feat: Add log delivery source organization variables (#322)

antonbabenko · szubersk · web-flow · commit 6731ac2d7763 · 2025-04-18T12:31:06.000-07:00
Co-authored-by: szubersk &lt;szuberskidamian@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -190,6 +190,7 @@ No modules.
 | <a name="input_acceleration_status"></a> [acceleration\_status](#input\_acceleration\_status) | (Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. | `string` | `null` | no |
 | <a name="input_access_log_delivery_policy_source_accounts"></a> [access\_log\_delivery\_policy\_source\_accounts](#input\_access\_log\_delivery\_policy\_source\_accounts) | (Optional) List of AWS Account IDs should be allowed to deliver access logs to this bucket. | `list(string)` | `[]` | no |
 | <a name="input_access_log_delivery_policy_source_buckets"></a> [access\_log\_delivery\_policy\_source\_buckets](#input\_access\_log\_delivery\_policy\_source\_buckets) | (Optional) List of S3 bucket ARNs which should be allowed to deliver access logs to this bucket. | `list(string)` | `[]` | no |
+| <a name="input_access_log_delivery_policy_source_organizations"></a> [access\_log\_delivery\_policy\_source\_organizations](#input\_access\_log\_delivery\_policy\_source\_organizations) | (Optional) List of AWS Organization IDs should be allowed to deliver access logs to this bucket. | `list(string)` | `[]` | no |
 | <a name="input_acl"></a> [acl](#input\_acl) | (Optional) The canned ACL to apply. Conflicts with `grant` | `string` | `null` | no |
 | <a name="input_allowed_kms_key_arn"></a> [allowed\_kms\_key\_arn](#input\_allowed\_kms\_key\_arn) | The ARN of KMS key which should be allowed in PutObject | `string` | `null` | no |
 | <a name="input_analytics_configuration"></a> [analytics\_configuration](#input\_analytics\_configuration) | Map containing bucket analytics configuration. | `any` | `{}` | no |
@@ -228,6 +229,7 @@ No modules.
 | <a name="input_inventory_source_account_id"></a> [inventory\_source\_account\_id](#input\_inventory\_source\_account\_id) | The inventory source account id. | `string` | `null` | no |
 | <a name="input_inventory_source_bucket_arn"></a> [inventory\_source\_bucket\_arn](#input\_inventory\_source\_bucket\_arn) | The inventory source bucket ARN. | `string` | `null` | no |
 | <a name="input_is_directory_bucket"></a> [is\_directory\_bucket](#input\_is\_directory\_bucket) | If the s3 bucket created is a directory bucket | `bool` | `false` | no |
+| <a name="input_lb_log_delivery_policy_source_organizations"></a> [lb\_log\_delivery\_policy\_source\_organizations](#input\_lb\_log\_delivery\_policy\_source\_organizations) | (Optional) List of AWS Organization IDs should be allowed to deliver ALB/NLB logs to this bucket. | `list(string)` | `[]` | no |
 | <a name="input_lifecycle_rule"></a> [lifecycle\_rule](#input\_lifecycle\_rule) | List of maps containing configuration of object lifecycle management. | `any` | `[]` | no |
 | <a name="input_location_type"></a> [location\_type](#input\_location\_type) | Location type. Valid values: `AvailabilityZone` or `LocalZone` | `string` | `null` | no |
 | <a name="input_logging"></a> [logging](#input\_logging) | Map containing access bucket logging configuration. | `any` | `{}` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -76,8 +76,10 @@ module "log_bucket" {
   attach_deny_insecure_transport_policy = true
   attach_require_latest_tls_policy      = true
 
-  access_log_delivery_policy_source_accounts = [data.aws_caller_identity.current.account_id]
-  access_log_delivery_policy_source_buckets  = ["arn:aws:s3:::${local.bucket_name}"]
+  access_log_delivery_policy_source_accounts      = [data.aws_caller_identity.current.account_id]
+  access_log_delivery_policy_source_buckets       = ["arn:aws:s3:::${local.bucket_name}"]
+  access_log_delivery_policy_source_organizations = ["o-123456"]
+  lb_log_delivery_policy_source_organizations     = ["o-123456"]
 }
 
 module "cloudfront_log_bucket" {
diff --git a/main.tf b/main.tf
@@ -688,6 +688,16 @@ data "aws_iam_policy_document" "lb_log_delivery" {
       variable = "s3:x-amz-acl"
       values   = ["bucket-owner-full-control"]
     }
+
+    dynamic "condition" {
+      for_each = length(var.lb_log_delivery_policy_source_organizations) > 0 ? [true] : []
+
+      content {
+        test     = "StringEquals"
+        variable = "aws:ResourceOrgID"
+        values   = var.lb_log_delivery_policy_source_organizations
+      }
+    }
   }
 
   statement {
@@ -709,6 +719,15 @@ data "aws_iam_policy_document" "lb_log_delivery" {
       aws_s3_bucket.this[0].arn,
     ]
 
