s3.tf
# Identity performing the apply; its ARN and account id are used as principals
# in the source KMS key policy declared in this file.
data "aws_caller_identity" "current" {}
# Versioning is intentionally left off, following the S3-to-S3 cross-account
# DataSync tutorial:
# https://docs.aws.amazon.com/datasync/latest/userguide/tutorial_s3-s3-cross-account-transfer.html
# NOTE(review): without versioning, an overwritten or deleted source object
# cannot be restored from the bucket itself.
#tfsec:ignore:aws-s3-enable-versioning
module "source-bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"
  # NOTE(review): lower bound only; any future major release of the module is
  # pulled in on the next init. A bounded constraint such as "~> 3.5" keeps
  # the provider-module supply chain reproducible.
  version = ">=3.5.0"

  bucket = "${random_pet.prefix.id}-source-bucket"

  # ACLs are disabled; the bucket owner owns every object.
  control_object_ownership = true
  object_ownership         = "BucketOwnerEnforced"

  # All four public-access-block settings are on.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Server access logs are delivered to the dedicated log bucket in this file.
  logging = {
    target_bucket = module.s3_log_delivery_bucket.s3_bucket_id
    target_prefix = "log/"
  }
}
# Bucket-default encryption for the source bucket: SSE-KMS with the
# customer-managed key declared in this file.
# NOTE(review): a default encryption rule does not stop a writer from
# requesting a different key or SSE-S3 on PutObject; enforcing one key needs
# a bucket-policy condition, which this file does not define.
resource "aws_s3_bucket_server_side_encryption_configuration" "source-bucket" {
  bucket = module.source-bucket.s3_bucket_id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.source-kms.arn
    }
  }
}
# Customer-managed symmetric key used as the default encryption key for both
# the source bucket and the server-access-log bucket in this file.
resource "aws_kms_key" "source-kms" {
  description              = "KMS key for encrypting source S3 buckets"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = true

  # NOTE(review): 7 days is the shortest pending-deletion window KMS allows.
  # Once it elapses, everything encrypted under this key (source objects and
  # their access logs) is unrecoverable; a longer window (the KMS default is
  # 30 days) leaves more time to notice and cancel a scheduled deletion.
  deletion_window_in_days = 7
}
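# Key policy for the source key. Naming the account root as a principal lets
# IAM policies in this account grant key use (e.g. to the DataSync role); the
# apply-time caller is named explicitly as well.
#
# Fix: the interpolation-only strings ("${...}") around the caller ARN and the
# key ARN are replaced by direct references; Terraform >= 0.12 warns on the
# former and the resulting JSON is unchanged.
resource "aws_kms_key_policy" "source-kms-key-policy" {
  key_id = aws_kms_key.source-kms.id

  policy = jsonencode({
    Id      = "SourceKMSKeyPolicy"
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = [
            # NOTE(review): this pins the policy to whoever ran apply (a user
            # or assumed-role ARN). TODO confirm that identity is the intended
            # long-term key administrator rather than a CI/session identity.
            data.aws_caller_identity.current.arn,
            "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
          ]
        }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:DescribeKey",
          "kms:GenerateDataKey",
          # kms:PutKeyPolicy lets these principals rewrite this policy, so the
          # action list above is not a ceiling on what they can do with the key.
          "kms:PutKeyPolicy",
          "kms:Get*",
          "kms:List*",
        ]
        Resource = aws_kms_key.source-kms.arn
      },
    ]
  })
}

# NOTE(review): the access-log bucket in this file is SSE-KMS with this key
# and no statement here covers the S3 log-delivery service principal
# (logging.s3.amazonaws.com). If KMS-encrypted log targets require that
# principal to hold kms:GenerateDataKey on the key, log delivery will fail
# silently — verify that access logs actually arrive in the log bucket.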
##############################################################################
# Source-side S3 bucket for server access logs (optional if one already exists)
##############################################################################
# tfsec: the bucket-logging check is suppressed for the log bucket itself.
#tfsec:ignore:aws-s3-enable-bucket-logging
module "s3_log_delivery_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"
  # NOTE(review): lower bound only; see the matching constraint on the source
  # bucket module — a bounded constraint keeps the module version reproducible.
  version = ">=3.5.0"

  bucket = "${random_pet.prefix.id}-s3-log-bucket"

  # ACLs are disabled; the bucket owner owns every delivered log object.
  control_object_ownership = true
  object_ownership         = "BucketOwnerEnforced"

  # All four public-access-block settings are on.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Unlike the source bucket, the log bucket keeps object versions so that
  # overwritten or deleted log records remain recoverable.
  versioning = {
    enabled = true
  }
}
# Bucket-default encryption for the access-log bucket, sharing the source key.
# NOTE(review): whoever can use this key can read both the source data and
# its access logs; a separate key for logs would let the two audiences differ.
# Also check that S3's log-delivery principal can use the key, otherwise
# log delivery to a KMS-encrypted target may not succeed.
resource "aws_s3_bucket_server_side_encryption_configuration" "s3-log-bucket" {
  bucket = module.s3_log_delivery_bucket.s3_bucket_id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.source-kms.arn
    }
  }
}