diff --git a/terraform/iam.tf b/terraform/iam.tf index 09a60df..199cf82 100644 --- a/terraform/iam.tf +++ b/terraform/iam.tf @@ -1,5 +1,25 @@ # # POLICY TO LET BUCKET PERMISSIONS: +data "aws_elb_service_account" "main" {} + +data "aws_iam_policy_document" "bucket_policy" { + statement { + actions = ["s3:PutObject"] + resources = ["${aws_s3_bucket.logging_bucket.arn}/*"] + + principals { + type = "AWS" + identifiers = [data.aws_elb_service_account.main.arn] + } + } +} + +resource "aws_s3_bucket_policy" "bucket_policy" { + bucket = aws_s3_bucket.nlb_logs.id + policy = data.aws_iam_policy_document.bucket_policy.json +} + + # # subir como data y statement como en el infra ops en vez de esta forma: # resource "aws_s3_bucket_policy" "alb_log_bucket_policy" { diff --git a/terraform/main.tf b/terraform/main.tf index 78326b0..b0f3161 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -81,6 +81,11 @@ resource "aws_route_table_association" "vectorstore_rta" { # } # } +module "alb_logging" { + source = "./modules/alb_logging" + bucket_name = "milvus-api-alb-logs" + // other necessary variables +} @@ -106,11 +111,11 @@ resource "aws_lb" "vectorstore_nlb" { subnets = [aws_subnet.vectorstore_subnet.id, aws_subnet.vectorstore_subnet_2.id] enable_deletion_protection = false - # access_logs { - # bucket = aws_s3_bucket.nlb_logs.bucket - # prefix = "access-logs" - # enabled = true - # } + access_logs { + bucket = module.alb_logging.bucket_name + prefix = "logs" + enabled = true + } tags = { Name = "vectorstore_nlb" diff --git a/terraform/modules/alb_logging/main.tf b/terraform/modules/alb_logging/main.tf new file mode 100644 index 0000000..4f1b491 --- /dev/null +++ b/terraform/modules/alb_logging/main.tf 
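Review bot: The new root-level `aws_s3_bucket_policy "bucket_policy"` in iam.tf attaches to `aws_s3_bucket.nlb_logs` while its policy document's `resources` points at `aws_s3_bucket.logging_bucket`; neither bucket is defined at the root as far as this diff shows (`logging_bucket` is created inside `modules/alb_logging`, and `nlb_logs` only appears in a commented-out block), so these three blocks look like a leftover copy of the module code that will fail at plan time. Because the module already creates the same `aws_elb_service_account` / `aws_iam_policy_document` / `aws_s3_bucket_policy` trio, I would drop them from iam.tf rather than maintain two policies for one bucket. If a root-level policy is kept, scope its resource to the account's log path as AWS's reference policy does, e.g. `resources = ["${aws_s3_bucket.logging_bucket.arn}/logs/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]` (adding a `data "aws_caller_identity" "current" {}` if the root module does not already have one), so the region-wide ELB service account can only write this account's log objects into the bucket.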
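Review bot: The placeholder `// other necessary variables` inside the `module "alb_logging"` call should be removed or replaced by the real inputs before merge; as written it is a TODO that documents nothing. Also, S3 bucket names are a global namespace, so the hard-coded `bucket_name = "milvus-api-alb-logs"` is identical across every environment this root module is applied to and will collide with any account that already owns that name; consider deriving it from the deployment, e.g. `bucket_name = "milvus-api-alb-logs-${data.aws_caller_identity.current.account_id}"` (assuming such a data source exists or is added at the root).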
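Review bot: Enabling `access_logs` on `aws_lb.vectorstore_nlb` references only the module's `bucket_name` output, so Terraform sees no dependency on the bucket policy created inside the module and may configure the load balancer before the policy is attached, which ELB rejects with an access-denied error on the bucket. Add `depends_on = [module.alb_logging]` to the `aws_lb` resource so the bucket and its policy are in place first. Separately, the resource is named as an NLB while the module grants `s3:PutObject` to the ELB service account, which is the ALB log-delivery model; if `load_balancer_type` (outside this hunk) is `"network"`, NLB access logs are written by the `delivery.logs.amazonaws.com` service principal and the module's bucket policy needs to grant that principal instead. The `aws_lb "vectorstore_nlb"` block begins before this hunk.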
@@ -0,0 +1,22 @@ +resource "aws_s3_bucket" "logging_bucket" { + bucket = var.bucket_name +} + +data "aws_elb_service_account" "main" {} + +data "aws_iam_policy_document" "bucket_policy" { + statement { + actions = ["s3:PutObject"] + resources = ["${aws_s3_bucket.logging_bucket.arn}/*"] + + principals { + type = "AWS" + identifiers = [data.aws_elb_service_account.main.arn] + } + } +} + +resource "aws_s3_bucket_policy" "bucket_policy" { + bucket = aws_s3_bucket.logging_bucket.id + policy = data.aws_iam_policy_document.bucket_policy.json +} diff --git a/terraform/modules/alb_logging/outputs.tf b/terraform/modules/alb_logging/outputs.tf new file mode 100644 index 0000000..ac38515 --- /dev/null +++ b/terraform/modules/alb_logging/outputs.tf @@ -0,0 +1,4 @@ +output "bucket_name" { + description = "The name of the S3 bucket for ALB logs" + value = aws_s3_bucket.logging_bucket.bucket +} diff --git a/terraform/modules/alb_logging/variables.tf b/terraform/modules/alb_logging/variables.tf new file mode 100644 index 0000000..da4b016 --- /dev/null +++ b/terraform/modules/alb_logging/variables.tf @@ -0,0 +1,5 @@ +variable "bucket_name" { + description = "The name of the bucket to be created for storing ALB logs." + type = string + default = "milvus-api-alb-logs" +} diff --git a/terraform/variables.tf b/terraform/variables.tf index 807bee5..6b5ad5e 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -25,4 +25,3 @@ variable "key_name" { # No default provided; should be specified at runtime or via terraform.tfvars for security reasons } -
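Review bot: `aws_s3_bucket "logging_bucket"` is created with no public access block, no server-side encryption configuration and no lifecycle rule, so a bucket that will hold client IPs and request paths relies entirely on account-level defaults to stay private; add an `aws_s3_bucket_public_access_block` with all four settings true and an `AES256` SSE configuration (ELB log delivery does not support SSE-KMS), and consider an expiration rule for old logs. The policy's `resources = ["${aws_s3_bucket.logging_bucket.arn}/*"]` grants the region-wide ELB service account `s3:PutObject` on every key in the bucket; AWS's reference policy scopes it to `<bucket>/<prefix>/AWSLogs/<account-id>/*`, which keeps other accounts' load balancers in the same region from writing into this bucket, so the prefix used in `access_logs` should become a module input and the resource should be built as `"${aws_s3_bucket.logging_bucket.arn}/${var.log_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"`. If this module is meant to serve the NLB named in main.tf, note that NLB access logs are delivered by the `delivery.logs.amazonaws.com` service principal (needing `s3:GetBucketAcl` plus `s3:PutObject` conditioned on `s3:x-amz-acl = bucket-owner-full-control`) rather than by the ELB account, so the `principals` block would have to change for that case.
```hcl
resource "aws_s3_bucket" "logging_bucket" {
  bucket = var.bucket_name
}

resource "aws_s3_bucket_public_access_block" "logging_bucket" {
  bucket                  = aws_s3_bucket.logging_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logging_bucket" {
  bucket = aws_s3_bucket.logging_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256" # ELB log delivery only supports SSE-S3
    }
  }
}

data "aws_caller_identity" "current" {}

# … unchanged: data "aws_elb_service_account" "main" …

data "aws_iam_policy_document" "bucket_policy" {
  statement {
    actions   = ["s3:PutObject"]
    # Only this account's log objects under the configured prefix, not the whole bucket.
    resources = ["${aws_s3_bucket.logging_bucket.arn}/${var.log_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]

    # … unchanged: principals block …
  }
}

# … unchanged: aws_s3_bucket_policy "bucket_policy" …
```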
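Review bot: Giving `variable "bucket_name"` a concrete default of `"milvus-api-alb-logs"` inside a reusable module is risky: S3 names are globally unique, so two callers of the module (or two environments) silently compete for the same bucket, and the root module already passes the value explicitly anyway. I would drop the `default` so every caller must choose a name, and add a validation block such as `condition = can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.bucket_name))` with an error message so malformed names fail at plan rather than at the S3 API. The description says "ALB logs" while main.tf attaches this bucket to a resource named `vectorstore_nlb`; align the wording with the load balancer type the module actually supports.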