| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 |
- locals {
- bucket_name = "xdr-${var.environment}-codebuild-portal-data-sync"
- accounts = [var.aws_account_id]
- account_arns = [for a in local.accounts : "arn:${var.aws_partition}:iam::${a}:root"]
- }
- #S3 bucket for codebuild output
- resource "aws_s3_bucket" "bucket" {
- bucket = local.bucket_name
- force_destroy = true
- tags = merge(local.standard_tags, var.tags)
- }
- resource "aws_s3_bucket_acl" "s3_acl_bucket" {
- bucket = aws_s3_bucket.bucket.id
- acl = "private"
- }
- resource "aws_s3_bucket_versioning" "s3_version_bucket" {
- bucket = aws_s3_bucket.bucket.id
- versioning_configuration {
- status = "Suspended"
- }
- }
- resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
- bucket = aws_s3_bucket.bucket.id
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.s3_codebuild.arn
- sse_algorithm = "aws:kms"
- }
- }
- }
- resource "aws_s3_bucket_public_access_block" "public_access_block" {
- bucket = aws_s3_bucket.bucket.id
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
- # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
- # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
- depends_on = [aws_s3_bucket_policy.artifacts]
- }
- resource "aws_s3_bucket_policy" "artifacts" {
- bucket = aws_s3_bucket.bucket.id
- policy = data.aws_iam_policy_document.artifacts.json
- }
- data "aws_iam_policy_document" "artifacts" {
- statement {
- sid = "AllowS3Access"
- actions = ["s3:GetObject", "s3:GetObjectVersion"]
- effect = "Allow"
- resources = ["${aws_s3_bucket.bucket.arn}/*"]
- principals {
- type = "AWS"
- identifiers = local.account_arns
- }
- }
- }
|
