Merge pull request #55 from tablexi/va-support-access-logs-for-applic…

…ation-load-balancers Support access logs in application_load_balancer module
tablexi · May 16, 2018 · f6c5976 · f6c5976
2 parents 6c79366 + 1b68eee
commit f6c5976
Show file tree

Hide file tree

Showing 8 changed files with 673 additions and 320 deletions.
diff --git a/aws/application_load_balancer/__examples__/.planshots.txt b/aws/application_load_balancer/__examples__/.planshots.txt
diff --git a/aws/application_load_balancer/__examples__/with_access_logs.tf b/aws/application_load_balancer/__examples__/with_access_logs.tf
@@ -0,0 +1,14 @@
+module "initech_production_load_balancer" {
+  source = "../"
+
+  environment = "production"
+  name        = "initech"
+
+  access_logs_enabled          = true
+  certificate_arn              = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+  instances                    = ["i-09731747ba5296355", "i-0354a7616ba0dc1af"]
+  instances_count              = 2
+  security_group_for_instances = "sg-c94a8777"
+  subnets                      = ["subnet-6fbdeeb3", "subnet-9ce530b1"]
+  vpc_id                       = "vpc-eed63643"
+}
diff --git a/aws/application_load_balancer/load_balancer/main.tf b/aws/application_load_balancer/load_balancer/main.tf
@@ -0,0 +1,87 @@
+locals {
+  # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
+  elastic_load_balancing_account_ids = {
+    ap-northeast-1 = "582318560864"
+    ap-northeast-2 = "600734575887"
+    ap-northeast-3 = "383597477331"
+    ap-south-1     = "718504428378"
+    ap-southeast-1 = "114774131450"
+    ap-southeast-2 = "783225319266"
+    ca-central-1   = "985666609251"
+    eu-central-1   = "054676820928"
+    eu-west-1      = "156460612806"
+    eu-west-2      = "652711504416"
+    eu-west-3      = "009996457667"
+    sa-east-1      = "507241528517"
+    us-east-1      = "127311923021"
+    us-east-2      = "033677994240"
+    us-west-1      = "027434742980"
+    us-west-2      = "797873946194"
+  }
+
+  access_logs_glacier_transition_days = 365
+}
+
+resource "aws_alb" "load_balancer" {
+  count           = "${var.access_logs_enabled ? 0 : 1}"
+  name            = "${var.name}"
+  internal        = "${var.internal}"
+  security_groups = ["${var.security_groups}"]
+  subnets         = ["${var.subnets}"]
+}
+
+resource "aws_alb" "load_balancer_with_access_logs" {
+  count           = "${var.access_logs_enabled ? 1 : 0}"
+  name            = "${var.name}"
+  internal        = "${var.internal}"
+  security_groups = ["${var.security_groups}"]
+  subnets         = ["${var.subnets}"]
+
+  access_logs {
+    bucket  = "${aws_s3_bucket.load_balancer_access_logs.id}"
+    enabled = true
+  }
+}
+
+data "aws_caller_identity" "aws_account" {
+  count = "${var.access_logs_enabled ? 1 : 0}"
+}
+
+resource "aws_s3_bucket" "load_balancer_access_logs" {
+  bucket = "${var.name}-logs"
+  count  = "${var.access_logs_enabled ? 1 : 0}"
+
+  lifecycle_rule {
+    enabled = true
+
+    transition {
+      days          = "${local.access_logs_glacier_transition_days}"
+      storage_class = "GLACIER"
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "load_balancer_access_logs" {
+  bucket = "${aws_s3_bucket.load_balancer_access_logs.id}"
+  count  = "${var.access_logs_enabled ? 1 : 0}"
+
+  policy = <<-JSON
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Action": [
+            "s3:PutObject"
+          ],
+          "Effect": "Allow",
+          "Resource": "${aws_s3_bucket.load_balancer_access_logs.arn}/AWSLogs/${data.aws_caller_identity.aws_account.account_id}/*",
+          "Principal": {
+            "AWS": [
+              "arn:aws:iam::${lookup(local.elastic_load_balancing_account_ids, aws_s3_bucket.load_balancer_access_logs.region)}:root"
+            ]
+          }
+        }
+      ]
+    }
+    JSON
+}
diff --git a/aws/application_load_balancer/load_balancer/outputs.tf b/aws/application_load_balancer/load_balancer/outputs.tf
@@ -0,0 +1,11 @@
+output "arn" {
+  value = "${element(coalescelist(aws_alb.load_balancer.*.arn, aws_alb.load_balancer_with_access_logs.*.arn), 0)}"
+}
+
+output "dns_name" {
+  value = "${element(coalescelist(aws_alb.load_balancer.*.dns_name, aws_alb.load_balancer_with_access_logs.*.dns_name), 0)}"
+}
+
+output "zone_id" {
+  value = "${element(coalescelist(aws_alb.load_balancer.*.zone_id, aws_alb.load_balancer_with_access_logs.*.zone_id), 0)}"
+}
diff --git a/aws/application_load_balancer/load_balancer/variables.tf b/aws/application_load_balancer/load_balancer/variables.tf
@@ -0,0 +1,24 @@
+variable "name" {
+  description = "(Required) The name of this load balancer."
+  type        = "string"
+}
+
+variable "security_groups" {
+  description = "(Required) A list of security group IDs to attach to the load balancer."
+  type        = "list"
+}
+
+variable "subnets" {
+  description = "(Required) A list of subnet IDs to attach to the load balancer."
+  type        = "list"
+}
+
+variable "access_logs_enabled" {
+  description = "(Optional) Boolean to enable / disable access_logs. Defaults to false."
+  default     = false
+}
+
+variable "internal" {
+  description = "(Optional) If true, the LB will be internal. Default false."
+  default     = false
+}
diff --git a/aws/application_load_balancer/main.tf b/aws/application_load_balancer/main.tf
@@ -1,4 +1,6 @@
 locals {
+  access_logs_glacier_transition_days = 365
+
   http_deregistration_delay = 30
   http_health_check_matcher = "200,301"
   http_health_check_timeout = 5
@@ -14,11 +16,14 @@ locals {
   name_prefix = "${var.name}-${var.environment}"
 }
 
