fixups

README.md

@@ -205,8 +205,10 @@ module "github_runner" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_build_timeout"></a> [build\_timeout](#input\_build\_timeout) | Number of minutes, from 5 to 2160 (36 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed. | `number` | `5` | no |
+| <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events | `number` | `14` | no |
 | <a name="input_cloudwatch_logs_group_name"></a> [cloudwatch\_logs\_group\_name](#input\_cloudwatch\_logs\_group\_name) | Name of the log group used by the codebuild project. If blank then a default is used. | `string` | `null` | no |
 | <a name="input_cloudwatch_logs_stream_name"></a> [cloudwatch\_logs\_stream\_name](#input\_cloudwatch\_logs\_stream\_name) | Name of the log stream used by the codebuild project. If blank then a default is used. | `string` | `null` | no |
+| <a name="input_create_cloudwatch_log_group"></a> [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a log group is created by this module. If not, AWS will automatically create one if logging is enabled | `bool` | `true` | no |
 | <a name="input_description"></a> [description](#input\_description) | Short description of the project. | `string` | `null` | no |
 | <a name="input_environment_compute_type"></a> [environment\_compute\_type](#input\_environment\_compute\_type) | Information about the compute resources the build project will use. Valid values: BUILD\_GENERAL1\_SMALL, BUILD\_GENERAL1\_MEDIUM, BUILD\_GENERAL1\_LARGE, BUILD\_GENERAL1\_2XLARGE, BUILD\_LAMBDA\_1GB, BUILD\_LAMBDA\_2GB, BUILD\_LAMBDA\_4GB, BUILD\_LAMBDA\_8GB, BUILD\_LAMBDA\_10GB. BUILD\_GENERAL1\_SMALL is only valid if type is set to LINUX\_CONTAINER. When type is set to LINUX\_GPU\_CONTAINER, compute\_type must be BUILD\_GENERAL1\_LARGE. When type is set to LINUX\_LAMBDA\_CONTAINER or ARM\_LAMBDA\_CONTAINER, compute\_type must be BUILD\_LAMBDA\_XGB | `string` | `"BUILD_GENERAL1_SMALL"` | no |
 | <a name="input_environment_image"></a> [environment\_image](#input\_environment\_image) | Docker image to use for this build project. Valid values include Docker images provided by CodeBuild (e.g aws/codebuild/amazonlinux2-x86\_64-standard:4.0), Docker Hub images (e.g., hashicorp/terraform:latest). If use\_ecr\_image is set to true, this value will be ignored and the ECR image location will be used. | `string` | `"aws/codebuild/amazonlinux2-x86_64-standard:5.0"` | no |
@@ -218,7 +220,8 @@ module "github_runner" {
 | <a name="input_iam_role_policies"></a> [iam\_role\_policies](#input\_iam\_role\_policies) | Map of IAM role policy ARNs to attach to the IAM role | `map(string)` | `{}` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | The AWS KMS key to be used | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Created resources will be named with this. | `string` | n/a | yes |
-| <a name="input_s3_logs_location"></a> [s3\_logs\_location](#input\_s3\_logs\_location) | Value of the S3 bucket to store logs in, if left blank a bucket will be created | `string` | `null` | no |
+| <a name="input_s3_logs_bucket_name"></a> [s3\_logs\_bucket\_name](#input\_s3\_logs\_bucket\_name) | Name of the S3 bucket to store logs in. If null then logging to S3 will be disabled. | `string` | `null` | no |
+| <a name="input_s3_logs_bucket_prefix"></a> [s3\_logs\_bucket\_prefix](#input\_s3\_logs\_bucket\_prefix) | Prefix to use for the logs in the S3 bucket | `string` | `""` | no |
 | <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | The list of Security Group IDs for AWS Codebuild to launch ephemeral EC2 instances in. | `list(string)` | `[]` | no |
 | <a name="input_source_location"></a> [source\_location](#input\_source\_location) | Your source code repo location, for example https://github.com/my/repo.git | `string` | n/a | yes |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | The list of Subnet IDs for AWS Codebuild to launch ephemeral EC2 instances in. | `list(string)` | `[]` | no |
@@ -278,6 +281,7 @@ No modules.
 | [aws_vpc_security_group_egress_rule.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
 | [aws_vpc_security_group_ingress_rule.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_cloudwatch_log_group.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudwatch_log_group) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.cloudwatch_required](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ecr_required](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

iam.tf

@@ -1,5 +1,5 @@
 data "aws_iam_policy_document" "cloudwatch_required" {
-  # Clouwatch permissions
+  # Cloudwatch permissions
   statement {
     sid    = "AllowCreateLogGroup"
     effect = "Allow"
@@ -27,7 +27,7 @@ resource "aws_iam_role_policy" "cloudwatch_required" {
 }
 
