locals { # Convert accounts to arns. Technically, we don't need these in ARN format, but it makes updates slightly clearer # Include customer accounts based on a flag customer_accounts_included = var.customer_access ? local.customer_accounts : [] customer_accounts_arn = [for a in local.customer_accounts_included : "arn:${var.aws_partition}:iam::${a}:root"] # Include XDR accounts xdr_accounts = [for a in local.account_list : "arn:${var.aws_partition}:iam::${a}:root"] # Include any statically added accounts extra_accounts = [for a in var.extra_accounts : "arn:${var.aws_partition}:iam::${a}:root"] # Final list: final_accounts = concat(local.customer_accounts_arn, local.xdr_accounts, local.extra_accounts) } # tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required resource "aws_s3_bucket" "bucket" { # checkov:skip=CKV_AWS_18: see tfsec S3 logging above # checkov:skip=CKV_AWS_19: False positive due to var.encryption # checkov:skip=CKV_AWS_21: versioning Suspended for this bucket # checkov:skip=CKV_AWS_144: TODO: cross replication # checkov:skip=CKV_AWS_145: False positive due to var.encryption bucket = var.name tags = merge(local.standard_tags, var.tags) } resource "aws_s3_bucket_acl" "s3_acl_bucket" { bucket = aws_s3_bucket.bucket.id acl = "private" } # tfsec:ignore:aws-s3-enable-versioning versioning Suspended for this bucket resource "aws_s3_bucket_versioning" "s3_version_bucket" { bucket = aws_s3_bucket.bucket.id versioning_configuration { status = "Suspended" } } #FIXME: Does this keep a cross-account dependency? #resource "aws_s3_bucket_logging" "example" { #bucket = aws_s3_bucket.example.id # target_bucket = "dps-s3-logs" # target_prefix = "aws_terraform_s3_state_access_logs/" #} resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" { bucket = aws_s3_bucket.bucket.id rule { id = "CleanUp" status = "Enabled" abort_incomplete_multipart_upload { days_after_initiation = 7 } filter { prefix = "" } expiration { days = 0 expired_object_delete_marker = false } } } resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" { bucket = aws_s3_bucket.bucket.id rule { apply_server_side_encryption_by_default { kms_master_key_id = var.encryption == "SSE-KMS" ? aws_kms_key.bucketkey[0].arn : null sse_algorithm = var.encryption == "SSE-KMS" ? "aws:kms" : "AES256" } } } /*resource "aws_s3_bucket" "bucket" { bucket = var.name acl = "private" versioning { enabled = false } tags = merge(local.standard_tags, var.tags) # FIXME: Does this keep a cross-account dependency? #logging { # target_bucket = "dps-s3-logs" # target_prefix = "aws_terraform_s3_state_access_logs/" #} lifecycle_rule { enabled = true prefix = "" abort_incomplete_multipart_upload_days = 7 expiration { days = 0 expired_object_delete_marker = false } } server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { kms_master_key_id = var.encryption == "SSE-KMS" ? aws_kms_key.bucketkey[0].arn : null sse_algorithm = var.encryption == "SSE-KMS" ? "aws:kms" : "AES256" } } } } */ resource "aws_s3_bucket_public_access_block" "public_access_block" { bucket = aws_s3_bucket.bucket.id block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true } data "aws_iam_policy_document" "s3" { statement { sid = "AccountAllow" effect = "Allow" resources = [ "${aws_s3_bucket.bucket.arn}", "${aws_s3_bucket.bucket.arn}/*", ] actions = [ "s3:GetObject", "s3:ListBucket", ] principals { type = "AWS" identifiers = local.final_accounts } } } resource "aws_s3_bucket_policy" "policy" { bucket = aws_s3_bucket.bucket.id policy = data.aws_iam_policy_document.s3.json }