
Merge pull request #50 from mdr-engineering/feature/ftd_MSOCI-1364_ALB_Logging

Fixes S3 Bucket for ALB Logging
Frederick Damstra 5 年之前
父节点
当前提交
f2f4196f25
共有 1 个文件被更改,包括 10 次插入73 次删除
  1. 10 73
      base/account_standards_c2/elb_bucket.tf

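--- a/base/account_standards_c2/elb_bucket.tf
+++ b/base/account_standards_c2/elb_bucket.tf
@@ -1,4 +1,6 @@
 # The centralized bucket for ELB Logging
+data "aws_elb_service_account" "main" {} # ELB logs use a single aws account to place logs
+
 module "elb_logging_logging_bucket" {
   source = "../../thirdparty/terraform-aws-s3logging-bucket"
 
@@ -12,7 +14,7 @@ module "elb_logging_logging_bucket" {
       noncurrent_version_expiration = 30
       abort_incomplete_multipart_upload_days = 7
   })
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(var.standard_tags, var.tags, { "Note" = "ELB Logging Does Not Support SSE-KMS. Only SSE-S3 is supported." } )
   versioning_enabled = true
 }
 
@@ -33,8 +35,7 @@ resource "aws_s3_bucket" "elb_logging_bucket" {
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
-        sse_algorithm = "aws:kms"
-        kms_master_key_id = aws_kms_key.elb_encryption.arn
+        sse_algorithm = "AES256" # ELB logging only supports SSE-S3
       }
     }
   }
@@ -53,9 +54,13 @@ data "aws_iam_policy_document" "aws_elb_bucket_policy" {
     effect  = "Allow"
     actions = ["s3:PutObject"]
 
+    #    principals {
+    #      type        = "AWS"
+    #  identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
+    #}
     principals {
-      type        = "AWS"
-      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
+      type = "AWS"
+      identifiers = [ data.aws_elb_service_account.main.arn ] 
     }
 
     resources = ["arn:${var.aws_partition}:s3:::${aws_s3_bucket.elb_logging_bucket.bucket}/*"]
@@ -95,74 +100,6 @@ resource "aws_s3_bucket_policy" "aws_elb_bucket_policy" {
   depends_on = [ aws_s3_bucket_public_access_block.aws_elb_bucket_block_public_access ]
 }
 
-resource "aws_kms_key" "elb_encryption" {
-  description             = "This key is used to encrypt ELB Logs"
-  deletion_window_in_days = 30
-  policy = data.aws_iam_policy_document.elb_encryption_key_policy.json
-  enable_key_rotation = true
-  tags = merge(var.standard_tags, var.tags)
-}
-
-resource "aws_kms_alias" "elb_encryption" {
-  name          = "alias/aws_elb_logs"
-  target_key_id = aws_kms_key.elb_encryption.key_id
-}
-
-data "aws_iam_policy_document" "elb_encryption_key_policy" {
-  statement {
-    actions   = ["kms:*"]
-    effect    = "Allow"
-    resources = ["*"]
-
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
-    }
-  }
-
-  statement {
-    actions = [
-      "kms:Encrypt*",
-      "kms:GenerateDataKey*",
-    ]
-    effect    = "Allow"
-    resources = ["*"]
-
-    principals {
-      type        = "AWS"
-      identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
-    }
-  }
-
-  statement {
-    actions = [
-      "kms:Encrypt*",
-      "kms:Decrypt*",
-      "kms:ReEncrypt*",
-      "kms:GenerateDataKey*",
-      "kms:Describe*",
-    ]
-    effect    = "Allow"
-    resources = ["*"]
-
-    principals {
-      type        = "Service"
-      identifiers = [ "delivery.logs.amazonaws.com"]
-    }
-  }
-
-  statement {
-    actions   = ["kms:Describe*"]
-    effect    = "Allow"
-    resources = ["*"]
-
-    principals {
-      type        = "Service"
-      identifiers = [ "delivery.logs.amazonaws.com" ]
-    }
-  }
-}
-
 #### SQS Queue for Splunk
 resource "aws_s3_bucket_notification" "on_new_elb_log" {
   bucket = aws_s3_bucket.elb_logging_bucket.bucket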
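Review bot: The `s3:PutObject` statement in the `aws_elb_bucket_policy` hunk now grants the regional ELB service account as principal but keeps the resource at `${bucket}/*`; that service account writes on behalf of every customer in the region, so as far as the policy shown here goes, any AWS account that learns the bucket name can point its load balancer's access logs at it, and the per-account scoping the old root-principal list provided is lost. Scope the resource to the delivery prefix instead, e.g. `resources = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:s3:::${aws_s3_bucket.elb_logging_bucket.bucket}/AWSLogs/${a}/*" ]`, which keeps `var.responsible_accounts` doing the job the commented-out `principals` block was approximating, and delete that commented-out block rather than leaving it in place. The removed KMS key policy also allowed the `delivery.logs.amazonaws.com` service principal, which is the principal used by log delivery for other load balancer types; if NLB or similar logs are expected to land in this bucket, a second statement for that service principal is presumably needed — confirm against the load balancer types in use. The enclosing `data "aws_iam_policy_document"` block starts and ends outside the hunk.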