UPD: added AllowSSLRequestsOnly bucket policy statement

This commit is contained in:
xpk 2023-03-25 12:36:54 +08:00
parent d2ddc8dcf1
commit 9ecb677dde
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86


@ -4,17 +4,17 @@ resource "aws_s3_bucket" "s3bucket" {
resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" { resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {
depends_on = [aws_s3_bucket.s3bucket] depends_on = [aws_s3_bucket.s3bucket]
bucket = aws_s3_bucket.s3bucket.id bucket = aws_s3_bucket.s3bucket.id
block_public_acls = true block_public_acls = true
block_public_policy = true block_public_policy = true
ignore_public_acls = true ignore_public_acls = true
restrict_public_buckets = true restrict_public_buckets = true
} }
resource "aws_s3_bucket_ownership_controls" "bucket-ownership-setting" { resource "aws_s3_bucket_ownership_controls" "bucket-ownership-setting" {
depends_on = [aws_s3_bucket_public_access_block.s3-public-access-settings] depends_on = [aws_s3_bucket_public_access_block.s3-public-access-settings]
bucket = aws_s3_bucket.s3bucket.id bucket = aws_s3_bucket.s3bucket.id
rule { rule {
object_ownership = "BucketOwnerPreferred" object_ownership = "BucketOwnerPreferred"
@ -27,7 +27,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "bucket-lifecycle-config" {
bucket = aws_s3_bucket.s3bucket.bucket bucket = aws_s3_bucket.s3bucket.bucket
rule { rule {
id = "default" id = "default"
status = "Enabled" status = "Enabled"
dynamic "noncurrent_version_expiration" { dynamic "noncurrent_version_expiration" {
@ -52,7 +52,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "bucket-lifecycle-config" {
} }
resource "aws_s3_bucket_versioning" "bucket-versioning" { resource "aws_s3_bucket_versioning" "bucket-versioning" {
count = var.enable-bucket-versioning ? 1 : 0 count = var.enable-bucket-versioning ? 1 : 0
bucket = aws_s3_bucket.s3bucket.id bucket = aws_s3_bucket.s3bucket.id
versioning_configuration { versioning_configuration {
status = "Enabled" status = "Enabled"
@ -63,7 +63,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "bucket-encryption
bucket = aws_s3_bucket.s3bucket.bucket bucket = aws_s3_bucket.s3bucket.bucket
rule { rule {
apply_server_side_encryption_by_default { apply_server_side_encryption_by_default {
sse_algorithm = "AES256" sse_algorithm = "AES256"
} }
} }
} }
@ -86,13 +86,25 @@ resource "aws_s3_bucket_policy" "bucket-policy" {
"Effect": "Allow", "Effect": "Allow",
"Resource": [ "Resource": [
"arn:aws:s3:::${var.bucket-name}/*", "arn:aws:s3:::${var.bucket-name}/*",
"arn:aws:s3:::${var.bucket-name}-tfstate" "arn:aws:s3:::${var.bucket-name}"
], ],
"Principal": { "Principal": {
"AWS": [ "AWS": [
"arn:aws:iam::${data.aws_caller_identity.this.account_id}:root" "arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"
] ]
} }
},
{
"Sid": "AllowSSLRequestsOnly",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::${var.bucket-name}/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Principal": "*"
} }
] ]
} }
@ -100,9 +112,9 @@ EOT
} }
resource "aws_dynamodb_table" "tfstate-lock-table" { resource "aws_dynamodb_table" "tfstate-lock-table" {
name = var.ddb-table-name name = var.ddb-table-name
billing_mode = "PAY_PER_REQUEST" billing_mode = "PAY_PER_REQUEST"
hash_key = "LockID" hash_key = "LockID"
point_in_time_recovery { point_in_time_recovery {
enabled = true enabled = true
} }
@ -116,4 +128,4 @@ resource "aws_dynamodb_table" "tfstate-lock-table" {
} }
} }
data aws_caller_identity this {} data "aws_caller_identity" "this" {}
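Review bot: The new AllowSSLRequestsOnly Deny statement names only the object ARN `arn:aws:s3:::${var.bucket-name}/*`, so bucket-level requests (s3:ListBucket, s3:GetBucketPolicy, s3:PutBucketPolicy and the like) made without TLS are not caught by it. The AWS-documented form of this statement lists both the bucket and its objects: `"Resource": ["arn:aws:s3:::${var.bucket-name}", "arn:aws:s3:::${var.bucket-name}/*"],`. The same hunk also changes the second Resource entry of the preceding Allow statement between `${var.bucket-name}-tfstate` and `${var.bucket-name}`; whichever is the new value, the Deny's Resource should refer to that same bucket, otherwise the two statements protect different buckets. The enclosing `aws_s3_bucket_policy` resource and its policy heredoc begin above the hunk, so the statement's placement inside the Statement array cannot be fully checked here.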