|
@@ -1,4 +1,6 @@
|
|
|
# The centralized bucket for ELB Logging
|
|
|
+data "aws_elb_service_account" "main" {} # ELB logs use a single aws account to place logs
|
|
|
+
|
|
|
module "elb_logging_logging_bucket" {
|
|
|
source = "../../thirdparty/terraform-aws-s3logging-bucket"
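Review bot: The comment on the new `aws_elb_service_account` data source overstates what it gives you — it resolves to the ELB log-delivery account for the provider's region only, and that account differs per region, so a bucket policy built from it admits load balancers in that one region. For regions launched after mid-2022 AWS no longer publishes a per-region account at all and the bucket policy has to trust the `logdelivery.elasticloadbalancing.amazonaws.com` service principal instead, which this data source cannot express. I'd reword the trailing comment to `# Regional ELB log-delivery account (ALB/CLB access logs); regions launched after 2022 need the logdelivery.elasticloadbalancing.amazonaws.com service principal instead` so the next person deploying to a new region knows why delivery fails.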
|
|
|
|
|
@@ -12,7 +14,7 @@ module "elb_logging_logging_bucket" {
|
|
|
noncurrent_version_expiration = 30
|
|
|
abort_incomplete_multipart_upload_days = 7
|
|
|
})
|
|
|
- tags = merge(var.standard_tags, var.tags)
|
|
|
+ tags = merge(var.standard_tags, var.tags, { "Note" = "ELB Logging Does Not Support SSE-KMS. Only SSE-S3 is supported." } )
|
|
|
versioning_enabled = true
|
|
|
}
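Review bot: The `Note` tag added on the tags line lands on `module "elb_logging_logging_bucket"`, which from its name looks like the server-access-log bucket for the ELB log bucket, whereas the encryption change this commit makes is on `aws_s3_bucket.elb_logging_bucket`; if that reading is right the explanation is attached to the wrong resource. A tag value is also a weak place for a design rationale — it shows up in billing and inventory exports but not to whoever next edits the `sse_algorithm` line. I'd leave the line as `tags = merge(var.standard_tags, var.tags)` and carry the rationale as an HCL comment beside the encryption block of the bucket it applies to.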
|
|
|
|
|
@@ -33,8 +35,7 @@ resource "aws_s3_bucket" "elb_logging_bucket" {
|
|
|
server_side_encryption_configuration {
|
|
|
rule {
|
|
|
apply_server_side_encryption_by_default {
|
|
|
- sse_algorithm = "aws:kms"
|
|
|
- kms_master_key_id = aws_kms_key.elb_encryption.arn
|
|
|
+ sse_algorithm = "AES256" # ELB logging only supports SSE-S3
|
|
|
}
|
|
|
}
|
|
|
}
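Review bot: Changing the default encryption to `AES256` does not re-encrypt objects already stored under `aws_kms_key.elb_encryption`, and the same commit deletes that key (its `deletion_window_in_days = 30` means it is destroyed 30 days after apply), after which every log object written before the cut-over becomes unreadable. Before this is applied the key should either be kept outside Terraform management (`terraform state rm` and retain it) or the existing objects copied in place so they are rewritten under SSE-S3, and the retention/forensics owner told the cut-over date. The new inline comment is accurate for ALB/CLB access logs; I'd make that explicit, `sse_algorithm = "AES256" # ALB/CLB access-log delivery only supports SSE-S3`, since other log sources written to this bucket may have different constraints.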
|
|
@@ -53,9 +54,13 @@ data "aws_iam_policy_document" "aws_elb_bucket_policy" {
|
|
|
effect = "Allow"
|
|
|
actions = ["s3:PutObject"]
|
|
|
|
|
|
+ # principals {
|
|
|
+ # type = "AWS"
|
|
|
+ # identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
|
|
|
+ #}
|
|
|
principals {
|
|
|
- type = "AWS"
|
|
|
- identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
|
|
|
+ type = "AWS"
|
|
|
+ identifiers = [ data.aws_elb_service_account.main.arn ]
|
|
|
}
|
|
|
|
|
|
resources = ["arn:${var.aws_partition}:s3:::${aws_s3_bucket.elb_logging_bucket.bucket}/*"]
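Review bot: The `resources` line still grants `s3:PutObject` on the whole bucket (`${bucket}/*`) to the regional ELB log-delivery account; that account is AWS-owned and writes on behalf of any customer's load balancer in the region, so the object-key prefix is what ties writes to this account, and AWS's own bucket-policy example scopes it as `resources = ["arn:${var.aws_partition}:s3:::${aws_s3_bucket.elb_logging_bucket.bucket}/AWSLogs/${var.aws_account_id}/*"]` (with the configured log prefix in front of `AWSLogs` if one is used). The commented-out `principals` block above should be dropped rather than parked — the old cross-account `root` principals remain in history, and a dead block beside the live one invites being re-enabled. If network load balancer or flow logs were also landing in this bucket (the deleted key policy trusted `delivery.logs.amazonaws.com`), this statement no longer admits them and a separate statement is needed. The enclosing `aws_iam_policy_document` continues outside the hunk.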
|
|
@@ -95,74 +100,6 @@ resource "aws_s3_bucket_policy" "aws_elb_bucket_policy" {
|
|
|
depends_on = [ aws_s3_bucket_public_access_block.aws_elb_bucket_block_public_access ]
|
|
|
}
|
|
|
|
|
|
-resource "aws_kms_key" "elb_encryption" {
|
|
|
- description = "This key is used to encrypt ELB Logs"
|
|
|
- deletion_window_in_days = 30
|
|
|
- policy = data.aws_iam_policy_document.elb_encryption_key_policy.json
|
|
|
- enable_key_rotation = true
|
|
|
- tags = merge(var.standard_tags, var.tags)
|
|
|
-}
|
|
|
-
|
|
|
-resource "aws_kms_alias" "elb_encryption" {
|
|
|
- name = "alias/aws_elb_logs"
|
|
|
- target_key_id = aws_kms_key.elb_encryption.key_id
|
|
|
-}
|
|
|
-
|
|
|
-data "aws_iam_policy_document" "elb_encryption_key_policy" {
|
|
|
- statement {
|
|
|
- actions = ["kms:*"]
|
|
|
- effect = "Allow"
|
|
|
- resources = ["*"]
|
|
|
-
|
|
|
- principals {
|
|
|
- type = "AWS"
|
|
|
- identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
- statement {
|
|
|
- actions = [
|
|
|
- "kms:Encrypt*",
|
|
|
- "kms:GenerateDataKey*",
|
|
|
- ]
|
|
|
- effect = "Allow"
|
|
|
- resources = ["*"]
|
|
|
-
|
|
|
- principals {
|
|
|
- type = "AWS"
|
|
|
- identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
- statement {
|
|
|
- actions = [
|
|
|
- "kms:Encrypt*",
|
|
|
- "kms:Decrypt*",
|
|
|
- "kms:ReEncrypt*",
|
|
|
- "kms:GenerateDataKey*",
|
|
|
- "kms:Describe*",
|
|
|
- ]
|
|
|
- effect = "Allow"
|
|
|
- resources = ["*"]
|
|
|
-
|
|
|
- principals {
|
|
|
- type = "Service"
|
|
|
- identifiers = [ "delivery.logs.amazonaws.com"]
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
- statement {
|
|
|
- actions = ["kms:Describe*"]
|
|
|
- effect = "Allow"
|
|
|
- resources = ["*"]
|
|
|
-
|
|
|
- principals {
|
|
|
- type = "Service"
|
|
|
- identifiers = [ "delivery.logs.amazonaws.com" ]
|
|
|
- }
|
|
|
- }
|
|
|
-}
|
|
|
-
|
|
|
#### SQS Queue for Splunk
|
|
|
resource "aws_s3_bucket_notification" "on_new_elb_log" {
|
|
|
bucket = aws_s3_bucket.elb_logging_bucket.bucket
|