Improve module versions + add alb access logs example (#3)

Author: marcincuber

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v2.5.0
+  rev: v3.2.0
   hooks:
   - id: check-added-large-files
     args: ['--maxkb=500']
@@ -18,7 +18,7 @@ repos:
     args: ['--allow-missing-credentials']
   - id: trailing-whitespace
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.29.0
+  rev: v1.31.0
   hooks:
   - id: terraform_fmt
   - id: terraform_docs

README.md

@@ -18,7 +18,7 @@ Terraform 0.12. Pin module version to `~> v1.0`. Submit pull-requests to `master
 ```hcl
 module "alb" {
   source = "umotif-public/alb/aws"
-  version = "~> 1.2.0"
+  version = "~> 1.2.1"
 
   name_prefix = "complete-alb"
 
@@ -43,7 +43,7 @@ module "alb" {
 ```hcl
 module "nlb" {
   source = "umotif-public/alb/aws"
-  version = "~> 1.2.0"
+  version = "~> 1.2.1"
 
   name = "complete-nlb"
 
@@ -70,6 +70,8 @@ Module is to be used with Terraform > 0.12.
 ## Examples
 
 * [Application Load Balancer ALB](https://github.com/umotif-public/terraform-aws-alb/tree/master/examples/alb)
+* [Application Load Balancer ALB with S3 access logs](https://github.com/umotif-public/terraform-aws-alb/tree/master/examples/alb-with-s3-access-logs)
+* [Application Load Balancer NLB](https://github.com/umotif-public/terraform-aws-alb/tree/master/examples/nlb)
 
 ## Authors
 
@@ -80,14 +82,14 @@ Module managed by [Marcin Cuber](https://github.com/marcincuber) [linkedin](http
 
 | Name | Version |
 |------|---------|
-| terraform | ~> 0.12.6 |
-| aws | ~> 2.45 |
+| terraform | >= 0.12.6, < 0.14 |
+| aws | >= 2.45, < 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | ~> 2.45 |
+| aws | >= 2.45, < 4.0 |
 
 ## Inputs
 

examples/alb-with-s3-access-logs/data.tf

@@ -0,0 +1,3 @@
+data "aws_availability_zones" "available" {}
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}

examples/alb-with-s3-access-logs/main.tf

@@ -0,0 +1,150 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+#####
+# VPC and subnets
+#####
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "2.44.0"
+
+  name = "simple-vpc"
+
+  cidr = "10.0.0.0/16"
+
+  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+  enable_nat_gateway = false
+
+  tags = {
+    Environment = "test"
+  }
+}
+
+#####
+# Application Load Balancer
+#####
+module "alb" {
+  source = "../../"
+
+  name_prefix = "example-with-access-logs"
+
+  load_balancer_type = "application"
+
+  internal = false
+  vpc_id   = module.vpc.vpc_id
+  subnets  = flatten([module.vpc.public_subnets])
+
+  enable_http_to_https_redirect = true
+  cidr_blocks_redirect          = ["10.10.0.0/16"]
+
+  access_logs = {
+    bucket  = aws_s3_bucket.alb_access_logs.bucket
+    prefix  = "example-with-access-logs-alb"
+    enabled = true
+  }
+
+  tags = {
+    Project = "Test"
+  }
+}
+
+#####
+# ALB listener
+#####
+resource "aws_lb_listener" "alb_80_redirect_to_443" {
+  load_balancer_arn = module.alb.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+#####
+# SGs
+#####
+resource "aws_security_group_rule" "alb_ingress_443" {
+  security_group_id = module.alb.security_group_id
+  type              = "ingress"
+  protocol          = "tcp"
+  from_port         = 443
+  to_port           = 443
+  cidr_blocks       = ["0.0.0.0/0"]
+  ipv6_cidr_blocks  = ["::/0"]
+}
+
+#####
+# S3 bucket storing ALB access logs
+#####
+locals {
+  alb_root_account_id = "156460612806" # valid account id for Ireland Region. Full list -> https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
+}
+
+resource "aws_s3_bucket" "alb_access_logs" {
+  bucket = "example-alb-access-logs-bucket"
+  acl    = "private"
+  region = data.aws_region.current.name
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowELBRootAccount",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::${local.alb_root_account_id}:root"
+      },
+      "Action": "s3:PutObject",
+      "Resource": "arn:aws:s3:::example-alb-access-logs-bucket/*"
+    },
+    {
+      "Sid": "AWSLogDeliveryWrite",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "delivery.logs.amazonaws.com"
+      },
+      "Action": "s3:PutObject",
+      "Resource": "arn:aws:s3:::example-alb-access-logs-bucket/*",
+      "Condition": {
+        "StringEquals": {
+          "s3:x-amz-acl": "bucket-owner-full-control"
+        }
+      }
+    },
+    {
+      "Sid": "AWSLogDeliveryAclCheck",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "delivery.logs.amazonaws.com"
+      },
+      "Action": "s3:GetBucketAcl",
+      "Resource": "arn:aws:s3:::example-alb-access-logs-bucket"
+    }
+  ]
+}
+POLICY
+
+  tags = {
+    Environment = "test"
+  }
+}

versions.tf

@@ -1,7 +1,7 @@
 terraform {
-  required_version = "~> 0.12.6"
+  required_version = ">= 0.12.6, < 0.14"
 
   required_providers {
-    aws = "~> 2.45"
+    aws = ">= 2.45, < 4.0"
   }
 }