Update README.md and CHANGELOG.md.

Author: tobyclemson

CHANGELOG.md

@@ -20,6 +20,14 @@ BACKWARDS INCOMPATIBILITIES / NOTES:
   been removed in favour of the `dns` variable which allows an arbitrary number 
   of records to be created.
 
+IMPROVEMENTS:
+
+* An `enable_deletion_protection` variable has been added, allowing deletion
+  protection to be enabled for the load balancer.
+* An `enable_access_logs` variable has been added, along with 
+  `access_logs_bucket_name` and `access_logs_bucket_prefix` variables, allowing
+  access logs to be configured for the load balancer.
+
 ## 2.0.0 (May 28th, 2021)
 
 BACKWARDS INCOMPATIBILITIES / NOTES:

README.md

@@ -6,23 +6,25 @@ Terraform AWS Network Load Balancer
 A Terraform module for building a network load balancer in AWS.
 
 The load balancer requires:
+
 * An existing VPC
 * Some existing subnets
 * A domain name and public and private hosted zones
- 
+
 The ECS load balancer consists of:
+
 * An NLB
-  * Deployed across the provided subnet IDs
-  * Either internal or internet-facing as specified
-  * With a health check using the specified target
-  * With connection draining as specified
-* A security group allowing access to/from the load balancer according to the 
+    * Deployed across the provided subnet IDs
+    * Either internal or internet-facing as specified
+    * With a health check using the specified target
+    * With connection draining as specified
+* A security group allowing access to/from the load balancer according to the
   specified access control and egress CIDRs configuration
 * A security group for use by instances allowing access from the load balancer
   according to the specified access control configuration
 * A DNS entry
-  * In the public hosted zone if specified
-  * In the private hosted zone if specified
+    * In the public hosted zone if specified
+    * In the private hosted zone if specified
 
 ![Diagram of infrastructure managed by this module](https://raw.githubusercontent.com/infrablocks/terraform-aws-network-load-balancer/main/docs/architecture.png)
 
@@ -37,130 +39,134 @@ module "network_load_balancer" {
   source  = "infrablocks/network-load-balancer/aws"
   version = "0.1.7"
 
-  region = "eu-west-2"
-  vpc_id = "vpc-fb7dc365"
+  region     = "eu-west-2"
+  vpc_id     = "vpc-fb7dc365"
   subnet_ids = "subnet-ae4533c4,subnet-443e6b12"
-  
-  component = "important-component"
+
+  component             = "important-component"
   deployment_identifier = "production"
-  
-  domain_name = "example.com"
-  public_zone_id = "Z1WA3EVJBXSQ2V"
+
+  domain_name     = "example.com"
+  public_zone_id  = "Z1WA3EVJBXSQ2V"
   private_zone_id = "Z3CVA9QD5NHSW3"
-  
+
   listeners = [
     {
-      lb_port = 443
-      lb_protocol = "HTTPS"
-      instance_port = 443
-      instance_protocol = "HTTPS"
+      lb_port            = 443
+      lb_protocol        = "HTTPS"
+      instance_port      = 443
+      instance_protocol  = "HTTPS"
       ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/default"
     },
     {
-      lb_port = 6567
-      lb_protocol = "TCP"
-      instance_port = 6567
+      lb_port           = 6567
+      lb_protocol       = "TCP"
+      instance_port     = 6567
       instance_protocol = "TCP"
     }
   ]
-  
+
   access_control = [
     {
-      lb_port = 443
+      lb_port       = 443
       instance_port = 443
-      allow_cidr = '0.0.0.0/0'
+      allow_cidr    = '0.0.0.0/0'
     },
     {
-      lb_port = 6567
+      lb_port       = 6567
       instance_port = 6567
-      allow_cidr = '10.0.0.0/8'
+      allow_cidr    = '10.0.0.0/8'
     }
   ]
-  
+
   egress_cidrs = '10.0.0.0/8'
-  
-  health_check_target = 'HTTPS:443/ping'
-  health_check_timeout = 10
-  health_check_interval = 30
+
+  health_check_target              = 'HTTPS:443/ping'
+  health_check_timeout             = 10
+  health_check_interval            = 30
   health_check_unhealthy_threshold = 5
-  health_check_healthy_threshold = 5
+  health_check_healthy_threshold   = 5
 
   enable_cross_zone_load_balancing = 'yes'
 
