

feat: Support s3 bucket logging for distribution cache bucket (philip…
…s-labs#2430)

* feat: Support s3 bucket logging

Add support for configuring S3 bucket logging.

* adjust bucket prefix regex and validation error
AldinDuraki authored Oct 6, 2022
1 parent 5c0744e commit 69578e0
Showing 5 changed files with 60 additions and 2 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -452,6 +452,8 @@ In case the setup does not work as intended follow the trace of events:
| <a name="input_runner_architecture"></a> [runner\_architecture](#input\_runner\_architecture) | The platform architecture of the runner instance\_type. | `string` | `"x64"` | no |
| <a name="input_runner_as_root"></a> [runner\_as\_root](#input\_runner\_as\_root) | Run the action runner under the root user. Variable `runner_run_as` will be ignored. | `bool` | `false` | no |
| <a name="input_runner_binaries_s3_sse_configuration"></a> [runner\_binaries\_s3\_sse\_configuration](#input\_runner\_binaries\_s3\_sse\_configuration) | Map containing server-side encryption configuration for runner-binaries S3 bucket. | `any` | `{}` | no |
| <a name="input_runner_binaries_s3_logging_bucket"></a> [runner\_binaries\_s3\_logging\_bucket](#input\_runner\_binaries\_s3\_logging\_bucket) | Bucket for action runner distribution bucket access logging. | `string` | `null` | no |
| <a name="input_runner_binaries_s3_logging_bucket_prefix"></a> [runner\_binaries\_s3\_logging\_bucket\_prefix](#input\_runner\_binaries\_s3\logging\_bucket\_prefix) | Bucket prefix for action runner distribution bucket access logging. | `string` | `null` | no |
| <a name="input_runner_binaries_syncer_lambda_timeout"></a> [runner\_binaries\_syncer\_lambda\_timeout](#input\_runner\_binaries\_syncer\_lambda\_timeout) | Time out of the binaries sync lambda in seconds. | `number` | `300` | no |
| <a name="input_runner_binaries_syncer_lambda_zip"></a> [runner\_binaries\_syncer\_lambda\_zip](#input\_runner\_binaries\_syncer\_lambda\_zip) | File location of the binaries sync lambda zip file. | `string` | `null` | no |
| <a name="input_runner_boot_time_in_minutes"></a> [runner\_boot\_time\_in\_minutes](#input\_runner\_boot\_time\_in\_minutes) | The minimum time for an EC2 runner to boot and register as a runner. | `number` | `5` | no |
2 changes: 2 additions & 0 deletions main.tf
Expand Up @@ -238,6 +238,8 @@ module "runner_binaries" {
tags = local.tags

distribution_bucket_name = "${var.prefix}-dist-${random_string.random.result}"
s3_logging_bucket = var.runner_binaries_s3_logging_bucket
s3_logging_bucket_prefix = var.runner_binaries_s3_logging_bucket_prefix

runner_os = var.runner_os
runner_architecture = var.runner_architecture
8 changes: 6 additions & 2 deletions modules/runner-binaries-syncer/main.tf
Expand Up @@ -28,8 +28,6 @@ resource "aws_s3_bucket_lifecycle_configuration" "bucket-config" {
days = 35
storage_class = "INTELLIGENT_TIERING"
}


}
}

Expand Down Expand Up @@ -64,7 +62,13 @@ resource "aws_s3_bucket_public_access_block" "action_dist" {
restrict_public_buckets = true
}

resource "aws_s3_bucket_logging" "action_dist_logging" {
count = var.s3_logging_bucket != null ? 1 : 0

bucket = aws_s3_bucket.action_dist.id
target_bucket = var.s3_logging_bucket
target_prefix = var.s3_logging_bucket_prefix != null ? var.s3_logging_bucket_prefix : var.distribution_bucket_name
}

data "aws_iam_policy_document" "action_dist_sse_policy" {
count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0
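Review bot: The fallback `target_prefix` on `aws_s3_bucket_logging.action_dist_logging` uses `var.distribution_bucket_name` with no trailing slash, and S3 prepends the prefix to each access-log object key verbatim, so the default layout becomes `<distribution-bucket-name>YYYY-MM-DD-…` instead of one folder per source bucket. Consider `target_prefix = var.s3_logging_bucket_prefix != null ? var.s3_logging_bucket_prefix : "${var.distribution_bucket_name}/"`. A caller-supplied prefix without a trailing slash has the same effect, so a comment such as `# S3 treats target_prefix as a literal key prefix; end it with "/" to get a folder per bucket` on this resource would make the contract explicit.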
25 changes: 25 additions & 0 deletions modules/runner-binaries-syncer/variables.tf
Expand Up @@ -36,6 +36,31 @@ variable "distribution_bucket_name" {
condition = can(regex("^[a-z0-9-]*$", var.distribution_bucket_name))
}
}

variable "s3_logging_bucket" {
description = "Bucket for action runner distribution bucket access logging."
type = string
default = null

# Make sure the bucket name only contains legal characters
validation {
error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
condition = var.s3_logging_bucket == null || can(regex("^[a-z0-9-]*$", var.s3_logging_bucket))
}
}

variable "s3_logging_bucket_prefix" {
description = "Bucket prefix for action runner distribution bucket access logging."
type = string
default = null

# Make sure the bucket name only contains legal characters
validation {
error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
condition = var.s3_logging_bucket_prefix == null || can(regex("^[a-z0-9-]*$", var.s3_logging_bucket_prefix))
}
}

variable "lambda_schedule_expression" {
description = "Scheduler expression for action runner binary syncer."
type = string
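Review bot: The validation on `s3_logging_bucket_prefix` in this module reuses the bucket-name rule `^[a-z0-9-]*$`, along with the "bucket name" comment and error message, while the root `runner_binaries_s3_logging_bucket_prefix` added in variables.tf by the same commit accepts `^(([a-zA-Z0-9-])+(\\/?))*$`, which allows slashes and uppercase. Since main.tf passes the root value straight into this module, a prefix such as `logs/dist/` passes root validation and is then rejected here. Align the module rule with the root one: `condition = var.s3_logging_bucket_prefix == null || can(regex("^(([a-zA-Z0-9-])+(\\/?))*$", var.s3_logging_bucket_prefix))`, with the comment `# Make sure the bucket prefix only contains legal characters` and the root's error message `"Only alphanumeric characters, hyphens followed by single slashes allowed in the bucket prefix."`.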
25 changes: 25 additions & 0 deletions variables.tf
Expand Up @@ -135,6 +135,31 @@ variable "runner_binaries_s3_sse_configuration" {
default = {}
}

variable "runner_binaries_s3_logging_bucket" {
description = "Bucket for action runner distribution bucket access logging."
type = string
default = null

# Make sure the bucket name only contains legal characters
validation {
error_message = "Only lowercase alphanumeric characters and hyphens allowed in the bucket name."
condition = var.runner_binaries_s3_logging_bucket == null || can(regex("^[a-z0-9-]*$", var.runner_binaries_s3_logging_bucket))
}
}

variable "runner_binaries_s3_logging_bucket_prefix" {
description = "Bucket prefix for action runner distribution bucket access logging."
type = string
default = null

# Make sure the bucket prefix only contains legal characters
validation {
error_message = "Only alphanumeric characters, hyphens followed by single slashes allowed in the bucket prefix."
condition = var.runner_binaries_s3_logging_bucket_prefix == null || can(regex("^(([a-zA-Z0-9-])+(\\/?))*$", var.runner_binaries_s3_logging_bucket_prefix))
}
}


variable "role_permissions_boundary" {
description = "Permissions boundary that will be added to the created roles."
type = string
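Review bot: The description of `runner_binaries_s3_logging_bucket` does not tell the caller that, as far as this diff shows, nothing creates the target bucket or grants the S3 log delivery service write access to it; the module only attaches an `aws_s3_bucket_logging` resource to the distribution bucket. If the target bucket is not already prepared for server access logging, the apply may fail or, depending on the target's configuration, access logs may never arrive, which is easy to overlook for an audit-trail feature. Suggest extending the description to `"Bucket for action runner distribution bucket access logging. The bucket must already exist and permit S3 server access log delivery."`.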
