xpk/terraform.aws-baseline-infra
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

UPD: added AllowSSLRequestsOnly bucket policy statement

Browse Source
This commit is contained in:
xpk 2023-03-25 12:36:54 +08:00
parent d2ddc8dcf1
commit 9ecb677dde
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
1 changed files with 25 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
modules/terraform-setup/main.tf
View File

@ -4,17 +4,17 @@ resource "aws_s3_bucket" "s3bucket" {
resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {
depends_on = [aws_s3_bucket.s3bucket]
bucket = aws_s3_bucket.s3bucket.id
bucket = aws_s3_bucket.s3bucket.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_ownership_controls" "bucket-ownership-setting" {
depends_on = [aws_s3_bucket_public_access_block.s3-public-access-settings]
bucket = aws_s3_bucket.s3bucket.id
bucket = aws_s3_bucket.s3bucket.id
rule {
object_ownership = "BucketOwnerPreferred"
@ -27,7 +27,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "bucket-lifecycle-config" {
bucket = aws_s3_bucket.s3bucket.bucket
rule {
id = "default"
id = "default"
status = "Enabled"
dynamic "noncurrent_version_expiration" {
@ -52,7 +52,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "bucket-lifecycle-config" {
}
resource "aws_s3_bucket_versioning" "bucket-versioning" {
count = var.enable-bucket-versioning ? 1 : 0
count = var.enable-bucket-versioning ? 1 : 0
bucket = aws_s3_bucket.s3bucket.id
versioning_configuration {
status = "Enabled"
@ -63,7 +63,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "bucket-encryption
bucket = aws_s3_bucket.s3bucket.bucket
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
sse_algorithm = "AES256"
}
}
}
@ -86,13 +86,25 @@ resource "aws_s3_bucket_policy" "bucket-policy" {
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::${var.bucket-name}/*",
"arn:aws:s3:::${var.bucket-name}-tfstate"
"arn:aws:s3:::${var.bucket-name}"
],
"Principal": {
"AWS": [
"arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"
]
}
},
{
"Sid": "AllowSSLRequestsOnly",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::${var.bucket-name}/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Principal": "*"
}
]
}
@ -100,9 +112,9 @@ EOT
}
resource "aws_dynamodb_table" "tfstate-lock-table" {
name = var.ddb-table-name
billing_mode = "PAY_PER_REQUEST"
hash_key = "LockID"
name = var.ddb-table-name
billing_mode = "PAY_PER_REQUEST"
hash_key = "LockID"
point_in_time_recovery {
enabled = true
}
@ -116,4 +128,4 @@ resource "aws_dynamodb_table" "tfstate-lock-table" {
}
}
data aws_caller_identity this {}
data "aws_caller_identity" "this" {}