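# Bucket policy for the CloudTrail log bucket: lets the CloudTrail (and AWS
# Config) service principals deliver logs and gives the owning account read
# access. Rendered into aws_s3_bucket.ct-bucket via the .json attribute.
data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
  # CloudTrail reads the bucket ACL before it starts delivering.
  statement {
    sid = "AWSCloudTrailAclCheck"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:GetBucketAcl"]
    resources = ["arn:aws:s3:::${local.ct-bucket-name}"]

    # NOTE(review): config.amazonaws.com may PutObject below but is not
    # granted GetBucketAcl here; if AWS Config actually delivers to this
    # bucket, confirm whether it also needs this check (and s3:ListBucket).
  }

  # Log delivery. The s3:x-amz-acl condition rejects any write that does not
  # set the bucket-owner-full-control ACL; both services send that ACL, and
  # under the BucketOwnerPreferred ownership setting it is what makes the
  # bucket owner (not the service) the owner of the delivered objects.
  # A further aws:SourceAccount / aws:SourceArn condition would pin delivery
  # to this account's trail; left out here because the trail ARN is defined
  # elsewhere - add it once the trail resource is in scope.
  statement {
    sid = "AWSCloudTrailWrite"

    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com", "cloudtrail.amazonaws.com"]
    }

    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${local.ct-bucket-name}/*"]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }

  # Read access for the account itself. A bare account ID as an "AWS"
  # principal means the account root, so any IAM identity in the account
  # that also holds s3:Get* in its own policy can read the logs; narrow the
  # identifiers to specific role ARNs if only auditors should read them.
  statement {
    sid = "ReadAccessForAccountOwner"

    principals {
      type        = "AWS"
      identifiers = [data.aws_caller_identity.this.account_id]
    }

    actions = ["s3:Get*"]
    resources = [
      "arn:aws:s3:::${local.ct-bucket-name}",
      "arn:aws:s3:::${local.ct-bucket-name}/*",
    ]
  }
}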
# S3 bucket that receives CloudTrail (and, per the policy, AWS Config)
# deliveries. Encrypted with a customer-managed KMS key, policy attached
# inline, objects tiered after 30 days and expired after a configurable
# retention period.
#
# NOTE(review): policy, versioning, server_side_encryption_configuration and
# lifecycle_rule are inline arguments of aws_s3_bucket that newer AWS
# provider releases moved to separate aws_s3_bucket_* resources; check the
# provider version pinned for this module before upgrading.
resource "aws_s3_bucket" "ct-bucket" {
  bucket = local.ct-bucket-name
  policy = data.aws_iam_policy_document.cloudtrail_bucket_policy.json

  # Versioning is off, so an overwritten or deleted log object is gone for
  # good. Enabling it (ideally with MFA delete) is a common control for
  # audit-log buckets; if enabled, the expiration rule below would also need
  # a noncurrent_version_expiration so old versions do not accumulate.
  versioning {
    enabled = false
  }

  # SSE-KMS with a customer-managed key. CloudTrail can only write here if
  # the key policy of aws_kms_key.ctbucket-key grants cloudtrail.amazonaws.com
  # GenerateDataKey*; that key policy is defined outside this file.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.ctbucket-key.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  tags = var.default-tags

  # No server access logging is configured for this bucket; reads of the
  # trail logs themselves are therefore only visible through CloudTrail
  # data events, if those are enabled elsewhere.
  lifecycle_rule {
    id      = "${local.resource-prefix}-ctbucket-lifecycle-rule"
    enabled = true

    # Move logs to Intelligent-Tiering after 30 days; retention itself is
    # governed by var.cloudtrail-retain-days.
    transition {
      days          = 30
      storage_class = "INTELLIGENT_TIERING"
    }

    expiration {
      days = var.cloudtrail-retain-days
    }
  }
}
# Public-access guard for the CloudTrail bucket. All four settings are on,
# so neither a bucket policy nor an ACL can make the log objects public,
# and any existing public ACL is ignored.
resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {
  bucket = aws_s3_bucket.ct-bucket.id

  # Policy-level controls: reject public policies and, if one slips through,
  # restrict the bucket to the owning account and AWS services anyway.
  block_public_policy     = true
  restrict_public_buckets = true

  # ACL-level controls: reject new public ACLs and ignore existing ones.
  block_public_acls  = true
  ignore_public_acls = true
}
# Object ownership for the CloudTrail bucket. BucketOwnerPreferred keeps ACLs
# enabled and hands ownership to the bucket owner only for objects written
# with the bucket-owner-full-control ACL (which the delivering services do
# send). BucketOwnerEnforced would disable ACLs entirely and make the bucket
# owner own every object regardless of the ACL header - the stricter choice
# if nothing here depends on object ACLs.
resource "aws_s3_bucket_ownership_controls" "ctbucket-ownership-setting" {
  bucket = aws_s3_bucket.ct-bucket.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}