diff --git a/README.md b/README.md
index 2a04e3f1e1..30465dee2a 100644
--- a/README.md
+++ b/README.md
@@ -451,6 +451,8 @@ In case the setup does not work as intended follow the trace of events:
| [runner\_architecture](#input\_runner\_architecture) | The platform architecture of the runner instance\_type. | `string` | `"x64"` | no |
| [runner\_as\_root](#input\_runner\_as\_root) | Run the action runner under the root user. Variable `runner_run_as` will be ignored. | `bool` | `false` | no |
| [runner\_binaries\_s3\_sse\_configuration](#input\_runner\_binaries\_s3\_sse\_configuration) | Map containing server-side encryption configuration for runner-binaries S3 bucket. | `any` | `{}` | no |
+| [runner\_binaries\_s3\_logging\_bucket](#input\_runner\_binaries\_s3\_logging\_bucket) | Bucket for action runner distribution bucket access logging. | `string` | `null` | no |
+| [runner\_binaries\_s3\_logging\_bucket\_prefix](#input\_runner\_binaries\_s3\logging\_bucket\_prefix) | Bucket prefix for action runner distribution bucket access logging. | `string` | `null` | no |
| [runner\_binaries\_syncer\_lambda\_timeout](#input\_runner\_binaries\_syncer\_lambda\_timeout) | Time out of the binaries sync lambda in seconds. | `number` | `300` | no |
| [runner\_binaries\_syncer\_lambda\_zip](#input\_runner\_binaries\_syncer\_lambda\_zip) | File location of the binaries sync lambda zip file. | `string` | `null` | no |
| [runner\_boot\_time\_in\_minutes](#input\_runner\_boot\_time\_in\_minutes) | The minimum time for an EC2 runner to boot and register as a runner. | `number` | `5` | no |
diff --git a/main.tf b/main.tf
index 3a3525bd3b..730719f11c 100644
--- a/main.tf
+++ b/main.tf
@@ -230,6 +230,8 @@ module "runner_binaries" {
tags = local.tags
distribution_bucket_name = "${var.prefix}-dist-${random_string.random.result}"
+ s3_logging_bucket = var.runner_binaries_s3_logging_bucket
+ s3_logging_bucket_prefix = var.runner_binaries_s3_logging_bucket_prefix
runner_os = var.runner_os
runner_architecture = var.runner_architecture
diff --git a/modules/runner-binaries-syncer/main.tf b/modules/runner-binaries-syncer/main.tf
index a62f4efa74..e431a877b2 100644
--- a/modules/runner-binaries-syncer/main.tf
+++ b/modules/runner-binaries-syncer/main.tf
@@ -28,8 +28,6 @@ resource "aws_s3_bucket_lifecycle_configuration" "bucket-config" {
days = 35
storage_class = "INTELLIGENT_TIERING"
}
-
-
}
}
@@ -64,7 +62,13 @@ resource "aws_s3_bucket_public_access_block" "action_dist" {
restrict_public_buckets = true
}
+resource "aws_s3_bucket_logging" "action_dist_logging" {
+ count = var.s3_logging_bucket != null ? 1 : 0
+ bucket = aws_s3_bucket.action_dist.id
+ target_bucket = var.s3_logging_bucket
+ target_prefix = var.s3_logging_bucket_prefix != null ? var.s3_logging_bucket_prefix : var.distribution_bucket_name
+}
data "aws_iam_policy_document" "action_dist_sse_policy" {
count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0
diff --git a/modules/runner-binaries-syncer/variables.tf b/modules/runner-binaries-syncer/variables.tf
index b0de0c0d08..4d70862617 100644
--- a/modules/runner-binaries-syncer/variables.tf
+++ b/modules/runner-binaries-syncer/variables.tf
@@ -36,6 +36,31 @@ variable "distribution_bucket_name" {
condition = can(regex("^[a-z0-9-]*$", var.distribution_bucket_name))
}
}
+
+variable "s3_logging_bucket" {
+ description = "Bucket for action runner distribution bucket access logging."
+ type = string
+ default = null
+
+ # Make sure the bucket name only contains legal characters
+ validation {
+ error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
+ condition = var.s3_logging_bucket == null || can(regex("^[a-z0-9-]*$", var.s3_logging_bucket))
+ }
+}
+
+variable "s3_logging_bucket_prefix" {
+ description = "Bucket prefix for action runner distribution bucket access logging."
+ type = string
+ default = null
+
+ # Make sure the bucket name only contains legal characters
+ validation {
+ error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
+ condition = var.s3_logging_bucket_prefix == null || can(regex("^[a-z0-9-]*$", var.s3_logging_bucket_prefix))
+ }
+}
+
variable "lambda_schedule_expression" {
description = "Scheduler expression for action runner binary syncer."
type = string
@@ -196,4 +221,4 @@ variable "lambda_architecture" {
condition = contains(["arm64", "x86_64"], var.lambda_architecture)
error_message = "`lambda_architecture` value is not valid, valid values are: `arm64` and `x86_64`."
}
-}
\ No newline at end of file
+}
diff --git a/variables.tf b/variables.tf
index 76934cd79f..8ecd5ca791 100644
--- a/variables.tf
+++ b/variables.tf
@@ -135,6 +135,31 @@ variable "runner_binaries_s3_sse_configuration" {
default = {}
}
+variable "runner_binaries_s3_logging_bucket" {
+ description = "Bucket for action runner distribution bucket access logging."
+ type = string
+ default = null
+
+ # Make sure the bucket name only contains legal characters
+ validation {
+ error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
+ condition = var.runner_binaries_s3_logging_bucket == null || can(regex("^[a-z0-9-]*$", var.runner_binaries_s3_logging_bucket))
+ }
+}
+
+variable "runner_binaries_s3_logging_bucket_prefix" {
+ description = "Bucket prefix for action runner distribution bucket access logging."
+ type = string
+ default = null
+
+ # Make sure the bucket prefix only contains legal characters
+ validation {
+ error_message = "Only alphanumeric characters, hyphens followed by single slashes allowed in the bucket prefix."
+ condition = var.runner_binaries_s3_logging_bucket_prefix == null || can(regex("^(([a-zA-Z0-9-])+(\\/?))*$", var.runner_binaries_s3_logging_bucket_prefix))
+ }
+}
+
+
variable "role_permissions_boundary" {
description = "Permissions boundary that will be added to the created roles."
type = string