feat: enable S3 and CloudFront access logging

j4y · j4y · commit b16c1ff287ed · 2025-12-26T10:09:04.000-05:00
- add dedicated log bucket for storing access logs
- configure CloudFront distribution logging to write to log bucket
diff --git a/terraform/website/main.tf b/terraform/website/main.tf
@@ -2,6 +2,17 @@ resource "aws_s3_bucket" "bucket" {
   bucket = var.domain
 }
 
+resource "aws_s3_bucket_logging" "bucket_logging" {
+  bucket = aws_s3_bucket.bucket.id
+
+  target_bucket = aws_s3_bucket.logs.id
+  target_prefix = "s3-access-logs/"
+}
+
+resource "aws_s3_bucket" "logs" {
+  bucket = "${var.domain}-logs"
+}
+
 resource "aws_s3_bucket_ownership_controls" "bucket" {
   bucket = aws_s3_bucket.bucket.id
   rule {
@@ -70,6 +81,13 @@ resource "aws_cloudfront_distribution" "distribution" {
   is_ipv6_enabled = true
   price_class     = "PriceClass_100"
 
+  logging_config {
+    include_cookies = false
+    bucket          = "${aws_s3_bucket.logs.bucket_regional_domain_name}"
+    prefix          = "cloudfront/"
+  }
+
+
   origin {
     domain_name = aws_s3_bucket_website_configuration.bucket.website_endpoint
     origin_id   = aws_s3_bucket.bucket.bucket_regional_domain_name
