feat: Adding analytics configuration support (#193)

Co-authored-by: magreenbaum <magreenbaum>
Co-authored-by: Anton Babenko <[email protected]>

Author: magreenbaum

README.md

@@ -137,6 +137,7 @@ No modules.
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_accelerate_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_accelerate_configuration) | resource |
 | [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_analytics_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_analytics_configuration) | resource |
 | [aws_s3_bucket_cors_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource |
 | [aws_s3_bucket_intelligent_tiering_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_intelligent_tiering_configuration) | resource |
 | [aws_s3_bucket_inventory.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_inventory) | resource |
@@ -158,7 +159,7 @@ No modules.
 | [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deny_insecure_transport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.elb_log_delivery](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.inventory_destination_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.inventory_and_analytics_destination_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lb_log_delivery](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.require_latest_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
@@ -168,6 +169,11 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_acceleration_status"></a> [acceleration\_status](#input\_acceleration\_status) | (Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. | `string` | `null` | no |
 | <a name="input_acl"></a> [acl](#input\_acl) | (Optional) The canned ACL to apply. Conflicts with `grant` | `string` | `null` | no |
+| <a name="input_analytics_configuration"></a> [analytics\_configuration](#input\_analytics\_configuration) | Map containing bucket analytics configuration. | `any` | `{}` | no |
+| <a name="input_analytics_self_source_destination"></a> [analytics\_self\_source\_destination](#input\_analytics\_self\_source\_destination) | Whether or not the analytics source bucket is also the destination bucket. | `bool` | `false` | no |
+| <a name="input_analytics_source_account_id"></a> [analytics\_source\_account\_id](#input\_analytics\_source\_account\_id) | The analytics source account id. | `string` | `null` | no |
+| <a name="input_analytics_source_bucket_arn"></a> [analytics\_source\_bucket\_arn](#input\_analytics\_source\_bucket\_arn) | The analytics source bucket ARN. | `string` | `null` | no |
+| <a name="input_attach_analytics_destination_policy"></a> [attach\_analytics\_destination\_policy](#input\_attach\_analytics\_destination\_policy) | Controls if S3 bucket should have bucket analytics destination policy attached. | `bool` | `false` | no |
 | <a name="input_attach_deny_insecure_transport_policy"></a> [attach\_deny\_insecure\_transport\_policy](#input\_attach\_deny\_insecure\_transport\_policy) | Controls if S3 bucket should have deny non-SSL transport policy attached | `bool` | `false` | no |
 | <a name="input_attach_elb_log_delivery_policy"></a> [attach\_elb\_log\_delivery\_policy](#input\_attach\_elb\_log\_delivery\_policy) | Controls if S3 bucket should have ELB log delivery policy attached | `bool` | `false` | no |
 | <a name="input_attach_inventory_destination_policy"></a> [attach\_inventory\_destination\_policy](#input\_attach\_inventory\_destination\_policy) | Controls if S3 bucket should have bucket inventory destination policy attached. | `bool` | `false` | no |

