This repository contains Terraform configuration files that create an S3 bucket and, optionally, a DynamoDB table; both are secured with server-side encryption (SSE) using a KMS key. The module configures the S3 bucket and DynamoDB table for use with Loki as storage for chunks and indexes, and creates an IAM role for service accounts (IRSA) that the Loki pods assume to access them.

To see how this S3-IRSA module can be used, see the examples directory.
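The following is an added example of calling the module from a consumer configuration; it is not code from the repository's own examples directory. The module `source` path, the AWS region, the account ID, the KMS key ID and the OIDC provider ID are placeholders, and the `kubernetes_service_account` resource assumes a configured `kubernetes` provider for the target EKS cluster. The namespace and service account passed to the module must match the annotated Kubernetes service account, otherwise the role's trust condition will reject the pod's token.

```hcl
provider "aws" {
  region = "us-east-1" # placeholder region
}

module "loki_storage" {
  source = "../../" # placeholder: path or registry address of this module

  name_prefix = "loki"

  # Both the bucket and the table are encrypted with this customer-managed key.
  kms_key_arn = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"

  # OIDC provider of the EKS cluster whose pods will assume the IRSA role.
  eks_oidc_provider_arn = "arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/PLACEHOLDEROIDCID"

  # Scope the role to exactly one service account in one namespace.
  kubernetes_namespace       = "loki"
  kubernetes_service_account = "loki"

  # Create the DynamoDB index table as well as the chunk bucket.
  dynamodb_enabled = true

  # Write bucket access logs to a separate, pre-existing log bucket.
  # Loki reads and writes the bucket constantly, so expect a large log volume.
  access_logging_enabled       = true
  access_logging_bucket_id     = "my-org-s3-access-logs" # placeholder bucket name
  access_logging_bucket_prefix = "loki/"

  # Keep false outside of throw-away environments: true lets `terraform destroy`
  # delete every chunk and index object, which cannot be recovered.
  force_destroy = false

  tags = {
    Environment = "prod"
    Application = "loki"
  }
}

# Annotate the Kubernetes service account so pods receive the role via IRSA.
resource "kubernetes_service_account" "loki" {
  metadata {
    name      = "loki"
    namespace = "loki"
    annotations = {
      "eks.amazonaws.com/role-arn" = module.loki_storage.irsa_role
    }
  }
}

# Values the Loki Helm chart or config needs for its storage_config section.
output "loki_bucket" {
  value = module.loki_storage.s3_bucket
}

output "loki_dynamodb_table" {
  value = module.loki_storage.dynamodb_name
}

output "loki_irsa_role_arn" {
  value = module.loki_storage.irsa_role
}
```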
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | >= 3.72 |

## Providers

| Name | Version |
|---|---|
| aws | >= 3.72 |

## Modules

| Name | Source | Version |
|---|---|---|
| s3_bucket | terraform-aws-modules/s3-bucket/aws | v3.14.0 |

## Resources

| Name | Type |
|---|---|
| aws_dynamodb_table.loki_dynamodb | resource |
| aws_iam_policy.dynamodb_irsa_policy | resource |
| aws_iam_policy.irsa_policy | resource |
| aws_iam_role.irsa | resource |
| aws_iam_role_policy_attachment.dynamodb_policy_attachment | resource |
| aws_iam_role_policy_attachment.irsa | resource |
| aws_s3_bucket_logging.logging | resource |
| aws_s3_bucket_policy.bucket_policy | resource |
| aws_s3_bucket_versioning.versioning | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.dynamo_irsa_policy | data source |
| aws_iam_policy_document.irsa_policy | data source |
| aws_kms_key.default | data source |
| aws_partition.current | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_logging_bucket_id | The ID of the S3 bucket to which access logs are written | `string` | `null` | no |
| access_logging_bucket_prefix | The prefix to use for all log object keys, e.g. `logs/` | `string` | `"s3-irsa-bucket-access-logs/"` | no |
| access_logging_enabled | If true, set up access logging of the S3 bucket to a different S3 bucket, given by the variables `access_logging_bucket_id` and `access_logging_bucket_prefix`. Caution: enabling this will likely produce a very large number of access logs, as one is generated each time the bucket is accessed and Loki accesses the bucket constantly. | `bool` | `false` | no |
| dynamodb_enabled | If true, create the DynamoDB table | `bool` | `false` | no |
| eks_oidc_provider_arn | EKS OIDC provider ARN, e.g. `arn:aws:iam:::oidc-provider/<var.eks_oidc_provider>` | `string` | n/a | yes |
| force_destroy | If true, destroys all objects in the bucket when the bucket is destroyed so that the bucket can be destroyed without error. Objects destroyed in this way are NOT recoverable. | `bool` | `false` | no |
| irsa_iam_permissions_boundary | IAM permissions boundary for IRSA roles | `string` | `""` | no |
| irsa_iam_policies | IAM policies for the IRSA IAM role | `list(string)` | `[]` | no |
| irsa_iam_role_name | IAM role name for IRSA | `string` | `""` | no |
| irsa_iam_role_path | IAM role path for IRSA roles | `string` | `"/"` | no |
| kms_key_arn | KMS key ARN to use for encryption | `string` | n/a | yes |
| kubernetes_namespace | Kubernetes namespace for IRSA | `string` | `"default"` | no |
| kubernetes_service_account | Kubernetes service account for IRSA | `string` | `"default"` | no |
| name_prefix | Name prefix for all resources that use a randomized suffix | `string` | n/a | yes |
| policy_name_prefix | IAM policy name prefix | `string` | `"irsa-policy"` | no |
| region | AWS region | `string` | `""` | no |
| tags | A map of tags to apply to all resources | `map(string)` | `{}` | no |
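To show how `eks_oidc_provider_arn`, `kubernetes_namespace` and `kubernetes_service_account` are combined into a role that only one workload can assume, here is an added illustration of the IRSA trust policy pattern. It is not the module's own `aws_iam_policy_document.irsa_policy` source; it is the standard EKS trust relationship written against the same variable names, and the `local.oidc_issuer` helper is an assumption of this example. The `:sub` condition is what ties the role to one service account; the `:aud` condition rejects tokens minted for any audience other than STS.

```hcl
variable "eks_oidc_provider_arn" {
  type = string
}

variable "kubernetes_namespace" {
  type    = string
  default = "default"
}

variable "kubernetes_service_account" {
  type    = string
  default = "default"
}

locals {
  # The provider ARN ends in the issuer host path, e.g.
  # arn:aws:iam::111122223333:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/ABC
  # -> oidc.eks.us-east-1.amazonaws.com/id/ABC
  # Condition keys for a web-identity federation are prefixed with that issuer.
  oidc_issuer = element(split(":oidc-provider/", var.eks_oidc_provider_arn), 1)
}

data "aws_iam_policy_document" "irsa_trust_example" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [var.eks_oidc_provider_arn]
    }

    # Only a projected token issued for this exact service account may assume the role.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:sub"
      values   = ["system:serviceaccount:${var.kubernetes_namespace}:${var.kubernetes_service_account}"]
    }

    # Reject tokens whose audience is not STS.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "irsa_example" {
  name               = "loki-irsa-example" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.irsa_trust_example.json
}
```

Leaving `kubernetes_namespace` and `kubernetes_service_account` at their `default`/`default` values means the `default` service account of the `default` namespace, which every pod in that namespace uses unless told otherwise, can assume the role; set both explicitly to the Loki service account.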
## Outputs

| Name | Description |
|---|---|
| dynamodb_name | Name of the DynamoDB table |
| irsa_role | ARN of the IRSA role |
| s3_bucket | S3 bucket name |