fix: Fixed Access Logging #26
Conversation
Pull Request Overview
This PR fixes S3 access logging configuration by addressing conflicts between object lock and logging target functionality, and adds necessary IAM policies for S3 logging service access.
- Disables object lock for buckets serving as logging targets (incompatible AWS feature combination)
- Adds IAM policy permissions for S3 logging service to access audit log buckets
- Corrects resource naming and references for S3 bucket ACL configuration
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| aws/modules/s3/variables.tf | Adds is_logging_target variable to identify logging destination buckets |
| aws/modules/s3/main.tf | Conditionally disables object lock for logging targets and sets appropriate ownership controls |
| aws/prod-infra/prod/s3.tf | Configures audit logs bucket as logging target, fixes ACL resource name and bucket reference |
| aws/prod-infra/prod/s3-policy.tf | Adds S3 logging service permissions and source restrictions |
| aws/non-prod-infra/staging/s3.tf | Mirrors prod configuration for staging environment |
| aws/non-prod-infra/staging/s3-policy.tf | Mirrors prod policy configuration for staging environment |
| aws/non-prod-infra/dev/s3.tf | Mirrors prod configuration for dev environment with lifecycle adjustment |
| aws/non-prod-infra/dev/s3-policy.tf | Mirrors prod policy configuration for dev environment |
| .pre-commit-config.yaml | Updates checkov version from 3.2.483 to 3.2.484 |
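The overview above describes three pieces of the fix: forcing object lock off on a bucket that receives S3 server access logs, granting the S3 logging service write access to that bucket with source restrictions, and setting ownership controls. The following is an added Terraform sketch of how those pieces fit together; it is not the repository's `aws/modules/s3` code. The variable names `is_logging_target`, `enable_object_lock`, `object_lock_mode` and `object_lock_retention_days` are taken from the PR; the bucket names, the `log_source_bucket_arns` / `log_source_account_id` inputs, and the choice to use `BucketOwnerEnforced` with a bucket policy instead of an ACL grant are assumptions made for this illustration.

```hcl
# Added illustration, not the PR's module. Only the four object-lock / logging-target
# variable names come from the PR; all other names and values are assumed here.

variable "bucket_name" { type = string }
variable "is_logging_target" { type = bool, default = false }
variable "enable_object_lock" { type = bool, default = false }
variable "object_lock_mode" { type = string, default = "GOVERNANCE" }
variable "object_lock_retention_days" { type = number, default = 30 }
# Source buckets and account allowed to deliver access logs (used on logging targets only).
variable "log_source_bucket_arns" { type = list(string), default = [] }
variable "log_source_account_id" { type = string, default = "" }

locals {
  # S3 does not permit a server-access-logging target to be object-locked, so the
  # flag is overridden for logging targets instead of letting apply fail later.
  object_lock_effective = var.enable_object_lock && !var.is_logging_target
}

resource "aws_s3_bucket" "this" {
  bucket              = var.bucket_name
  object_lock_enabled = local.object_lock_effective
}

# The retention rule is only materialised when object lock is really on, so inert
# object_lock_mode / object_lock_retention_days values never reach AWS.
resource "aws_s3_bucket_object_lock_configuration" "this" {
  count  = local.object_lock_effective ? 1 : 0
  bucket = aws_s3_bucket.this.id
  rule {
    default_retention {
      mode = var.object_lock_mode
      days = var.object_lock_retention_days
    }
  }
}

# Versioning stays on regardless; for a logging target that cannot be locked it is
# the remaining guard against silent overwrite of delivered log objects.
resource "aws_s3_bucket_versioning" "this" {
  bucket = aws_s3_bucket.this.id
  versioning_configuration {
    status = "Enabled"
  }
}

# ACLs disabled: the logging service is granted through the bucket policy below.
resource "aws_s3_bucket_ownership_controls" "this" {
  bucket = aws_s3_bucket.this.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Grant limited to s3:PutObject for logging.s3.amazonaws.com, and only when the
# delivery originates from the listed source buckets in the expected account.
data "aws_iam_policy_document" "log_delivery" {
  count = var.is_logging_target ? 1 : 0
  statement {
    sid       = "S3ServerAccessLogsPolicy"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.this.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["logging.s3.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = var.log_source_bucket_arns
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [var.log_source_account_id]
    }
  }
}

resource "aws_s3_bucket_policy" "log_delivery" {
  count  = var.is_logging_target ? 1 : 0
  bucket = aws_s3_bucket.this.id
  policy = data.aws_iam_policy_document.log_delivery[0].json
}
```

The two `Condition` keys are what turn a service-principal grant into a scoped one: without `aws:SourceArn` and `aws:SourceAccount`, any bucket in any account could have its access logs delivered into the audit bucket through the same service principal. Gating the object-lock configuration resource on `local.object_lock_effective` also removes the ambiguity the review comments below point at, since the mode and retention inputs are simply never evaluated when the lock is off.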
| enable_object_lock = false | ||
| object_lock_mode = "GOVERNANCE" | ||
| object_lock_retention_days = 30 |
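Review bot: with `enable_object_lock = false` the audit log bucket loses WORM protection on the access logs themselves, while `object_lock_mode = "GOVERNANCE"` and `object_lock_retention_days = 30` remain as dead inputs; either drop the two inert values or have the module reject them (a variable validation or precondition) when they are set without `enable_object_lock`, and since a logging target cannot be object-locked, confirm that versioning and a deletion-restricting bucket policy on the log bucket compensate for the lost immutability.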
Copilot
AI
Oct 21, 2025
Object lock configuration parameters (object_lock_mode and object_lock_retention_days) are specified but enable_object_lock is set to false. These parameters will have no effect and should be removed or the configuration should be updated to conditionally omit them when object lock is disabled.
No description provided.