Add access logging for load-balancer

Author: manics

ecs-cluster/keycloak.tf

@@ -84,6 +84,62 @@ resource "aws_security_group" "ecs-task-keycloak" {
   }
 }
 
+# Load balancer logs
+resource "aws_s3_bucket" "alb-logs" {
+  bucket_prefix = "${var.name}-logs-"
+}
+
+data "aws_iam_policy_document" "alb-logs" {
+  statement {
+    principals {
+      type        = var.loadbalancer-logging-iam-principal.type
+      identifiers = [var.loadbalancer-logging-iam-principal.identifier]
+    }
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      "${aws_s3_bucket.alb-logs.arn}/access-logs/*"
+    ]
+  }
+}
+
+resource "aws_s3_bucket_policy" "alb-logs" {
+  bucket = aws_s3_bucket.alb-logs.id
+  policy = data.aws_iam_policy_document.alb-logs.json
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "alb-logs-encryption" {
+  bucket = aws_s3_bucket.alb-logs.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+resource "aws_s3_bucket_versioning" "alb-logs" {
+  bucket = aws_s3_bucket.alb-logs.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "alb-logs" {
+  bucket = aws_s3_bucket.alb-logs.id
+  rule {
+    id = "delete-access-logs-${var.expire-access-logs-days}-days"
+    filter {
+      prefix = "access-logs/"
+    }
+    expiration {
+      days = var.expire-access-logs-days
+    }
+    status = "Enabled"
+  }
+}
+
 # Load balancer
 
 resource "aws_lb" "keycloak" {
@@ -96,6 +152,12 @@ resource "aws_lb" "keycloak" {
   enable_deletion_protection = true
 
   preserve_host_header = true
+
+  access_logs {
+    bucket  = aws_s3_bucket.alb-logs.id
+    prefix  = "access-logs"
+    enabled = true
+  }
 }
 
 resource "aws_alb_target_group" "keycloak" {

ecs-cluster/variables.tf

@@ -87,6 +87,24 @@ variable "desired-count" {
   default     = 1
 }
 
+variable "loadbalancer-logging-iam-principal" {
+  type        = map(string)
+  description = "IAM principal type and identifier for the elastic load balancer logger. This is complicated, see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html#attach-bucket-policy"
+
+  # For eu-west-2 this is a hard-coded AWS account ID belonging to AWS
+  # and not Service: logdelivery.elasticloadbalancing.amazonaws.com
+  default = {
+    type       = "AWS"
+    identifier = "arn:aws:iam::652711504416:root"
+  }
+}
+
+variable "expire-access-logs-days" {
+  type        = number
+  description = "Automatically delete access logs after this number of days"
+  default     = 3653
+}
+
 variable "default-tags" {
   type = map(any)
   default = {