AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139
							# tfsec:ignore:aws-s3-block-public-acls 
# tfsec:ignore:aws-s3-specify-public-access-block 
# tfsec:ignore:aws-s3-block-public-policy 
# tfsec:ignore:aws-s3-ignore-public-acls 
# tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
# tfsec:ignore:aws-s3-enable-bucket-logging TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
resource "aws_s3_bucket" "crl" {
	# checkov:skip=CKV_AWS_145: Risk is low for AES-256 encryption
	# checkov:skip=CKV2_AWS_6: see tfsec S3 block policy
	# checkov:skip=CKV_AWS_18: see tfsec S3 logging above
  provider = aws.common # COMMON SERVICES
  bucket   = "xdr-subordinate-crl"

  tags = merge(local.standard_tags, var.tags)

}

# CRLs are small, but regenerated every expiration/2 days, (every 3.5 days by default), so there will be a good number of versions

resource "aws_s3_bucket_versioning" "s3_version_subordinate_crl" {
  provider = aws.common
  bucket   = aws_s3_bucket.crl.id

  versioning_configuration {
    status = "Enabled"
  }
}

# TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
# resource "aws_s3_bucket_logging" "log_bucket_audit_reports" {
#  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
#  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
#}

resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_subordinate_crl" {
  provider = aws.common
  bucket   = aws_s3_bucket.crl.id

  rule {
    id     = "CleanUp"
    status = "Enabled"

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
    # Clean up old versions after a year
    noncurrent_version_expiration {
      noncurrent_days = 365
    }
  }
}

# tfsec:ignore:aws-s3-encryption-customer-key Risk is low for AES-256 encryption
resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_subordinate_crl" {
  provider = aws.common
  bucket   = aws_s3_bucket.crl.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

data "aws_iam_policy_document" "acmpca_bucket_access" {
  statement {
    actions = [
      "s3:GetBucketAcl",
      "s3:GetBucketLocation",
      "s3:PutObject",
      "s3:PutObjectAcl",
    ]

    resources = [
      aws_s3_bucket.crl.arn,
      "${aws_s3_bucket.crl.arn}/*",
    ]

    principals {
      identifiers = ["acm-pca.amazonaws.com"]
      type        = "Service"
    }
  }
}

resource "aws_s3_bucket_policy" "crl" {
  provider = aws.common # COMMON SERVICES
  bucket   = aws_s3_bucket.crl.id
  policy   = data.aws_iam_policy_document.acmpca_bucket_access.json
}

# Publicly available CRL so clients can validate
# resource "aws_s3_bucket_public_access_block" "crl_bucket_block_public_access" {
#  provider = aws.common # COMMON SERVICES
#  bucket                  = aws_s3_bucket.crl.id
#  block_public_acls       = false # Not supported for CRLs, see https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-error-crl-acm-ca/
#  block_public_policy     = true
#  ignore_public_acls      = true
#  restrict_public_buckets = true
#  depends_on = [ aws_s3_bucket.crl ]
#}

//AWS Provider outdated arguments <4.4.0
/*resource "aws_s3_bucket" "crl" {
  provider = aws.common # COMMON SERVICES
  bucket = "xdr-subordinate-crl"

  # CRLs are small, but regenerated every expiration/2 days, (every 3.5 days by default), so there will be a good number of versions
  versioning {
    enabled = true
  }

  # TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
  #logging {
  #  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
  #  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
  #}

  lifecycle_rule {
    id = "CleanUp"
    enabled = true
    abort_incomplete_multipart_upload_days = 7
    # Clean up old versions after a year
    noncurrent_version_expiration {
      days = 365
    }
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256" # Default keys are fine. We don't really need encryption here.
      }
    }
  }

  tags = merge(local.standard_tags, var.tags)
}
*/