-  enable_connection_draining = 'yes'
+  enable_connection_draining  = 'yes'
   connection_draining_timeout = 60
 
   idle_timeout = 60
 
-  include_public_dns_record = 'yes'
+  include_public_dns_record  = 'yes'
   include_private_dns_record = 'yes'
 
   expose_to_public_internet = 'yes'
 }
 ```
 
-As mentioned above, the load balancer deploys into an existing base network. 
-Whilst the base network can be created using any mechanism you like, the 
+As mentioned above, the load balancer deploys into an existing base network.
+Whilst the base network can be created using any mechanism you like, the
 [AWS Base Networking](https://github.com/infrablocks/terraform-aws-base-networking)
-module will create everything you need. See the 
+module will create everything you need. See the
 [docs](https://github.com/infrablocks/terraform-aws-base-networking/blob/main/README.md)
 for usage instructions.
 
-See the 
-[Terraform registry entry](https://registry.terraform.io/modules/infrablocks/network-load-balancer/aws/latest) 
+See the
+[Terraform registry entry](https://registry.terraform.io/modules/infrablocks/network-load-balancer/aws/latest)
 for more details.
 
 ### Inputs
 
-| Name                             | Description                                                                   | Default             | Required                             |
-|----------------------------------|-------------------------------------------------------------------------------|:-------------------:|:------------------------------------:|
-|region| The region into which to deploy the load balancer|-| yes|
-|vpc_id| The ID of the VPC into which to deploy the load balancer	|-| yes|
-|subnet_ids| The IDs of the subnets for the NLB	 |-| yes|
-|component| The component for which the load balancer is being created	|-| yes|
-|deployment_identifier| An identifier for this instantiation	|-| yes|
-|domain_name|The domain name of the supplied Route 53 zones    |-| yes|
-|public_zone_id| The ID of the public Route 53 zone	|-| yes|
-|private_zone_id| The ID of the private Route 53 zone	|-| yes|
-|enable_cross_zone_load_balancing| Whether or not to enable cross zone load balancing (\"yes\" or \"no\").|no| no|
-|idle_timeout| The time after which idle connections are closed.|60| no|
-|include_public_dns_record| Whether or not to create a public DNS entry (\"yes\" or \"no\").|no| no|
-|include_private_dns_record| Whether or not to create a private DNS entry (\"yes\" or \"no\").|yes| no|
-|expose_to_public_internet| Whether or not to the NLB should be internet facing (\"yes\" or \"no\").|no| no|
-|use_https| whether or not to use HTTPS|no| no|
-|target_group_port|The port that the application is listening on|-| yes|
-|target_group_type|The type of target that you must specify when registering targets with this target group.|instance| no|
-|target_group_protocol| The protocol to use for routing traffic to the targets. Should be either TCP or TLS|TCP| no|
-|health_check_port|The port to use to connect with the target. Either ports 1-65536, or traffic-port|traffic-port|no|
-|health_check_protocol| The protocol to use for health checks	|TLS| no|
-|health_check_interval|The time between health check attempts in seconds	 |30| no|
-|health_check_unhealthy_threshold| The number of failed health checks before an instance is taken out of service	|2| no|
-|health_check_healthy_threshold| The number of successful health checks before an instance is put into service	|10| no|
-|listener_port| Port that NLB listens on|443| no|
-|listener_protocol| Protocol that the NLB listens on|TLS| no|
-|listener_certificate_arn|certificate ARN to be used by the certificate|-| yes|
+| Name                             | Description                                                                                                                            |   Default    | Required |
+|----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|:------------:|:--------:|
+| region                           | The region into which to deploy the load balancer                                                                                      |      -       |   yes    |
+| vpc_id                           | The ID of the VPC into which to deploy the load balancer	                                                                              |      -       |   yes    |
+| subnet_ids                       | The IDs of the subnets for the NLB	                                                                                                    |      -       |   yes    |
+| component                        | The component for which the load balancer is being created	                                                                            |      -       |   yes    |
+| deployment_identifier            | An identifier for this instantiation	                                                                                                  |      -       |   yes    |
+| domain_name                      | The domain name of the supplied Route 53 zones                                                                                         |      -       |   yes    |
+| public_zone_id                   | The ID of the public Route 53 zone	                                                                                                    |      -       |   yes    |
+| private_zone_id                  | The ID of the private Route 53 zone	                                                                                                   |      -       |   yes    |
+| enable_cross_zone_load_balancing | Whether or not to enable cross zone load balancing (\"yes\" or \"no\").                                                                |      no      |    no    |
+| enable_deletion_protection       | Whether or not to enable deletion protection for the load balancer.                                                                    |    false     |    no    |
+| enable_access_logs               | Whether or not to enable access logs on the load balancer.                                                                             |    false     |    no    |
+| access_logs_bucket_name          | The name of the S3 bucket in which to store access logs when `enable_access_logs` is `true`.                                           |    false     |    no    |
+| access_logs_bucket_prefix        | The prefix to use for objects in the access logs S3 bucket when `enable_access_logs` is `true`. Logs are stored in the root if `null`. |    false     |    no    |
+| idle_timeout                     | The time after which idle connections are closed.                                                                                      |      60      |    no    |
+| include_public_dns_record        | Whether or not to create a public DNS entry (\"yes\" or \"no\").                                                                       |      no      |    no    |
+| include_private_dns_record       | Whether or not to create a private DNS entry (\"yes\" or \"no\").                                                                      |     yes      |    no    |
+| expose_to_public_internet        | Whether or not to the NLB should be internet facing (\"yes\" or \"no\").                                                               |      no      |    no    |
+| use_https                        | whether or not to use HTTPS                                                                                                            |      no      |    no    |
+| target_group_port                | The port that the application is listening on                                                                                          |      -       |   yes    |
+| target_group_type                | The type of target that you must specify when registering targets with this target group.                                              |   instance   |    no    |
+| target_group_protocol            | The protocol to use for routing traffic to the targets. Should be either TCP or TLS                                                    |     TCP      |    no    |
+| health_check_port                | The port to use to connect with the target. Either ports 1-65536, or traffic-port                                                      | traffic-port |    no    |
+| health_check_protocol            | The protocol to use for health checks	                                                                                                 |     TLS      |    no    |
+| health_check_interval            | The time between health check attempts in seconds	                                                                                     |      30      |    no    |
+| health_check_unhealthy_threshold | The number of failed health checks before an instance is taken out of service	                                                         |      2       |    no    |
+| health_check_healthy_threshold   | The number of successful health checks before an instance is put into service	                                                         |      10      |    no    |
+| listener_port                    | Port that NLB listens on                                                                                                               |     443      |    no    |
+| listener_protocol                | Protocol that the NLB listens on                                                                                                       |     TLS      |    no    |
+| listener_certificate_arn         | certificate ARN to be used by the certificate                                                                                          |      -       |   yes    |
 
 ### Outputs
 
-| Name                                    | Description                                               |
-|-----------------------------------------|-----------------------------------------------------------|
-| name                                    | The name of the created NLB                               |
-| arn                                     | The arn of the created NLB                               |
-| zone_id                                 | The zone ID of the created NLB                            |
-| dns_name                                | The DNS name of the created NLB                           |
-| address                                 | The address of the DNS record(s) for the created NLB      |
+| Name     | Description                                          |
+|----------|------------------------------------------------------|
+| name     | The name of the created NLB                          |
+| arn      | The arn of the created NLB                           |
+| zone_id  | The zone ID of the created NLB                       |
+| dns_name | The DNS name of the created NLB                      |
+| address  | The address of the DNS record(s) for the created NLB |
 
 ### Compatibility
 
-This module is compatible with Terraform versions greater than or equal to 
+This module is compatible with Terraform versions greater than or equal to
 Terraform 1.0.
 
 Development
 -----------
 
 ### Machine Requirements
 
-In order for the build to run correctly, a few tools will need to be installed 
+In order for the build to run correctly, a few tools will need to be installed
 on your development machine:
 
 * Ruby (3.1.1)
@@ -214,13 +220,13 @@ direnv allow <repository-directory>
 
 ### Running the build
 
-Running the build requires an AWS account and AWS credentials. You are free to 
+Running the build requires an AWS account and AWS credentials. You are free to
 configure credentials however you like as long as an access key ID and secret
-access key are available. These instructions utilise 
+access key are available. These instructions utilise
 [aws-vault](https://github.com/99designs/aws-vault) which makes credential
 management easy and secure.
 
-To provision module infrastructure, run tests and then destroy that 
+To provision module infrastructure, run tests and then destroy that
 infrastructure, execute:
 
