From 0335aa459dea327fc1263cbbc570e5eb1379e5f6 Mon Sep 17 00:00:00 2001
From: Dudi Zimberknopf
Date: Thu, 7 Nov 2024 16:12:43 +0200
Subject: [PATCH] add access logs bucket
---
 tofu/aws/3-application_plane/main.tf | 49 +++++++++++++++++------
 tofu/aws/3-application_plane/variables.tf | 8 +++-
 2 files changed, 43 insertions(+), 14 deletions(-)
diff --git a/tofu/aws/3-application_plane/main.tf b/tofu/aws/3-application_plane/main.tf
index f6696486..a02b2bf8 100644
--- a/tofu/aws/3-application_plane/main.tf
+++ b/tofu/aws/3-application_plane/main.tf
@@ -15,8 +15,8 @@ locals {
     }),
     {}
   )
-  app_plane_account = local.workload_accounts[var.app_plane_account_name]
-  app_plane_trail_bucket_name = nonsensitive("${lower(replace(var.app_plane_account_name, " ", "-"))}-cloudtrail-${random_bytes.suffix.hex}")
+  app_plane_account = local.workload_accounts[var.app_plane_account_name]
+  app_plane_trail_bucket_name = nonsensitive("${lower(replace(var.app_plane_account_name, " ", "-"))}-cloudtrail-${random_bytes.suffix.hex}")
+  app_plane_access_logs_bucket_name = nonsensitive("${lower(replace(var.app_plane_account_name, " ", "-"))}-access-logs-${random_bytes.suffix.hex}")
 }
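Review bot: The new `app_plane_access_logs_bucket_name` copies the trail-bucket derivation `lower(replace(var.app_plane_account_name, " ", "-"))`, which only normalises case and spaces; S3 bucket names also reject underscores and most punctuation, so an account name containing them would fail at bucket creation for both buckets. A stricter normalisation such as `replace(lower(var.app_plane_account_name), "/[^a-z0-9.-]/", "-")`, or a `validation` block on the variable in variables.tf, would make the naming robust. The expression also unwraps a sensitive variable with `nonsensitive()` and publishes it as a globally visible S3 bucket name, so this scheme presumably assumes the account name is not confidential — worth confirming. The `locals` block starts outside the hunk.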
@@ -69,29 +69,52 @@ module "aws-s3-bucket" {
   }
 }
+data "aws_iam_policy_document" "access_logs_bucket_policy" {
+
+  statement {
+    effect = "Allow"
+    actions = ["s3:GetBucketAcl"]
+    resources = ["arn:aws:s3:::${local.app_plane_access_logs_bucket_name}"]
+    principals {
+      type = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+  }
+
+  statement {
+    effect = "Allow"
+    actions = ["s3:PutObject"]
+    resources = ["arn:aws:s3:::${local.app_plane_access_logs_bucket_name}/*"]
+    principals {
+      type = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+  }
+}
+
 module "aws-s3-bucket-access-logs" {
   source = "trussworks/s3-private-bucket/aws"
   bucket = local.app_plane_access_logs_bucket_name
   use_account_alias_prefix = false
   enable_analytics = false
-  custom_bucket_policy = data.aws_iam_policy_document.cloudtrail_bucket_policy.json
+  custom_bucket_policy = data.aws_iam_policy_document.access_logs_bucket_policy.json
   providers = {
     aws = aws.app-plane-account
   }
 }
-module "cloudtrail" {
-  source = "trussworks/cloudtrail/aws"
-  version = "5.2.0"
+# module "cloudtrail" {
+#   source = "trussworks/cloudtrail/aws"
+#   version = "5.2.0"
-  s3_bucket_name = module.aws-s3-bucket.id
-  log_retention_days = var.cloudtrail_retention_days
+#   s3_bucket_name = module.aws-s3-bucket.id
+#   log_retention_days = var.cloudtrail_retention_days
-  providers = {
-    aws = aws.app-plane-account
-  }
+#   providers = {
+#     aws = aws.app-plane-account
+#   }
-  depends_on = [module.aws-s3-bucket, data.aws_iam_policy_document.cloudtrail_bucket_policy]
-}
+#   depends_on = [module.aws-s3-bucket, data.aws_iam_policy_document.cloudtrail_bucket_policy]
+# }
diff --git a/tofu/aws/3-application_plane/variables.tf b/tofu/aws/3-application_plane/variables.tf
index fc63747a..226259a4 100644
--- a/tofu/aws/3-application_plane/variables.tf
+++ b/tofu/aws/3-application_plane/variables.tf
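Review bot: Commenting out `module "cloudtrail"` instead of removing or gating it will destroy the trail on the next apply, so the app-plane account loses CloudTrail audit logging while `var.cloudtrail_retention_days` and `module.aws-s3-bucket` stay behind; the commit message ("add access logs bucket") does not mention this, so it looks unintentional, and if it is deliberate an explicit toggle such as `count = var.enable_cloudtrail ? 1 : 0` is a safer switch than comment markers. In `access_logs_bucket_policy` the `s3:PutObject` statement lets `delivery.logs.amazonaws.com` write anywhere under `${local.app_plane_access_logs_bucket_name}/*` with no condition, so log delivery configured from any AWS account can be pointed at this bucket; AWS's documented policy for this principal scopes it with `aws:SourceAccount` and `s3:x-amz-acl = bucket-owner-full-control`, as in the rewritten statement below, and the `s3:GetBucketAcl` statement should carry the same `aws:SourceAccount` condition. `delivery.logs.amazonaws.com` is the principal used for NLB access logs and VPC Flow Logs; ALB access logs are written by the regional ELB account (or `logdelivery.elasticloadbalancing.amazonaws.com` in newer regions), so if this bucket is meant for ALB logs the principal likely needs to change as well — confirm which load balancer type this serves.

```hcl
data "aws_iam_policy_document" "access_logs_bucket_policy" {
  # … unchanged: s3:GetBucketAcl statement …

  statement {
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${local.app_plane_access_logs_bucket_name}/*"]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    # Log delivery must hand ownership of objects to the bucket owner.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    # Only deliveries configured in the app-plane account may write here.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["<APP_PLANE_ACCOUNT_ID>"] # placeholder: resolve from local.app_plane_account
    }
  }
}
```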
@@ -17,4 +17,10 @@ variable "cloudtrail_retention_days" {
   type = number
   description = "Number of days to retain CloudTrail logs"
   default = 90
-}
\ No newline at end of file
+}
+
+variable "app_plane_lb_bucket_access_allow_list" {
+  type = list(string)
+  description = "List of ARNs of load balancers that are allowed to write to the access logs bucket"
+  default = []
+}
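Review bot: `app_plane_lb_bucket_access_allow_list` is declared here but nothing in this patch references it, so it is dead configuration and the access-logs bucket policy in main.tf currently accepts log delivery without any `aws:SourceArn` or `aws:SourceAccount` restriction. If it is meant to feed an `aws:SourceArn` condition in `access_logs_bucket_policy`, note that IAM rejects a condition with an empty `values` list, so with `default = []` the condition must be emitted conditionally (`dynamic "condition" { for_each = length(var.app_plane_lb_bucket_access_allow_list) > 0 ? [1] : [] ... }`) or the default should be dropped so callers have to supply the list. A `validation` block checking that each entry looks like an ELB ARN would also catch typos before they silently widen or break the policy.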