 data "aws_iam_policy_document" "networking_required" {
-  count = local.any_vpc_config ? 1 : 0
+  count = local.has_vpc_config ? 1 : 0
   # VPC permissions
   statement {
     sid    = "AllowNetworkingDescribe"
@@ -68,27 +68,27 @@ data "aws_iam_policy_document" "networking_required" {
 }
 
 resource "aws_iam_role_policy" "networking_required" {
-  count  = local.any_vpc_config ? 1 : 0
+  count  = local.has_vpc_config ? 1 : 0
   name   = "${var.name}-networking"
   role   = local.create_iam_role ? aws_iam_role.this[0].name : var.iam_role_name
   policy = data.aws_iam_policy_document.networking_required[0].json
 }
 
 data "aws_iam_policy_document" "s3_required" {
   # S3 permissions
-  count = local.s3_log_bucket ? 1 : 0
+  count = local.has_s3_log_bucket ? 1 : 0
   statement {
     effect  = "Allow"
-    actions = ["s3:*"]
+    actions = ["s3:PutObject*"]
     resources = [
       local.s3_logs_bucket_arn,
-      "${local.s3_logs_bucket_arn}/*",
+      "${local.s3_logs_bucket_arn}/${s3_logs_bucket_prefix}*",
     ]
   }
 }
 
 resource "aws_iam_role_policy" "s3_required" {
-  count  = local.s3_log_bucket ? 1 : 0
+  count  = local.has_s3_log_bucket ? 1 : 0
   name   = "${var.name}-s3-logging"
   role   = local.create_iam_role ? aws_iam_role.this[0].name : var.iam_role_name
   policy = data.aws_iam_policy_document.s3_required[0].json

locals.tf

@@ -3,25 +3,39 @@ locals {
 
   aws_region = data.aws_region.current.name
 
-  create_cloudwatch_logs_group = var.cloudwatch_logs_group_name == null
+  has_s3_log_bucket = var.s3_logs_bucket_name != null
 
-  s3_log_bucket = var.s3_logs_location != null
-
-  any_vpc_config = var.vpc_id != null
+  has_vpc_config = var.vpc_id != null
 
   has_github_personal_access_token = var.github_personal_access_token != null
 
   has_github_personal_access_token_ssm_parameter = var.github_personal_access_token_ssm_parameter != null
 
   subnet_arns = [for subnet_id in var.subnet_ids : "arn:aws:ec2:${local.aws_region}:${local.aws_account_id}:subnet/${subnet_id}"]
 
-  security_group_ids = length(var.security_group_ids) == 0 ? try([aws_security_group.codebuild[0].id], []) : concat(try([aws_security_group.codebuild[0].id], []), var.security_group_ids)
+  security_group_ids = (
+    length(var.security_group_ids) == 0
+    ? try([aws_security_group.codebuild[0].id], [])
+    : concat(try([aws_security_group.codebuild[0].id], []), var.security_group_ids)
+  )
 
   create_iam_role = var.iam_role_name == null
 
-  cloudwatch_logs_group_arn = local.create_cloudwatch_logs_group ? aws_cloudwatch_log_group.codebuild[0].arn : "arn:aws:logs:${local.aws_region}:${local.aws_account_id}:log-group:${var.cloudwatch_logs_group_name}"
-
-  cloudwatch_logs_steam_name = var.cloudwatch_logs_stream_name == null ? var.name : var.cloudwatch_logs_stream_name
-
-  s3_logs_bucket_arn = var.s3_logs_location == null ? null : "arn:aws:s3:::${var.s3_logs_location}"
+  cloudwatch_logs_group_arn = (
+    var.create_cloudwatch_log_group
+    ? aws_cloudwatch_log_group.codebuild[0].arn
+    : data.aws_cloudwatch_log_group.codebuild[0].arn
+  )
+
+  cloudwatch_logs_steam_name = (
+    var.cloudwatch_logs_stream_name == null
+    ? var.name
+    : var.cloudwatch_logs_stream_name
+  )
+
+  s3_logs_bucket_arn = (
+    var.s3_logs_bucket_name == null
+    ? null
+    : "arn:aws:s3:::${var.s3_logs_bucket_name}"
+  )
 }

logs.tf

@@ -0,0 +1,11 @@
+resource "aws_cloudwatch_log_group" "codebuild" {
+  #checkov:skip=CKV_AWS_338:log retention set to 14 days as it only shows the github runner initialise
+  count             = var.create_cloudwatch_log_group ? 1 : 0
+  name              = coalesce(var.cloudwatch_logs_group_name, "/aws/codebuild/${var.name}")
+  retention_in_days = var.cloudwatch_log_group_retention_in_days
+  kms_key_id        = var.kms_key_id
+}
+data "aws_cloudwatch_log_group" "codebuild" {
+  count = var.create_cloudwatch_log_group ? 0 : 1
+  name  = var.cloudwatch_logs_group_name
+}

