AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141
							locals {
  bucket_name = "xdr-${var.splunk_prefix}-${var.environment}-phantom-archives"
  principals = [
    "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin",
    "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
    aws_iam_role.phantom_s3_role.arn
  ]
}

# tfsec:ignore:aws-s3-enable-bucket-logging TODO: enable everywhere at a later date if required
resource "aws_s3_bucket" "bucket" {
  # checkov:skip=CKV_AWS_18: see tfsec S3 logging above
  # checkov:skip=CKV_AWS_144: TODO: cross replication
  
  bucket = local.bucket_name
  tags   = merge(local.standard_tags, var.tags)
}
resource "aws_s3_bucket_versioning" "s3_version_bucket" {
  bucket = aws_s3_bucket.bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}
resource "aws_s3_bucket_acl" "s3_acl_bucket" {
  bucket = aws_s3_bucket.bucket.id
  acl    = "private"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.bucketkey.arn
      sse_algorithm     = "aws:kms"
    }
  }
}
resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" {
  bucket = aws_s3_bucket.bucket.id
  rule {
    id     = "INTELLIGENT_TIERING"
    status = "Enabled"
    abort_incomplete_multipart_upload {
      days_after_initiation = 2
    }
    transition {
      days          = 30
      storage_class = "INTELLIGENT_TIERING"
    }
    transition {
      days          = 365
      storage_class = "DEEP_ARCHIVE"
    }
    expiration {
      days = 7 * 365
    }
  }
}
resource "aws_s3_bucket_public_access_block" "public_access_block" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
  # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
  depends_on = [aws_s3_bucket_policy.policy]
}
resource "aws_s3_bucket_policy" "policy" {
  depends_on = [aws_iam_role.phantom_s3_role]

  bucket = aws_s3_bucket.bucket.id

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "AllowThisAccount",
  "Statement": [
    {
      "Sid": "AccountAllow",
      "Effect": "Allow",
      "Principal": {
        "AWS": ${jsonencode(local.principals)}
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "${aws_s3_bucket.bucket.arn}",
        "${aws_s3_bucket.bucket.arn}/*"
      ]
    }
  ]
}
POLICY
}

//AWS Provider outdated arguments <4.4.0
/*resource "aws_s3_bucket" "bucket" {
  bucket = local.bucket_name
  acl    = "private"

  versioning {
    enabled = true
  }

  tags = merge(local.standard_tags, var.tags)

  lifecycle_rule {
    id      = "INTELLIGENT_TIERING"
    enabled = true

    abort_incomplete_multipart_upload_days = 2

    transition {
      days          = 30
      storage_class = "INTELLIGENT_TIERING"
    }

    transition {
      days          = 365
      storage_class = "DEEP_ARCHIVE"
    }

    expiration {
      days = 7*365
    }
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.bucketkey.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
*/