탐색 도움말
가입하기 로그인
AFS
/
xdr-terraform-modules
2
0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
트리: 31ca1916fa
브랜치 태그
xdr-terraform-m...
/
base
/
CA_Infrastructure
/
root_CA
/
crl.tf

crl.tf 2.2 KB
히스토리 Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879 
  1. resource "aws_s3_bucket" "crl" {
    2. 

  2.   bucket = "xdr-root-crl"
    3. 

  3. 

  4.   # CRLs are small, but regenerated every expiration/2 days, (every 3.5 days by default), so there will be a good number of versions
    5. 

  5.   versioning {
    6. 

  6.     enabled = true
    7. 

  7.   }
    8. 

  8. 

  9.   # TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
    10. 

  10.   #logging {
    11. 

  11.   #  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
    12. 

  12.   #  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
    13. 

  13.   #}
    14. 

  14. 

  15.   lifecycle_rule {
    16. 

  16.     id = "CleanUp"
    17. 

  17.     enabled = true
    18. 

  18.     abort_incomplete_multipart_upload_days = 7
    19. 

  19.     # Clean up old versions after a year
    20. 

  20.     noncurrent_version_expiration {
    21. 

  21.       days = 365
    22. 

  22.     }
    23. 

  23.   }
    24. 

  24. 

  25.   server_side_encryption_configuration {
    26. 

  26.     rule {
    27. 

  27.       apply_server_side_encryption_by_default {
    28. 

  28.         sse_algorithm = "AES256" # Default keys are fine. We don't really need encryption here.
    29. 

  29.       }
    30. 

  30.     }
    31. 

  31.   }
    32. 

  32. 

  33.   tags = merge(var.standard_tags, var.tags)
    34. 

  34. }
    35. 

  35. 

  36. data "aws_iam_policy_document" "acmpca_bucket_access" {
    37. 

  37.   statement {
    38. 

  38.     actions = [
    39. 

  39.       "s3:GetBucketAcl",
    40. 

  40.       "s3:GetBucketLocation",
    41. 

  41.       "s3:PutObject",
    42. 

  42.       "s3:PutObjectAcl",
    43. 

  43.     ]
    44. 

  44. 

  45.     resources = [
    46. 

  46.       aws_s3_bucket.crl.arn,
    47. 

  47.       "${aws_s3_bucket.crl.arn}/*",
    48. 

  48.     ]
    49. 

  49. 

  50.     principals {
    51. 

  51.       identifiers = ["acm-pca.amazonaws.com"]
    52. 

  52.       type        = "Service"
    53. 

  53.     }
    54. 

  54. 

  55.     # TODO: Consider restricting this to the account, but may need to add Get permissions?
    56. 

  56.     # "Condition":{
    57. 

  57.     #       "StringEquals":{
    58. 

  58.     #          "aws:SourceAccount":"account",
    59. 

  59.     #          "aws:SourceArn":"arn:partition:acm-pca:region:account:certificate-authority/CA-ID"
    60. 

  60.     #       }
    61. 

  61.     #    }
    62. 

  62. 

  63.   }
    64. 

  64. }
    65. 

  65. 

  66. resource "aws_s3_bucket_policy" "crl" {
    67. 

  67.   bucket = aws_s3_bucket.crl.id
    68. 

  68.   policy = data.aws_iam_policy_document.acmpca_bucket_access.json
    69. 

  69. }
    70. 

  70. 

  71. # We want the CRL publicly accessible for zero trust websites and such.
    72. 

  72. #resource "aws_s3_bucket_public_access_block" "crl_bucket_block_public_access" {
    73. 

  73. #  bucket                  = aws_s3_bucket.crl.id
    74. 

  74. #  block_public_acls       = false # Not supported for CRLs, see https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-error-crl-acm-ca/
    75. 

  75. #  block_public_policy     = true
    76. 

  76. #  ignore_public_acls      = true
    77. 

  77. #  restrict_public_buckets = true
    78. 

  78. #  depends_on = [ aws_s3_bucket.crl ]
    79. 

  79. #}
    80.