Enable access and connection logs for AWS ALB module

OlamideOl1 · OlamideOl1 · commit 5564e5662b87 · 2025-03-26T11:35:39.000+01:00
diff --git a/modules/alb/main.tf b/modules/alb/main.tf
@@ -1,8 +1,35 @@
 resource "aws_alb" "this" {
   name            = var.name
   security_groups = [aws_security_group.this.id]
-  subnets         = var.subnet_ids
-  tags            = var.tags
+
+  dynamic "connection_logs" {
+    for_each = var.enable_connection_logs ? [1] : []
+    content {
+      bucket  = var.s3_bucket_name != "" ? var.s3_bucket_name : aws_s3_bucket.lb_logs[0].id
+      prefix  = "connectionlogs"
+      enabled = true
+    }
+  }
+
+  dynamic "access_logs" {
+    for_each = var.enable_access_logs ? [1] : []
+    content {
+      bucket  = var.s3_bucket_name != "" ? var.s3_bucket_name : aws_s3_bucket.lb_logs[0].id
+      prefix  = "accesslogs"
+      enabled = true
+    }
+  }
+  subnets = var.subnet_ids
+  tags    = var.tags
+}
+
+resource "aws_s3_bucket" "lb_logs" {
+  count  = var.s3_bucket_name == "" ? 1 : 0
+  bucket = var.s3_bucket_name == "" ? "${var.name}-alb-logs-${random_id.suffix.hex}" : var.s3_bucket_name
+}
+
+resource "random_id" "suffix" {
+  byte_length = 4
 }
 
 resource "aws_security_group" "this" {
diff --git a/modules/alb/variables.tf b/modules/alb/variables.tf
@@ -3,11 +3,29 @@ variable "description" {
   type        = string
 }
 
+variable "enable_access_logs" {
+  type        = bool
+  default     = false
+  description = "Enable or disable ALB access logs. If set to true, logs will be stored in an S3 bucket."
+}
+
+variable "enable_connection_logs" {
+  type        = bool
+  default     = false
+  description = "Enable or disable ALB connection logs. If set to true, logs will be stored in an S3 bucket."
+}
+
 variable "name" {
   description = "Name for this load balancer"
   type        = string
 }
 
+variable "s3_bucket_name" {
+  type        = string
+  default     = ""
+  description = "Optional S3 bucket name for storing ALB access logs. If not provided, a new bucket will be created."
+}
+
 variable "security_group_name" {
   type        = string
   description = "Name for the load balancer security group; defaults to name"
