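# CRL distribution bucket for the XDR subordinate CA.
#
# ACM Private CA writes the CRL into this bucket and (per the KB article linked
# below) sets a public-read object ACL on it so relying parties can fetch it
# anonymously. The security property that matters for a CRL is integrity, which
# comes from the CA's signature over the CRL; the contents are not confidential.
resource "aws_s3_bucket" "crl" {
  provider = aws.common # COMMON SERVICES
  bucket   = "xdr-subordinate-crl"

  # CRLs are small, but regenerated every expiration/2 days (every 3.5 days by
  # default), so there will be a good number of versions. Keeping the history
  # also gives an audit trail of which revocation state was published when.
  versioning {
    enabled = true
  }

  # TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
  #logging {
  #  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
  #  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
  #}

  lifecycle_rule {
    id      = "CleanUp"
    enabled = true

    abort_incomplete_multipart_upload_days = 7

    # Clean up old versions after a year
    noncurrent_version_expiration {
      days = 365
    }
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        # SSE-S3 with the default key is enough: the CRL is public, signed data,
        # so encryption at rest is a baseline control here, not a
        # confidentiality requirement. A KMS CMK would add cost and a dependency
        # without changing the threat model.
        sse_algorithm = "AES256"
      }
    }
  }

  tags = merge(var.standard_tags, var.tags)
}

# Bucket policy granting ACM Private CA the write access it needs to publish
# the CRL (PutObject + PutObjectAcl for the public-read ACL, plus the bucket
# reads it performs up front).
#
# The acm-pca.amazonaws.com service principal is shared by every ACM PCA
# customer. Without a scoping condition, a CA in any other account that is
# pointed at this (globally unique) bucket name could write CRLs into it —
# a confused-deputy write. aws:SourceAccount limits the grant to CAs in our
# account; add aws:SourceArn with the subordinate CA's ARN as well once that
# ARN is available to this module, which pins it to a single CA.
data "aws_iam_policy_document" "acmpca_bucket_access" {
  statement {
    actions = [
      "s3:GetBucketAcl",
      "s3:GetBucketLocation",
      "s3:PutObject",
      "s3:PutObjectAcl",
    ]

    resources = [
      aws_s3_bucket.crl.arn,
      "${aws_s3_bucket.crl.arn}/*",
    ]

    principals {
      identifiers = ["acm-pca.amazonaws.com"]
      type        = "Service"
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      # NOTE(review): this must be the account that owns the subordinate CA.
      # var.aws_account_id is the calling module's account (it is what the
      # logging TODO above uses); confirm the CA lives there and not in
      # COMMON SERVICES before relying on this, otherwise CRL writes will be
      # denied and certificate validation will fail once the current CRL expires.
      values = [var.aws_account_id]
    }
  }
}

resource "aws_s3_bucket_policy" "crl" {
  provider = aws.common # COMMON SERVICES
  bucket   = aws_s3_bucket.crl.id
  policy   = data.aws_iam_policy_document.acmpca_bucket_access.json
}

# Publicly available CRL so clients can validate.
#
# ACM PCA serves the CRL through a public-read object ACL, so the two ACL
# related blocks have to stay off (see the KB article below); in particular
# ignore_public_acls = true would silently make the CRL unreadable. The two
# policy related blocks can be on: the bucket policy above only grants a service
# principal, and this stops anyone from attaching a public bucket policy later.
# Account-level Block Public Access settings, if enabled, still take precedence.
#
# If the bucket must ever be fully private, the alternative is to keep all four
# blocks on and serve the CRL through a CloudFront distribution with an origin
# access identity, pointing the CA's CRL CNAME at it.
resource "aws_s3_bucket_public_access_block" "crl_bucket_block_public_access" {
  provider = aws.common # COMMON SERVICES
  bucket   = aws_s3_bucket.crl.id

  # Not supported for CRLs, see https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-error-crl-acm-ca/
  block_public_acls  = false
  ignore_public_acls = false

  block_public_policy     = true
  restrict_public_buckets = true
}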