 ```bash
@@ -257,7 +263,7 @@ Configuration parameters can be overridden via environment variables:
 DEPLOYMENT_IDENTIFIER=testing aws-vault exec <profile> -- ./go
 ```
 
-When a deployment identifier is provided via an environment variable, 
+When a deployment identifier is provided via an environment variable,
 infrastructure will not be destroyed at the end of test execution. This can
 be useful during development to avoid lengthy provision and destroy cycles.
 
@@ -281,6 +287,7 @@ ssh-keygen -m PEM -t rsa -b 4096 -C integration-test@example.com -N '' -f config
 #### Generating a self-signed certificate
 
 To generate a self signed certificate:
+
 ```
 openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
 ```
@@ -317,14 +324,14 @@ openssl aes-256-cbc \
 Contributing
 ------------
 
-Bug reports and pull requests are welcome on GitHub at 
+Bug reports and pull requests are welcome on GitHub at
 https://github.com/infrablocks/terraform-aws-network-load-balancer. This project
-is intended to be a safe, welcoming space for collaboration, and contributors 
-are expected to adhere to the 
+is intended to be a safe, welcoming space for collaboration, and contributors
+are expected to adhere to the
 [Contributor Covenant](http://contributor-covenant.org) code of conduct.
 
 License
 -------
 
-The library is available as open source under the terms of the 
+The library is available as open source under the terms of the
 [MIT License](http://opensource.org/licenses/MIT).

variables.tf

@@ -103,12 +103,13 @@ variable "enable_access_logs" {
 }
 
 variable "access_logs_bucket_name" {
-  description = "The S3 bucket prefix. Logs are stored in the root if not configured"
+  description = "The name of the S3 bucket in which to store access logs when `enable_access_logs` is `true`."
   type    = string
   default = null
 }
 
 variable "access_logs_bucket_prefix" {
+  description = "The prefix to use for objects in the access logs S3 bucket when `enable_access_logs` is `true`. Logs are stored in the root if `null`."
   type    = string
   default = null
 }