| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374 |
- # Prepares the S3 bucket for object storage
- # tfsec:ignore:aws-s3-enable-bucket-logging - We should log, but we don't
- resource "aws_s3_bucket" "s3_emr" {
- # checkov:skip=CKV_AWS_18:checkov also things we should log.
- bucket_prefix = replace("${local.unique_id}-", "_", "-") # No underscores in s3 names
- #logging {
- # target_bucket = "target-bucket"
- #}
- tags = merge(local.tags, { Prefix = local.unique_id })
- }
- resource "aws_s3_bucket_versioning" "s3_emr" {
- bucket = aws_s3_bucket.s3_emr.id
- versioning_configuration {
- status = "Enabled"
- }
- }
- resource "aws_s3_bucket_server_side_encryption_configuration" "s3_emr" {
- bucket = aws_s3_bucket.s3_emr.bucket
- rule {
- apply_server_side_encryption_by_default {
- #kms_master_key_id = "aws/s3" # Better to use a cmk
- sse_algorithm = "aws:kms"
- }
- }
- }
- resource "aws_s3_bucket_acl" "s3_emr" {
- bucket = aws_s3_bucket.s3_emr.id
- acl = "private"
- }
- resource "aws_s3_bucket_public_access_block" "s3_emr" {
- bucket = aws_s3_bucket.s3_emr.id
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
- }
- # Clean up incomplete uploads. These files aren't big enough to benefit from IA pricing
- # and RRS is more expensive than standard.
- resource "aws_s3_bucket_lifecycle_configuration" "s3_emr" {
- bucket = aws_s3_bucket.s3_emr.id
- rule {
- id = "AbortIncomplete"
- status = "Enabled"
- abort_incomplete_multipart_upload {
- days_after_initiation = 7
- }
- }
- rule {
- id = "DeleteAfter"
- status = "Enabled"
- expiration {
- days = 7
- }
- }
- }
- resource "aws_s3_object" "food-services" {
- bucket = aws_s3_bucket.s3_emr.id
- key = "aws_examples/food_establishment_data.csv"
- source = "data/food_establishment_data.csv"
- source_hash = filemd5("data/food_establishment_data.csv") # Update if this changes
- tags = local.tags
- }
|
