Home Explore Help
Register Sign In
AFS
/
xdr-terraform-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: a15a8adf5b
Branches Tags
xdr-terraform-m...
/
thirdparty
/
terraform-aws-s3logging-bucket
/
main.tf

main.tf 2.0 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. data "aws_caller_identity" "current" {
    2. 

  2. }
    3. 

  3. 

  4. data "aws_region" "current" {
    5. 

  5. }
    6. 

  6. 

  7. locals {
    8. 

  8.   account_id = data.aws_caller_identity.current.account_id
    9. 

  9.   bucket_name = coalesce(
    10. 

  10.     var.bucket_name,
    11. 

  11.     "${local.account_id}-${local.region}-s3logging-${var.bucket_suffix}"
    12. 

  12.   )
    13. 

  13. 

  14.   region = data.aws_region.current.name
    15. 

  15. }
    16. 

  16. 

  17. resource "aws_s3_bucket" "this" {
    18. 

  18.   bucket = local.bucket_name
    19. 

  19.   acl    = "log-delivery-write"
    20. 

  20.   tags   = var.tags
    21. 

  21. 

  22.   dynamic "lifecycle_rule" {
    23. 

  23.     iterator = rule
    24. 

  24.     for_each = var.lifecycle_rules
    25. 

  25. 

  26.     content {
    27. 

  27.       id      = rule.value.id
    28. 

  28.       enabled = rule.value.enabled
    29. 

  29.       prefix  = lookup(rule.value, "prefix", null)
    30. 

  30.       abort_incomplete_multipart_upload_days = lookup(rule.value, "abort_incomplete_multipart_upload_days", 0)
    31. 

  31. 

  32.       expiration {
    33. 

  33.         days = lookup(rule.value, "expiration", 2147483647)
    34. 

  34.       }
    35. 

  35. 

  36.       noncurrent_version_expiration {
    37. 

  37.         days = lookup(rule.value, "noncurrent_version_expiration", 2147483647)
    38. 

  38.       }
    39. 

  39.     }
    40. 

  40.   }
    41. 

  41. 

  42.   server_side_encryption_configuration {
    43. 

  43.     rule {
    44. 

  44.       apply_server_side_encryption_by_default {
    45. 

  45.         sse_algorithm = "aws:kms"
    46. 

  46.       }
    47. 

  47.     }
    48. 

  48.   }
    49. 

  49. 

  50.   versioning {
    51. 

  51.     enabled = var.versioning_enabled
    52. 

  52.   }
    53. 

  53. 

  54.   lifecycle {
    55. 

  55.     ignore_changes = [versioning[0].mfa_delete]
    56. 

  56.   }
    57. 

  57. 

  58.   # Conformance Pack for CIS requires access logs on all S3 buckets and is a best
    59. 

  59.   # practice.
    60. 

  60.   #
    61. 

  61.   # Logging to the bucket itself is allowed, but if we ingest into splunk, make 
    62. 

  62.   # sure we don't set up a feedback loop (splunk accesses s3 bucket to get a log
    63. 

  63.   # which creates a log which leads to splunk accessing the s3 bucket)
    64. 

  64.   logging {
    65. 

  65.     target_bucket = local.bucket_name
    66. 

  66.     target_prefix = "${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}-${local.bucket_name}"
    67. 

  67.   }
    68. 

  68. 

  69. }
    70. 

  70. 

  71. resource "aws_s3_bucket_public_access_block" "this" {
    72. 

  72.   bucket                  = aws_s3_bucket.this.id
    73. 

  73.   block_public_acls       = true
    74. 

  74.   block_public_policy     = true
    75. 

  75.   ignore_public_acls      = true
    76. 

  76.   restrict_public_buckets = true
    77. 

  77. }
    78.