Consider Removing Access Logs Module #107

Closed
wants to merge 2 commits into from
Closed
18 changes: 1 addition & 17 deletions main.tf
Expand Up @@ -38,22 +38,6 @@ resource "aws_security_group_rule" "https_ingress" {
security_group_id = join("", aws_security_group.default.*.id)
}

module "access_logs" {
source = "cloudposse/lb-s3-bucket/aws"
version = "0.14.1"
enabled = module.this.enabled && var.access_logs_enabled && var.access_logs_s3_bucket_id == null
attributes = compact(concat(module.this.attributes, ["alb", "access", "logs"]))
lifecycle_rule_enabled = var.lifecycle_rule_enabled
enable_glacier_transition = var.enable_glacier_transition
expiration_days = var.expiration_days
glacier_transition_days = var.glacier_transition_days
noncurrent_version_expiration_days = var.noncurrent_version_expiration_days
noncurrent_version_transition_days = var.noncurrent_version_transition_days
standard_transition_days = var.standard_transition_days
force_destroy = var.alb_access_logs_s3_bucket_force_destroy
context = module.this.context
}

module "default_load_balancer_label" {
source = "cloudposse/label/null"
version = "0.25.0"
Expand Down Expand Up @@ -83,7 +67,7 @@ resource "aws_lb" "default" {
drop_invalid_header_fields = var.drop_invalid_header_fields

access_logs {
bucket = try(element(compact([var.access_logs_s3_bucket_id, module.access_logs.bucket_id]), 0), "")
bucket = var.access_logs_s3_bucket_id

@bridgecrew bridgecrew bot Nov 29, 2021


LOW   Ensure ALB redirects HTTP requests into HTTPS ones
    Resource: aws_lb.default | ID: BC_AWS_NETWORKING_49

How to Fix

resource "aws_lb" "lb_good" {
}


resource "aws_lb_listener" "listener_good" {
  load_balancer_arn = aws_lb.lb_good.arn
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }

  }
}

Description

TBA

Dependent Resources



Path Resource Connecting Attribute
/main.tf aws_lb_listener.http_forward load_balancer_arn
/main.tf aws_lb_listener.http_redirect load_balancer_arn
/main.tf aws_lb_listener.https load_balancer_arn


@bridgecrew bridgecrew bot Nov 29, 2021


MEDIUM   Ensure public facing ALB are protected by AWS Web Application Firewall v2 (AWS WAFv2)
    Resource: aws_lb.default | ID: BC_AWS_NETWORKING_58

Description

TBD

Dependent Resources

Path Resource Connecting Attribute
/main.tf aws_lb_listener.http_forward load_balancer_arn
/main.tf aws_lb_listener.http_redirect load_balancer_arn
/main.tf aws_lb_listener.https load_balancer_arn

prefix = var.access_logs_prefix
enabled = var.access_logs_enabled
}
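Review bot: `bucket = var.access_logs_s3_bucket_id` now passes a null bucket into the `access_logs` block whenever `access_logs_enabled` is true but no bucket id was supplied; the removed `try(element(compact([...]), 0), "")` expression degraded that case to `""`, and with the `access_logs` module gone there is no module-created bucket to fall back on, so the misconfiguration surfaces only as a provider-side plan error rather than a clear message to the caller. Consider a precondition on `aws_lb.default` (if the module's required Terraform version permits it) such as `condition = !var.access_logs_enabled || var.access_logs_s3_bucket_id != null` with `error_message = "access_logs_s3_bucket_id must be set when access_logs_enabled is true."`. It is also worth stating in the `access_logs_s3_bucket_id` description (declared outside this diff) that the caller-supplied bucket must carry the ELB log-delivery bucket policy that the removed `cloudposse/lb-s3-bucket` module presumably managed, otherwise logging is switched on at the ALB but nothing is ever written. If `access_logs_enabled` defaults to true (its declaration is not in this diff), existing consumers who never set a bucket id will silently lose access logging or fail to plan after upgrading, which should be called out as a breaking change in the release notes. The `aws_lb.default` resource block starts before this hunk.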
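--- a/outputs.tf
+++ b/outputs.tf
@@ -54,8 +54,3 @@ output "listener_arns" {
 concat(aws_lb_listener.http_forward.*.arn, aws_lb_listener.http_redirect.*.arn, aws_lb_listener.https.*.arn)
 )
 }
-
-output "access_logs_bucket_id" {
-description = "The S3 bucket ID for access logs"
-value = module.access_logs.bucket_id
-}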
48 changes: 0 additions & 48 deletions variables.tf
Expand Up @@ -188,12 +188,6 @@ variable "health_check_matcher" {
description = "The HTTP response codes to indicate a healthy check"
}

variable "alb_access_logs_s3_bucket_force_destroy" {
type = bool
default = false
description = "A boolean that indicates all objects should be deleted from the ALB access logs S3 bucket so that the bucket can be destroyed without error"
}

variable "target_group_port" {
type = number
default = 80
Expand Down Expand Up @@ -250,48 +244,6 @@ variable "listener_https_fixed_response" {
default = null
}

variable "lifecycle_rule_enabled" {
type = bool
description = "A boolean that indicates whether the s3 log bucket lifecycle rule should be enabled."
default = false
}

variable "enable_glacier_transition" {
type = bool
description = "Enables the transition of lb logs to AWS Glacier"
default = true
}

variable "glacier_transition_days" {
type = number
description = "Number of days after which to move s3 logs to the glacier storage tier"
default = 60
}

variable "expiration_days" {
type = number
description = "Number of days after which to expunge s3 logs"
default = 90
}

variable "noncurrent_version_expiration_days" {
type = number
description = "Specifies when noncurrent s3 log versions expire"
default = 90
}

variable "noncurrent_version_transition_days" {
type = number
description = "Specifies when noncurrent s3 log versions transition"
default = 30
}

variable "standard_transition_days" {
type = number
description = "Number of days to persist logs in standard storage tier before moving to the infrequent access tier"
default = 30
}

variable "stickiness" {
type = object({
cookie_duration = number