AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130
							locals {
  bucket_name  = "xdr-github-enterprise-${var.environment}-github-actions"
  accounts     = [var.aws_account_id]
  account_arns = [for a in local.accounts : "arn:${var.aws_partition}:iam::${a}:root"]
}

# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
resource "aws_s3_bucket" "bucket" {
  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
  # checkov:skip=CKV_AWS_144: TODO: cross replication

  bucket = local.bucket_name
  tags   = merge(local.standard_tags, var.tags)
}

resource "aws_s3_bucket_acl" "s3_acl_bucket" {
  bucket = aws_s3_bucket.bucket.id
  acl    = "private"
}

resource "aws_s3_bucket_versioning" "s3_version_bucket" {
  bucket = aws_s3_bucket.bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    id     = "STANDARD_IA"
    status = "Enabled"

    abort_incomplete_multipart_upload {
      days_after_initiation = 2
    }

    transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.bucketkey.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "public_access_block" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
  # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
  depends_on = [aws_s3_bucket_policy.policy]
}

data "aws_iam_policy_document" "policy" {
  statement {
    sid    = "AccountAllow"
    effect = "Allow"

    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*",
    ]

    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]

    principals {
      type        = "AWS"
      identifiers = local.account_arns
    }
  }
}

resource "aws_s3_bucket_policy" "policy" {
  bucket = aws_s3_bucket.bucket.id

  policy = data.aws_iam_policy_document.policy.json
}

//AWS Provider outdated arguments <4.4.0
/*resource "aws_s3_bucket" "bucket" {
  bucket = local.bucket_name
  acl    = "private"

  versioning {
    enabled = true
  }

  tags = merge(local.standard_tags, var.tags)

  lifecycle_rule {
    id      = "STANDARD_IA"
    enabled = true

    abort_incomplete_multipart_upload_days = 2

    transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }

  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.bucketkey.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
*/