Allow an NLB to log to the S3 logging bucket

README.md

@@ -65,12 +65,14 @@ Logging from the following services is supported for both cases:
 | allow\_cloudwatch | Allow Cloudwatch service to export logs to bucket. | string | `"false"` | no |
 | allow\_config | Allow Config service to log to bucket. | string | `"false"` | no |
 | allow\_elb | Allow ELB service to log to bucket. | string | `"false"` | no |
+| allow\_nlb | Allow NLB service to log to bucket. | string | `"false"` | no |
 | allow\_redshift | Allow Redshift service to log to bucket. | string | `"false"` | no |
 | cloudtrail\_logs\_prefix | S3 prefix for CloudTrail logs. | string | `"cloudtrail"` | no |
 | cloudwatch\_logs\_prefix | S3 prefix for CloudWatch log exports. | string | `"cloudwatch"` | no |
 | config\_logs\_prefix | S3 prefix for AWS Config logs. | string | `"config"` | no |
 | default\_allow | Whether all services included in this module should be allowed to write to the bucket by default. Alternatively select individual services. It's recommended to use the default bucket ACL of log-delivery-write. | string | `"true"` | no |
 | elb\_logs\_prefix | S3 prefix for ELB logs. | string | `"elb"` | no |
+| nlb\_logs\_prefix | S3 prefix for NLB logs. | string | `"nlb"` | no |
 | redshift\_logs\_prefix | S3 prefix for RedShift logs. | string | `"redshift"` | no |
 | region | Region where the AWS S3 bucket will be created. | string | n/a | yes |
 | s3\_bucket\_acl | Set bucket ACL per [AWS S3 Canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) list. | string | `"log-delivery-write"` | no |

main.tf

@@ -203,6 +203,7 @@ data "aws_iam_policy_document" "bucket_policy" {
   }
 
   ## ELB
+  # https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html#attach-bucket-policy
   statement {
     actions = ["s3:PutObject"]
     effect  = "${(var.default_allow || var.allow_elb) ? "Allow" : "Deny"}"
@@ -217,6 +218,7 @@ data "aws_iam_policy_document" "bucket_policy" {
   }
 
   ## ALB
+  # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions
   statement {
     actions = ["s3:PutObject"]
     effect  = "${(var.default_allow || var.allow_alb) ? "Allow" : "Deny"}"
@@ -230,6 +232,40 @@ data "aws_iam_policy_document" "bucket_policy" {
     sid       = "alb-logs-put-object"
   }
 
+  ## NLB
+  # https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html#access-logging-bucket-requirements
+  statement {
+    actions = ["s3:PutObject"]
+    effect  = "${(var.default_allow || var.allow_nlb) ? "Allow" : "Deny"}"
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+      values   = ["bucket-owner-full-control"]
+    }
+
+    resources = ["arn:aws:s3:::${var.s3_bucket_name}/${var.nlb_logs_prefix}/*"]
+    sid       = "nlb-logs-put-object"
+  }
+
+  statement {
+    actions = ["s3:GetBucketAcl"]
+    effect  = "${(var.default_allow || var.allow_nlb) ? "Allow" : "Deny"}"
+
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+
+    resources = ["arn:aws:s3:::${var.s3_bucket_name}"]
+    sid       = "nlb-logs-acl-check"
+  }
+
   ## Redshift
   statement {
     actions = ["s3:PutObject"]

variables.tf

@@ -32,6 +32,12 @@ variable "alb_logs_prefix" {
   type        = "string"
 }
 
+variable "nlb_logs_prefix" {
+  description = "S3 prefix for NLB logs."
+  default     = "nlb"
+  type        = "string"
+}
+
 variable "cloudwatch_logs_prefix" {
   description = "S3 prefix for CloudWatch log exports."
   default     = "cloudwatch"
@@ -81,6 +87,12 @@ variable "allow_alb" {
   type        = "string"
 }
 
+variable "allow_nlb" {
+  description = "Allow NLB service to log to bucket."
+  default     = false
+  type        = "string"
+}
+
 variable "allow_config" {
   description = "Allow Config service to log to bucket."
   default     = false