Эхлэл Бүгдийг харах Тусламж
Бүртгүүлэх Нэвтрэх
AFS
/
xdr-terraform-modules
2
0
Салаа 0
Файлууд Асуудлууд 0 Хуулах хүсэлтүүд 0 Мэдлэгийн сан
Мод: 780e3d9967
Салаанууд Тагууд
xdr-terraform-m...
/
base
/
codebuild_portal_lambda
/
s3.tf

s3.tf 2.1 KB
Түүх Анхны өгөгдөл

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071 
  1. locals {
    2. 

  2.   bucket_name  = "xdr-${var.environment}-codebuild-portal-data-sync"
    3. 

  3.   accounts     = [var.aws_account_id]
    4. 

  4.   account_arns = [for a in local.accounts : "arn:${var.aws_partition}:iam::${a}:root"]
    5. 

  5. }
    6. 

  6. 

  7. #S3 bucket for codebuild output
    8. 

  8. # tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
    9. 

  9. resource "aws_s3_bucket" "bucket" {
    10. 

  10.   # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
    11. 

  11.   # checkov:skip=CKV_AWS_21: versioning Suspended for this bucket
    12. 

  12.   # checkov:skip=CKV_AWS_144: TODO: cross replication
    13. 

  13. 

  14.   bucket        = local.bucket_name
    15. 

  15.   force_destroy = true
    16. 

  16.   tags          = merge(local.standard_tags, var.tags)
    17. 

  17. }
    18. 

  18. 

  19. resource "aws_s3_bucket_acl" "s3_acl_bucket" {
    20. 

  20.   bucket = aws_s3_bucket.bucket.id
    21. 

  21.   acl    = "private"
    22. 

  22. }
    23. 

  23. 

  24. # tfsec:ignore:aws-s3-enable-versioning versioning Suspended for this bucket
    25. 

  25. resource "aws_s3_bucket_versioning" "s3_version_bucket" {
    26. 

  26.   bucket = aws_s3_bucket.bucket.id
    27. 

  27.   versioning_configuration {
    28. 

  28.     status = "Suspended"
    29. 

  29.   }
    30. 

  30. }
    31. 

  31. 

  32. resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
    33. 

  33.   bucket = aws_s3_bucket.bucket.id
    34. 

  34. 

  35.   rule {
    36. 

  36.     apply_server_side_encryption_by_default {
    37. 

  37.       kms_master_key_id = aws_kms_key.s3_codebuild.arn
    38. 

  38.       sse_algorithm     = "aws:kms"
    39. 

  39.     }
    40. 

  40.   }
    41. 

  41. }
    42. 

  42. 

  43. resource "aws_s3_bucket_public_access_block" "public_access_block" {
    44. 

  44.   bucket                  = aws_s3_bucket.bucket.id
    45. 

  45.   block_public_acls       = true
    46. 

  46.   block_public_policy     = true
    47. 

  47.   ignore_public_acls      = true
    48. 

  48.   restrict_public_buckets = true
    49. 

  49. 

  50.   # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
    51. 

  51.   # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
    52. 

  52.   depends_on = [aws_s3_bucket_policy.artifacts]
    53. 

  53. }
    54. 

  54. 

  55. resource "aws_s3_bucket_policy" "artifacts" {
    56. 

  56.   bucket = aws_s3_bucket.bucket.id
    57. 

  57.   policy = data.aws_iam_policy_document.artifacts.json
    58. 

  58. }
    59. 

  59. 

  60. data "aws_iam_policy_document" "artifacts" {
    61. 

  61.   statement {
    62. 

  62.     sid       = "AllowS3Access"
    63. 

  63.     actions   = ["s3:GetObject", "s3:GetObjectVersion"]
    64. 

  64.     effect    = "Allow"
    65. 

  65.     resources = ["${aws_s3_bucket.bucket.arn}/*"]
    66. 

  66.     principals {
    67. 

  67.       type        = "AWS"
    68. 

  68.       identifiers = local.account_arns
    69. 

  69.     }
    70. 

  70.   }
    71. 

  71. }
    72.