| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148 |
- locals {
- # Convert accounts to arns. Technically, we don't need these in ARN format, but it makes updates slightly clearer
- # Include customer accounts based on a flag
- customer_accounts_included = var.customer_access ? local.customer_accounts : []
- customer_accounts_arn = [for a in local.customer_accounts_included : "arn:${var.aws_partition}:iam::${a}:root"]
- # Include XDR accounts
- xdr_accounts = [for a in local.account_list : "arn:${var.aws_partition}:iam::${a}:root"]
- # Include any statically added accounts
- extra_accounts = [for a in var.extra_accounts : "arn:${var.aws_partition}:iam::${a}:root"]
- # Final list:
- final_accounts = concat(local.customer_accounts_arn, local.xdr_accounts, local.extra_accounts)
- }
- resource "aws_s3_bucket" "bucket" {
- bucket = var.name
- tags = merge(local.standard_tags, var.tags)
- }
- resource "aws_s3_bucket_acl" "s3_acl_bucket" {
- bucket = aws_s3_bucket.bucket.id
- acl = "private"
- }
- resource "aws_s3_bucket_versioning" "s3_version_bucket" {
- bucket = aws_s3_bucket.bucket.id
- versioning_configuration {
- status = "Suspended"
- }
- }
- #FIXME: Does this keep a cross-account dependency?
- #resource "aws_s3_bucket_logging" "example" {
- #bucket = aws_s3_bucket.example.id
- # target_bucket = "dps-s3-logs"
- # target_prefix = "aws_terraform_s3_state_access_logs/"
- #}
- resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" {
- bucket = aws_s3_bucket.bucket.id
- rule {
- id = "CleanUp"
- status = "Enabled"
- abort_incomplete_multipart_upload {
- days_after_initiation = 7
- }
- filter {
- prefix = ""
- }
- expiration {
- days = 0
- expired_object_delete_marker = false
- }
- }
- }
- resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
- bucket = aws_s3_bucket.bucket.id
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = var.encryption == "SSE-KMS" ? aws_kms_key.bucketkey[0].arn : null
- sse_algorithm = var.encryption == "SSE-KMS" ? "aws:kms" : "AES256"
- }
- }
- }
- /*resource "aws_s3_bucket" "bucket" {
- bucket = var.name
- acl = "private"
- versioning {
- enabled = false
- }
- tags = merge(local.standard_tags, var.tags)
- # FIXME: Does this keep a cross-account dependency?
- #logging {
- # target_bucket = "dps-s3-logs"
- # target_prefix = "aws_terraform_s3_state_access_logs/"
- #}
- lifecycle_rule {
- enabled = true
- prefix = ""
- abort_incomplete_multipart_upload_days = 7
- expiration {
- days = 0
- expired_object_delete_marker = false
- }
- }
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = var.encryption == "SSE-KMS" ? aws_kms_key.bucketkey[0].arn : null
- sse_algorithm = var.encryption == "SSE-KMS" ? "aws:kms" : "AES256"
- }
- }
- }
- }
- */
- resource "aws_s3_bucket_public_access_block" "public_access_block" {
- bucket = aws_s3_bucket.bucket.id
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
- }
- data "aws_iam_policy_document" "s3" {
- statement {
- sid = "AccountAllow"
- effect = "Allow"
- resources = [
- "${aws_s3_bucket.bucket.arn}",
- "${aws_s3_bucket.bucket.arn}/*",
- ]
- actions = [
- "s3:GetObject",
- "s3:ListBucket",
- ]
- principals {
- type = "AWS"
- identifiers = local.final_accounts
- }
- }
- }
- resource "aws_s3_bucket_policy" "policy" {
- bucket = aws_s3_bucket.bucket.id
- policy = data.aws_iam_policy_document.s3.json
- }
|
