Upgraded to 5.x compatibility + refactored S3 bucket for ALB (#8)

Mohammed-afk91 · Ohid25 · web-flow · commit 721450c96caa · 2023-07-31T12:34:59.000+01:00
* Upgraded to 5.x compatibility + refactored S3 bucket for ALB security logs

* Changed the AWS version back to the original minimum version

* Update main.tf

Co-authored-by: Abdul Wahid &lt;wahid.abdul.m@gmail.com&gt;

* Update versions.tf

Co-authored-by: Abdul Wahid &lt;wahid.abdul.m@gmail.com&gt;

* Update examples/alb-with-s3-access-logs/versions.tf

Co-authored-by: Abdul Wahid &lt;wahid.abdul.m@gmail.com&gt;

* Update examples/alb/versions.tf

Co-authored-by: Abdul Wahid &lt;wahid.abdul.m@gmail.com&gt;

* Update examples/nlb/versions.tf

Co-authored-by: Abdul Wahid &lt;wahid.abdul.m@gmail.com&gt;

---------

Co-authored-by: Abdul Wahid &lt;wahid.abdul.m@gmail.com&gt;
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,10 +1,9 @@
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.4.0
+  rev: v4.4.0
   hooks:
   - id: check-added-large-files
     args: ['--maxkb=500']
-  - id: check-executables-have-shebangs
   - id: pretty-format-json
     args: ['--autofix', '--no-sort-keys', '--indent=2']
   - id: check-byte-order-marker
@@ -17,8 +16,8 @@ repos:
   - id: detect-aws-credentials
     args: ['--allow-missing-credentials']
   - id: trailing-whitespace
-- repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.50.0
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.81.0
   hooks:
   - id: terraform_fmt
   - id: terraform_docs
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 <a name="unreleased"></a>
 ## [Unreleased]
 
+- Upgraded to 5.x compatibility + refactored S3 bucket for ALB security logs
+
+
+<a name="2.1.0"></a>
+## [2.1.0] - 2021-05-14
+
+- Add tags to alb listener ([#6](https://github.com/umotif-public/terraform-aws-alb/issues/6))
 - Update README.md
 
 
@@ -53,16 +60,31 @@ All notable changes to this project will be documented in this file.
 
 
 <a name="1.0.2"></a>
-## 1.0.2 - 2019-12-12
+## [1.0.2] - 2019-12-12
 
 - Add default redirect and nlb example
 
 
-[Unreleased]: https://github.com/umotif-public/terraform-aws-alb/compare/2.0.0...HEAD
+<a name="1.0.1"></a>
+## [1.0.1] - 2019-12-11
+
+- add documentation
+
+
+<a name="1.0.0"></a>
+## 1.0.0 - 2019-12-11
+
+- initial module push
+
+
+[Unreleased]: https://github.com/umotif-public/terraform-aws-alb/compare/2.1.0...HEAD
+[2.1.0]: https://github.com/umotif-public/terraform-aws-alb/compare/2.0.0...2.1.0
 [2.0.0]: https://github.com/umotif-public/terraform-aws-alb/compare/1.2.2...2.0.0
 [1.2.2]: https://github.com/umotif-public/terraform-aws-alb/compare/1.2.1...1.2.2
 [1.2.1]: https://github.com/umotif-public/terraform-aws-alb/compare/1.2.0...1.2.1
 [1.2.0]: https://github.com/umotif-public/terraform-aws-alb/compare/1.1.0...1.2.0
 [1.1.0]: https://github.com/umotif-public/terraform-aws-alb/compare/1.0.4...1.1.0
 [1.0.4]: https://github.com/umotif-public/terraform-aws-alb/compare/1.0.3...1.0.4
 [1.0.3]: https://github.com/umotif-public/terraform-aws-alb/compare/1.0.2...1.0.3
+[1.0.2]: https://github.com/umotif-public/terraform-aws-alb/compare/1.0.1...1.0.2
+[1.0.1]: https://github.com/umotif-public/terraform-aws-alb/compare/1.0.0...1.0.1
diff --git a/README.md b/README.md
@@ -72,21 +72,23 @@ module "nlb" {
 
