OBS Server-Side Access Logging – Example

This project demonstrates how to configure OBS (Object Storage Service) server-side access logging on T-Cloud Public (formerly Open Telekom Cloud) using OpenTofu / Terraform.

It provisions two OBS buckets: one that serves a static website, and a separate bucket that collects its access logs — following the security best practice of separating public content from log data.

What gets created

| Resource | Purpose |
|---|---|
| Website bucket | Publicly readable bucket with static-website hosting enabled (index.html / error.html). |
| Logs bucket | Private bucket (log-delivery-write ACL) that receives server-side access logs from the website bucket. |
| index.html object | A minimal "Hello World" page uploaded to the website bucket. |
| Lifecycle rule | Automatically expires log objects older than 90 days. |

The website bucket is configured with a logging block that points all access logs to the logs bucket under the logs/ prefix.

Architecture

    Client --HTTPS--> Website Bucket (public read)
        --server-side access logging--> Logs Bucket (log-delivery-write)
        --90-day lifecycle rule--> Auto-deleted

Prerequisites

  • OpenTofu ≥ 1.6.0 or Terraform ≥ 1.6.0
  • A T-Cloud Public account (Open Telekom Cloud) with IAM credentials (AK/SK)
  • The OTC provider authenticates via environment variables (recommended):

    export OS_ACCESS_KEY="your-access-key"
    export OS_SECRET_KEY="your-secret-key"

Quick start

  1. Create your variables file – copy the example and fill in your values:

    cp terraform.tfvars.example terraform.tfvars

    ⚠️ Bucket names must be globally unique across all OBS (3–63 characters, lowercase letters, numbers, and hyphens only). Date suffixes help avoid collisions.

  2. Initialize the working directory:

    tofu init

  3. Review the planned changes:

    tofu plan

  4. Apply:

    tofu apply

  5. Test – after apply, the static site URL will be shown in the output:

    http://<website-bucket-domain>/index.html

    Access the page a few times to generate logs, then check the logs bucket domain to verify logs are appearing under the logs/ prefix. Keep in mind that logs are not updated instantaneously but after a delay.

Variables

| Variable | Description | Default |
|---|---|---|
| otc_region | T-Cloud Public region (e.g. eu-de, eu-nl) | eu-de |
| website_bucket_name | Globally unique name for the public website bucket | (required) |
| logs_bucket_name | Globally unique name for the access-log bucket | (required) |
| common_tags | Tags applied to all resources | ManagedBy=OpenTofu, Environment=production |

Outputs

| Output | Description |
|---|---|
| website_bucket_name | Name of the website bucket |
| website_domain | Domain name to access the static site |
| logs_bucket_name | Name of the access-log bucket |
| logs_bucket_domain | Domain name of the access-log bucket |

How OBS logging works

Server-side access logging for OBS requires:

  1. A target bucket whose ACL is set to log-delivery-write — this authorises the OBS logging service to write objects to it.
  2. A logging block on the source bucket pointing to the target bucket and optionally specifying a key prefix.

This is analogous to S3 server access logging on AWS — same concept, same IAM/ACL pattern.
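
The two requirements above, sketched with the opentelekomcloud provider's `opentelekomcloud_obs_bucket` resource. This is an added illustration, not the repository's main.tf; the resource labels (`logs`, `website`), the lifecycle rule name, the `public-read` ACL, and the scoping of the lifecycle rule to the logs/ prefix are assumptions, while the variable names come from the Variables table.

```hcl
# Added illustration, not the project's own main.tf.
# Resource labels and the rule name are assumed for this sketch.

# 1. Target bucket: not publicly readable; the log-delivery-write ACL is what
#    authorises the OBS logging service to write log objects into it.
resource "opentelekomcloud_obs_bucket" "logs" {
  bucket = var.logs_bucket_name
  acl    = "log-delivery-write"
  tags   = var.common_tags

  # Expire access-log objects after 90 days (prefix scope is an assumption).
  lifecycle_rule {
    name    = "expire-access-logs"
    enabled = true
    prefix  = "logs/"

    expiration {
      days = 90
    }
  }
}

# 2. Source bucket: the public static website. Its logging block points at
#    the target bucket; referencing the resource attribute (rather than the
#    variable) makes the logs bucket an explicit dependency, so it exists
#    with the right ACL before logging is enabled.
resource "opentelekomcloud_obs_bucket" "website" {
  bucket = var.website_bucket_name
  acl    = "public-read"
  tags   = var.common_tags

  website {
    index_document = "index.html"
    error_document = "error.html"
  }

  logging {
    target_bucket = opentelekomcloud_obs_bucket.logs.bucket
    target_prefix = "logs/"
  }
}
```

Keeping the log target in a separate bucket means the `public-read` ACL on the website bucket never applies to the log objects.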

Notes

  • Credentials are not stored in this repository. Set them via the OS_ACCESS_KEY / OS_SECRET_KEY environment variables, or use a backend that supports secret management.
  • The region affects both the IAM auth URL and where buckets are created. Make sure your credentials are valid for the chosen region.
  • CORS rules are commented out in main.tf — uncomment and adjust them if your static site makes cross-origin requests.
  • The managed-by tag says OpenTofu but the code works identically with HashiCorp Terraform.

License

This example is provided as-is for educational purposes. Use it freely.