Add option to expire access logs

Softwire · Jan 13, 2023 · 9f5c9c1 · 9f5c9c1
1 parent b567dbf
commit 9f5c9c1
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -38,6 +38,7 @@ Any changes to the S3 bucket will be synchronised within 5 minutes
 | tags_host_key | Tags to apply to the bastion host key secret and KMS key | map | no | `{}` |
 | extra_userdata | Extra commands to append to the instance user data script | string | no | |
 | log_group_name | The name of a CloudWatch log group to send logs of SSH logins and user/key changes to | string | no | |
+| s3_access_log_expiration_days | Days to keep S3 access logs, defaults to forever | number | no | |
 
 ### DNS Config
 

diff --git a/storage.tf b/storage.tf
@@ -91,3 +91,21 @@ resource "aws_s3_bucket_logging" "ssh_keys" {
   target_bucket = aws_s3_bucket.ssh_keys_logs.id
   target_prefix = "${var.name_prefix}logs/"
 }
+
+resource "aws_s3_bucket_lifecycle_configuration" "ssh_keys_logs" {
+  count = var.s3_access_log_expiration_days == null ? 0 : 1
+
+  bucket = aws_s3_bucket.ssh_keys_logs.id
+
+  rule {
+    id = "expire-old-logs"
+
+    filter {}
+
+    expiration {
+      days = var.s3_access_log_expiration_days
+    }
+
+    status = "Enabled"
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -99,9 +99,13 @@ variable "extra_userdata" {
   description = "Extra commands to append to the instance user data script"
 }
 
-
 variable "log_group_name" {
   type        = string
   default     = null
   description = "Optional log group to send SSH logs to"
 }
+
+variable "s3_access_log_expiration_days" {
+  type    = number
+  default = null
+}