Merge pull request #130 from nlamirault/feat/buckets-refacto

Loki: buckets refactoring
nlamirault · Nov 24, 2023 · eeba829 · eeba829
2 parents f4eb670 + a982593
commit eeba829
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 29 deletions.
diff --git a/modules/loki/README.md b/modules/loki/README.md
@@ -60,9 +60,9 @@ tags = {
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_irsa"></a> [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.2 |
-| <a name="module_loki"></a> [loki](#module\_loki) | terraform-aws-modules/s3-bucket/aws | 3.4.0 |
-| <a name="module_loki_log"></a> [loki\_log](#module\_loki\_log) | terraform-aws-modules/s3-bucket/aws | 3.4.0 |
+| <a name="module_buckets_data"></a> [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 3.6.0 |
+| <a name="module_buckets_logging"></a> [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 3.6.0 |
+| <a name="module_irsa"></a> [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.7 |
 
 ## Resources
 

diff --git a/modules/loki/bucket.tf b/modules/loki/bucket.tf
@@ -14,19 +14,22 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-module "loki_log" {
+module "buckets_logging" {
   source  = "terraform-aws-modules/s3-bucket/aws"
   version = "3.15.1"
 
-  bucket                  = format("%s-log", local.service_name)
-  control_object_ownership = true
-  object_ownership         = "ObjectWriter"
+  for_each = local.buckets_names
+
+  bucket                  = format("%s-%s", local.service_name, each.value)
+  block_public_acls       = true
+  block_public_policy     = true
+  restrict_public_buckets = true
+  ignore_public_acls      = true
 
-  acl           = "log-delivery-write"
   force_destroy = true
 
   tags = merge(
-    { "Name" = format("%s-log", local.service_name) },
+    { "Name" = format("%s-%s", local.service_name, each.value) },
     var.tags
   )
 
@@ -46,24 +49,27 @@ module "loki_log" {
 }
 
 #tfsec:ignore:aws-s3-encryption-customer-key
-module "loki" {
+module "buckets_data" {
   source  = "terraform-aws-modules/s3-bucket/aws"
   version = "3.15.1"
 
-  bucket                  = local.service_name
-  control_object_ownership = true
-  object_ownership         = "ObjectWriter"
+  for_each = local.buckets_names
+
+  bucket                  = format("%s-%s", local.service_name, each.value)
+  block_public_acls       = true
+  block_public_policy     = true
+  restrict_public_buckets = true
+  ignore_public_acls      = true
 
-  acl           = "private"
   force_destroy = true
 
   tags = merge(
-    { "Name" = local.service_name },
+    { "Name" = format("%s-%s", local.service_name, each.value) },
     var.tags
   )
 
   logging = {
-    target_bucket = module.loki_log.s3_bucket_id
+    target_bucket = module.buckets_logging[format("%s-%s", local.service_name, each.value)].s3_bucket_id
     target_prefix = "log/"
   }
 

diff --git a/modules/loki/iam.tf b/modules/loki/iam.tf
@@ -27,22 +27,26 @@ data "aws_iam_policy_document" "bucket" {
 
     #tfsec:ignore:aws-iam-no-policy-wildcards
     resources = [
-      module.loki.s3_bucket_arn,
-      "${module.loki.s3_bucket_arn}/*"
+      module.buckets_data[*].s3_bucket_arn,
+      "${module.buckets_data[*].s3_bucket_arn}/*"
     ]
   }
 
-  # statement {
-  #   effect = "Allow"
+  dynamic "statement" {
+    for_each = var.enable_kms ? [1] : []
 
-  #   actions = [
-  #     "kms:Encrypt",
-  #     "kms:Decrypt",
-  #     "kms:GenerateDataKey*",
-  #   ]
+    content {
+      effect = "Allow"
 
-  #   resources = var.enable_kms ? [aws_kms_key.loki[0].arn] : []
-  # }
+      actions = [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:GenerateDataKey*",
+      ]
+
+      resources = [aws_kms_key.loki[0].arn]
+    }
+  }
 }
 
 #tfsec:ignore:AWS099
@@ -70,6 +74,7 @@ resource "aws_iam_policy" "bucket" {
   path        = "/"
   description = "Bucket permissions for Loki"
   policy      = data.aws_iam_policy_document.bucket.json
+
   tags = merge(
     { "Name" = format("%s-bucket", local.service_name) },
     var.tags
@@ -83,6 +88,7 @@ resource "aws_iam_policy" "kms" {
   path        = "/"
   description = "KMS permissions for Loki"
   policy      = data.aws_iam_policy_document.kms[0].json
+
   tags = merge(
     { "Name" = format("%s-kms", local.service_name) },
     var.tags
@@ -104,6 +110,7 @@ module "irsa" {
     aws_iam_policy.bucket.arn,
   ]
   oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.service_account}"]
+
   tags = merge(
     { "Name" = local.role_name },
     var.tags

diff --git a/modules/loki/kms.tf b/modules/loki/kms.tf
@@ -19,6 +19,7 @@ resource "aws_kms_key" "loki" {
   description             = "KMS for Loki"
   deletion_window_in_days = var.deletion_window_in_days
   enable_key_rotation     = true
+
   tags = merge(
     { "Name" = local.service_name },
     var.tags

diff --git a/modules/loki/locals.tf b/modules/loki/locals.tf
@@ -18,4 +18,10 @@ locals {
   service_name = format("%s-loki", var.cluster_name)
 
   role_name = "loki"
+
+  buckets_names = [
+    "admin",
+    "chunks",
+    "ruler"
+  ]
 }
diff --git a/modules/loki/outputs.tf b/modules/loki/outputs.tf
@@ -15,12 +15,12 @@
 # SPDX-License-Identifier: Apache-2.0
 
 output "bucket" {
-  value       = module.loki.s3_bucket_id
+  value       = module.buckets_data[*].s3_bucket_id
   description = "S3 bucket for Loki"
 }
 
 output "bucket_log" {
-  value       = module.loki_log.s3_bucket_id
+  value       = module.buckets_logging[*].s3_bucket_id
   description = "S3 log bucket for Loki"
 }