| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 |
- /*
- Configuration of S3 bucket for backups
- Uses server side encryption to secure
- data.
- */
- // S3 bucket for cluster storage
- # tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
- resource "aws_s3_bucket" "storage" {
- # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
- # checkov:skip=CKV_AWS_144: Cross-region replication TODO
-
- bucket = "xdr-${var.environment}-vmray-backups"
- force_destroy = var.instance_termination_protection ? false : true # reverse of termination protection, destroy if no termination protection
- }
- resource "aws_s3_bucket_acl" "s3_acl_storage" {
- bucket = aws_s3_bucket.storage.id
- acl = "private"
- }
- resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_storage" {
- bucket = aws_s3_bucket.storage.id
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.s3.arn
- sse_algorithm = "aws:kms"
- }
- }
- }
- resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_storage" {
- bucket = aws_s3_bucket.storage.id
- rule {
- id = "DeleteAfter90Days"
- status = "Enabled"
- abort_incomplete_multipart_upload {
- days_after_initiation = 7
- }
- expiration {
- days = 90
- }
- noncurrent_version_expiration {
- noncurrent_days = 93 # If they've expired and not been synced back, be able to rescue them
- }
- noncurrent_version_transition {
- noncurrent_days = 30
- storage_class = "STANDARD_IA"
- }
- }
- }
- resource "aws_s3_bucket_public_access_block" "awsconfig_bucket_block_public_access" {
- block_public_acls = true
- block_public_policy = true
- bucket = aws_s3_bucket.storage.id
- ignore_public_acls = true
- restrict_public_buckets = true
- }
- resource "aws_s3_bucket_versioning" "versioning" {
- bucket = aws_s3_bucket.storage.id
- versioning_configuration {
- status = "Enabled"
- }
- }
|
