Add AccessLog attribute to CloudFormation and Terraform renderer

tests/integration/update_cluster/complex/cloudformation.json

@@ -1458,6 +1458,20 @@
             "Key": "kubernetes.io/cluster/complex.example.com",
             "Value": "owned"
           }
+        ],
+        "LoadBalancerAttributes": [
+          {
+            "Key": "access_logs.s3.enabled",
+            "Value": "true"
+          },
+          {
+            "Key": "access_logs.s3.bucket",
+            "Value": "access-log-example"
+          },
+          {
+            "Key": "access_logs.s3.prefix",
+            "Value": ""
+          }
         ]
       }
     },

tests/integration/update_cluster/complex/data/aws_s3_bucket_object_cluster-completed.spec_content

@@ -9,6 +9,8 @@ spec:
   - 10.2.0.0/16
   api:
     loadBalancer:
+      accessLog:
+        bucket: access-log-example
       additionalSecurityGroups:
       - sg-exampleid5
       - sg-exampleid6

tests/integration/update_cluster/complex/in-legacy-v1alpha2.yaml

@@ -17,6 +17,8 @@ spec:
       subnets:
         - name: us-test-1a
           allocationId: eipalloc-012345a678b9cdefa
+      accessLog:
+        bucket: access-log-example
   kubernetesApiAccess:
   - 1.1.1.0/24
   channel: stable

tests/integration/update_cluster/complex/in-v1alpha2.yaml

@@ -17,6 +17,8 @@ spec:
       subnets:
         - name: us-test-1a
           allocationId: eipalloc-012345a678b9cdefa
+      accessLog:
+        bucket: access-log-example
   kubernetesApiAccess:
   - 1.1.1.0/24
   channel: stable

tests/integration/update_cluster/complex/kubernetes.tf

@@ -523,6 +523,11 @@ resource "aws_launch_template" "nodes-complex-example-com" {
 }
 
 resource "aws_lb" "api-complex-example-com" {
+  access_logs {
+    bucket  = "access-log-example"
+    enabled = true
+    prefix  = ""
+  }
   enable_cross_zone_load_balancing = true
   internal                         = false
   load_balancer_type               = "network"

upup/pkg/fi/cloudup/awstasks/classic_load_balancer.go

@@ -716,7 +716,7 @@ func (_ *ClassicLoadBalancer) RenderTerraform(t *terraform.TerraformTarget, a, e
 		}
 	}
 
-	if e.AccessLog != nil {
+	if e.AccessLog != nil && fi.BoolValue(e.AccessLog.Enabled) {
 		tf.AccessLog = &terraformLoadBalancerAccessLog{
 			EmitInterval:   e.AccessLog.EmitInterval,
 			Enabled:        e.AccessLog.Enabled,
@@ -856,7 +856,7 @@ func (_ *ClassicLoadBalancer) RenderCloudformation(t *cloudformation.Cloudformat
 		}
 	}
 
-	if e.AccessLog != nil {
+	if e.AccessLog != nil && fi.BoolValue(e.AccessLog.Enabled) {
 		tf.AccessLog = &cloudformationClassicLoadBalancerAccessLog{
 			EmitInterval:   e.AccessLog.EmitInterval,
 			Enabled:        e.AccessLog.Enabled,

upup/pkg/fi/cloudup/awstasks/network_load_balancer.go

@@ -371,29 +371,20 @@ func (e *NetworkLoadBalancer) Find(c *fi.Context) (*NetworkLoadBalancer, error)
 				if err != nil {
 					return nil, err
 				}
-				if actual.AccessLog != nil {
+				if actual.AccessLog == nil {
+					actual.AccessLog = &NetworkLoadBalancerAccessLog{}
+				}
 				actual.AccessLog.Enabled = fi.Bool(b)
-				} else {
-					actual.AccessLog = &NetworkLoadBalancerAccessLog{
-						Enabled: fi.Bool(b),
-					}
-				}
 			case "access_logs.s3.bucket":
-				if actual.AccessLog != nil {
+				if actual.AccessLog == nil {
+					actual.AccessLog = &NetworkLoadBalancerAccessLog{}
+				}
 				actual.AccessLog.S3BucketName = value
-				} else {
-					actual.AccessLog = &NetworkLoadBalancerAccessLog{
-						S3BucketName: value,
-					}
-				}
 			case "access_logs.s3.prefix":
-				if actual.AccessLog != nil {
+				if actual.AccessLog == nil {
+					actual.AccessLog = &NetworkLoadBalancerAccessLog{}
+				}
 				actual.AccessLog.S3BucketPrefix = value
-				} else {
-					actual.AccessLog = &NetworkLoadBalancerAccessLog{
-						S3BucketPrefix: value,
-					}
-				}
 			default:
 				klog.V(2).Infof("unsupported key -- ignoring, %v.\n", key)
 			}
@@ -706,6 +697,7 @@ type terraformNetworkLoadBalancer struct {
 	Type                   string                                      `json:"load_balancer_type" cty:"load_balancer_type"`
 	SubnetMappings         []terraformNetworkLoadBalancerSubnetMapping `json:"subnet_mapping" cty:"subnet_mapping"`
 	CrossZoneLoadBalancing bool                                        `json:"enable_cross_zone_load_balancing" cty:"enable_cross_zone_load_balancing"`
+	AccessLog              *terraformNetworkLoadBalancerAccessLog      `json:"access_logs,omitempty" cty:"access_logs"`
 
