AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171
							# The centralized bucket for AWS config
module "xdr_config_logging_bucket" {
  source = "../../thirdparty/terraform-aws-s3logging-bucket"

  bucket_name = "xdr-config-${var.environment}-access-logs"
  lifecycle_rules = [
    {
      id                                     = "expire-old-logs"
      enabled                                = true
      prefix                                 = ""
      expiration                             = 30
      noncurrent_version_expiration          = 30
      abort_incomplete_multipart_upload_days = 7
    }
  ]
  tags               = merge(local.standard_tags, var.tags)
  versioning_enabled = true
}

resource "aws_s3_bucket" "xdr_config_bucket" {
  bucket = "xdr-config-${var.environment}"
  tags   = merge(local.standard_tags, var.tags)
}

resource "aws_s3_bucket_acl" "xdr_config_bucket" {
  bucket = aws_s3_bucket.xdr_config_bucket.id
  acl    = "private"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "xdr_config_bucket" {
  bucket = aws_s3_bucket.xdr_config_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.config_encryption.arn
    }
  }
}

resource "aws_s3_bucket_logging" "xdr_config_bucket" {
  bucket        = aws_s3_bucket.xdr_config_bucket.id
  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
}

resource "aws_s3_bucket_versioning" "xdr_config_bucket" {
  bucket = aws_s3_bucket.xdr_config_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_public_access_block" "awsconfig_bucket_block_public_access" {
  block_public_acls       = true
  block_public_policy     = true
  bucket                  = aws_s3_bucket.xdr_config_bucket.id
  ignore_public_acls      = true
  restrict_public_buckets = true
}

data "aws_iam_policy_document" "awsconfig_bucket_policy" {
  statement {
    sid    = "AWSConfigBucketPermissionsCheck"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.xdr_config_bucket.arn]
  }
  statement {
    sid    = "AWSConfigBucketExistenceCheck"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.xdr_config_bucket.arn]
  }
  statement {
    sid    = "AWSConfigBucketDelivery"
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.xdr_config_bucket.arn}/AWSLogs/*"]
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "awsconfig_bucket_policy" {
  bucket = aws_s3_bucket.xdr_config_bucket.id
  policy = data.aws_iam_policy_document.awsconfig_bucket_policy.json

  # Ordering bug, see https://github.com/terraform-providers/terraform-provider-aws/issues/7628
  depends_on = [aws_s3_bucket_public_access_block.awsconfig_bucket_block_public_access]
}

resource "aws_kms_key" "config_encryption" {
  description             = "This key is used to encrypt AWS config"
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.config_encryption_key_policy.json
  enable_key_rotation     = true
  tags                    = merge(local.standard_tags, var.tags)
}

resource "aws_kms_alias" "config_encryption" {
  name          = "alias/aws_config"
  target_key_id = aws_kms_key.config_encryption.key_id
}

data "aws_iam_policy_document" "config_encryption_key_policy" {
  statement {
    actions   = ["kms:*"]
    effect    = "Allow"
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
    }
  }

  statement {
    actions   = ["kms:GenerateDataKey*"]
    effect    = "Allow"
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }

  statement {
    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*",
    ]
    effect    = "Allow"
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }

  statement {
    actions   = ["kms:Describe*"]
    effect    = "Allow"
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}