首页 发现 帮助
注册 登录
AFS
/
xdr-terraform-modules
2
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: 842895b4b6
分支列表 标签列表
xdr-terraform-m...
/
base
/
CA_Infrastructure
/
subordinate_CAs
/
crl.tf

crl.tf 2.0 KB
文件历史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 
  1. resource "aws_s3_bucket" "crl" {
    2. 

  2.   provider = aws.common # COMMON SERVICES
    3. 

  3.   bucket = "xdr-subordinate-crl"
    4. 

  4. 

  5.   # CRLs are small, but regenerated every expiration/2 days, (every 3.5 days by default), so there will be a good number of versions
    6. 

  6.   versioning {
    7. 

  7.     enabled = true
    8. 

  8.   }
    9. 

  9. 

  10.   # TODO: Enable S3 logging... everywhere. We don't have a C2 bucket for this.
    11. 

  11.   #logging {
    12. 

  12.   #  target_bucket = module.xdr_config_logging_bucket.s3_bucket_name
    13. 

  13.   #  target_prefix = "${var.aws_account_id}-${var.aws_region}-awsconfig/"
    14. 

  14.   #}
    15. 

  15. 

  16.   lifecycle_rule {
    17. 

  17.     id = "CleanUp"
    18. 

  18.     enabled = true
    19. 

  19.     abort_incomplete_multipart_upload_days = 7
    20. 

  20.     # Clean up old versions after a year
    21. 

  21.     noncurrent_version_expiration {
    22. 

  22.       days = 365
    23. 

  23.     }
    24. 

  24.   }
    25. 

  25. 

  26.   server_side_encryption_configuration {
    27. 

  27.     rule {
    28. 

  28.       apply_server_side_encryption_by_default {
    29. 

  29.         sse_algorithm = "AES256" # Default keys are fine. We don't really need encryption here.
    30. 

  30.       }
    31. 

  31.     }
    32. 

  32.   }
    33. 

  33. 

  34.   tags = merge(var.standard_tags, var.tags)
    35. 

  35. }
    36. 

  36. 

  37. data "aws_iam_policy_document" "acmpca_bucket_access" {
    38. 

  38.   statement {
    39. 

  39.     actions = [
    40. 

  40.       "s3:GetBucketAcl",
    41. 

  41.       "s3:GetBucketLocation",
    42. 

  42.       "s3:PutObject",
    43. 

  43.       "s3:PutObjectAcl",
    44. 

  44.     ]
    45. 

  45. 

  46.     resources = [
    47. 

  47.       aws_s3_bucket.crl.arn,
    48. 

  48.       "${aws_s3_bucket.crl.arn}/*",
    49. 

  49.     ]
    50. 

  50. 

  51.     principals {
    52. 

  52.       identifiers = ["acm-pca.amazonaws.com"]
    53. 

  53.       type        = "Service"
    54. 

  54.     }
    55. 

  55.   }
    56. 

  56. }
    57. 

  57. 

  58. resource "aws_s3_bucket_policy" "crl" {
    59. 

  59.   provider = aws.common # COMMON SERVICES
    60. 

  60.   bucket = aws_s3_bucket.crl.id
    61. 

  61.   policy = data.aws_iam_policy_document.acmpca_bucket_access.json
    62. 

  62. }
    63. 

  63. 

  64. # Publicly available CRL so clients can validate
    65. 

  65. #resource "aws_s3_bucket_public_access_block" "crl_bucket_block_public_access" {
    66. 

  66. #  provider = aws.common # COMMON SERVICES
    67. 

  67. #  bucket                  = aws_s3_bucket.crl.id
    68. 

  68. #  block_public_acls       = false # Not supported for CRLs, see https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-error-crl-acm-ca/
    69. 

  69. #  block_public_policy     = true
    70. 

  70. #  ignore_public_acls      = true
    71. 

  71. #  restrict_public_buckets = true
    72. 

  72. #  depends_on = [ aws_s3_bucket.crl ]
    73. 

  73. #}
    74.