 	Tags map[string]string `json:"tags" cty:"tags"`
 }
@@ -747,6 +739,14 @@ func (_ *NetworkLoadBalancer) RenderTerraform(t *terraform.TerraformTarget, a, e
 		})
 	}
 
+	if e.AccessLog != nil && fi.BoolValue(e.AccessLog.Enabled) {
+		nlbTF.AccessLog = &terraformNetworkLoadBalancerAccessLog{
+			Enabled:        e.AccessLog.Enabled,
+			S3BucketName:   e.AccessLog.S3BucketName,
+			S3BucketPrefix: e.AccessLog.S3BucketPrefix,
+		}
+	}
+
 	err := t.RenderResource("aws_lb", *e.Name, nlbTF)
 	if err != nil {
 		return err
@@ -788,6 +788,7 @@ func (_ *NetworkLoadBalancer) RenderTerraform(t *terraform.TerraformTarget, a, e
 			return err
 		}
 	}
+
 	return nil
 }
 
@@ -805,6 +806,7 @@ type cloudformationNetworkLoadBalancer struct {
 	SubnetMappings         []*cloudformationSubnetMapping        `json:"SubnetMappings"`
 	Type                   string                                `json:"Type"`
 	Tags                   []cloudformationTag                   `json:"Tags"`
+	LoadBalancerAttributes []cloudformationLoadBalancerAttribute `json:"LoadBalancerAttributes,omitempty"`
 }
 
 type cloudformationSubnetMapping struct {
@@ -813,6 +815,11 @@ type cloudformationSubnetMapping struct {
 	PrivateIPv4Address *string                 `json:"PrivateIPv4Address,omitempty"`
 }
 
+type cloudformationLoadBalancerAttribute struct {
+	Key   *string `json:"Key"`
+	Value *string `json:"Value,omitempty"`
+}
+
 type cloudformationNetworkLoadBalancerListener struct {
 	Certificates    []cloudformationNetworkLoadBalancerListenerCertificate `json:"Certificates,omitempty"`
 	DefaultActions  []cloudformationNetworkLoadBalancerListenerAction      `json:"DefaultActions"`
@@ -849,6 +856,25 @@ func (_ *NetworkLoadBalancer) RenderCloudformation(t *cloudformation.Cloudformat
 	} else {
 		nlbCF.Scheme = elbv2.LoadBalancerSchemeEnumInternetFacing
 	}
+
+	if e.AccessLog != nil && *e.AccessLog.Enabled {
+		var attributes []cloudformationLoadBalancerAttribute
+
+		attributes = append(attributes, cloudformationLoadBalancerAttribute{
+			Key:   aws.String("access_logs.s3.enabled"),
+			Value: aws.String(strconv.FormatBool(aws.BoolValue(e.AccessLog.Enabled))),
+		})
+		attributes = append(attributes, cloudformationLoadBalancerAttribute{
+			Key:   aws.String("access_logs.s3.bucket"),
+			Value: e.AccessLog.S3BucketName,
+		})
+		attributes = append(attributes, cloudformationLoadBalancerAttribute{
+			Key:   aws.String("access_logs.s3.prefix"),
+			Value: e.AccessLog.S3BucketPrefix,
+		})
+		nlbCF.LoadBalancerAttributes = attributes
+	}
+
 	err := t.RenderResource("AWS::ElasticLoadBalancingV2::LoadBalancer", *e.Name, nlbCF)
 	if err != nil {
 		return err

upup/pkg/fi/cloudup/awstasks/networkloadbalancer_attributes.go

@@ -37,6 +37,12 @@ func (_ *NetworkLoadBalancerAccessLog) GetDependencies(tasks map[string]fi.Task)
 	return nil
 }
 
+type terraformNetworkLoadBalancerAccessLog struct {
+	Enabled        *bool   `json:"enabled,omitempty" cty:"enabled"`
+	S3BucketName   *string `json:"bucket,omitempty" cty:"bucket"`
+	S3BucketPrefix *string `json:"bucket_prefix,omitempty" cty:"prefix"`
+}
+
 func findNetworkLoadBalancerAttributes(cloud awsup.AWSCloud, LoadBalancerArn string) ([]*elbv2.LoadBalancerAttribute, error) {
 
 	request := &elbv2.DescribeLoadBalancerAttributesInput{