main.tf

@@ -1,11 +1,3 @@
-resource "aws_cloudwatch_log_group" "codebuild" {
-  #checkov:skip=CKV_AWS_338:log retention set to 14 days sw it is only show the github runner initialise
-  count             = local.create_cloudwatch_logs_group ? 1 : 0
-  name              = "/aws/codebuild/${var.name}"
-  retention_in_days = 14
-  kms_key_id        = var.kms_key_id
-}
-
 resource "aws_codebuild_project" "this" {
   name          = var.name
   description   = var.description
@@ -26,15 +18,19 @@ resource "aws_codebuild_project" "this" {
 
   logs_config {
     cloudwatch_logs {
-      group_name  = local.create_cloudwatch_logs_group ? aws_cloudwatch_log_group.codebuild[0].name : var.cloudwatch_logs_group_name
+      group_name = (
+        var.create_cloudwatch_log_group
+        ? aws_cloudwatch_log_group.codebuild[0].name
+        : data.aws_cloudwatch_log_group.codebuild[0].name
+      )
       stream_name = local.cloudwatch_logs_steam_name
     }
 
     dynamic "s3_logs" {
-      for_each = try(var.s3_logs_location, null) == null ? toset([]) : toset([1])
+      for_each = try(var.s3_logs_bucket_name, null) == null ? toset([]) : toset([1])
       content {
         status   = "ENABLED"
-        location = "${var.s3_logs_location}/logs"
+        location = "${var.s3_logs_bucket_name}/${var.s3_logs_bucket_prefix}"
       }
     }
   }
@@ -50,7 +46,7 @@ resource "aws_codebuild_project" "this" {
   }
 
   dynamic "vpc_config" {
-    for_each = local.any_vpc_config ? toset([1]) : toset([])
+    for_each = local.has_vpc_config ? toset([1]) : toset([])
     content {
       vpc_id             = var.vpc_id
       subnets            = var.subnet_ids
@@ -87,7 +83,7 @@ resource "aws_codebuild_webhook" "this" {
 
 resource "aws_security_group" "codebuild" {
   #checkov:skip=CKV2_AWS_5:access logging not required
-  count       = local.any_vpc_config ? 1 : 0
+  count       = local.has_vpc_config ? 1 : 0
   vpc_id      = var.vpc_id
   name        = var.name
   description = "Security group for CodeBuild project ${var.name}"
@@ -97,7 +93,7 @@ resource "aws_security_group" "codebuild" {
 }
 
 resource "aws_vpc_security_group_egress_rule" "codebuild" {
-  count             = local.any_vpc_config ? 1 : 0
+  count             = local.has_vpc_config ? 1 : 0
   security_group_id = aws_security_group.codebuild[count.index].id
 
   cidr_ipv4   = "0.0.0.0/0"
@@ -106,7 +102,7 @@ resource "aws_vpc_security_group_egress_rule" "codebuild" {
 }
 
 resource "aws_vpc_security_group_ingress_rule" "codebuild" {
-  count             = local.any_vpc_config ? 1 : 0
+  count             = local.has_vpc_config ? 1 : 0
   security_group_id = aws_security_group.codebuild[count.index].id
 
   cidr_ipv4   = "0.0.0.0/0"

variables.tf

@@ -53,6 +53,12 @@ variable "environment_image" {
 }
 
 # logs
+variable "create_cloudwatch_log_group" {
+  description = "Determines whether a log group is created by this module. If not, AWS will automatically create one if logging is enabled"
+  type        = bool
+  default     = true
+}
+
 variable "cloudwatch_logs_group_name" {
   description = "Name of the log group used by the codebuild project. If blank then a default is used."
   type        = string
@@ -65,12 +71,22 @@ variable "cloudwatch_logs_stream_name" {
   default     = null
 }
 
-variable "s3_logs_location" {
-  description = "Value of the S3 bucket to store logs in, if left blank a bucket will be created"
+variable "cloudwatch_log_group_retention_in_days" {
+  description = "Number of days to retain log events"
+  type        = number
+  default     = 14
+}
+
+variable "s3_logs_bucket_name" {
+  description = "Name of the S3 bucket to store logs in. If null then logging to S3 will be disabled."
   type        = string
   default     = null
 }
-# TODO make this optional
+variable "s3_logs_bucket_prefix" {
+  description = "Prefix to use for the logs in the S3 bucket"
+  type        = string
+  default     = ""
+}
 
 # vpc
 variable "vpc_id" {