| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 |
- locals {
- # Technically, we don't need these in ARN format, but it makes updates slightly clearer
- xdr_accounts = [ for a in var.account_list: "arn:${var.aws_partition}:iam::${a}:root" ]
- extra_accounts = [ for a in var.extra_accounts: "arn:${var.aws_partition}:iam::${a}:root" ]
- accounts = concat(local.xdr_accounts, local.extra_accounts)
- }
- resource "aws_s3_bucket" "bucket" {
- bucket = var.name
- acl = "private"
- versioning {
- enabled = false
- }
- tags = merge(var.standard_tags, var.tags)
- # FIXME: Does this keep a cross-account dependency?
- #logging {
- # target_bucket = "dps-s3-logs"
- # target_prefix = "aws_terraform_s3_state_access_logs/"
- #}
- lifecycle_rule {
- enabled = true
- prefix = ""
- abort_incomplete_multipart_upload_days = 7
- expiration {
- days = 0
- expired_object_delete_marker = false
- }
- }
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = var.encryption == "SSE-KMS" ? aws_kms_key.bucketkey[0].arn : null
- sse_algorithm = var.encryption == "SSE-KMS" ? "aws:kms" : "AES256"
- }
- }
- }
- }
- resource "aws_s3_bucket_public_access_block" "public_access_block" {
- bucket = aws_s3_bucket.bucket.id
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
- }
- data "aws_iam_policy_document" "s3" {
- statement {
- sid = "AccountAllow"
- effect = "Allow"
- resources = [
- "${aws_s3_bucket.bucket.arn}",
- "${aws_s3_bucket.bucket.arn}/*",
- ]
- actions = [
- "s3:GetObject",
- "s3:ListBucket",
- ]
- principals {
- type = "AWS"
- identifiers = local.accounts
- }
- }
- }
- resource "aws_s3_bucket_policy" "policy" {
- bucket = aws_s3_bucket.bucket.id
- policy = data.aws_iam_policy_document.s3.json
- }
|
