477 | Enable ALB access logs for EKS clusters (#484)
* EKS ALB access logs

* bucket must be on the same account

* disabled by default

* terraform fmt

* demoapps alb logs

* Apply suggestions from code review

Co-authored-by: Diego OJeda (BinBash) <[email protected]>

* feedback

* consider demoapps too

* fmt

---------

Co-authored-by: Diego OJeda (BinBash) <[email protected]>
Franr and diego-ojeda-binbash authored Mar 30, 2023
1 parent 6184fd1 commit 7aad416
Showing 11 changed files with 62 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -55,4 +55,5 @@ locals {
alb_ingress_to_nginx_ingress_tags_list = [
for k, v in local.alb_ingress_to_nginx_ingress_tags_map : "${k}=${v}"
]
eks_alb_logging_prefix = var.eks_alb_logging_prefix != "" ? var.eks_alb_logging_prefix : data.terraform_remote_state.cluster.outputs.cluster_name
}
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,8 @@ resource "kubernetes_ingress_v1" "apps" {
# Filter traffic by IP addresses
# NOTE: this is highly recommended when using an internet-facing ALB
"alb.ingress.kubernetes.io/inbound-cidrs" = "0.0.0.0/0"
# ALB access logs
"alb.ingress.kubernetes.io/load-balancer-attributes" = "access_logs.s3.enabled=${var.enable_eks_alb_logging},access_logs.s3.bucket=${var.project}-${var.environment}-alb-logs,access_logs.s3.prefix=${local.eks_alb_logging_prefix}"
}
}

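Review bot: The `load-balancer-attributes` annotation added here names a bucket `${var.project}-${var.environment}-alb-logs` that nothing in this layer provisions; it is only created by apps-devstg/us-east-1/security-audit when `create_alb_logs_bucket` is true, which defaults to false, and the commit message states the bucket must be in the same account. Setting `enable_eks_alb_logging = true` without that bucket presumably leaves the load balancer controller unable to apply the attribute, so the dependency should be stated above the annotation: `# Requires the ALB logs bucket from apps-devstg/us-east-1/security-audit (create_alb_logs_bucket = true), which must live in this account`. The identical hunk in the k8s-eks ingress file further down needs the same comment. The enclosing `kubernetes_ingress_v1` resource starts outside the hunk.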
12 changes: 12 additions & 0 deletions apps-devstg/us-east-1/k8s-eks-demoapps/k8s-components/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,18 @@ variable "enable_backups" {
default = false
}

variable "enable_eks_alb_logging" {
description = "Turn EKS ALB logging on"
type = bool
default = false
}

variable "eks_alb_logging_prefix" {
description = "Turn EKS ALB logging on"
type = string
default = ""
}

#==================================#
# Ingress Monitor Controller (IMC) #
#==================================#
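Review bot: The description of `eks_alb_logging_prefix` is copied from the variable above it, `"Turn EKS ALB logging on"`, which does not describe a string prefix; the locals hunk shows it falls back to the cluster name when left empty. Replace it with `description = "S3 key prefix for the ALB access logs; empty means use the EKS cluster name"`. The same copied description appears in the apps-devstg/us-east-1/k8s-eks/k8s-components/variables.tf hunk below. It would also help if the `enable_eks_alb_logging` description mentioned that the logs bucket from the security-audit layer must exist in this account before the flag is turned on.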
2 changes: 1 addition & 1 deletion apps-devstg/us-east-1/k8s-eks/cluster/config.tf
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ provider "kubernetes" {
# Backend Config (partial)
#
terraform {
required_version = "~> 1.1.3"
required_version = "~> 1.2"

required_providers {
aws = "~> 4.10"
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ resource "aws_iam_policy" "external_secrets_secrets_manager" {
"kms:DescribeKey"
],
"Resource": [
"${data.terraform_remote_state.shared.outputs.aws_kms_key_arn}"
"${data.terraform_remote_state.shared-keys.outputs.aws_kms_key_arn}"
]
}
]
Expand Down Expand Up @@ -85,7 +85,7 @@ resource "aws_iam_policy" "external_secrets_parameter_store" {
"kms:DescribeKey"
],
"Resource": [
"${data.terraform_remote_state.shared.outputs.aws_kms_key_arn}"
"${data.terraform_remote_state.shared-keys.outputs.aws_kms_key_arn}"
]
}
]
1 change: 1 addition & 0 deletions apps-devstg/us-east-1/k8s-eks/k8s-components/locals.tf
Original file line number Diff line number Diff line change
Expand Up @@ -45,4 +45,5 @@ locals {
alb_ingress_to_nginx_ingress_tags_list = [
for k, v in local.alb_ingress_to_nginx_ingress_tags_map : "${k}=${v}"
]
eks_alb_logging_prefix = var.eks_alb_logging_prefix != "" ? var.eks_alb_logging_prefix : data.terraform_remote_state.eks-cluster.outputs.cluster_name
}
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,8 @@ resource "kubernetes_ingress_v1" "apps" {
# Filter traffic by IP addresses
# NOTE: this is highly recommended when using an internet-facing ALB
"alb.ingress.kubernetes.io/inbound-cidrs" = "0.0.0.0/0"
# ALB access logs
"alb.ingress.kubernetes.io/load-balancer-attributes" = "access_logs.s3.enabled=${var.enable_eks_alb_logging},access_logs.s3.bucket=${var.project}-${var.environment}-alb-logs,access_logs.s3.prefix=${local.eks_alb_logging_prefix}"
}
}

12 changes: 12 additions & 0 deletions apps-devstg/us-east-1/k8s-eks/k8s-components/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,18 @@ variable "enable_backups" {
default = false
}

variable "enable_eks_alb_logging" {
description = "Turn EKS ALB logging on"
type = bool
default = false
}

variable "eks_alb_logging_prefix" {
description = "Turn EKS ALB logging on"
type = string
default = ""
}

#==================================#
# Ingress Monitor Controller (IMC) #
#==================================#
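--- /dev/null
+++ b/apps-devstg/us-east-1/security-audit/logs.tf
@@ -0,0 +1,23 @@
+module "s3_bucket_alb_logs" {
+source = "github.com/binbashar/terraform-aws-s3-bucket.git?ref=v3.7.0"
+count = var.create_alb_logs_bucket ? 1 : 0
+
+bucket = "${var.project}-${var.environment}-alb-logs"
+acl = "log-delivery-write"
+
+versioning = {
+enabled = true
+}
+
+# Allow deletion of non-empty bucket
+force_destroy = true
+
+attach_elb_log_delivery_policy = true # Required for ALB logs
+attach_lb_log_delivery_policy = true # Required for ALB/NLB logs
+
+# S3 bucket-level Public Access Block configuration
+block_public_acls = true
+block_public_policy = true
+ignore_public_acls = true
+restrict_public_buckets = true
+}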
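Review bot: `force_destroy = true` on the new `s3_bucket_alb_logs` module lets a `terraform destroy` of the security-audit layer remove a non-empty access-log bucket, which defeats the retention purpose of an audit bucket; unless that is deliberate for this dev/staging account, change it to `force_destroy = false`. The bucket also declares no default server-side encryption and no lifecycle rule, so with versioning enabled the logs accumulate indefinitely; ALB access logs only support S3-managed (SSE-S3) keys, so an AES256 default encryption plus an expiration rule would be the expected additions if the pinned module version exposes those inputs. `acl = "log-delivery-write"` is the canned ACL for S3 server access logging, not for ELB log delivery, which the two `attach_*_log_delivery_policy` inputs already grant through the bucket policy, so it can presumably be dropped.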
5 changes: 5 additions & 0 deletions apps-devstg/us-east-1/security-audit/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -18,3 +18,8 @@ variable "metrics" {
description = "Metrics definitions"
default = {}
}

variable "create_alb_logs_bucket" {
type = bool
default = false
}
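Review bot: `create_alb_logs_bucket` is added without a `description`, unlike `metrics` just above it. Add `description = "Create the S3 bucket that receives EKS ALB access logs; it must live in this account"` so the link to `enable_eks_alb_logging` in the k8s-components layers is visible where the flag is set.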
2 changes: 1 addition & 1 deletion apps-devstg/us-east-1/security-certs/outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,4 +4,4 @@
output "certificate_arn" {
description = "The certificate ARN"
value = aws_acm_certificate.main.arn
}
}
