diff --git a/modules/ManagementGovernance/Cwl-firehose-s3/README.md b/modules/ManagementGovernance/Cwl-firehose-s3/README.md new file mode 100644 index 0000000..2f13a57 --- /dev/null +++ b/modules/ManagementGovernance/Cwl-firehose-s3/README.md 
@@ -0,0 +1,57 @@ + + +This module configure CloudwatchLog and stream logs to s3 bucket via Kinesis Firehose + +## Requirements + +| Name | Version | +|------|---------| +| terraform | ~> 1.3.0 | +| aws | >= 5.0 | + +## Providers + +| Name | Version | +|------|---------| +| aws | >= 5.0 | +| random | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.firehose-log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_subscription_filter.cwl-sub-filter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter) | resource | +| [aws_iam_policy.cwlog-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.firehose-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.cwlog-stream-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.firehose-stream-iam-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.cwlog-role-policy-attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.firehose-role-policy-attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_kinesis_firehose_delivery_stream.cwl-s3-firehose-stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource | +| [random_id.rid](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| 
[aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| cwl-region | AWS region where Cloudwatch LogGroup resides. Needed for setting up cwlog-stream-role | `string` | n/a | yes | +| dest-bucket-arn | Destination S3 bucket ARN | `string` | n/a | yes | +| dest-bucket-kmskey-arn | KMS key ARN for destination bucket | `string` | n/a | yes | +| dest-bucket-prefix | S3 object prefix for this stream | `string` | n/a | yes | +| firehose-kmskey-arn | KMS Key arn for Firehose | `string` | n/a | yes | +| source-cwlgroup-name | Name of source CloudwatchLog group | `string` | n/a | yes | +| stream-name | Name of Kinesis Data Firehose delivery stream | `string` | n/a | yes | + +## Outputs + +No outputs. + +--- +## Authorship +This module was developed by Rackspace. \ No newline at end of file diff --git a/modules/ManagementGovernance/Cwl-firehose-s3/main.tf b/modules/ManagementGovernance/Cwl-firehose-s3/main.tf new file mode 100644 index 0000000..8143e95 --- /dev/null +++ b/modules/ManagementGovernance/Cwl-firehose-s3/main.tf 
@@ -0,0 +1,161 @@ +resource "aws_kinesis_firehose_delivery_stream" "cwl-s3-firehose-stream" { + name = var.stream-name + destination = "extended_s3" + + extended_s3_configuration { + role_arn = aws_iam_role.firehose-stream-iam-role.arn + bucket_arn = var.dest-bucket-arn + prefix = trimprefix(var.dest-bucket-prefix, "/") + error_output_prefix = "FirehoseErrors/" + kms_key_arn = var.dest-bucket-kmskey-arn + cloudwatch_logging_options { + enabled = var.enable-firehose-errorlog + log_group_name = try(aws_cloudwatch_log_group.firehose-log[0].name, null) + log_stream_name = "DestinationDelivery" + } + } + server_side_encryption { + enabled = true + key_type = "CUSTOMER_MANAGED_CMK" + key_arn = var.firehose-kmskey-arn + } +} + +resource "aws_cloudwatch_log_group" "firehose-log" { + count = var.enable-firehose-errorlog ? 1 : 0 + name = "/aws/kinesisfirehose/${var.stream-name}" + retention_in_days = 365 +} + +resource "aws_cloudwatch_log_subscription_filter" "cwl-sub-filter" { + log_group_name = var.source-cwlgroup-name + name = "stream-to-s3" + role_arn = aws_iam_role.cwlog-stream-role.arn + filter_pattern = "" + destination_arn = aws_kinesis_firehose_delivery_stream.cwl-s3-firehose-stream.arn +} + +resource "random_id" "rid" { + byte_length = 4 +} + +resource "aws_iam_role" "firehose-stream-iam-role" { + name = "firehose-stream-role-${var.stream-name}-${random_id.rid.dec}" + description = "Kinesis Firehose IAM role for streaming logs from CloudwatchLog to S3" + assume_role_policy = jsonencode( + { + "Version" : "2012-10-17", + "Statement" : [ + { + "Sid" : "FirehoseStreaming", + "Effect" : "Allow", + "Principal" : { + "Service" : "firehose.amazonaws.com" + }, + "Action" : "sts:AssumeRole" + } + ] + } + ) +} + +resource "aws_iam_role_policy_attachment" "firehose-role-policy-attachment" { + role = aws_iam_role.firehose-stream-iam-role.name + policy_arn = aws_iam_policy.firehose-role-policy.arn +} + +resource "aws_iam_policy" "firehose-role-policy" { + name = 
"kinesis-firehose-log-stream-${var.stream-name}-${random_id.rid.dec}" + description = "Policy for Kinesis Firehose streaming logs to s3" + policy = jsonencode( + { + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "s3:AbortMultipartUpload", + "s3:GetBucketLocation", + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketMultipartUploads", + "s3:PutObject" + ], + "Resource" : [ + var.dest-bucket-arn, + "${var.dest-bucket-arn}/*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource" : [ + var.dest-bucket-kmskey-arn + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "logs:PutLogEvents", + "logs:PutLogEventsBatch", + "logs:CreateLogStream" + ], + "Resource" : [ + "arn:aws:logs:*:*:log-group:/aws/kinesisfirehose/${var.stream-name}/*" + ] + } + ] + } + ) +} + + +resource "aws_iam_role" "cwlog-stream-role" { + name = "cloudwatchlog-stream-role-${var.stream-name}-${random_id.rid.dec}" + description = "CloudwatchLog role for streaming to firehose" + assume_role_policy = jsonencode( + { + "Version" : "2012-10-17", + "Statement" : [ + { + "Sid" : "CloudwatchLogStreaming", + "Effect" : "Allow", + "Principal" : { + "Service" : "logs.${var.cwl-region}.amazonaws.com" + }, + "Action" : "sts:AssumeRole" + } + ] + } + ) +} + + +resource "aws_iam_role_policy_attachment" "cwlog-role-policy-attachment" { + role = aws_iam_role.cwlog-stream-role.name + policy_arn = aws_iam_policy.cwlog-role-policy.arn +} + +resource "aws_iam_policy" "cwlog-role-policy" { + name = "cloudwatchlog-stream-${var.stream-name}-${random_id.rid.dec}" + description = "Policy for CloudWatch Logs streaming to Kinesis Firehose" + policy = jsonencode( + { + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : ["firehose:PutRecord"], + "Resource" : [ + "arn:aws:firehose:${var.cwl-region}:${data.aws_caller_identity.this.account_id}:deliverystream/${var.stream-name}" + ] + } + ] + } + ) +} + +data 
"aws_caller_identity" "this" {} \ No newline at end of file diff --git a/modules/ManagementGovernance/Cwl-firehose-s3/variables.tf b/modules/ManagementGovernance/Cwl-firehose-s3/variables.tf new file mode 100644 index 0000000..e5dffc6 --- /dev/null +++ b/modules/ManagementGovernance/Cwl-firehose-s3/variables.tf @@ -0,0 +1,40 @@ +variable "stream-name" { + type = string + description = "Name of Kinesis Data Firehose delivery stream" +} + +variable "firehose-kmskey-arn" { + type = string + description = "KMS Key arn for Firehose" +} + +variable "dest-bucket-arn" { + type = string + description = "Destination S3 bucket ARN" +} + +variable "dest-bucket-prefix" { + type = string + description = "S3 object prefix for this stream. Please do not start with / end with a /. For example, r53-log/acme.local/" +} + +variable "dest-bucket-kmskey-arn" { + type = string + description = "KMS key ARN for destination bucket" +} + +variable "source-cwlgroup-name" { + type = string + description = "Name of source CloudwatchLog group" +} + +variable "cwl-region" { + type = string + description = "AWS region where Cloudwatch LogGroup resides. Needed for setting up cwlog-stream-role" +} + +variable "enable-firehose-errorlog" { + type = bool + description = "Enable firehose errorlog" + default = false +} \ No newline at end of file diff --git a/modules/ManagementGovernance/Cwl-firehose-s3/versions.tf b/modules/ManagementGovernance/Cwl-firehose-s3/versions.tf new file mode 100644 index 0000000..2a10c6a --- /dev/null +++ b/modules/ManagementGovernance/Cwl-firehose-s3/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_version = "~> 1.3.0" + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.0" + } + } +} diff --git a/modules/ManagementGovernance/Monitoring.EC2/get-cwagent-dimensions.sh b/modules/ManagementGovernance/Monitoring.EC2/get-cwagent-dimensions.sh index 3f4cee2..8001bfd 100755 --- a/modules/ManagementGovernance/Monitoring.EC2/get-cwagent-dimensions.sh 
+++ b/modules/ManagementGovernance/Monitoring.EC2/get-cwagent-dimensions.sh @@ -15,6 +15,11 @@ export AWS_ACCESS_KEY_ID=$access_key export AWS_SECRET_ACCESS_KEY=$secret_key export AWS_SESSION_TOKEN=$session_token +#aws cloudwatch list-metrics --namespace CWAgent --metric-name disk_inodes_free \ +#--dimensions Name=InstanceId,Value=$iid Name=path,Value=/ | \ +#jq '.Metrics[] | .Dimensions[] | {(.Name):(.Value)}' | jq -s 'add' + +# when there are multiple metrics with the same name... aws cloudwatch list-metrics --namespace CWAgent --metric-name disk_inodes_free \ ---dimensions Name=InstanceId,Value=$iid Name=path,Value=/ | \ -jq '.Metrics[] | .Dimensions[] | {(.Name):(.Value)}' | jq -s 'add' +--dimensions Name=InstanceId,Value=$iid Name=path,Value=/ --query Metrics[] | \ +jq '. | last | .Dimensions[] | {(.Name):(.Value)}' | jq -s 'add' diff --git a/modules/ManagementGovernance/Monitoring.EC2/main.tf b/modules/ManagementGovernance/Monitoring.EC2/main.tf index 69755d3..97ae6c1 100644 --- a/modules/ManagementGovernance/Monitoring.EC2/main.tf +++ b/modules/ManagementGovernance/Monitoring.EC2/main.tf 
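Review bot: `jq '. | last'` takes whichever metric `list-metrics` happened to return last, and the API does not promise a stable ordering, so the dimension set handed back to `data.external.cw-dimensions` (and therefore the identity of the disk alarms built from it) can change between runs and cause plan churn or an alarm bound to the wrong path; select deterministically, for example `sort_by(.Dimensions | length) | last` or a filter on the dimension you actually want, though which metric is intended is not visible from this hunk. `$iid` and `Metrics[]` should also be quoted (`Value="$iid"`, `--query "Metrics[]"`) since the shell performs word splitting and glob expansion on both. The commented-out copy of the previous command is dead code that git history already preserves and should be dropped. The enclosing script continues outside the hunk.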
@@ -145,24 +145,41 @@ resource "aws_cloudwatch_metric_alarm" "ec2-swap_used_percent" { } } -resource "aws_cloudwatch_metric_alarm" "ec2-disk_used_percent" { +resource "aws_cloudwatch_metric_alarm" "ec2-disk_used_percent_warn" { count = module.ec2_os.awscliout[0] != "Windows" && data.external.cw-dimensions.result != null ? 1 : 0 - alarm_name = "${var.settings.disk_used_percent.ecccode}-EC2_${var.ec2-instance-id}-disk_used_percent" - comparison_operator = var.settings.disk_used_percent.comparison_operator - evaluation_periods = var.settings.disk_used_percent.evaluation_periods + alarm_name = "${var.settings.disk_used_percent_warn.ecccode}-EC2_${var.ec2-instance-id}-disk_used_percent" + comparison_operator = var.settings.disk_used_percent_warn.comparison_operator + evaluation_periods = var.settings.disk_used_percent_warn.evaluation_periods metric_name = "disk_used_percent" - period = var.settings.disk_used_percent.period - statistic = var.settings.disk_used_percent.statistic - threshold = var.settings.disk_used_percent.threshold + period = var.settings.disk_used_percent_warn.period + statistic = var.settings.disk_used_percent_warn.statistic + threshold = var.settings.disk_used_percent_warn.threshold alarm_description = "EC2:disk_used_percent" namespace = "CWAgent" insufficient_data_actions = [] actions_enabled = var.actions-enabled - alarm_actions = [var.settings.disk_used_percent.action] - ok_actions = [var.settings.disk_used_percent.action] + alarm_actions = [var.settings.disk_used_percent_warn.action] + ok_actions = [var.settings.disk_used_percent_warn.action] dimensions = data.external.cw-dimensions.result } +resource "aws_cloudwatch_metric_alarm" "ec2-disk_used_percent_crit" { + count = module.ec2_os.awscliout[0] != "Windows" && data.external.cw-dimensions.result != null ? 
1 : 0 + alarm_name = "${var.settings.disk_used_percent_crit.ecccode}-EC2_${var.ec2-instance-id}-disk_used_percent" + comparison_operator = var.settings.disk_used_percent_crit.comparison_operator + evaluation_periods = var.settings.disk_used_percent_crit.evaluation_periods + metric_name = "disk_used_percent" + period = var.settings.disk_used_percent_crit.period + statistic = var.settings.disk_used_percent_crit.statistic + threshold = var.settings.disk_used_percent_crit.threshold + alarm_description = "EC2:disk_used_percent" + namespace = "CWAgent" + insufficient_data_actions = [] + actions_enabled = var.actions-enabled + alarm_actions = [var.settings.disk_used_percent_crit.action] + ok_actions = [var.settings.disk_used_percent_crit.action] + dimensions = data.external.cw-dimensions.result +} resource "aws_cloudwatch_metric_alarm" "ec2-disk_inodes_free" { count = module.ec2_os.awscliout[0] != "Windows" && data.external.cw-dimensions.result != null ? 1 : 0 
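Review bot: The new `ec2-disk_used_percent_crit` alarm repeats the warn alarm's `alarm_description = "EC2:disk_used_percent"` and its `alarm_name` differs from the warn alarm only in `ecccode`; if both settings entries carry the same `ecccode` the two resources will contend for one CloudWatch alarm name, since `alarm_name` is the identifier. Suffix the names, e.g. `...-disk_used_percent_warn` and `...-disk_used_percent_crit`, and state the severity in `alarm_description`. Renaming the settings key from `disk_used_percent` to `disk_used_percent_warn` is also a breaking change for every caller's settings object; the module's variables and README are not in this diff, so confirm they were updated. There is no blank line between the closing brace of `_crit` and the following `ec2-disk_inodes_free` resource.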
@@ -205,49 +222,96 @@ resource "aws_cloudwatch_metric_alarm" "ec2-processes_total" { } } -resource "aws_cloudwatch_metric_alarm" "ec2-net_err_in" { +resource "aws_cloudwatch_metric_alarm" "ec2-net_err" { count = module.ec2_os.awscliout[0] != "Windows" && length(module.detect_cloudwatch_agent.awscliout) > 0 ? 1 : 0 - alarm_name = "${var.settings.net_err_in.ecccode}-EC2_${var.ec2-instance-id}-net_err_in" - comparison_operator = var.settings.net_err_in.comparison_operator + alarm_name = "${var.settings.net_err_in.ecccode}-EC2_${var.ec2-instance-id}-net_err" + comparison_operator = "GreaterThanThreshold" evaluation_periods = var.settings.net_err_in.evaluation_periods - metric_name = "net_err_in" - period = var.settings.net_err_in.period - statistic = var.settings.net_err_in.statistic - threshold = var.settings.net_err_in.threshold - alarm_description = "EC2:net_err_in" - namespace = "CWAgent" + threshold = 0 + alarm_description = "EC2:net_err_in or EC2:net_err_out exceeds threshold" insufficient_data_actions = [] - actions_enabled = var.actions-enabled + actions_enabled = false alarm_actions = [var.settings.net_err_in.action] ok_actions = [var.settings.net_err_in.action] - dimensions = { - InstanceId = var.ec2-instance-id - ImageId = data.aws_instance.ec2-instance.ami - InstanceType = data.aws_instance.ec2-instance.instance_type - interface = "eth0" + treat_missing_data = "notBreaching" + + metric_query { + id = "e1" + expression = "IF(m1 > ${var.settings.net_err_in.threshold} OR m2 > ${var.settings.net_err_out.threshold}, 1, 0)" + label = "net_err_exceeds_threshold" + return_data = "true" + } + + metric_query { + id = "m1" + metric { + metric_name = "net_err_in" + namespace = "CWAgent" + period = var.settings.net_err_in.period + stat = var.settings.net_err_in.statistic + dimensions = { + InstanceId = var.ec2-instance-id + ImageId = data.aws_instance.ec2-instance.ami + InstanceType = data.aws_instance.ec2-instance.instance_type + interface = "eth0" + } + } + } + + 
metric_query { + id = "m2" + metric { + metric_name = "net_err_out" + namespace = "CWAgent" + period = var.settings.net_err_out.period + stat = var.settings.net_err_out.statistic + dimensions = { + InstanceId = var.ec2-instance-id + ImageId = data.aws_instance.ec2-instance.ami + InstanceType = data.aws_instance.ec2-instance.instance_type + interface = "eth0" + } + } } } -resource "aws_cloudwatch_metric_alarm" "ec2-net_err_out" { - count = module.ec2_os.awscliout[0] != "Windows" && length(module.detect_cloudwatch_agent.awscliout) > 0 ? 1 : 0 - alarm_name = "${var.settings.net_err_out.ecccode}-EC2_${var.ec2-instance-id}-net_err_out" - comparison_operator = var.settings.net_err_out.comparison_operator - evaluation_periods = var.settings.net_err_out.evaluation_periods - metric_name = "net_err_in" - period = var.settings.net_err_out.period - statistic = var.settings.net_err_out.statistic - threshold = var.settings.net_err_out.threshold - alarm_description = "EC2:net_err_out" - namespace = "CWAgent" +resource "aws_cloudwatch_metric_alarm" "ec2-NetworkIn" { + count = try(var.settings.NetworkIn.monitor,false) ? 
1 : 0 + alarm_name = "${var.settings.NetworkIn.ecccode}-EC2_${var.ec2-instance-id}-NetworkIn" + comparison_operator = var.settings.NetworkIn.comparison_operator + evaluation_periods = var.settings.NetworkIn.evaluation_periods + metric_name = "NetworkIn" + period = var.settings.NetworkIn.period + statistic = var.settings.NetworkIn.statistic + threshold = var.settings.NetworkIn.threshold + alarm_description = "EC2:NetworkIn" + namespace = "AWS/EC2" insufficient_data_actions = [] actions_enabled = var.actions-enabled - alarm_actions = [var.settings.net_err_out.action] - ok_actions = [var.settings.net_err_out.action] + alarm_actions = [var.settings.NetworkIn.action] + ok_actions = [var.settings.NetworkIn.action] dimensions = { - InstanceId = var.ec2-instance-id - ImageId = data.aws_instance.ec2-instance.ami - InstanceType = data.aws_instance.ec2-instance.instance_type - interface = "eth0" + InstanceId = var.ec2-instance-id + } +} + +resource "aws_cloudwatch_metric_alarm" "ec2-NetworkOut" { + count = try(var.settings.NetworkIn.monitor,false) ? 1 : 0 + alarm_name = "${var.settings.NetworkOut.ecccode}-EC2_${var.ec2-instance-id}-NetworkOut" + comparison_operator = var.settings.NetworkOut.comparison_operator + evaluation_periods = var.settings.NetworkOut.evaluation_periods + metric_name = "NetworkOut" + period = var.settings.NetworkOut.period + statistic = var.settings.NetworkOut.statistic + threshold = var.settings.NetworkOut.threshold + alarm_description = "EC2:NetworkOut" + namespace = "AWS/EC2" + insufficient_data_actions = [] + actions_enabled = var.actions-enabled + alarm_actions = [var.settings.NetworkOut.action] + ok_actions = [var.settings.NetworkOut.action] + dimensions = { + InstanceId = var.ec2-instance-id } } diff --git a/modules/ManagementGovernance/Monitoring.EventBridge/main.tf b/modules/ManagementGovernance/Monitoring.EventBridge/main.tf index 71ec961..25950f5 100644 --- a/modules/ManagementGovernance/Monitoring.EventBridge/main.tf 
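Review bot: `ec2-NetworkOut` gates its `count` on `var.settings.NetworkIn.monitor` instead of `var.settings.NetworkOut.monitor`, so a caller enabling only NetworkOut gets no alarm and one enabling only NetworkIn gets a NetworkOut alarm whose remaining settings may not exist; change it to `count = try(var.settings.NetworkOut.monitor, false) ? 1 : 0`. In `ec2-net_err`, `actions_enabled = false` is hard-coded where the two alarms it replaces used `var.actions-enabled`, so its `alarm_actions`/`ok_actions` never fire and the alarm is silent by construction; if that is deliberate while thresholds are tuned it deserves a comment, otherwise restore `var.actions-enabled`. The real thresholds now live inside the `e1` expression (`var.settings.net_err_in.threshold` / `net_err_out.threshold`) while the alarm's `threshold = 0` only compares the 0/1 IF result, which is worth a one-line comment next to `threshold = 0` so nobody "fixes" it.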
+++ b/modules/ManagementGovernance/Monitoring.EventBridge/main.tf @@ -1,9 +1,12 @@ resource "aws_cloudwatch_event_rule" "EventRule" { - name = "${var.cw-alarm-prefix}-health-events" - description = "A CloudWatch Event Rule that triggers on changes in the status of AWS Personal Health Dashboard (AWS Health) and forwards the events to an SNS topic." - is_enabled = var.actions-enabled + name = "${var.cw-alarm-prefix}-health-events" + description = "A CloudWatch Event Rule that triggers on changes in the status of AWS Personal Health Dashboard (AWS Health) and forwards the events to an SNS topic." + state = var.actions-enabled event_pattern = < on AWS account ." + +"Resources: " +"Start time: " +"End time: " + +"Detail: " +EOF + } } \ No newline at end of file diff --git a/modules/ManagementGovernance/Monitoring.NLB/main.tf b/modules/ManagementGovernance/Monitoring.NLB/main.tf index bc9d959..d98cfb4 100644 --- a/modules/ManagementGovernance/Monitoring.NLB/main.tf +++ b/modules/ManagementGovernance/Monitoring.NLB/main.tf 
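Review bot: `state = var.actions-enabled` replaces the boolean `is_enabled`, but the provider's `state` argument takes the strings `"ENABLED"` / `"DISABLED"`; if `actions-enabled` is a bool, as its use in `actions_enabled` across the sibling monitoring modules suggests, this fails validation rather than disabling the rule. Use `state = var.actions-enabled ? "ENABLED" : "DISABLED"`. The `event_pattern` heredoc and the input template are not legible in this rendering, so their content could not be reviewed here.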
@@ -80,3 +80,26 @@ resource "aws_cloudwatch_metric_alarm" "nlb-HealthyHostCount" { LoadBalancer = "net/${split("/", var.load-balancer)[2]}/${split("/", var.load-balancer)[3]}" } } + + +resource "aws_cloudwatch_metric_alarm" "nlb-UnHealthyHostCount" { + # for_each = module.nlb-targetgroups.result-set + for_each = toset(module.nlb_tgs.awscliout) + alarm_name = "${var.settings.UnHealthyHostCount.ecccode}-NLBTG_${split(":", each.value)[5]}-UnHealthyHostCount" + comparison_operator = var.settings.UnHealthyHostCount.comparison_operator + evaluation_periods = var.settings.UnHealthyHostCount.evaluation_periods + metric_name = "UnHealthyHostCount" + period = var.settings.UnHealthyHostCount.period + statistic = var.settings.UnHealthyHostCount.statistic + threshold = var.settings.UnHealthyHostCount.threshold + alarm_description = "NLBTG:UnHealthyHostCount" + namespace = "AWS/NetworkELB" + insufficient_data_actions = [] + actions_enabled = var.actions-enabled + alarm_actions = [var.settings.UnHealthyHostCount.action] + ok_actions = [var.settings.UnHealthyHostCount.action] + dimensions = { + TargetGroup = split(":", each.value)[5] + LoadBalancer = "net/${split("/", var.load-balancer)[2]}/${split("/", var.load-balancer)[3]}" + } +} diff --git a/modules/ManagementGovernance/Monitoring.Redis/main.tf b/modules/ManagementGovernance/Monitoring.Redis/main.tf index 0164153..85b4be9 100644 --- a/modules/ManagementGovernance/Monitoring.Redis/main.tf +++ b/modules/ManagementGovernance/Monitoring.Redis/main.tf 
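Review bot: `nlb-UnHealthyHostCount` carries a commented-out `for_each = module.nlb-targetgroups.result-set` beside the live `for_each = toset(module.nlb_tgs.awscliout)`; keep only the live one, since a stale alternative on a `for_each` line invites someone to flip it and re-key every alarm. `split(":", each.value)[5]` assumes every element is a full target-group ARN, presumably mirroring the HealthyHostCount alarm whose tail is visible as context; an element that is not an ARN fails at plan time with an index error rather than a readable message, so a `validation` or a precondition on the module output would help. Consider `treat_missing_data` too: a target group with no registered targets emits no UnHealthyHostCount datapoints, and the default handling leaves the alarm in INSUFFICIENT_DATA.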
@@ -7,13 +7,15 @@ resource "aws_cloudwatch_metric_alarm" "redis-alarms" {
 period = each.value["period"]
 statistic = each.value["statistic"]
 threshold = each.value["threshold"]
- alarm_description = "NGW:${each.value["metric"]}"
+ alarm_description = "ElastiCache:${each.value["metric"]}"
 namespace = "AWS/ElastiCache"
 insufficient_data_actions = []
 actions_enabled = var.actions-enabled
 alarm_actions = [each.value["action"]]
 ok_actions = [each.value["action"]]
+ treat_missing_data = "notBreaching"
 dimensions = {
 CacheClusterId = var.redis-cluster-id
 }
+
 }
\ No newline at end of file
diff --git a/modules/storage/s3_bucket_2023/outputs.tf b/modules/storage/s3_bucket_2023/outputs.tf
index a2d779b..a321e73 100644
--- a/modules/storage/s3_bucket_2023/outputs.tf
+++ b/modules/storage/s3_bucket_2023/outputs.tf
@@ -1,3 +1,7 @@
 output bucket_name {
 value = aws_s3_bucket.this.id
+}
+
+output bucket_arn {
+ value = aws_s3_bucket.this.arn
 }
\ No newline at end of file
diff --git a/modules/storage/s3_bucket_2023/variables.tf b/modules/storage/s3_bucket_2023/variables.tf
index 6906b16..91423d2 100644
--- a/modules/storage/s3_bucket_2023/variables.tf
+++ b/modules/storage/s3_bucket_2023/variables.tf
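Review bot: `treat_missing_data = "notBreaching"` makes every alarm produced by this `for_each` read OK when the cluster stops publishing metrics, including the case where it is deleted or unreachable, so a lost cluster will not page; that is defensible for noisy metrics but not for availability ones, and because it applies to every map entry it is better taken per metric, e.g. `treat_missing_data = try(each.value["treat_missing_data"], "notBreaching")`. The added blank line before the closing brace looks unintentional. The enclosing resource begins outside the hunk.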
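Review bot: `output bucket_arn {` uses the unquoted block-label form, as does the existing `output bucket_name {`; Terraform accepts this only for backward compatibility and `terraform fmt` rewrites it, and `variables.tf` in this same commit moves to quoted labels, so write `output "bucket_arn" {` (and `output "bucket_name" {` while here). A `description` on the new output would also help module consumers.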
@@ -1,60 +1,79 @@ -variable bucket_name {} -variable bucket_policy_json {} -variable current_version_expiration_days { - type = number - default = 2560 +variable "bucket_name" { + type = string + description = "Name of bucket" +} + +variable "bucket_policy_json" { + type = string + default = "{}" + description = "Json-encoded bucket policy. The AllowSSLRequestsOnly policy is merged with this input." +} + +variable "current_version_expiration_days" { + type = number + default = 2560 description = "731 for flowlogs" } -variable noncurrent_version_expiration_days { - type = number - default = 2560 +variable "noncurrent_version_expiration_days" { + type = number + default = 2560 description = "731 for flowlogs" } -variable enable_bucket_logging { - type = bool +variable "enable_bucket_logging" { + type = bool + description = "Enable bucket logging" } -variable logging_bucket_id { - type = string - default = null +variable "logging_bucket_id" { + type = string + default = null + description = "Logging bucket id" } -variable enable_encryption { - type = bool +variable "enable_encryption" { + type = bool + description = "Enable encryption for s3 bucket" } -variable encryption_key_arn { - type = string - default = "" +variable "encryption_key_arn" { + type = string + default = "" description = "Leave blank to use AES256" } -variable enable_versioning { - type = bool +variable "enable_versioning" { + type = bool + description = "Enable s3 bucket versioning" } -variable enable_bucket_lifecycle { - type = bool +variable "enable_bucket_lifecycle" { + type = bool + description = "Enable s3 bucket lifecycle" } -variable enable_replication { - type = bool - default = false +variable "enable_replication" { + type = bool + default = false + description = "Enable s3 bucket replication" } -variable replication_role_arn { - type = string - default = null +variable "replication_role_arn" { + type = string + default = null + description = "IAM role of s3 bucket replication" } -variable 
replication_dest_bucket_name { - type = string - default = null +variable "replication_dest_bucket_name" { + type = string + default = null + description = "Replica bucket name" } -variable replication_destination_aws_account_id { - type = number - default = null +variable "replication_destination_aws_account_id" { + type = number + default = null + description = "AWS account id of replica bucket" } -variable replication_destination_kms_key_arn { - type = string - default = null +variable "replication_destination_kms_key_arn" { + type = string + default = null + description = "KMS key ARN of destination bucket" } \ No newline at end of file
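Review bot: `replication_destination_aws_account_id` is typed `number`; AWS account IDs are 12-character identifiers that may begin with zeros, and a `number` silently drops them, so it should be `type = string` (Terraform still accepts a numeric literal from callers) with an optional `validation` using `can(regex("^[0-9]{12}$", var.replication_destination_aws_account_id))`. `bucket_policy_json` now defaults to `"{}"` and is described as merged with the AllowSSLRequestsOnly policy; the merge logic is not in this diff, so confirm it tolerates a document with no `Statement` key before relying on that default. `encryption_key_arn` defaulting to `""` while `enable_encryption` is a separate required bool means the "Leave blank to use AES256" contract spans two inputs; a one-line comment on either variable tying them together would help.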