S3サーバーアクセスログを試すTerraformサンプル
// Version constraints for Terraform core and the AWS provider this sample targets.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.15.1"
    }
  }

  required_version = "~> 1.2.0"
}
// AWS provider; all resources below are created in the Tokyo region.
provider "aws" {
  region = "ap-northeast-1"
}
// Identity of the calling account; its account_id is used to build unique
// bucket names and to scope the log-delivery bucket policy.
data "aws_caller_identity" "current" {
}
//
// アクセスログ保存用バケット
//
// 基本設定
// Destination bucket for S3 server access logs.
// Named s3-server-access-logs-<account id> so it is unique per account.
resource "aws_s3_bucket" "server_access_logs" {
  bucket = "s3-server-access-logs-${data.aws_caller_identity.current.account_id}"
}
// パブリックアクセス無効
// Block every form of public access to the log bucket (ACLs and policies).
resource "aws_s3_bucket_public_access_block" "server_access_logs" {
  bucket = aws_s3_bucket.server_access_logs.bucket

  restrict_public_buckets = true
  ignore_public_acls      = true
  block_public_policy     = true
  block_public_acls       = true
}
// デフォルト暗号化 (SSE-S3)
// Default encryption at rest for the log bucket: SSE-S3 (AES256).
resource "aws_s3_bucket_server_side_encryption_configuration" "server_access_logs" {
  bucket = aws_s3_bucket.server_access_logs.bucket

  rule {
    apply_server_side_encryption_by_default {
      // S3-managed keys; no KMS key is involved in this sample.
      sse_algorithm = "AES256"
    }
  }
}
// ACL無効 (バケット所有者の強制)
// Disable ACLs on the log bucket; the bucket owner owns every delivered object,
// so access is governed solely by the bucket policy below.
resource "aws_s3_bucket_ownership_controls" "server_access_logs" {
  bucket = aws_s3_bucket.server_access_logs.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}
// ★ バケットポリシー ★
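// Bucket policy granting the S3 log-delivery service permission to write
// access-log objects into the log bucket.
//
// Changes from the original: the aws:SourceAccount value was a bare
// "${...}" interpolation, which Terraform 0.12+ flags as deprecated; it is
// now a plain expression. The Allow effect is written out explicitly.
data "aws_iam_policy_document" "server_access_logs" {
  statement {
    sid    = "S3ServerAccessLogsPolicy"
    effect = "Allow"

    // Only the S3 logging service principal may write here.
    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.server_access_logs.arn}/*"]

    // Source bucket is not restricted in this sample (any bucket ARN);
    // in a production environment this should be narrowed to the specific
    // source bucket(s), e.g. aws_s3_bucket.sample.arn.
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:s3:::*"]
    }

    // Accept log delivery only from buckets in this account, which prevents
    // another account's bucket from writing into our log bucket.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}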
// Attach the log-delivery policy document to the log bucket.
resource "aws_s3_bucket_policy" "server_access_logs" {
  policy = data.aws_iam_policy_document.server_access_logs.json
  bucket = aws_s3_bucket.server_access_logs.id
}
// ライフサイクル設定 : 1年保存設定
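// Retention for the log bucket: expire every object after 365 days.
//
// Change from the original: the rule now carries an explicit empty `filter {}`.
// In the 4.x provider a rule is expected to state its scope via `filter` or
// the deprecated `prefix`; `filter {}` is the documented way to say
// "all objects", which is what the original rule intended.
resource "aws_s3_bucket_lifecycle_configuration" "server_access_logs" {
  bucket = aws_s3_bucket.server_access_logs.id

  rule {
    id     = "expiration-rule"
    status = "Enabled"

    // Empty filter = the rule applies to every object in the bucket.
    filter {}

    expiration {
      days = 365
    }
  }
}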
//
// アクセスログ送信用 (サンプルバケット)
//
// 基本設定
// Sample source bucket whose access logs are delivered to the log bucket.
// Named s3-sample-bucket-<account id> so it is unique per account.
resource "aws_s3_bucket" "sample" {
  bucket = "s3-sample-bucket-${data.aws_caller_identity.current.account_id}"
}
// パブリックアクセス無効
// Block every form of public access to the sample bucket (ACLs and policies).
resource "aws_s3_bucket_public_access_block" "sample" {
  bucket = aws_s3_bucket.sample.bucket

  restrict_public_buckets = true
  ignore_public_acls      = true
  block_public_policy     = true
  block_public_acls       = true
}
// デフォルト暗号化 (SSE-S3)
// Default encryption at rest for the sample bucket: SSE-S3 (AES256).
resource "aws_s3_bucket_server_side_encryption_configuration" "sample" {
  bucket = aws_s3_bucket.sample.bucket

  rule {
    apply_server_side_encryption_by_default {
      // S3-managed keys; no KMS key is involved in this sample.
      sse_algorithm = "AES256"
    }
  }
}
// ACL無効 (バケット所有者の強制)
// Disable ACLs on the sample bucket; the bucket owner owns every object.
resource "aws_s3_bucket_ownership_controls" "sample" {
  bucket = aws_s3_bucket.sample.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}
// ★ アクセスログ送信設定 ★
// Enable server access logging on the sample bucket.
// Logs land in the log bucket under a prefix equal to the source bucket name,
// so several source buckets can share one destination without mixing keys.
resource "aws_s3_bucket_logging" "sample" {
  bucket = aws_s3_bucket.sample.id

  target_prefix = "${aws_s3_bucket.sample.id}/"
  target_bucket = aws_s3_bucket.server_access_logs.id
}