| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140 |
- locals {
- bucket_name = "xdr-${var.splunk_prefix}-${var.environment}-splunk-apps"
- accounts = [var.aws_account_id]
- account_arns = [for a in local.accounts : "arn:${var.aws_partition}:iam::${a}:root"]
- }
- resource "aws_s3_bucket" "bucket" {
- bucket = local.bucket_name
- tags = merge(local.standard_tags, var.tags)
- }
- resource "aws_s3_bucket_acl" "s3_acl_bucket" {
- bucket = aws_s3_bucket.bucket.id
- acl = "private"
- }
- # tfsec:ignore:aws-s3-enable-versioning no versioning needed
- resource "aws_s3_bucket_versioning" "s3_version_bucket" {
- bucket = aws_s3_bucket.bucket.id
- versioning_configuration {
- status = "Suspended"
- }
- }
- resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" {
- bucket = aws_s3_bucket.bucket.id
- rule {
- id = "APPS_POLICY"
- status = "Enabled"
- abort_incomplete_multipart_upload {
- days_after_initiation = 2
- }
- transition {
- days = 30
- storage_class = "INTELLIGENT_TIERING"
- }
- # Clean up old versions after a year
- # noncurrent_version_expiration {
- # noncurrent_days = 365
- # }
- }
- }
- resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
- bucket = aws_s3_bucket.bucket.id
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.bucketkey.arn
- sse_algorithm = "aws:kms"
- }
- }
- }
- resource "aws_s3_bucket_public_access_block" "public_access_block" {
- bucket = aws_s3_bucket.bucket.id
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
- # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
- # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
- depends_on = [aws_s3_bucket_policy.policy]
- }
- data "aws_iam_policy_document" "policy" {
- statement {
- sid = "AccountAllow"
- effect = "Allow"
- resources = [
- "${aws_s3_bucket.bucket.arn}",
- "${aws_s3_bucket.bucket.arn}/*"
- ]
- actions = [
- "s3:GetObject",
- "s3:ListBucket",
- ]
- principals {
- type = "AWS"
- identifiers = local.account_arns
- }
- }
- }
- resource "aws_s3_bucket_policy" "policy" {
- bucket = aws_s3_bucket.bucket.id
- policy = data.aws_iam_policy_document.policy.json
- }
- //AWS Provider outdated arguments <4.4.0
- /*resource "aws_s3_bucket" "bucket" {
- bucket = local.bucket_name
- acl = "private"
- versioning {
- enabled = false
- }
- tags = merge(local.standard_tags, var.tags)
- #logging {
- # target_bucket = "dps-s3-logs"
- # target_prefix = "aws_terraform_s3_state_access_logs/"
- #}
- lifecycle_rule {
- id = "APPS_POLICY"
- enabled = true
- abort_incomplete_multipart_upload_days = 2
- transition {
- days = 30
- storage_class = "INTELLIGENT_TIERING"
- }
- # expiration {
- # days = 365
- # }
- }
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.bucketkey.arn
- sse_algorithm = "aws:kms"
- }
- }
- }
- }
- */
|
