| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061 |
- # S3 bucket for codebuild output
- # tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls
- # tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
- # tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
- resource "aws_s3_bucket" "artifacts" {
- # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
- # checkov:skip=CKV_AWS_144: TODO: cross replication
-
- bucket = "xdr-codebuild-artifacts"
- force_destroy = true
- }
- resource "aws_s3_bucket_acl" "s3_acl_artifacts" {
- bucket = aws_s3_bucket.artifacts.id
- acl = "private"
- }
- resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_artifacts" {
- bucket = aws_s3_bucket.artifacts.id
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.s3_codebuild_artifacts.arn
- sse_algorithm = "aws:kms"
- }
- }
- }
- resource "aws_s3_bucket_policy" "artifacts" {
- bucket = aws_s3_bucket.artifacts.id
- policy = data.aws_iam_policy_document.artifacts.json
- }
- data "aws_iam_policy_document" "artifacts" {
- statement {
- sid = "AllowS3Access"
- actions = ["s3:GetObject", "s3:GetObjectVersion"]
- effect = "Allow"
- resources = ["${aws_s3_bucket.artifacts.arn}/*"]
- principals {
- type = "AWS"
- identifiers = sort([for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"])
- }
- }
- }
- resource "aws_s3_bucket_public_access_block" "artifacts" {
- bucket = aws_s3_bucket.artifacts.id
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
- }
- resource "aws_s3_bucket_versioning" "artifacts" {
- bucket = aws_s3_bucket.artifacts.id
- versioning_configuration {
- status = "Enabled"
- }
- }
|