 ## Authors
 
-Module managed by [Marcin Cuber](https://github.com/marcincuber) [LinkedIn](https://www.linkedin.com/in/marcincuber/).
+## Authors
+
+Module managed by [uMotif](https://github.com/umotif-public/).
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.6 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.40 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0.11 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.40.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.40 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.40.0 |
 
 ## Modules
 
diff --git a/examples/alb-with-s3-access-logs/main.tf b/examples/alb-with-s3-access-logs/main.tf
@@ -1,17 +1,17 @@
-provider "aws" {
-  region = "eu-west-1"
-}
-
 #####
 # VPC and subnets
 #####
 data "aws_vpc" "default" {
   default = true
 }
 
-data "aws_subnet_ids" "all" {
-  vpc_id = data.aws_vpc.default.id
+data "aws_subnets" "all" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
 }
+
 #####
 # Application Load Balancer
 #####
@@ -24,7 +24,7 @@ module "alb" {
 
   internal = false
   vpc_id   = data.aws_vpc.default.id
-  subnets  = data.aws_subnet_ids.all.ids
+  subnets  = data.aws_subnets.all.ids
 
   enable_http_to_https_redirect = true
   cidr_blocks_redirect          = ["10.10.0.0/16"]
@@ -76,62 +76,74 @@ resource "aws_security_group_rule" "alb_ingress_443" {
 # S3 bucket storing ALB access logs
 #####
 locals {
-  alb_root_account_id = "156460612806" # valid account id for Ireland Region. Full list -> https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
+  alb_root_account_id = "156460612806" # valid account id for Ireland Region. Full list -> https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html
 }
 
 resource "aws_s3_bucket" "alb_access_logs" {
   bucket = "example-alb-access-logs-bucket"
-  acl    = "private"
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "AES256"
-      }
+  tags = {
+    Environment = "test"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "alb_access_logs_encryption" {
+  bucket = aws_s3_bucket.alb_access_logs.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
     }
   }
+}
 
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Sid": "AllowELBRootAccount",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::${local.alb_root_account_id}:root"
+resource "aws_s3_bucket_policy" "alb_access_logs_bucket_policy" {
+  bucket = aws_s3_bucket.alb_access_logs.id
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "AllowELBRootAccount",
+        "Effect" : "Allow",
+        "Action" : "s3:PutObject",
+        "Resource" : "arn:aws:s3:::example-alb-access-logs-bucket/*",
+        "Principal" : {
+          "AWS" : "arn:aws:iam::${local.alb_root_account_id}:root"
+        }
       },
-      "Action": "s3:PutObject",
-      "Resource": "arn:aws:s3:::example-alb-access-logs-bucket/*"
-    },
-    {
-      "Sid": "AWSLogDeliveryWrite",
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "delivery.logs.amazonaws.com"
+      {
+        "Sid" : "AWSLogDeliveryWrite",
+        "Effect" : "Allow",
+        "Action" : "s3:PutObject",
+        "Resource" : "arn:aws:s3:::example-alb-access-logs-bucket/*",
+        "Condition" : {
+          "StringEquals" : {
+            "s3:x-amz-acl" : "bucket-owner-full-control"
+          }
+        },
+        "Principal" : {
+          "Service" : "delivery.logs.amazonaws.com"
+        }
       },
-      "Action": "s3:PutObject",
-      "Resource": "arn:aws:s3:::example-alb-access-logs-bucket/*",
-      "Condition": {
-        "StringEquals": {
-          "s3:x-amz-acl": "bucket-owner-full-control"
+      {
+        "Sid" : "AWSLogDeliveryAclCheck",
+        "Effect" : "Allow",
+        "Action" : "s3:GetBucketAcl",
+        "Resource" : "arn:aws:s3:::example-alb-access-logs-bucket",
+        "Principal" : {
+          "Service" : "delivery.logs.amazonaws.com"
         }
-      }
-    },
-    {
-      "Sid": "AWSLogDeliveryAclCheck",
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "delivery.logs.amazonaws.com"
       },
-      "Action": "s3:GetBucketAcl",
-      "Resource": "arn:aws:s3:::example-alb-access-logs-bucket"
-    }
-  ]
-}
-POLICY
-
-  tags = {
-    Environment = "test"
-  }
-}
+      {
+        "Sid" : "AllowALBAccess",
+        "Effect" : "Allow",
+        "Action" : "s3:PutObject",
+        "Resource" : "arn:aws:s3:::example-alb-access-logs-bucket/*",
+        "Principal" : {
+          "Service" : "elasticloadbalancing.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
diff --git a/examples/alb-with-s3-access-logs/versions.tf b/examples/alb-with-s3-access-logs/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0.11"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "aws" {
+  region = "eu-west-1"
+}
diff --git a/examples/alb/main.tf b/examples/alb/main.tf
@@ -1,16 +1,19 @@
-provider "aws" {
-  region = "eu-west-1"
-}
-
 #####
 # VPC and subnets
 #####
 data "aws_vpc" "default" {
   default = true
 }
 