+    dynamic "condition" {
+      for_each = length(var.lb_log_delivery_policy_source_organizations) > 0 ? [true] : []
+
+      content {
+        test     = "StringEquals"
+        variable = "aws:ResourceOrgID"
+        values   = var.lb_log_delivery_policy_source_organizations
+      }
+    }
   }
 }
 
@@ -754,6 +773,16 @@ data "aws_iam_policy_document" "access_log_delivery" {
       }
     }
 
+    dynamic "condition" {
+      for_each = length(var.access_log_delivery_policy_source_organizations) > 0 ? [true] : []
+
+      content {
+        test     = "StringEquals"
+        variable = "aws:ResourceOrgID"
+        values   = var.access_log_delivery_policy_source_organizations
+      }
+    }
+
   }
 
   statement {
@@ -774,6 +803,16 @@ data "aws_iam_policy_document" "access_log_delivery" {
       aws_s3_bucket.this[0].arn,
     ]
 
+    dynamic "condition" {
+      for_each = length(var.access_log_delivery_policy_source_organizations) > 0 ? [true] : []
+
+      content {
+        test     = "StringEquals"
+        variable = "aws:ResourceOrgID"
+        values   = var.access_log_delivery_policy_source_organizations
+      }
+    }
+
   }
 }
 
diff --git a/variables.tf b/variables.tf
@@ -172,6 +172,18 @@ variable "access_log_delivery_policy_source_accounts" {
   default     = []
 }
 
+variable "access_log_delivery_policy_source_organizations" {
+  description = "(Optional) List of AWS Organization IDs should be allowed to deliver access logs to this bucket."
+  type        = list(string)
+  default     = []
+}
+
+variable "lb_log_delivery_policy_source_organizations" {
+  description = "(Optional) List of AWS Organization IDs should be allowed to deliver ALB/NLB logs to this bucket."
+  type        = list(string)
+  default     = []
+}
+
 variable "grant" {
   description = "An ACL policy grant. Conflicts with `acl`"
   type        = any
diff --git a/wrappers/main.tf b/wrappers/main.tf

Original file line number	Diff line number	Diff line change
`@@ -688,6 +688,16 @@ data "aws_iam_policy_document" "lb_log_delivery" {`
`688`	`688`	`variable = "s3:x-amz-acl"`
`689`	`689`	`values = ["bucket-owner-full-control"]`
`690`	`690`	`}`
	`691`	`+`
	`692`	`+ dynamic "condition" {`
	`693`	`+ for_each = length(var.lb_log_delivery_policy_source_organizations) > 0 ? [true] : []`
	`694`	`+`
	`695`	`+ content {`
	`696`	`+ test = "StringEquals"`
	`697`	`+ variable = "aws:ResourceOrgID"`
	`698`	`+ values = var.lb_log_delivery_policy_source_organizations`
	`699`	`+ }`
	`700`	`+ }`
`691`	`701`	`}`
`692`	`702`
`693`	`703`	`statement {`
`@@ -709,6 +719,15 @@ data "aws_iam_policy_document" "lb_log_delivery" {`
`709`	`719`	`aws_s3_bucket.this[0].arn,`
`710`	`720`	`]`
`711`	`721`
	`722`	`+ dynamic "condition" {`
	`723`	`+ for_each = length(var.lb_log_delivery_policy_source_organizations) > 0 ? [true] : []`
	`724`	`+`
	`725`	`+ content {`
	`726`	`+ test = "StringEquals"`
	`727`	`+ variable = "aws:ResourceOrgID"`
	`728`	`+ values = var.lb_log_delivery_policy_source_organizations`
	`729`	`+ }`
	`730`	`+ }`
`712`	`731`	`}`
`713`	`732`	`}`
`714`	`733`
`@@ -754,6 +773,16 @@ data "aws_iam_policy_document" "access_log_delivery" {`
`754`	`773`	`}`
`755`	`774`	`}`
`756`	`775`
	`776`	`+ dynamic "condition" {`
	`777`	`+ for_each = length(var.access_log_delivery_policy_source_organizations) > 0 ? [true] : []`
	`778`	`+`
	`779`	`+ content {`
	`780`	`+ test = "StringEquals"`
	`781`	`+ variable = "aws:ResourceOrgID"`
	`782`	`+ values = var.access_log_delivery_policy_source_organizations`
	`783`	`+ }`
	`784`	`+ }`
	`785`	`+`
`757`	`786`	`}`
`758`	`787`
`759`	`788`	`statement {`
`@@ -774,6 +803,16 @@ data "aws_iam_policy_document" "access_log_delivery" {`
`774`	`803`	`aws_s3_bucket.this[0].arn,`
`775`	`804`	`]`
`776`	`805`
	`806`	`+ dynamic "condition" {`
	`807`	`+ for_each = length(var.access_log_delivery_policy_source_organizations) > 0 ? [true] : []`
	`808`	`+`
	`809`	`+ content {`
	`810`	`+ test = "StringEquals"`
	`811`	`+ variable = "aws:ResourceOrgID"`
	`812`	`+ values = var.access_log_delivery_policy_source_organizations`
	`813`	`+ }`
	`814`	`+ }`
	`815`	`+`
`777`	`816`	`}`
`778`	`817`	`}`
`779`	`818`