
Merge pull request #393 from mdr-engineering/feature/jc_MSOCI-2042_S3_Bucket_Refactor_Update

Feature/jc msoci 2042 s3 bucket refactor update
Jeremy Cooper 3 years ago
parent
commit
297571c8b0

+ 1 - 1
base/globally_accessible_bucket/files.tf

@@ -9,7 +9,7 @@ output "Files_Copied_to_S3_by_this_Module" {
   value = local.relevant_files
 }
 
-resource "aws_s3_bucket_object" "populate" {
+resource "aws_s3_object" "populate" {
   for_each = toset(local.relevant_files)
 
   bucket = aws_s3_bucket.bucket.bucket
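Review bot: `aws_s3_object` is a different resource type from `aws_s3_bucket_object`, so on the next plan Terraform will propose destroying every `aws_s3_bucket_object.populate[...]` instance and creating `aws_s3_object.populate[...]` in its place rather than updating in place, and this PR carries no state migration. Unless state was moved outside this PR, the objects should be imported into the new addresses (or the replacement documented as expected) before apply. The resource body continues past the hunk.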

+ 58 - 0
base/globally_accessible_bucket/main.tf

@@ -7,6 +7,63 @@ locals {
 
 resource "aws_s3_bucket" "bucket" {
   bucket = var.name
+
+  tags   = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_s3_bucket_acl" "s3_acl_bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_versioning" "s3_version_bucket" {
+  bucket   = aws_s3_bucket.bucket.id
+  versioning_configuration {
+    status = "Suspended"
+  }
+}
+
+  #FIXME: Does this keep a cross-account dependency?
+  #resource "aws_s3_bucket_logging" "example" {
+  #bucket        = aws_s3_bucket.example.id
+  #  target_bucket = "dps-s3-logs"
+  #  target_prefix = "aws_terraform_s3_state_access_logs/"
+  #}
+
+resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" {
+  bucket   = aws_s3_bucket.bucket.id
+  
+  rule {
+    id     = "CleanUp"
+    status = "Enabled"
+    
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 7
+    }
+    
+    filter {
+      prefix = ""
+    }
+
+    expiration {
+      days                         = 0
+      expired_object_delete_marker = false
+    }
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = var.encryption == "SSE-KMS" ? aws_kms_key.bucketkey[0].arn : null
+      sse_algorithm     = var.encryption == "SSE-KMS" ? "aws:kms" : "AES256"
+      }
+    }
+}
+/*resource "aws_s3_bucket" "bucket" {
+  bucket = var.name
   acl    = "private"
 
   versioning {
@@ -42,6 +99,7 @@ resource "aws_s3_bucket" "bucket" {
   }
 
 }
+*/
 
 resource "aws_s3_bucket_public_access_block" "public_access_block" {
   bucket                  = aws_s3_bucket.bucket.id
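Review bot: `aws_s3_bucket_acl.s3_acl_bucket` only sets `acl = "private"`, which is what a new bucket already gets, and on a bucket whose Object Ownership is BucketOwnerEnforced (ACLs disabled) the PutBucketAcl call it issues is rejected, so the resource adds an apply-time failure mode without tightening access; the same pattern is added in kinesis_firehose_waf_logs, palo_alto/bootstrap and shared_ami_key. Dropping these ACL resources and pinning `aws_s3_bucket_ownership_controls` with `object_ownership = "BucketOwnerEnforced"` disables ACLs outright and is the stronger posture. The commented-out logging block references `aws_s3_bucket.example.id` (a placeholder) instead of `aws_s3_bucket.bucket.id`, so uncommenting it to resolve the FIXME would fail, and until it is enabled there is no server access log for this bucket. The `expiration` block with `days = 0` and `expired_object_delete_marker = false` looks intended as a no-op; if the rule exists only for `abort_incomplete_multipart_upload`, omitting `expiration` states that more clearly. The `/* ... */`-wrapped copy of the old bucket block here, and in the other three files, is already preserved by git history and can be deleted.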

+ 41 - 10
base/kinesis_firehose_waf_logs/main.tf

@@ -42,23 +42,34 @@ resource "aws_cloudwatch_log_stream" "kinesis" {
   name           = "aws-waf-logs-splunk"
   log_group_name = aws_cloudwatch_log_group.kinesis.name
 }
-
 resource "aws_s3_bucket" "aws-waf-logs-splunk" {
   bucket = "aws-waf-logs-splunk-${var.environment}-${var.account_name}"
+
+  tags   = merge(var.standard_tags, var.tags, { "Purpose" = "Failed events from AWS Kinesis" })
+}
+
+resource "aws_s3_bucket_acl" "s3_acl_aws-waf-logs-splunk" {
+  bucket = aws_s3_bucket.aws-waf-logs-splunk.id
   acl    = "private"
+}
 
-  versioning { enabled = false }
+resource "aws_s3_bucket_versioning" "s3_version_aws-waf-logs-splunk" {
+  bucket   = aws_s3_bucket.aws-waf-logs-splunk.id
+  
+  versioning_configuration {
+    status = "Suspended"
+  }
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.aws-waf-logs-splunk.arn
-        sse_algorithm     = "aws:kms"
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_aws-waf-logs-splunk" {
+  bucket = aws_s3_bucket.aws-waf-logs-splunk.id
+  
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.aws-waf-logs-splunk.arn
+      sse_algorithm     = "aws:kms"
       }
     }
-  }
-
-  tags   = merge(var.standard_tags, var.tags, { "Purpose" = "Failed events from AWS Kinesis" })
 }
 
 resource "aws_kms_key" "aws-waf-logs-splunk" {
@@ -200,3 +211,23 @@ EOF
 #           ]
 #        }
 }
+
+//AWS Provider outdated arguments <4.4.0
+/*resource "aws_s3_bucket" "aws-waf-logs-splunk" {
+  bucket = "aws-waf-logs-splunk-${var.environment}-${var.account_name}"
+  acl    = "private"
+
+  versioning { enabled = false }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.aws-waf-logs-splunk.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+
+  tags   = merge(var.standard_tags, var.tags, { "Purpose" = "Failed events from AWS Kinesis" })
+}
+*/
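Review bot: The blank line between `aws_cloudwatch_log_stream.kinesis` and `aws_s3_bucket.aws-waf-logs-splunk` is removed in the first hunk, so the two resources now run together; restoring it keeps the spacing consistent with the rest of the file. No `aws_s3_bucket_public_access_block` for this bucket appears in either hunk; if one is not defined elsewhere in main.tf, adding one is the usual companion to the private ACL for a bucket that receives failed WAF-log events, since the ACL alone does not stop a later bucket policy from granting public reads.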

+ 13 - 0
base/palo_alto/bootstrap/main.tf

@@ -2,6 +2,10 @@ resource "aws_s3_bucket" "bucket" {
   count = var.palo_alto_count
 
   bucket = "xdr-palo-alto-bootstrap-${count.index}"
+}
+
+resource "aws_s3_bucket_acl" "s3_acl_bucket" {
+  bucket = aws_s3_bucket.bucket.id
   acl    = "private"
 }
 
@@ -112,3 +116,12 @@ resource "aws_iam_instance_profile" "bootstrap" {
   role = aws_iam_role.bootstrap_role[count.index].name
   path = "/instance/"
 }
+
+//AWS Provider outdated arguments <4.4.0
+/*resource "aws_s3_bucket" "bucket" {
+  count = var.palo_alto_count
+
+  bucket = "xdr-palo-alto-bootstrap-${count.index}"
+  acl    = "private"
+}
+*/
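Review bot: `aws_s3_bucket_acl.s3_acl_bucket` references `aws_s3_bucket.bucket.id`, but that bucket is declared with `count = var.palo_alto_count` (visible at the top of the first hunk), so the unindexed reference is invalid and the ACL resource itself is not counted. It should carry `count = var.palo_alto_count` and use `bucket = aws_s3_bucket.bucket[count.index].id`. Unlike the other buckets in this PR, this one gets no server-side-encryption configuration; if none is defined elsewhere in the file, an `aws_s3_bucket_server_side_encryption_configuration` (AES256 at minimum) and a public access block for the bootstrap bucket would be worth adding. The `aws_s3_bucket` resource begins before the first hunk.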

+ 31 - 7
base/shared_ami_key/main.tf

@@ -45,17 +45,24 @@ module "shared_ami_key" {
 
 resource "aws_s3_bucket" "xdr-shared-amis" {
   bucket = var.ami_bucket_name
-  acl  = "private"
+
   tags = merge(var.standard_tags, var.tags)
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = module.shared_ami_key.key_arn
-        sse_algorithm     = "aws:kms"
+resource "aws_s3_bucket_acl" "s3_acl_xdr-shared-amis" {
+  bucket = aws_s3_bucket.xdr-shared-amis.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_xdr-shared-amis" {
+  bucket = aws_s3_bucket.xdr-shared-amis.id
+  
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = module.shared_ami_key.key_arn
+      sse_algorithm     = "aws:kms"
       }
     }
-  }
 }
 
 resource "aws_iam_role" "vmimport" {
@@ -127,3 +134,20 @@ resource "aws_iam_role_policy" "vmimport" {
 }
 EOF
 }
+
+//AWS Provider outdated arguments <4.4.0
+/*resource "aws_s3_bucket" "xdr-shared-amis" {
+  bucket = var.ami_bucket_name
+  acl  = "private"
+  tags = merge(var.standard_tags, var.tags)
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = module.shared_ami_key.key_arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
+*/
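Review bot: The new `aws_s3_bucket_server_side_encryption_configuration.s3_sse_xdr-shared-amis` preserves the KMS default encryption, but neither hunk adds versioning or a public access block for the AMI bucket and the removed inline block had none either; if they are not defined elsewhere in main.tf, an `aws_s3_bucket_public_access_block` is worth adding, since the private ACL does not prevent a later bucket policy from granting public reads. The comment `//AWS Provider outdated arguments <4.4.0` uses `//` while the other comments visible in this file use `#`; Terraform accepts both, but keeping one style avoids a mixed file.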