configure alb logs with a dedicated variable

jwa-lab · Mar 21, 2023 · 5022e87 · 5022e87
1 parent cb99cfb
commit 5022e87
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 8 deletions.
diff --git a/alb-logs-bucket.tf b/alb-logs-bucket.tf
@@ -1,12 +1,12 @@
 resource "aws_s3_bucket" "alb_logs_bucket" {
-  count = var.production ? 1 : 0
+  count = var.alb_logs ? 1 : 0
 
   bucket = "${var.env_name}-alb-logs"
-  force_destroy = true
+  force_destroy = var.production ? false : true
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "alb_logs_bucket_encryption" {
-  count = var.production ? 1 : 0
+  count = var.alb_logs ? 1 : 0
 
   bucket = aws_s3_bucket.alb_logs_bucket[0].id
   expected_bucket_owner = local.account_id
@@ -18,7 +18,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "alb_logs_bucket_e
 }
 
 resource "aws_s3_bucket_public_access_block" "alb_logs_bucket_pab" {
-  count = var.production ? 1 : 0
+  count = var.alb_logs ? 1 : 0
 
   bucket = aws_s3_bucket.alb_logs_bucket[0].id
   block_public_acls = true
@@ -28,15 +28,15 @@ resource "aws_s3_bucket_public_access_block" "alb_logs_bucket_pab" {
 }
 
 resource "aws_s3_bucket_policy" "alb_logs_bucket_policy" {
-  count = var.production ? 1 : 0
+  count = var.alb_logs ? 1 : 0
 
   bucket = aws_s3_bucket.alb_logs_bucket[0].id
   policy = data.aws_iam_policy_document.alb_logs_bucket_policy[0].json
 }
 
 # see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy
 data "aws_iam_policy_document" "alb_logs_bucket_policy" {
-  count = var.production ? 1 : 0
+  count = var.alb_logs ? 1 : 0
 
   statement {
     sid = "ALBAllowWriteLogs"
@@ -52,7 +52,7 @@ data "aws_iam_policy_document" "alb_logs_bucket_policy" {
 # Versioning should not be needed as ALB will never update or overwrite files
 # but it allows to ensure that the log files have not been altered
 resource "aws_s3_bucket_versioning" "alb_logs_bucket_versioning" {
-  count = var.production ? 1 : 0
+  count = var.alb_logs ? 1 : 0
 
   bucket = aws_s3_bucket.alb_logs_bucket[0].id
   expected_bucket_owner = local.account_id

diff --git a/settings.tf b/settings.tf
@@ -205,7 +205,7 @@ locals {
       name = "SSLCertificateArns"
       value = aws_acm_certificate.certificate.arn
     },
-    var.production ? {
+    var.alb_logs ? {
       namespace = "aws:elbv2:loadbalancer"
       name = "AccessLogsS3Bucket"
       value = aws_s3_bucket.alb_logs_bucket[0].id

diff --git a/variables.tf b/variables.tf
@@ -23,6 +23,12 @@ variable "ha" {
   default = false
 }
 
+variable "alb_logs" {
+  type = bool
+  default = false
+  description = "Enable the ALB Logs in S3, stored in a dedicated bucket"
+}
+
 variable "beanstalk_env_vars" {
   type = list(object({
     name: string,