Use S3 logs module

README.md

@@ -46,7 +46,9 @@ In order to run all checks at any point run the following command:
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_s3_logs_bucket"></a> [s3\_logs\_bucket](#module\_s3\_logs\_bucket) | cn-terraform/logs-s3-bucket/aws | 1.0.1 |
 
 ## Resources
 
@@ -60,20 +62,14 @@ No modules.
 | [aws_route53_record.website_cloudfront_record](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.www_website_record](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_zone.hosted_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
-| [aws_s3_bucket.log_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_acl.log_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_acl.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_cors_configuration.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource |
 | [aws_s3_bucket_logging.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
-| [aws_s3_bucket_policy.log_bucket_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_policy.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-| [aws_s3_bucket_public_access_block.log_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_public_access_block.website_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
-| [aws_s3_bucket_versioning.log_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_bucket_versioning.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_bucket_website_configuration.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
-| [aws_iam_policy_document.log_bucket_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 

main.tf

@@ -7,81 +7,30 @@ locals {
 }
 
 #------------------------------------------------------------------------------
-# S3 Bucket for logs
+# S3 BUCKET - For access logs
 #------------------------------------------------------------------------------
-#tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging
-resource "aws_s3_bucket" "log_bucket" {
-  provider = aws.main
+#tfsec:ignore:aws-s3-enable-versioning
+module "s3_logs_bucket" {
+  providers = {
+    aws = aws.main
+  }
 
-  bucket = "${var.name_prefix}-log-bucket"
+  source  = "cn-terraform/logs-s3-bucket/aws"
+  version = "1.0.1"
+  # source  = "../terraform-aws-logs-s3-bucket"
+
+  name_prefix                   = "${var.name_prefix}-log-bucket"
+  aws_principals_identifiers    = formatlist("arn:aws:iam::%s:root", var.aws_accounts_with_read_view_log_bucket)
+  block_s3_bucket_public_access = true
+  # enable_s3_bucket_server_side_encryption        = var.enable_s3_bucket_server_side_encryption
+  # s3_bucket_server_side_encryption_sse_algorithm = var.s3_bucket_server_side_encryption_sse_algorithm
+  # s3_bucket_server_side_encryption_key           = var.s3_bucket_server_side_encryption_key
 
   tags = merge({
     Name = "${var.name_prefix}-logs"
   }, var.tags)
 }
 
-resource "aws_s3_bucket_acl" "log_bucket" {
-  provider = aws.main
-
-  bucket = aws_s3_bucket.log_bucket.id
-  acl    = "log-delivery-write"
-}
-
-resource "aws_s3_bucket_versioning" "log_bucket" {
-  provider = aws.main
-
-  bucket = aws_s3_bucket.log_bucket.id
-  versioning_configuration {
-    status     = var.log_bucket_versioning_status
-    mfa_delete = var.log_bucket_versioning_mfa_delete
-  }
-}
-
-resource "aws_s3_bucket_public_access_block" "log_bucket_public_access_block" {
-  provider = aws.main
-
-  bucket                  = aws_s3_bucket.log_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-data "aws_iam_policy_document" "log_bucket_access_policy" {
-  provider = aws.main
-
-  statement {
-    sid = "Allow access to logs bucket to current account"
-
-    actions = [
-      "s3:List*",
-      "s3:Get*",
-    ]
-
-    resources = [
-      aws_s3_bucket.log_bucket.arn,
-      "${aws_s3_bucket.log_bucket.arn}/*",
-    ]
-
-    principals {
-      type        = "AWS"
-      identifiers = formatlist("arn:aws:iam::%s:root", var.aws_accounts_with_read_view_log_bucket)
-    }
-  }
-}
-
-resource "aws_s3_bucket_policy" "log_bucket_access_policy" {
-  provider = aws.main
-
-  # Dependency to avoid writing bucket policy and public access block at the same time
-  depends_on = [
-    aws_s3_bucket_public_access_block.log_bucket_public_access_block,
-  ]
-
-  bucket = aws_s3_bucket.log_bucket.id
-  policy = data.aws_iam_policy_document.log_bucket_access_policy.json
-}
-
 #------------------------------------------------------------------------------
 # Route53 Hosted Zone
 #------------------------------------------------------------------------------

website.tf

@@ -68,7 +68,7 @@ resource "aws_s3_bucket_logging" "website" {
   provider = aws.main
 
   bucket        = aws_s3_bucket.website.id
-  target_bucket = aws_s3_bucket.log_bucket.id
+  target_bucket = module.s3_logs_bucket.s3_bucket_id
   target_prefix = "website/"
 }
 
@@ -156,7 +156,7 @@ resource "aws_cloudfront_distribution" "website" { # tfsec:ignore:AWS045
 
   logging_config {
     include_cookies = false
-    bucket          = aws_s3_bucket.log_bucket.bucket_domain_name
+    bucket          = module.s3_logs_bucket.s3_bucket_domain_name
     prefix          = "cloudfront_website"
   }