s3.tf 2.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990
  1. locals {
  2. bucket_name = "xdr-${var.environment}-codebuild-portal-data-sync"
  3. accounts = [var.aws_account_id]
  4. account_arns = [for a in local.accounts : "arn:${var.aws_partition}:iam::${a}:root"]
  5. }
  6. #S3 bucket for codebuild output
  7. resource "aws_s3_bucket" "bucket" {
  8. #provider = aws.common # COMMON SERVICES
  9. bucket = local.bucket_name
  10. force_destroy = true
  11. tags = merge(var.standard_tags, var.tags)
  12. }
  13. resource "aws_s3_bucket_acl" "s3_acl_bucket" {
  14. #provider = aws.common # COMMON SERVICES
  15. bucket = aws_s3_bucket.bucket.id
  16. acl = "private"
  17. }
  18. resource "aws_s3_bucket_versioning" "s3_version_bucket" {
  19. #provider = aws.common # COMMON SERVICES
  20. bucket = aws_s3_bucket.bucket.id
  21. versioning_configuration {
  22. status = "Suspended"
  23. }
  24. }
  25. resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
  26. #provider = aws.common # COMMON SERVICES
  27. bucket = aws_s3_bucket.bucket.id
  28. rule {
  29. apply_server_side_encryption_by_default {
  30. kms_master_key_id = aws_kms_key.s3_codebuild.arn
  31. sse_algorithm = "aws:kms"
  32. }
  33. }
  34. }
  35. resource "aws_s3_bucket_public_access_block" "public_access_block" {
  36. bucket = aws_s3_bucket.bucket.id
  37. block_public_acls = true
  38. block_public_policy = true
  39. ignore_public_acls = true
  40. restrict_public_buckets = true
  41. # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
  42. # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
  43. depends_on = [aws_s3_bucket_policy.artifacts]
  44. }
  45. resource "aws_s3_bucket_policy" "artifacts" {
  46. bucket = aws_s3_bucket.bucket.id
  47. policy = data.aws_iam_policy_document.artifacts.json
  48. }
  49. data "aws_iam_policy_document" "artifacts" {
  50. statement {
  51. sid = "AllowS3Access"
  52. actions = [ "s3:GetObject", "s3:GetObjectVersion" ]
  53. effect = "Allow"
  54. resources = [ "${aws_s3_bucket.bucket.arn}/*" ]
  55. principals {
  56. type = "AWS"
  57. identifiers = local.account_arns
  58. }
  59. }
  60. }
  61. //AWS Provider outdated arguments <4.4.0
  62. /*resource "aws_s3_bucket" "bucket" {
  63. bucket = local.bucket_name
  64. force_destroy = true
  65. acl = "private"
  66. tags = merge(var.standard_tags, var.tags)
  67. versioning {
  68. enabled = false
  69. }
  70. server_side_encryption_configuration {
  71. rule {
  72. apply_server_side_encryption_by_default {
  73. kms_master_key_id = aws_kms_key.s3_codebuild.arn
  74. sse_algorithm = "aws:kms"
  75. }
  76. }
  77. }
  78. }
  79. */