)) : jsonencode(format("arn:aws:s3:::%s/%s/AWSLogs/%s/*", var.s3_bucket_name, var.alb_logs_prefix, data.aws_caller_identity.current.account_id))}"
+  alb_resources = "${jsonencode(formatlist(format("arn:aws:s3:::%s/%%s/*", var.s3_bucket_name), var.alb_logs_prefixes))}"
   cloudwatch_effect = "${(var.default_allow || var.allow_cloudwatch) ? "Allow" : "Deny"}"
   cloudwatch_resources = "${jsonencode(format("arn:aws:s3:::%s/%s/*", var.s3_bucket_name, var.cloudwatch_logs_prefix))}"
   cloudtrail_effect = "${(var.default_allow || var.allow_cloudtrail) ? "Allow" : "Deny"}"
diff --git a/variables.tf b/variables.tf
index 6ecb535..8077b59 100644
--- a/variables.tf
+++ b/variables.tf
@@ -26,10 +26,10 @@ variable "elb_logs_prefix" {
   type = "string"
 }
 
-variable "alb_logs_prefix" {
-  description = "S3 prefix for ALB logs."
-  default = "alb"
-  type = "string"
+variable "alb_logs_prefixes" {
+  description = "S3 key prefixes for ALB logs."
+  default = ["alb"]
+  type = "list"
 }
 
 variable "nlb_logs_prefix" {
@@ -129,12 +129,6 @@ variable "config_accounts" {
   type = "list"
 }
 
-variable "alb_accounts" {
-  description = "List of accounts for ALB logs. By default limits to the current account."
-  default = []
-  type = "list"
-}
-
 variable "elb_accounts" {
   description = "List of accounts for ELB logs. By default limits to the current account."
   default = []
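Review bot: The rewritten `alb_resources` line widens the default grant: with the new default `alb_logs_prefixes = ["alb"]` the resource becomes `arn:aws:s3:::<bucket>/alb/*`, whereas the removed line always appended `AWSLogs/<caller account id>/*` (or one entry per `alb_accounts` id), so the policy statement built from it (its action is outside this hunk) no longer ties writes by the `data.aws_elb_service_account.main.arn` principal to the calling account, and the README upgrade note's claim that the default behavior does not change is therefore not accurate. Because that principal is the region-wide AWS-owned ELB account rather than something specific to this customer, the account-id path segment was the only thing limiting whose load balancers could write under the prefix. To keep the old default while still allowing fully custom prefixes, set `default = []` on `alb_logs_prefixes` in the `variables.tf` hunk and restore the fallback branch here: `alb_resources = "${length(var.alb_logs_prefixes) > 0 ? jsonencode(formatlist(format("arn:aws:s3:::%s/%%s/*", var.s3_bucket_name), var.alb_logs_prefixes)) : jsonencode(format("arn:aws:s3:::%s/alb/AWSLogs/%s/*", var.s3_bucket_name, data.aws_caller_identity.current.account_id))}"`. The variable description in that same `variables.tf` hunk should also state that each prefix is used verbatim, e.g. `description = "S3 key prefixes for ALB logs, used verbatim; include AWSLogs/<account id> in each prefix to limit writes to your own account."`.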