-resource "aws_alb" "load_balancer" {
-  name            = "${local.name_prefix}"
-  internal        = "${var.internal}"
-  security_groups = ["${aws_security_group.security_group_on_load_balancer.id}"]
-  subnets         = ["${var.subnets}"]
+module "load_balancer" {
+  source = "./load_balancer"
+
+  access_logs_enabled = "${var.access_logs_enabled}"
+  name                = "${local.name_prefix}"
+  internal            = "${var.internal}"
+  security_groups     = ["${aws_security_group.security_group_on_load_balancer.id}"]
+  subnets             = ["${var.subnets}"]
 }
 
 resource "aws_security_group" "security_group_on_load_balancer" {
@@ -55,7 +60,7 @@ resource "aws_security_group" "security_group_on_load_balancer" {
 }
 
 resource "aws_alb_listener" "http_listener" {
-  load_balancer_arn = "${aws_alb.load_balancer.arn}"
+  load_balancer_arn = "${module.load_balancer.arn}"
   port              = "${local.http_port_for_listener}"
   protocol          = "HTTP"
 
@@ -98,7 +103,7 @@ resource "aws_security_group_rule" "http_ingress_on_instances_from_load_balancer
 
 resource "aws_alb_listener" "https_listener" {
   certificate_arn   = "${var.certificate_arn}"
-  load_balancer_arn = "${aws_alb.load_balancer.arn}"
+  load_balancer_arn = "${module.load_balancer.arn}"
   port              = "${local.https_port_for_listener}"
   protocol          = "HTTPS"
   ssl_policy        = "${var.ssl_policy}"

diff --git a/aws/application_load_balancer/outputs.tf b/aws/application_load_balancer/outputs.tf
@@ -1,7 +1,7 @@
 output "dns_name" {
-  value = "${aws_alb.load_balancer.dns_name}"
+  value = "${module.load_balancer.dns_name}"
 }
 
 output "zone_id" {
-  value = "${aws_alb.load_balancer.zone_id}"
+  value = "${module.load_balancer.zone_id}"
 }
diff --git a/aws/application_load_balancer/variables.tf b/aws/application_load_balancer/variables.tf
@@ -38,6 +38,11 @@ variable "vpc_id" {
   type        = "string"
 }
 
+variable "access_logs_enabled" {
+  description = "(Optional) Boolean to enable / disable access_logs. Defaults to false."
+  default     = false
+}
+
 variable "health_check_path" {
   description = "(Optional) The destination for the health check request. Default /healthz."
   default     = "/healthz"