AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113
							locals {
  action_runner_distribution_object_key = "actions-runner-${var.runner_os}.${var.runner_os == "linux" ? "tar.gz" : "zip"}"
}

# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
# tfsec:ignore:aws-s3-enable-versioning versioning Suspended for this bucket
resource "aws_s3_bucket" "action_dist" {
  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
  # checkov:skip=CKV_AWS_19: False positive due to var.encryption
  # checkov:skip=CKV_AWS_21: versioning Suspended for this bucket
  # checkov:skip=CKV_AWS_144: TODO: cross replication
  # checkov:skip=CKV_AWS_145: False positive due to var.encryption

  bucket        = var.distribution_bucket_name
  force_destroy = true
  tags          = var.tags
}

resource "aws_s3_bucket_acl" "action_dist_acl" {
  bucket = aws_s3_bucket.action_dist.id
  acl    = "private"
}

resource "aws_s3_bucket_lifecycle_configuration" "bucket-config" {
  bucket = aws_s3_bucket.action_dist.id

  rule {
    id     = "lifecycle_config"
    status = "Enabled"

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }

    transition {
      days          = 35
      storage_class = "INTELLIGENT_TIERING"
    }


  }
}

# tfsec:ignore:aws-s3-encryption-customer-key Risk is low for AES-256 encryption
resource "aws_s3_bucket_server_side_encryption_configuration" "action_dist" {
  bucket = aws_s3_bucket.action_dist.id
  count  = try(var.server_side_encryption_configuration, null) != null ? 1 : 0

# tfsec:ignore:aws-s3-enable-bucket-encryption FalsePos
  dynamic "rule" {
    for_each = [lookup(var.server_side_encryption_configuration, "rule", {})]

    content {
      bucket_key_enabled = lookup(rule.value, "bucket_key_enabled", null)

      dynamic "apply_server_side_encryption_by_default" {
        for_each = length(keys(lookup(rule.value, "apply_server_side_encryption_by_default", {}))) == 0 ? [] : [
        lookup(rule.value, "apply_server_side_encryption_by_default", {})]

        content {
          sse_algorithm     = apply_server_side_encryption_by_default.value.sse_algorithm
          kms_master_key_id = lookup(apply_server_side_encryption_by_default.value, "kms_master_key_id", null)
        }
      }
    }
  }
}

resource "aws_s3_bucket_public_access_block" "action_dist" {
  bucket                  = aws_s3_bucket.action_dist.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}


data "aws_iam_policy_document" "action_dist_sse_policy" {
  count = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0

  statement {
    effect = "Deny"

    principals {
      type = "AWS"

      identifiers = [
        "*",
      ]
    }

    actions = [
      "s3:PutObject",
    ]

    resources = [
      "${aws_s3_bucket.action_dist.arn}/*",
    ]

    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = [var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default.sse_algorithm]
    }
  }
}

resource "aws_s3_bucket_policy" "action_dist_sse_policy" {
  count  = try(var.server_side_encryption_configuration.rule.apply_server_side_encryption_by_default, null) != null ? 1 : 0
  bucket = aws_s3_bucket.action_dist.id
  policy = data.aws_iam_policy_document.action_dist_sse_policy[0].json
}