examples/s3-analytics/README.md

@@ -0,0 +1,55 @@
+# S3 bucket Analytics Configurations
+
+Configuration in this directory creates an S3 bucket with several analytics configurations including a different destination for analytics reports generated.
+
+Please check [complete example](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/complete) to see all other features supported by this module.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_analytics_and_inventory_destination_bucket"></a> [analytics\_and\_inventory\_destination\_bucket](#module\_analytics\_and\_inventory\_destination\_bucket) | ../../ | n/a |
+| <a name="module_analytics_configuration_bucket"></a> [analytics\_configuration\_bucket](#module\_analytics\_configuration\_bucket) | ../../ | n/a |
+| <a name="module_analytics_destination_bucket"></a> [analytics\_destination\_bucket](#module\_analytics\_destination\_bucket) | ../../ | n/a |
+| <a name="module_inventory_source_bucket"></a> [inventory\_source\_bucket](#module\_inventory\_source\_bucket) | ../.. | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_s3_bucket_arn"></a> [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | The ARN of the bucket. Will be of format arn:aws:s3:::bucketname. |
+| <a name="output_s3_bucket_bucket_domain_name"></a> [s3\_bucket\_bucket\_domain\_name](#output\_s3\_bucket\_bucket\_domain\_name) | The bucket domain name. Will be of format bucketname.s3.amazonaws.com. |
+| <a name="output_s3_bucket_bucket_regional_domain_name"></a> [s3\_bucket\_bucket\_regional\_domain\_name](#output\_s3\_bucket\_bucket\_regional\_domain\_name) | The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL. |
+| <a name="output_s3_bucket_hosted_zone_id"></a> [s3\_bucket\_hosted\_zone\_id](#output\_s3\_bucket\_hosted\_zone\_id) | The Route 53 Hosted Zone ID for this bucket's region. |
+| <a name="output_s3_bucket_id"></a> [s3\_bucket\_id](#output\_s3\_bucket\_id) | The name of the bucket. |
+| <a name="output_s3_bucket_region"></a> [s3\_bucket\_region](#output\_s3\_bucket\_region) | The AWS region this bucket resides in. |
+| <a name="output_s3_bucket_website_domain"></a> [s3\_bucket\_website\_domain](#output\_s3\_bucket\_website\_domain) | The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records. |
+| <a name="output_s3_bucket_website_endpoint"></a> [s3\_bucket\_website\_endpoint](#output\_s3\_bucket\_website\_endpoint) | The website endpoint, if the bucket is configured with a website. If not, this will be an empty string. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/s3-analytics/main.tf

@@ -0,0 +1,132 @@
+locals {
+  bucket_name = "s3-bucket-${random_pet.this.id}"
+  region      = "eu-west-1"
+}
+
+provider "aws" {
+  region = local.region
+
+  # Make it faster by skipping something
+  skip_metadata_api_check     = true
+  skip_region_validation      = true
+  skip_credentials_validation = true
+  skip_requesting_account_id  = true
+}
+
+data "aws_caller_identity" "current" {}
+
+module "analytics_configuration_bucket" {
+  source = "../../"
+
+  bucket = local.bucket_name
+
+  force_destroy = true
+
+  attach_analytics_destination_policy = true
+  attach_policy                       = true
+  analytics_self_source_destination   = true
+  acl                                 = "private" # "acl" conflicts with "grant" and "owner"
+
+  versioning = {
+    status     = true
+    mfa_delete = false
+  }
+
+  analytics_configuration = {
+
+    # No exporting
+    prefix_documents = {
+      filter = {
+        prefix = "documents/"
+      }
+    }
+
+    # Same source and destination bucket
+    tags = {
+      filter = {
+        tags = {
+          production = "true"
+        }
+      }
+      storage_class_analysis = {
+        output_schema_version = "V_1"
+      }
+    }
+
+    # Different destination bucket
+    all = {
+      storage_class_analysis = {
+        destination_bucket_arn = module.analytics_destination_bucket.s3_bucket_arn
+        prefix                 = "analytics"
+      }
+    }
+
+    # Different destination shared with inventory destination
+    example = {
+      storage_class_analysis = {
+        destination_bucket_arn = module.analytics_and_inventory_destination_bucket.s3_bucket_arn
+      }
+    }
+  }
+}
+
+resource "random_pet" "this" {
+  length = 2
+}
+
+module "analytics_destination_bucket" {
+  source = "../../"
+
+  bucket                              = "analytics-destination-${random_pet.this.id}"
+  acl                                 = "private" # "acl" conflicts with "grant" and "owner"
+  force_destroy                       = true
+  attach_policy                       = true
+  attach_analytics_destination_policy = true
+  analytics_source_bucket_arn         = module.analytics_configuration_bucket.s3_bucket_arn
+  analytics_source_account_id         = data.aws_caller_identity.current.id
+}
+
+# Inventory configuration for shared destination example
+module "inventory_source_bucket" {
+  source = "../.."
+
+  bucket = "inventory-source-${random_pet.this.id}"
+
+  force_destroy = true
+  acl           = "private" # "acl" conflicts with "grant" and "owner"
+
+  inventory_configuration = {
+    destination_other = {
+      included_object_versions = "All"
+      destination = {
+        bucket_arn = module.analytics_and_inventory_destination_bucket.s3_bucket_arn
+        format     = "CSV"
+        encryption = {
+          encryption_type = "sse_s3"
+        }
+      }
+      frequency       = "Daily"
+      optional_fields = ["Size", "EncryptionStatus", "StorageClass", "ChecksumAlgorithm"]
+    }
+  }
+}
+
+# Example of using the same destination bucket for analytics and inventory
+module "analytics_and_inventory_destination_bucket" {
+  source = "../../"
+
+  bucket        = "analytics-and-inventory-destination-${random_pet.this.id}"
+  acl           = "private" # "acl" conflicts with "grant" and "owner"
+  force_destroy = true
+  attach_policy = true
+
+  # Analytics bucket policy settings
+  attach_analytics_destination_policy = true
+  analytics_source_bucket_arn         = module.analytics_configuration_bucket.s3_bucket_arn
+  analytics_source_account_id         = data.aws_caller_identity.current.id
+
+  # Inventory bucket policy settings
+  attach_inventory_destination_policy = true
+  inventory_source_bucket_arn         = module.inventory_source_bucket.s3_bucket_arn
+  inventory_source_account_id         = data.aws_caller_identity.current.id
+}

