code cleanup

aws_s3_bucket.access_logs_bucket.tf

@@ -0,0 +1,60 @@
+resource "aws_s3_bucket" "access_logs_bucket" {
+  # checkov:skip=CKV_AWS_144: Cross region replication is overkill
+  # checkov:skip=CKV_AWS_18:
+  # checkov:skip=CKV_AWS_52:
+  # checkov:skip=CKV_AWS_145:v4 provider legacy
+  count         = var.enable_log_to_s3 ? 1 : 0
+  bucket_prefix = "${var.access_logs_bucket_name}-"
+  force_destroy = true
+  tags          = var.tags
+}
+
+resource "aws_s3_bucket_acl" "access_logs_bucket" {
+  count  = var.enable_log_to_s3 ? 1 : 0
+  bucket = aws_s3_bucket.access_logs_bucket[0].id
+  acl    = "log-delivery-write"
+}
+
+resource "aws_s3_bucket_versioning" "access_logs_bucket" {
+  count  = var.enable_log_to_s3 ? 1 : 0
+  bucket = aws_s3_bucket.access_logs_bucket[0].id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "access_logs_bucket" {
+  count  = var.enable_log_to_s3 ? 1 : 0
+  bucket = aws_s3_bucket.access_logs_bucket[0].id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.ssmkey.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "access_logs_bucket" {
+  count  = var.enable_log_to_s3 ? 1 : 0
+  bucket = aws_s3_bucket.access_logs_bucket[0].id
+
+  rule {
+    id     = "delete_after_X_days"
+    status = "Enabled"
+
+    expiration {
+      days = var.access_log_expire_days
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "access_logs_bucket" {
+  count                   = var.enable_log_to_s3 ? 1 : 0
+  bucket                  = aws_s3_bucket.access_logs_bucket[0].id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}

aws_s3_bucket.session_logs_bucket.tf

@@ -2,30 +2,31 @@ resource "aws_s3_bucket" "session_logs_bucket" {
   # checkov:skip=CKV_AWS_144: Cross region replication overkill
   # checkov:skip=CKV_AWS_52:
   # checkov:skip=CKV_AWS_145:v4 provider legacy
+  count         = var.enable_log_to_s3 ? 1 : 0
   bucket_prefix = "${var.bucket_name}-"
   force_destroy = true
   tags          = var.tags
-
 }
 
-resource "aws_s3_bucket_acl" "session_logs_bucket" {
-  bucket = aws_s3_bucket.session_logs_bucket.id
 
-  acl = "private"
+resource "aws_s3_bucket_acl" "session_logs_bucket" {
+  count  = var.enable_log_to_s3 ? 1 : 0
+  bucket = aws_s3_bucket.session_logs_bucket[0].id
+  acl    = "private"
 }
 
-
 resource "aws_s3_bucket_versioning" "session_logs_bucket" {
-  bucket = aws_s3_bucket.session_logs_bucket.id
+  count  = var.enable_log_to_s3 ? 1 : 0
+  bucket = aws_s3_bucket.session_logs_bucket[0].id
 
   versioning_configuration {
     status = "Enabled"
   }
 }
 
-
 resource "aws_s3_bucket_server_side_encryption_configuration" "session_logs_bucket" {
-  bucket = aws_s3_bucket.session_logs_bucket.id
+  count  = var.enable_log_to_s3 ? 1 : 0
+  bucket = aws_s3_bucket.session_logs_bucket[0].id
 
   rule {
     apply_server_side_encryption_by_default {
@@ -35,9 +36,9 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "session_logs_buck
   }
 }
 
-
 resource "aws_s3_bucket_lifecycle_configuration" "session_logs_bucket" {
-  bucket = aws_s3_bucket.session_logs_bucket.id
+  count  = var.enable_log_to_s3 ? 1 : 0
+  bucket = aws_s3_bucket.session_logs_bucket[0].id
 
   rule {
     id     = "archive_after_X_days"
@@ -54,17 +55,17 @@ resource "aws_s3_bucket_lifecycle_configuration" "session_logs_bucket" {
   }
 }
 
-
 resource "aws_s3_bucket_logging" "session_logs_bucket" {
-  bucket = aws_s3_bucket.session_logs_bucket.id
+  count  = var.enable_log_to_s3 ? 1 : 0
+  bucket = aws_s3_bucket.session_logs_bucket[0].id
 
-  target_bucket = aws_s3_bucket.session_logs_bucket.id
+  target_bucket = aws_s3_bucket.access_logs_bucket[0].id
   target_prefix = "log/"
 }
 
-
 resource "aws_s3_bucket_public_access_block" "session_logs_bucket" {
-  bucket                  = aws_s3_bucket.session_logs_bucket.id
+  count                   = var.enable_log_to_s3 ? 1 : 0
+  bucket                  = aws_s3_bucket.session_logs_bucket[0].id
   block_public_acls       = true
   block_public_policy     = true
   ignore_public_acls      = true

data.tf

@@ -1,4 +1,29 @@
+locals {
+  region  = var.vpc_endpoints_enabled && var.vpc_id != null ? split(":", data.aws_vpc.selected[0].arn)[3] : data.aws_region.current.name
+  subnets = var.vpc_endpoints_enabled ? length(var.subnet_ids) > 0 ? var.subnet_ids : data.aws_subnets.selected[0].ids : []
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_partition" "current" {}
+
 data "aws_vpc" "selected" {
   count = var.vpc_endpoints_enabled ? 1 : 0
   id    = var.vpc_id
 }
+
+data "aws_subnets" "selected" {
+  count = var.vpc_endpoints_enabled ? 1 : 0
+  filter {
+    name   = "vpc-id"
+    values = [var.vpc_id]
+  }
+}
+
+data "aws_route_table" "selected" {
+  count     = var.vpc_endpoints_enabled ? length(local.subnets) : 0
+  subnet_id = sort(local.subnets)[count.index]
+}
+

example/examplea/module.ssm.tf

@@ -1,7 +1,7 @@
 module "ssm" {
   source                   = "../../"
   bucket_name              = "my-session-logs"
-  access_log_bucket_name   = "my-session-access-logs"
+  access_logs_bucket_name  = "my-session-access-logs"
   enable_log_to_s3         = true
   enable_log_to_cloudwatch = true
   linux_shell_profile      = "date"

example/examplea/outputs.tf

@@ -2,8 +2,8 @@ output "session_logs_bucket_name" {
   value = module.ssm.session_logs_bucket_name
 }
 
-output "access_log_bucket_name" {
-  value = module.ssm.access_log_bucket_name
+output "access_logs_bucket_name" {
+  value = module.ssm.access_logs_bucket_name
 }
 
 output "cloudwatch_log_group_arn" {