mu to enable loadbalancer access logs by default

[srp]

Currently the ALB mu creates has no access logs enabled. Instead, by default, it should create an s3 bucket and enable logging, but allow users to choose their own bucket.

[cplee]

@srp thanks for the suggestion and PR!

Since mu is an opinionated tool, i believe it should offer all capabilities in one of 2 manners:

• if mu has an opinion on something, then it should offer a sane default with the ability to customize in mu.yml
• if mu does not have an opinion, then it should still allow customization but via a consistent mechanism. that mechanism is via the custom cloudformation templates.

In this example, there are specific things that should have an opinion and sane default added. For example, s3 access logs. The defaults should have mu creating a new S3 bucket for access logs and configuring the ALB to write logs to the bucket. There should an option in mu.yml to customize this behavior:

environments:
- name: production
  loadbalancer:
    # by overriding the bucket name, mu no longer tries to create/update the bucket. 
    logBucketName: my-bucket-name
    logBucketPrefix: production-access-logs

fwiw, if you want to do this via custom cloudformation, this is what it would look like in your mu.yml:

environments:
  - name: production

templates:
  mu-loadbalancer-production:
    Resources:
      Properties:
        LoadBalancerAttributes:
          - Key: access_logs.s3.enabled
            Value: true
          - Key: access_logs.s3.prefix
            Value: !Sub ${Namespace}/access-log
          - Key: access_logs.s3.bucket
            Value: !Sub myorg-logs-${EnvironmentName}

[srp]

Thanks for clarifying the philosophy! Assuming you weren't talking hypothetically that mu should enable logging by default, I'll work on a different PR to make that happen.

Incidentally, it seemed like the latter example didn't work for me. I didn't spend a lot of time on it, so maybe I messed something else up, but it seemed like mu decides what Cloudformation Parameters to expose and pass in before the templates are merged in, meaning that ${Namespace} and ${EnvironmentName} aren't defined. If that's really what's happening, is that also something that should be improved?

By the way, huge thanks for mu! It's making my life a lot easier and cleaner.

[cplee]

@srp i was definitely not speaking hypothetically...please do enable logging by default! looking forward to the PR. thanks for your help!