OBS Server-Side Access Logging – Example
This project demonstrates how to configure OBS (Object Storage Service) server-side access logging on T-Cloud Public (formerly Open Telekom Cloud) using OpenTofu / Terraform.
It provisions two OBS buckets: one that serves a static website, and a separate bucket that collects its access logs — following the security best practice of separating public content from log data.
What gets created
| Resource | Purpose |
|---|---|
| Website bucket | Publicly readable bucket with static-website hosting enabled (index.html / error.html). |
| Logs bucket | Private bucket (log-delivery-write ACL) that receives server-side access logs from the website bucket. |
| `index.html` object | A minimal "Hello World" page uploaded to the website bucket. |
| Lifecycle rule | Automatically expires log objects older than 90 days. |
The website bucket is configured with a logging block that points all access logs
to the logs bucket under the logs/ prefix.
Architecture
Prerequisites
- OpenTofu ≥ 1.6.0 or Terraform ≥ 1.6.0
- A T-Cloud Public account (Open Telekom Cloud) with IAM credentials (AK/SK)
- The OTC provider authenticates via environment variables (recommended):
  ```
  export OS_ACCESS_KEY="your-access-key"
  export OS_SECRET_KEY="your-secret-key"
  ```
Quick start
- Create your variables file – copy the example and fill in your values:
  ```
  cp terraform.tfvars.example terraform.tfvars
  ```
  ⚠️ Bucket names must be globally unique across all OBS (3–63 characters, lowercase letters, numbers, and hyphens only). Date suffixes help avoid collisions.
- Initialize the working directory:
  ```
  tofu init
  ```
- Review the planned changes:
  ```
  tofu plan
  ```
- Apply:
  ```
  tofu apply
  ```
- Test – after apply, the static site URL will be shown in the output:
  ```
  http://<website-bucket-domain>/index.html
  ```
  Access the page a few times to generate logs, then check the logs bucket domain to verify that logs are appearing under the `logs/` prefix. Keep in mind that logs are not updated instantaneously but after a delay.
Variables
| Variable | Description | Default |
|---|---|---|
| `otc_region` | T-Cloud Public region (e.g. eu-de, eu-nl) | eu-de |
| `website_bucket_name` | Globally unique name for the public website bucket (required) | — |
| `logs_bucket_name` | Globally unique name for the access-log bucket (required) | — |
| `common_tags` | Tags applied to all resources | ManagedBy=OpenTofu, Environment=production |
Outputs
| Output | Description |
|---|---|
| `website_bucket_name` | Name of the website bucket |
| `website_domain` | Domain name to access the static site |
| `logs_bucket_name` | Name of the access-log bucket |
| `logs_bucket_domain` | Domain name of the access-log bucket |
How OBS logging works
Server-side access logging for OBS requires:
- A target bucket whose ACL is set to `log-delivery-write` — this authorises the OBS logging service to write objects to it.
- A `logging` block on the source bucket pointing to the target bucket and optionally specifying a key prefix.
This is analogous to S3 server access logging on AWS — same concept, same IAM/ACL pattern.
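The two requirements above, sketched with the `opentelekomcloud_obs_bucket` resource. This is an added example, not the repository's `main.tf`: the resource labels, the lifecycle rule name and its `logs/` prefix are assumptions, the `var.*` inputs are the ones listed under Variables, and the public-read configuration of the website bucket is left out.

```hcl
# Added sketch, not the project's own code. Labels "logs" and "website" are
# hypothetical; var.* refers to the inputs listed in the Variables table.

# Target bucket: the log-delivery-write ACL authorises the OBS logging
# service to write objects here. Nothing else is granted access.
resource "opentelekomcloud_obs_bucket" "logs" {
  bucket = var.logs_bucket_name
  acl    = "log-delivery-write"
  tags   = var.common_tags

  # Expire delivered log objects after 90 days.
  # Assumption: the rule is scoped to the same prefix the logs are written to.
  lifecycle_rule {
    name    = "expire-access-logs"
    prefix  = "logs/"
    enabled = true

    expiration {
      days = 90
    }
  }
}

# Source bucket: serves the static site and ships its access logs to the
# target bucket. How public read access is granted is not shown on this
# page and is omitted here.
resource "opentelekomcloud_obs_bucket" "website" {
  bucket = var.website_bucket_name
  tags   = var.common_tags

  website {
    index_document = "index.html"
    error_document = "error.html"
  }

  # Referencing the logs bucket resource (rather than its name variable)
  # makes the plan create the target before logging is enabled.
  logging {
    target_bucket = opentelekomcloud_obs_bucket.logs.id
    target_prefix = "logs/"
  }
}
```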
Notes
- Credentials are not stored in this repository. Set them via the `OS_ACCESS_KEY` / `OS_SECRET_KEY` environment variables, or use a backend that supports secret management.
- The region affects both the IAM auth URL and where buckets are created. Make sure your credentials are valid for the chosen region.
- CORS rules are commented out in `main.tf` — uncomment and adjust them if your static site makes cross-origin requests.
- The managed-by tag says `OpenTofu` but the code works identically with HashiCorp Terraform.
License
This example is provided as-is for educational purposes. Use it freely.