Merge pull request #143 from nlamirault/feat/tempo-refactoring

Tempo: Refactoring buckets
nlamirault · Nov 24, 2023 · f4eb670 · f4eb670
2 parents 4f0e764 + 31e295d
commit f4eb670
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 29 deletions.
diff --git a/modules/tempo/README.md b/modules/tempo/README.md
@@ -60,9 +60,9 @@ tags = {
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_irsa"></a> [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.4 |
-| <a name="module_tempo"></a> [tempo](#module\_tempo) | terraform-aws-modules/s3-bucket/aws | 3.5.0 |
-| <a name="module_tempo_log"></a> [tempo\_log](#module\_tempo\_log) | terraform-aws-modules/s3-bucket/aws | 3.5.0 |
+| <a name="module_buckets_data"></a> [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 3.6.0 |
+| <a name="module_buckets_logging"></a> [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 3.6.0 |
+| <a name="module_irsa"></a> [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.10.0 |
 
 ## Resources
 

diff --git a/modules/tempo/bucket.tf b/modules/tempo/bucket.tf
@@ -14,19 +14,22 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-module "tempo_log" {
+module "buckets_logging" {
   source  = "terraform-aws-modules/s3-bucket/aws"
   version = "3.15.1"
 
-  bucket                  = format("%s-log", local.service_name)
-  control_object_ownership = true
-  object_ownership         = "ObjectWriter"
+  for_each = local.buckets_names
+
+  bucket                  = format("%s-%s-logging", local.service_name, each.value)
+  block_public_acls       = true
+  block_public_policy     = true
+  restrict_public_buckets = true
+  ignore_public_acls      = true
 
-  acl           = "log-delivery-write"
   force_destroy = true
 
   tags = merge(
-    { "Name" = format("%s-log", local.service_name) },
+    { "Name" = format("%s-%s-logging", local.service_name, each.value) },
     var.tags
   )
 
@@ -46,24 +49,27 @@ module "tempo_log" {
 }
 
 #tfsec:ignore:aws-s3-encryption-customer-key
-module "tempo" {
+module "buckets_data" {
   source  = "terraform-aws-modules/s3-bucket/aws"
   version = "3.15.1"
 
-  bucket                  = local.service_name
-  control_object_ownership = true
-  object_ownership         = "ObjectWriter"
+  for_each = local.buckets_names
+
+  bucket                  = format("%s-%s", local.service_name, each.value)
+  block_public_acls       = true
+  block_public_policy     = true
+  restrict_public_buckets = true
+  ignore_public_acls      = true
 
-  acl           = "private"
   force_destroy = true
 
   tags = merge(
-    { "Name" = local.service_name },
+    { "Name" = format("%s-%s", local.service_name, each.value) },
     var.tags
   )
 
   logging = {
-    target_bucket = module.tempo_log.s3_bucket_id
+    target_bucket = module.buckets_logging[format("%s-%s", local.service_name, each.value)].s3_bucket_id
     target_prefix = "log/"
   }
 

diff --git a/modules/tempo/iam.tf b/modules/tempo/iam.tf
@@ -29,23 +29,26 @@ data "aws_iam_policy_document" "bucket" {
 
     #tfsec:ignore:aws-iam-no-policy-wildcards
     resources = [
-      module.tempo.s3_bucket_arn,
-      "${module.tempo.s3_bucket_arn}/*"
+      module.buckets_data[*].s3_bucket_arn,
+      "${module.buckets_data[*].s3_bucket_arn}/*"
     ]
   }
 
-  # statement {
-  #   effect = "Allow"
+  dynamic "statement" {
+    for_each = var.enable_kms ? [1] : []
 
-  #   actions = [
-  #     "kms:Encrypt",
-  #     "kms:Decrypt",
-  #     "kms:GenerateDataKey*",
-  #   ]
+    content {
+      effect = "Allow"
 
-  #   resources = var.enable_kms ? [aws_kms_key.tempo[0].arn] : []
-  # }
+      actions = [
+        "kms:Encrypt",
+        "kms:Decrypt",
+        "kms:GenerateDataKey*",
+      ]
 
+      resources = [aws_kms_key.tempo[0].arn]
+    }
+  }
 }
 
 data "aws_iam_policy_document" "kms" {

diff --git a/modules/tempo/locals.tf b/modules/tempo/locals.tf
@@ -18,4 +18,8 @@ locals {
   service_name = format("%s-tempo", var.cluster_name)
 
   role_name = "tempo"
+
+  buckets_names = [
+    "traces"
+  ]
 }
diff --git a/modules/tempo/outputs.tf b/modules/tempo/outputs.tf
@@ -15,12 +15,12 @@
 # SPDX-License-Identifier: Apache-2.0
 
 output "bucket" {
-  value       = module.tempo.s3_bucket_id
+  value       = module.buckets_data[*].s3_bucket_id
   description = "S3 bucket for Tempo"
 }
 
 output "bucket_log" {
-  value       = module.tempo_log.s3_bucket_id
+  value       = module.buckets_logging[*].s3_bucket_id
   description = "S3 log bucket for Tempo"
 }