
Added log-delivery-policy for s3-bucket component #698

Closed

Conversation

zdmytriv (Contributor) commented May 25, 2023

what

  • Added log-delivery-policy for s3-bucket component

why

references

@zdmytriv zdmytriv requested review from a team as code owners May 25, 2023 10:51
@osterman osterman requested review from Nuru and aknysh May 25, 2023 12:11
Review comment on modules/s3-bucket/main.tf (outdated, resolved)

aknysh (Member) left a comment

LGTM, please see comments

@zdmytriv zdmytriv requested a review from aknysh May 25, 2023 13:41
Comment on lines +402 to +403
Map of IAM policy statements to use in the bucket policy. Conflicts with `var.custom_policy_enabled` and `var.log_delivery_policy_enabled`.
It will be used if `var.custom_policy_enabled` and `var.log_delivery_policy_enabled` are set to `false`.
A Contributor reviewer commented:

This description is wrong, right? This will be used when var.custom_policy_enabled is true.

zdmytriv (Contributor, Author) replied May 25, 2023:

nope.

When custom_policy_enabled=true, the policy from iam.tf will be used.

When iam_policy_statements=true (and the other two are false), the policy from the iam-policy module will be used.

Review comment on modules/s3-bucket/variables.tf (outdated, resolved)
zdmytriv force-pushed the added-log-delivery-policy-for-s3-bucket-component branch from be616cd to 4822e28 on May 25, 2023 19:24
Review comment on modules/s3-bucket/iam.tf (outdated, resolved)

aknysh (Member) left a comment

see comments

zdmytriv (Contributor, Author) commented

@Nuru please re-review

@zdmytriv zdmytriv requested a review from Nuru May 25, 2023 20:26
@zdmytriv zdmytriv marked this pull request as draft May 26, 2023 09:55
@goruha goruha requested a review from aknysh October 2, 2024 14:47
Nuru (Contributor) left a comment

@zdmytriv I appreciate the motivation behind this PR and the effort you put into it. I am, however, not inclined to accept this PR for a few reasons. (Although I'm using the "Request changes" feature, I'm not asking you to make changes to make the PR acceptable, I'm asking you to close the PR without merging.)

To begin with, the log delivery policy you have added is not the current "best practice" policy. The current best practice is to include conditionals on the source account and ARN to guard against the confused deputy problem. (See the link for more details.)

Next, the name "custom policy" of the input to the current component is a bit misleading. Both the custom policy and the default policy are user supplied policies, just with different formats. This component does not provide any pre-defined policies. Adding a pre-defined policy makes this component even more complicated, and invites future users to want to be able to combine custom and pre-defined policies in a way that will cause further confusion and headache.

Cloud Posse already provides other components and modules for log delivery buckets, such as vpc-flow-logs-bucket and cloudtrail-bucket to handle the cases where the S3 bucket is for log delivery. These are much easier to use because they are pre-tuned for specific purposes. This component (s3-bucket) is meant for maximum flexibility, and users can and should create their own policies for it.

So I suggest you use one of the other components that meets your needs and please close this PR.
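
As an added example (not code from this PR or from the Cloud Posse s3-bucket component), the following shows the kind of log delivery bucket policy the review above describes, with `aws:SourceAccount` and `aws:SourceArn` conditions on the S3 logging service principal, beside a small check that flags service-principal grants lacking those guards; the account ID and bucket names are constructed placeholders.

```python
"""Added example, not code from this PR or the Cloud Posse s3-bucket component:
an S3 server-access-log delivery bucket policy carrying the aws:SourceAccount
and aws:SourceArn conditions the review refers to, plus a check that flags
service-principal grants missing those guards. Account ID and bucket names are
constructed placeholders."""

LOG_BUCKET = "example-access-logs"                    # constructed placeholder
SOURCE_BUCKET_ARN = "arn:aws:s3:::example-app-data"   # constructed placeholder
ACCOUNT_ID = "111122223333"                           # constructed placeholder


def log_delivery_policy(log_bucket, source_bucket_arn, account_id, guarded=True):
    """Bucket policy letting logging.s3.amazonaws.com write access logs.
    With guarded=True the statement is conditioned on the source bucket ARN and
    owning account, so the logging service cannot be used as a confused deputy
    to write into this bucket on behalf of some other account's bucket."""
    statement = {
        "Sid": "S3ServerAccessLogsPolicy",
        "Effect": "Allow",
        "Principal": {"Service": "logging.s3.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{log_bucket}/*",
    }
    if guarded:
        statement["Condition"] = {
            "ArnLike": {"aws:SourceArn": source_bucket_arn},
            "StringEquals": {"aws:SourceAccount": account_id},
        }
    return {"Version": "2012-10-17", "Statement": [statement]}


def unguarded_service_grants(policy):
    """Return the Sids of Allow statements granted to an AWS service principal
    that lack either the aws:SourceAccount or the aws:SourceArn condition."""
    required = {"aws:sourceaccount", "aws:sourcearn"}
    findings = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "Service" not in principal:
            continue
        # Condition keys are case-insensitive in IAM; normalise before comparing.
        keys = {k.lower() for cond in st.get("Condition", {}).values() for k in cond}
        if not required <= keys:
            findings.append(st.get("Sid", "<no Sid>"))
    return findings
```

Running `unguarded_service_grants` over a policy built with `guarded=False` reports the statement, while the guarded form passes clean.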

@goruha goruha closed this Oct 3, 2024
@goruha goruha deleted the added-log-delivery-policy-for-s3-bucket-component branch November 1, 2024 18:34