chris-qa-org
diff --git a/‎README.md‎
Lines changed: 9 additions & 28 deletions b/‎README.md‎
Lines changed: 9 additions & 28 deletions
diff --git a/‎cloudfront-frontend-logging-logging.tf‎
Lines changed: 0 additions & 61 deletions b/‎cloudfront-frontend-logging-logging.tf‎
Lines changed: 0 additions & 61 deletions
diff --git a/‎cloudfront-frontend-logging.tf‎
Lines changed: 0 additions & 66 deletions b/‎cloudfront-frontend-logging.tf‎
Lines changed: 0 additions & 66 deletions
diff --git a/‎cloudfront-frontend.tf‎
Lines changed: 2 additions & 2 deletions b/‎cloudfront-frontend.tf‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎kms.tf‎
Lines changed: 2 additions & 14 deletions b/‎kms.tf‎
Lines changed: 2 additions & 14 deletions
diff --git a/‎s3-frontend-logging.tf‎
Lines changed: 0 additions & 60 deletions b/‎s3-frontend-logging.tf‎
Lines changed: 0 additions & 60 deletions
diff --git a/‎s3-frontend.tf‎
Lines changed: 2 additions & 2 deletions b/‎s3-frontend.tf‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎s3-logs.tf‎
Lines changed: 60 additions & 0 deletions b/‎s3-logs.tf‎
Lines changed: 60 additions & 0 deletions
@@ -29,48 +29,29 @@ Terraform module to host a static site generated by Publii
 | [aws_iam_policy.publii_s3_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_user.publii_s3_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_iam_user_policy_attachment.publii_s3_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
-| [aws_kms_key.s3_bucket_cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_kms_key.s3_bucket_cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_kms_key.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.s3_bucket_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_kms_key.s3_bucket_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_s3_bucket.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket.cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket.frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_acl.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
-| [aws_s3_bucket_acl.cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
-| [aws_s3_bucket_acl.frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
-| [aws_s3_bucket_logging.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_acl.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_logging.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
-| [aws_s3_bucket_policy.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-| [aws_s3_bucket_policy.cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_policy.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-| [aws_s3_bucket_policy.frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-| [aws_s3_bucket_public_access_block.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
-| [aws_s3_bucket_public_access_block.cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
-| [aws_s3_bucket_public_access_block.frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
-| [aws_s3_bucket_server_side_encryption_configuration.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
-| [aws_s3_bucket_server_side_encryption_configuration.cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_public_access_block.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
-| [aws_s3_bucket_server_side_encryption_configuration.frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
-| [aws_s3_bucket_versioning.cloudfront_frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
-| [aws_s3_bucket_versioning.cloudfront_frontend_logging_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
-| [aws_s3_bucket_versioning.frontend_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_s3_bucket_versioning.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_bucket_website_configuration.frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
 | [aws_wafv2_web_acl.cloudfront_waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl) | resource |
 | [random_id.project](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
-| [template_file.cloudfront_frontend_logging_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
-| [template_file.cloudfront_frontend_logging_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
-| [template_file.cloudfront_frontend_logging_logging_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
-| [template_file.cloudfront_frontend_logging_logging_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.frontend_bucket_cloudfront_read](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.frontend_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.frontend_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
-| [template_file.frontend_logging_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
-| [template_file.frontend_logging_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+| [template_file.logs_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+| [template_file.logs_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.publii_s3_frontend_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 
 ## Inputs
 
@@ -72,7 +72,7 @@ resource "aws_cloudfront_distribution" "frontend" {
 
   logging_config {
     include_cookies = false
-    bucket          = aws_s3_bucket.cloudfront_frontend_logging.bucket_domain_name
-    prefix          = "log/"
+    bucket          = aws_s3_bucket.logs.bucket_domain_name
+    prefix          = "cloudfront/frontend/"
   }
 }
@@ -4,20 +4,8 @@ resource "aws_kms_key" "s3_bucket_frontend" {
   enable_key_rotation     = true
 }
 
