AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990
							/* 
Configuration of S3 bucket for certs and replay
storage. Uses server side encryption to secure
session replays and SSL certificates.
*/

// S3 bucket for cluster storage
# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
resource "aws_s3_bucket" "storage" {
  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
  # checkov:skip=CKV_AWS_144: Cross-region replication TODO
  bucket        = "${var.instance_name}-${var.environment}"
  force_destroy = var.instance_termination_protection ? false : true # reverse of termination protection, destroy if no termination protection
}

resource "aws_s3_bucket_acl" "s3_acl_storage" {
  bucket = aws_s3_bucket.storage.id
  acl    = "private"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_storage" {
  bucket = aws_s3_bucket.storage.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.s3.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_storage" {
  bucket = aws_s3_bucket.storage.id

  rule {
    id     = "DeleteAfter90Days"
    status = "Enabled"

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }

    expiration {
      days = 90
    }
  }
}

resource "aws_s3_bucket_public_access_block" "awsconfig_bucket_block_public_access" {
  block_public_acls       = true
  block_public_policy     = true
  bucket                  = aws_s3_bucket.storage.id
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Versioning prevents accidental deletion of records
resource "aws_s3_bucket_versioning" "storage" {
  bucket = aws_s3_bucket.storage.id
  versioning_configuration {
    status = "Enabled"
  }
}

//AWS Provider outdated arguments <4.4.0
/*resource "aws_s3_bucket" "storage" {
  bucket        = "${var.instance_name}-${var.environment}"
  acl           = "private"
  force_destroy = var.instance_termination_protection ? false : true # reverse of termination protection, destroy if no termination protection

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.s3.arn
        sse_algorithm = "aws:kms"
      }
    }
  }

  lifecycle_rule {
    id = "DeleteAfter90Days"
    enabled = true
    abort_incomplete_multipart_upload_days = 7

    expiration {
      days = 90
    }
  }
}
*/