cloudposse · joe-niland · Nov 11, 2020 · Nov 11, 2020
diff --git a/README.md b/README.md
@@ -164,6 +164,7 @@ Available targets:
 | log\_include\_cookies | Include cookies in access logs | `bool` | `false` | no |
 | log\_prefix | Path of logs in S3 bucket | `string` | `""` | no |
 | log\_standard\_transition\_days | Number of days to persist in the standard storage tier before moving to the glacier tier | `number` | `30` | no |
+| logging\_enabled | When true, access logs will be sent to a newly created s3 bucket | `bool` | `true` | no |
 | max\_ttl | Maximum amount of time (in seconds) that an object is in a CloudFront cache | `number` | `31536000` | no |
 | min\_ttl | Minimum amount of time that you want objects to stay in CloudFront caches | `number` | `0` | no |
 | name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no |
@@ -200,6 +201,7 @@ Available targets:
 | cf\_id | ID of CloudFront distribution |
 | cf\_origin\_access\_identity | A shortcut to the full path for the origin access identity to use in CloudFront |
 | cf\_status | Current status of the distribution |
+| logs | Logs resource |
 
 <!-- markdownlint-restore -->
 

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -49,6 +49,7 @@
 | log\_include\_cookies | Include cookies in access logs | `bool` | `false` | no |
 | log\_prefix | Path of logs in S3 bucket | `string` | `""` | no |
 | log\_standard\_transition\_days | Number of days to persist in the standard storage tier before moving to the glacier tier | `number` | `30` | no |
+| logging\_enabled | When true, access logs will be sent to a newly created s3 bucket | `bool` | `true` | no |
 | max\_ttl | Maximum amount of time (in seconds) that an object is in a CloudFront cache | `number` | `31536000` | no |
 | min\_ttl | Minimum amount of time that you want objects to stay in CloudFront caches | `number` | `0` | no |
 | name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no |
@@ -85,5 +86,6 @@
 | cf\_id | ID of CloudFront distribution |
 | cf\_origin\_access\_identity | A shortcut to the full path for the origin access identity to use in CloudFront |
 | cf\_status | Current status of the distribution |
+| logs | Logs resource |
 
 <!-- markdownlint-restore -->
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -99,6 +99,12 @@ variable "comment" {
   description = "Comment for the origin access identity"
 }
 
+variable "logging_enabled" {
+  type        = bool
+  default     = true
+  description = "When true, access logs will be sent to a newly created s3 bucket"
+}
+
 variable "log_include_cookies" {
   default     = "false"
   description = "Include cookies in access logs"

diff --git a/main.tf b/main.tf
@@ -15,7 +15,7 @@ resource "aws_cloudfront_origin_access_identity" "default" {
 module "logs" {
   source = "git::https://github.com/cloudposse/terraform-aws-log-storage.git?ref=tags/0.14.0"
 
-  enabled                  = module.this.enabled && length(var.log_bucket_fqdn) == 0
+  enabled                  = module.this.enabled && var.logging_enabled && length(var.log_bucket_fqdn) == 0
   attributes               = compact(concat(module.this.attributes, ["origin", "logs"]))
   lifecycle_prefix         = var.log_prefix
   standard_transition_days = var.log_standard_transition_days
@@ -34,10 +34,13 @@ resource "aws_cloudfront_distribution" "default" {
   default_root_object = var.default_root_object
   price_class         = var.price_class
 
-  logging_config {
-    include_cookies = var.log_include_cookies
-    bucket          = length(var.log_bucket_fqdn) > 0 ? var.log_bucket_fqdn : module.logs.bucket_domain_name
-    prefix          = var.log_prefix
+  dynamic "logging_config" {
+    for_each = var.logging_enabled ? ["true"] : []
+    content {
+      include_cookies = var.log_include_cookies
+      bucket          = length(var.log_bucket_fqdn) > 0 ? var.log_bucket_fqdn : module.logs.bucket_domain_name
+      prefix          = var.log_prefix
+    }
   }
 
   aliases = var.aliases

diff --git a/outputs.tf b/outputs.tf
@@ -37,3 +37,8 @@ output "cf_origin_access_identity" {
   value       = try(aws_cloudfront_origin_access_identity.default[0].cloudfront_access_identity_path, "")
   description = "A shortcut to the full path for the origin access identity to use in CloudFront"
 }
+
+output "logs" {
+  value       = module.logs
+  description = "Logs resource"
+}
diff --git a/variables.tf b/variables.tf
@@ -115,6 +115,12 @@ variable "comment" {
   description = "Comment for the origin access identity"
 }
 
+variable "logging_enabled" {
+  type        = bool
+  default     = true
+  description = "When true, access logs will be sent to a newly created s3 bucket"
+}
+
 variable "log_include_cookies" {
   type        = bool
   default     = false