| 1234567891011121314151617181920212223242526272829303132333435363738394041 |
- #S3 bucket for codebuild output
- #tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls
- #tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
- resource "aws_s3_bucket" "artifacts" {
- bucket = "xdr-codebuild-artifacts"
- force_destroy = true
- }
- resource "aws_s3_bucket_acl" "s3_acl_artifacts" {
- bucket = aws_s3_bucket.artifacts.id
- acl = "private"
- }
- resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_artifacts" {
- bucket = aws_s3_bucket.artifacts.id
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.s3_codebuild_artifacts.arn
- sse_algorithm = "aws:kms"
- }
- }
- }
- resource "aws_s3_bucket_policy" "artifacts" {
- bucket = aws_s3_bucket.artifacts.id
- policy = data.aws_iam_policy_document.artifacts.json
- }
- data "aws_iam_policy_document" "artifacts" {
- statement {
- sid = "AllowS3Access"
- actions = ["s3:GetObject", "s3:GetObjectVersion"]
- effect = "Allow"
- resources = ["${aws_s3_bucket.artifacts.arn}/*"]
- principals {
- type = "AWS"
- identifiers = sort([for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"])
- }
- }
- }
|
