nozaq · guangie88 · Apr 1, 2024
diff --git a/bucket.tf b/bucket.tf
@@ -39,6 +39,7 @@ module "audit_log_bucket" {
   log_bucket_name                   = var.audit_log_bucket_access_logs_name != "" ? var.audit_log_bucket_access_logs_name : "${var.audit_log_bucket_name}-access-logs"
   lifecycle_glacier_transition_days = var.audit_log_lifecycle_glacier_transition_days
   force_destroy                     = var.audit_log_bucket_force_destroy
+  use_external_log_bucket_policy    = var.use_external_audit_access_log_bucket_policy
 
   tags = var.tags
 
@@ -248,7 +249,7 @@ data "aws_iam_policy_document" "audit_log" {
 }
 
 resource "aws_s3_bucket_policy" "audit_log" {
-  count = local.use_external_bucket ? 0 : 1
+  count = local.use_external_bucket || var.use_external_audit_log_bucket_policy ? 0 : 1
 
   bucket = module.audit_log_bucket[0].this_bucket.id
   policy = data.aws_iam_policy_document.audit_log[0].json

diff --git a/modules/secure-bucket/main.tf b/modules/secure-bucket/main.tf
@@ -59,6 +59,8 @@ resource "aws_s3_bucket_lifecycle_configuration" "access_log" {
 }
 
 resource "aws_s3_bucket_policy" "access_log_policy" {
+  count = var.use_external_log_bucket_policy ? 0 : 1
+
   bucket = aws_s3_bucket.access_log.id
   policy = data.aws_iam_policy_document.access_log_policy.json
 

diff --git a/modules/secure-bucket/migrations.tf b/modules/secure-bucket/migrations.tf
@@ -8,10 +8,13 @@ moved {
   to   = aws_s3_bucket.access_log
 }
 
-moved {
-  from = aws_s3_bucket_policy.access_log_policy[0]
-  to   = aws_s3_bucket_policy.access_log_policy
-}
+# Migrations to 2.2.0-custom
+# Allowing bucket policy to be exported out and not be applied
+
+# moved {
+#   from = aws_s3_bucket_policy.access_log_policy[0]
+#   to   = aws_s3_bucket_policy.access_log_policy
+# }
 
 moved {
   from = aws_s3_bucket_public_access_block.access_log[0]
@@ -27,4 +30,3 @@ moved {
   from = aws_s3_bucket_public_access_block.content[0]
   to   = aws_s3_bucket_public_access_block.content
 }
-
diff --git a/modules/secure-bucket/outputs.tf b/modules/secure-bucket/outputs.tf
@@ -7,3 +7,8 @@ output "log_bucket" {
   description = "The S3 bucket used for storing access logs of this bucket."
   value       = aws_s3_bucket.access_log
 }
+
+output "log_bucket_policy" {
+  description = "Bucket policy to use on the bucket for the access logs."
+  value       = data.aws_iam_policy_document.access_log_policy
+}
diff --git a/modules/secure-bucket/variables.tf b/modules/secure-bucket/variables.tf
@@ -33,3 +33,9 @@ variable "bucket_key_enabled" {
   type        = bool
   default     = false
 }
+
+variable "use_external_log_bucket_policy" {
+  description = "Whether or not to apply bucket policy onto log bucket directly."
+  type        = bool
+  default     = false
+}
diff --git a/outputs.tf b/outputs.tf
@@ -7,6 +7,11 @@ output "audit_bucket" {
   value       = one(module.audit_log_bucket[*].this_bucket)
 }
 
+output "audit_bucket_policy" {
+  description = "Bucket policy of the audit logs bucket."
+  value       = one(data.aws_iam_policy_document.audit_log[*])
+}
+
 # --------------------------------------------------------------------------------------------------
 # Outputs from alarm-baseline module.
 # --------------------------------------------------------------------------------------------------
@@ -137,6 +142,15 @@ output "support_iam_role" {
   value       = one(module.iam_baseline[*].support_iam_role)
 }
 
+# --------------------------------------------------------------------------------------------------
+# Outputs from secure-bucket module.
+# --------------------------------------------------------------------------------------------------
+
+output "access_log_bucket_policy" {
+  description = "Bucket policy of the access logs bucket of audit logs."
+  value       = one(module.audit_log_bucket[*].log_bucket_policy)
+}
+
 # --------------------------------------------------------------------------------------------------
 # Outputs from vpc-baseline module.
 # --------------------------------------------------------------------------------------------------

diff --git a/variables.tf b/variables.tf
@@ -115,6 +115,18 @@ variable "use_external_audit_log_bucket" {
   default     = false
 }
 
+variable "use_external_audit_log_bucket_policy" {
+  description = "Whether or not to apply bucket policy onto audit log bucket directly."
+  type        = bool
+  default     = false
+}
+
+variable "use_external_audit_access_log_bucket_policy" {
+  description = "Whether or not to apply bucket policy onto the access logs bucket corresponding to audit log bucket directly."
+  type        = bool
+  default     = false
+}
+
 # --------------------------------------------------------------------------------------------------
 # Variables for iam-baseline module.
 # --------------------------------------------------------------------------------------------------