-resource "aws_kms_key" "s3_bucket_frontend_logging" {
-  description             = "This key is used to encrypt bucket objects within ${aws_s3_bucket.frontend_logging.id}"
-  deletion_window_in_days = 10
-  enable_key_rotation     = true
-}
-
-resource "aws_kms_key" "s3_bucket_cloudfront_frontend_logging" {
-  description             = "This key is used to encrypt bucket objects within ${aws_s3_bucket.cloudfront_frontend_logging.id}"
-  deletion_window_in_days = 10
-  enable_key_rotation     = true
-}
-
-resource "aws_kms_key" "s3_bucket_cloudfront_frontend_logging_logging" {
-  description             = "This key is used to encrypt bucket objects within ${aws_s3_bucket.cloudfront_frontend_logging_logging.id}"
+resource "aws_kms_key" "logs" {
+  description             = "This key is used to encrypt bucket objects within ${aws_s3_bucket.logs.id}"
   deletion_window_in_days = 10
   enable_key_rotation     = true
 }
@@ -35,8 +35,8 @@ resource "aws_s3_bucket_versioning" "frontend" {
 
 resource "aws_s3_bucket_logging" "frontend" {
   bucket        = aws_s3_bucket.frontend.id
-  target_bucket = aws_s3_bucket.frontend_logging.id
-  target_prefix = "log/"
+  target_bucket = aws_s3_bucket.logs.id
+  target_prefix = "s3/frontend/"
 }
 
 resource "aws_s3_bucket_acl" "frontend" {
 
@@ -0,0 +1,60 @@
+resource "aws_s3_bucket" "logs" {
+  bucket        = "${local.project_name}-logs"
+  force_destroy = false
+}
+
+resource "aws_s3_bucket_versioning" "logs" {
+  bucket = aws_s3_bucket.logs.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_acl" "logs" {
+  bucket = aws_s3_bucket.logs.id
+  acl    = "log-delivery-write"
+}
+
+resource "aws_s3_bucket_public_access_block" "logs" {
+  bucket                  = aws_s3_bucket.logs.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
+  bucket = aws_s3_bucket.logs.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.logs.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+data "template_file" "logs_bucket_enforce_tls_statement" {
+  template = file("${path.module}/policies/s3-bucket-policy-statements/enforce-tls.json.tpl")
+
+  vars = {
+    bucket_arn = aws_s3_bucket.logs.arn
+  }
+}
+
+data "template_file" "logs_bucket_policy" {
+  template = file("${path.module}/policies/s3-bucket-policy.json.tpl")
+
+  vars = {
+    statement = <<EOT
+[
+${data.template_file.logs_bucket_enforce_tls_statement.rendered}
+]
+EOT
+  }
+}
+
+resource "aws_s3_bucket_policy" "logs" {
+  bucket = aws_s3_bucket.logs.id
+  policy = data.template_file.logs_bucket_policy.rendered
+}
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ resource "aws_cloudfront_distribution" "frontend" {`
`72`	`72`
`73`	`73`	`logging_config {`
`74`	`74`	`include_cookies = false`
`75`		`- bucket = aws_s3_bucket.cloudfront_frontend_logging.bucket_domain_name`
`76`		`- prefix = "log/"`
	`75`	`+ bucket = aws_s3_bucket.logs.bucket_domain_name`
	`76`	`+ prefix = "cloudfront/frontend/"`
`77`	`77`	`}`
`78`	`78`	`}`
Original file line number	Diff line number	Diff line change
`@@ -35,8 +35,8 @@ resource "aws_s3_bucket_versioning" "frontend" {`
`35`	`35`
`36`	`36`	`resource "aws_s3_bucket_logging" "frontend" {`
`37`	`37`	`bucket = aws_s3_bucket.frontend.id`
`38`		`- target_bucket = aws_s3_bucket.frontend_logging.id`
`39`		`- target_prefix = "log/"`
	`38`	`+ target_bucket = aws_s3_bucket.logs.id`
	`39`	`+ target_prefix = "s3/frontend/"`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`resource "aws_s3_bucket_acl" "frontend" {`