examples/s3-analytics/outputs.tf

@@ -0,0 +1,39 @@
+output "s3_bucket_id" {
+  description = "The name of the bucket."
+  value       = module.analytics_configuration_bucket.s3_bucket_id
+}
+
+output "s3_bucket_arn" {
+  description = "The ARN of the bucket. Will be of format arn:aws:s3:::bucketname."
+  value       = module.analytics_configuration_bucket.s3_bucket_arn
+}
+
+output "s3_bucket_bucket_domain_name" {
+  description = "The bucket domain name. Will be of format bucketname.s3.amazonaws.com."
+  value       = module.analytics_configuration_bucket.s3_bucket_bucket_domain_name
+}
+
+output "s3_bucket_bucket_regional_domain_name" {
+  description = "The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL."
+  value       = module.analytics_configuration_bucket.s3_bucket_bucket_regional_domain_name
+}
+
+output "s3_bucket_hosted_zone_id" {
+  description = "The Route 53 Hosted Zone ID for this bucket's region."
+  value       = module.analytics_configuration_bucket.s3_bucket_hosted_zone_id
+}
+
+output "s3_bucket_region" {
+  description = "The AWS region this bucket resides in."
+  value       = module.analytics_configuration_bucket.s3_bucket_region
+}
+
+output "s3_bucket_website_endpoint" {
+  description = "The website endpoint, if the bucket is configured with a website. If not, this will be an empty string."
+  value       = module.analytics_configuration_bucket.s3_bucket_website_endpoint
+}
+
+output "s3_bucket_website_domain" {
+  description = "The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records. "
+  value       = module.analytics_configuration_bucket.s3_bucket_website_domain
+}

examples/s3-analytics/variables.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 0.13.1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.9"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.0"
+    }
+  }
+}

examples/s3-analytics/versions.tf

@@ -518,7 +518,7 @@ data "aws_iam_policy_document" "combined" {
     var.attach_lb_log_delivery_policy ? data.aws_iam_policy_document.lb_log_delivery[0].json : "",
     var.attach_require_latest_tls_policy ? data.aws_iam_policy_document.require_latest_tls[0].json : "",
     var.attach_deny_insecure_transport_policy ? data.aws_iam_policy_document.deny_insecure_transport[0].json : "",
-    var.attach_inventory_destination_policy ? data.aws_iam_policy_document.inventory_destination_policy[0].json : "",
+    var.attach_inventory_destination_policy || var.attach_analytics_destination_policy ? data.aws_iam_policy_document.inventory_and_analytics_destination_policy[0].json : "",
     var.attach_policy ? var.policy : ""
   ])
 }
@@ -792,13 +792,13 @@ resource "aws_s3_bucket_inventory" "this" {
   }
 }
 