-data "aws_subnet_ids" "all" {
-  vpc_id = data.aws_vpc.default.id
+#####
+# VPC and subnets
+#####
+
+data "aws_subnets" "all" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
 }
 #####
 # Application Load Balancer
@@ -24,7 +27,7 @@ module "alb" {
 
   internal = false
   vpc_id   = data.aws_vpc.default.id
-  subnets  = data.aws_subnet_ids.all.ids
+  subnets  = data.aws_subnets.all.ids
 
   enable_http_to_https_redirect = true
   cidr_blocks_redirect          = ["10.10.0.0/16"]
diff --git a/examples/alb/versions.tf b/examples/alb/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0.11"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "aws" {
+  region = "eu-west-1"
+}
diff --git a/examples/nlb/main.tf b/examples/nlb/main.tf
@@ -1,17 +1,17 @@
-provider "aws" {
-  region = "eu-west-1"
-}
-
 #####
 # VPC and subnets
 #####
 data "aws_vpc" "default" {
   default = true
 }
 
-data "aws_subnet_ids" "all" {
-  vpc_id = data.aws_vpc.default.id
+data "aws_subnets" "all" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
 }
+
 # resource "aws_eip" "main" {
 #   count = length(module.vpc.public_subnets)
 
@@ -29,7 +29,7 @@ module "nlb" {
   load_balancer_type = "network"
 
   vpc_id  = data.aws_vpc.default.id
-  subnets = data.aws_subnet_ids.all.ids
+  subnets = data.aws_subnets.all.ids
 
   //  Use `subnet_mapping` to attach EIPs and comment out `subnets`
   // subnet_mapping = [for i, eip in aws_eip.main : { allocation_id : eip.id, subnet_id : tolist(module.vpc.public_subnets)[i] }]
diff --git a/examples/nlb/versions.tf b/examples/nlb/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0.11"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "aws" {
+  region = "eu-west-1"
+}
diff --git a/main.tf b/main.tf
@@ -4,7 +4,7 @@ resource "aws_lb" "main" {
   load_balancer_type = var.load_balancer_type
   internal           = var.internal
   subnets            = var.subnets
-  security_groups    = aws_security_group.main.*.id
+  security_groups    = aws_security_group.main[0].id
 
   idle_timeout                     = var.idle_timeout
   enable_deletion_protection       = var.enable_deletion_protection
diff --git a/versions.tf b/versions.tf
@@ -1,7 +1,10 @@
 terraform {
-  required_version = ">= 0.12.6"
+  required_version = ">= 1.0.11"
 
   required_providers {
-    aws = ">= 3.40"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.40.0"
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,10 @@`
`1`	`1`	`terraform {`
`2`		`- required_version = ">= 0.12.6"`
	`2`	`+ required_version = ">= 1.0.11"`
`3`	`3`
`4`	`4`	`required_providers {`
`5`		`- aws = ">= 3.40"`
	`5`	`+ aws = {`
	`6`	`+ source = "hashicorp/aws"`
	`7`	`+ version = ">= 3.40.0"`
	`8`	`+ }`
`6`	`9`	`}`
`7`	`10`	`}`