首頁 探索 說明
註冊 登入
AFS
/
xdr-terraform-modules
2
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
目錄樹: 6041805cd8
分支列表 標籤列表
xdr-terraform-m...
/
base
/
globally_accessible_bucket
/
main.tf

main.tf 1.7 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778 
  1. locals {
    2. 

  2.   # Technically, we don't need these in ARN format, but it makes updates slightly clearer
    3. 

  3.   accounts = [ for a in var.account_list: "arn:${var.aws_partition}:iam::${a}:root" ]
    4. 

  4. }
    5. 

  5. 

  6. resource "aws_s3_bucket" "bucket" {
    7. 

  7.   bucket = var.name
    8. 

  8.   acl    = "private"
    9. 

  9. 

  10.   versioning {
    11. 

  11.     enabled = false
    12. 

  12.   }
    13. 

  13. 

  14.   tags = merge(var.standard_tags, var.tags)
    15. 

  15. 

  16.   # FIXME: Does this keep a cross-account dependency?
    17. 

  17.   #logging {
    18. 

  18.   #  target_bucket = "dps-s3-logs"
    19. 

  19.   #  target_prefix = "aws_terraform_s3_state_access_logs/"
    20. 

  20.   #}
    21. 

  21. 

  22.   lifecycle_rule {
    23. 

  23.     enabled                                = true
    24. 

  24.     prefix                                 = ""
    25. 

  25.     abort_incomplete_multipart_upload_days = 7
    26. 

  26. 

  27.     expiration {
    28. 

  28.       days                         = 0
    29. 

  29.       expired_object_delete_marker = false
    30. 

  30.     }
    31. 

  31.   }
    32. 

  32. 

  33.   server_side_encryption_configuration {
    34. 

  34.     rule {
    35. 

  35.       apply_server_side_encryption_by_default {
    36. 

  36.         kms_master_key_id = aws_kms_key.bucketkey.arn
    37. 

  37.         sse_algorithm     = "aws:kms"
    38. 

  38.       }
    39. 

  39.     }
    40. 

  40.   }
    41. 

  41. 

  42. }
    43. 

  43. 

  44. resource "aws_s3_bucket_public_access_block" "public_access_block" {
    45. 

  45.   bucket                  = aws_s3_bucket.bucket.id
    46. 

  46.   block_public_acls       = true
    47. 

  47.   block_public_policy     = true
    48. 

  48.   ignore_public_acls      = true
    49. 

  49.   restrict_public_buckets = true
    50. 

  50. }
    51. 

  51. 

  52. resource "aws_s3_bucket_policy" "policy" {
    53. 

  53.   bucket = aws_s3_bucket.bucket.id
    54. 

  54. 

  55.   policy = <<POLICY
    56. 

  56. {
    57. 

  57.   "Version": "2012-10-17",
    58. 

  58.   "Id": "AllowAllAccounts",
    59. 

  59.   "Statement": [
    60. 

  60.     {
    61. 

  61.       "Sid": "AccountAllow",
    62. 

  62.       "Effect": "Allow",
    63. 

  63.       "Principal": {
    64. 

  64.         "AWS": ${jsonencode(local.accounts)}
    65. 

  65.       },
    66. 

  66.       "Action": [
    67. 

  67.         "s3:GetObject",
    68. 

  68.         "s3:ListBucket"
    69. 

  69.       ],
    70. 

  70.       "Resource": [
    71. 

  71.         "${aws_s3_bucket.bucket.arn}",
    72. 

  72.         "${aws_s3_bucket.bucket.arn}/*"
    73. 

  73.       ]
    74. 

  74.     }
    75. 

  75.   ]
    76. 

  76. }
    77. 

  77. POLICY
    78. 

  78. }
    79.