-# Inventory destination bucket requires a bucket policy to allow source to PutObjects
+# Inventory and analytics destination bucket requires a bucket policy to allow source to PutObjects
 # https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-9
-data "aws_iam_policy_document" "inventory_destination_policy" {
-  count = local.create_bucket && var.attach_inventory_destination_policy ? 1 : 0
+data "aws_iam_policy_document" "inventory_and_analytics_destination_policy" {
+  count = local.create_bucket && var.attach_inventory_destination_policy || var.attach_analytics_destination_policy ? 1 : 0
 
   statement {
-    sid    = "destinationInventoryPolicy"
+    sid    = "destinationInventoryAndAnalyticsPolicy"
     effect = "Allow"
 
     actions = [
@@ -817,16 +817,18 @@ data "aws_iam_policy_document" "inventory_destination_policy" {
     condition {
       test     = "ArnLike"
       variable = "aws:SourceArn"
-      values = [
-        var.inventory_self_source_destination ? aws_s3_bucket.this[0].arn : var.inventory_source_bucket_arn
-      ]
+      values = compact(distinct([
+        var.inventory_self_source_destination ? aws_s3_bucket.this[0].arn : var.inventory_source_bucket_arn,
+        var.analytics_self_source_destination ? aws_s3_bucket.this[0].arn : var.analytics_source_bucket_arn
+      ]))
     }
 
     condition {
       test = "StringEquals"
-      values = [
-        var.inventory_self_source_destination ? data.aws_caller_identity.current.id : var.inventory_source_account_id
-      ]
+      values = compact(distinct([
+        var.inventory_self_source_destination ? data.aws_caller_identity.current.id : var.inventory_source_account_id,
+        var.analytics_self_source_destination ? data.aws_caller_identity.current.id : var.analytics_source_account_id
+      ]))
       variable = "aws:SourceAccount"
     }
 
@@ -837,3 +839,40 @@ data "aws_iam_policy_document" "inventory_destination_policy" {
     }
   }
 }
+
+resource "aws_s3_bucket_analytics_configuration" "this" {
+  for_each = { for k, v in var.analytics_configuration : k => v if local.create_bucket }
+
+  bucket = aws_s3_bucket.this[0].id
+  name   = each.key
+
+  dynamic "filter" {
+    for_each = length(try(flatten([each.value.filter]), [])) == 0 ? [] : [true]
+
+    content {
+      prefix = try(each.value.filter.prefix, null)
+      tags   = try(each.value.filter.tags, null)
+    }
+  }
+
+  dynamic "storage_class_analysis" {
+    for_each = length(try(flatten([each.value.storage_class_analysis]), [])) == 0 ? [] : [true]
+
+    content {
+
+      data_export {
+        output_schema_version = try(each.value.storage_class_analysis.output_schema_version, null)
+
+        destination {
+
+          s3_bucket_destination {
+            bucket_arn        = try(each.value.storage_class_analysis.destination_bucket_arn, aws_s3_bucket.this[0].arn)
+            bucket_account_id = try(each.value.storage_class_analysis.destination_account_id, data.aws_caller_identity.current.id)
+            format            = try(each.value.storage_class_analysis.export_format, "CSV")
+            prefix            = try(each.value.storage_class_analysis.export_prefix, null)
+          }
+        }
+      }
+    }
+  }
+}