477 | Enable ALB access logs for EKS clusters

apps-devstg/us-east-1/k8s-eks-demoapps/k8s-components/locals.tf

@@ -55,4 +55,5 @@ locals {
   alb_ingress_to_nginx_ingress_tags_list = [
     for k, v in local.alb_ingress_to_nginx_ingress_tags_map : "${k}=${v}"
   ]
+  eks_alb_logging_prefix = var.eks_alb_logging_prefix != "" ? var.eks_alb_logging_prefix : data.terraform_remote_state.cluster.outputs.cluster_name
 }

apps-devstg/us-east-1/k8s-eks-demoapps/k8s-components/networking-ingress.tf

@@ -82,6 +82,8 @@ resource "kubernetes_ingress_v1" "apps" {
       # Filter traffic by IP addresses
       # NOTE: this is highly recommended when using an internet-facing ALB
       "alb.ingress.kubernetes.io/inbound-cidrs" = "0.0.0.0/0"
+      # ALB access logs
+      "alb.ingress.kubernetes.io/load-balancer-attributes" = "access_logs.s3.enabled=${var.enable_eks_alb_logging},access_logs.s3.bucket=${var.project}-${var.environment}-alb-logs,access_logs.s3.prefix=${local.eks_alb_logging_prefix}"
     }
   }
 

apps-devstg/us-east-1/k8s-eks-demoapps/k8s-components/variables.tf

@@ -121,6 +121,18 @@ variable "enable_backups" {
   default = false
 }
 
+variable "enable_eks_alb_logging" {
+  description = "Turn EKS ALB logging on"
+  type        = bool
+  default     = false
+}
+
+variable "eks_alb_logging_prefix" {
+  description = "Turn EKS ALB logging on"
+  type        = string
+  default     = ""
+}
+
 #==================================#
 # Ingress Monitor Controller (IMC) #
 #==================================#

apps-devstg/us-east-1/k8s-eks/cluster/config.tf

@@ -16,7 +16,7 @@ provider "kubernetes" {
 # Backend Config (partial)
 #
 terraform {
-  required_version = "~> 1.1.3"
+  required_version = "~> 1.2"
 
   required_providers {
     aws        = "~> 4.10"

apps-devstg/us-east-1/k8s-eks/identities/ids_external_secrets.tf

@@ -51,7 +51,7 @@ resource "aws_iam_policy" "external_secrets_secrets_manager" {
         "kms:DescribeKey"
       ],
       "Resource": [
-        "${data.terraform_remote_state.shared.outputs.aws_kms_key_arn}"
+        "${data.terraform_remote_state.shared-keys.outputs.aws_kms_key_arn}"
       ]
     }
   ]
@@ -85,7 +85,7 @@ resource "aws_iam_policy" "external_secrets_parameter_store" {
         "kms:DescribeKey"
       ],
       "Resource": [
-        "${data.terraform_remote_state.shared.outputs.aws_kms_key_arn}"
+        "${data.terraform_remote_state.shared-keys.outputs.aws_kms_key_arn}"
       ]
     }
   ]

apps-devstg/us-east-1/k8s-eks/k8s-components/locals.tf

@@ -45,4 +45,5 @@ locals {
   alb_ingress_to_nginx_ingress_tags_list = [
     for k, v in local.alb_ingress_to_nginx_ingress_tags_map : "${k}=${v}"
   ]
+  eks_alb_logging_prefix = var.eks_alb_logging_prefix != "" ? var.eks_alb_logging_prefix : data.terraform_remote_state.eks-cluster.outputs.cluster_name
 }

apps-devstg/us-east-1/k8s-eks/k8s-components/networking-ingress.tf

@@ -82,6 +82,8 @@ resource "kubernetes_ingress_v1" "apps" {
       # Filter traffic by IP addresses
       # NOTE: this is highly recommended when using an internet-facing ALB
       "alb.ingress.kubernetes.io/inbound-cidrs" = "0.0.0.0/0"
+      # ALB access logs
+      "alb.ingress.kubernetes.io/load-balancer-attributes" = "access_logs.s3.enabled=${var.enable_eks_alb_logging},access_logs.s3.bucket=${var.project}-${var.environment}-alb-logs,access_logs.s3.prefix=${local.eks_alb_logging_prefix}"
     }
   }
 

apps-devstg/us-east-1/k8s-eks/k8s-components/variables.tf

@@ -111,6 +111,18 @@ variable "enable_backups" {
   default = false
 }
 
+variable "enable_eks_alb_logging" {
+  description = "Turn EKS ALB logging on"
+  type        = bool
+  default     = false
+}
+
+variable "eks_alb_logging_prefix" {
+  description = "Turn EKS ALB logging on"
+  type        = string
+  default     = ""
+}
+
 #==================================#
 # Ingress Monitor Controller (IMC) #
 #==================================#

apps-devstg/us-east-1/security-audit/logs.tf

@@ -0,0 +1,23 @@
+module "s3_bucket_alb_logs" {
+  source = "github.com/binbashar/terraform-aws-s3-bucket.git?ref=v3.7.0"
+  count  = var.create_alb_logs_bucket ? 1 : 0
+
+  bucket = "${var.project}-${var.environment}-alb-logs"
+  acl    = "log-delivery-write"
+
+  versioning = {
+    enabled = true
+  }
+
+  # Allow deletion of non-empty bucket
+  force_destroy = true
+
+  attach_elb_log_delivery_policy = true # Required for ALB logs
+  attach_lb_log_delivery_policy  = true # Required for ALB/NLB logs
+
+  # S3 bucket-level Public Access Block configuration
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}

apps-devstg/us-east-1/security-audit/variables.tf

@@ -18,3 +18,8 @@ variable "metrics" {
   description = "Metrics definitions"
   default     = {}
 }
+
+variable "create_alb_logs_bucket" {
+  type    = bool
+  default = false
+}

apps-devstg/us-east-1/security-certs/outputs.tf

@@ -4,4 +4,4 @@
 output "certificate_arn" {
   description = "The certificate ARN"
   value       = aws_acm_certificate.main.arn
-}
+}