resource "aws_s3_bucket" "this" {
  # Only the name lives here; every other bucket setting is managed by the
  # dedicated aws_s3_bucket_* resources below, all keyed on this bucket's id.
  bucket = var.bucket_name
}
resource "aws_s3_bucket_public_access_block" "block_public_access" {
  bucket = aws_s3_bucket.this.id

  # All four controls are switched on: public ACLs can neither be set nor
  # honoured, and a bucket policy that grants public access can neither be
  # attached nor take effect.
  restrict_public_buckets = true
  block_public_policy     = true
  ignore_public_acls      = true
  block_public_acls       = true
}
# Add SecureTransport restriction by default
data "aws_iam_policy_document" "bucket_policy" {
  # Start from the caller-supplied document and append a statement the caller
  # cannot opt out of: deny every s3:* call that was not made over TLS.
  # NOTE(review): if var.bucket_policy_json may be an empty string, confirm the
  # provider accepts it as a source document rather than rejecting it as
  # malformed JSON.
  source_policy_documents = [var.bucket_policy_json]

  statement {
    sid    = "AllowSSLRequestsOnly"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = ["s3:*"]

    # Bucket-level and object-level operations alike.
    resources = [
      aws_s3_bucket.this.arn,
      "${aws_s3_bucket.this.arn}/*",
    ]

    # aws:SecureTransport is false for requests that did not use TLS.
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = [false]
    }
  }
}
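resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.this.id

  # The caller's document is never attached directly; it is merged with the
  # mandatory TLS-only deny statement in data.aws_iam_policy_document.bucket_policy.
  policy = data.aws_iam_policy_document.bucket_policy.json

  # Order the policy after the public access block. Both resources write bucket
  # settings, and applying them concurrently may surface a conflicting-operation
  # error from S3. It also means a caller-supplied statement that S3 judges to be
  # public is rejected at apply time instead of briefly taking effect before the
  # block lands.
  depends_on = [aws_s3_bucket_public_access_block.block_public_access]
}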
resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" {
  count  = var.enable_bucket_lifecycle ? 1 : 0
  bucket = aws_s3_bucket.this.id

  # Rule 1: current object versions move to Intelligent-Tiering after 15 days
  # and are expired after the caller-chosen number of days.
  # NOTE(review): neither rule carries a filter {} or prefix, so both apply to
  # the whole bucket; newer provider releases expect an explicit filter on every
  # rule — confirm the pinned provider version accepts this.
  # NOTE(review): S3 requires the expiration day count to exceed the transition
  # day count (15) — confirm var.current_version_expiration_days is validated
  # accordingly.
  rule {
    id     = "CurrentVersion"
    status = "Enabled"

    transition {
      storage_class = "INTELLIGENT_TIERING"
      days          = 15
    }

    expiration {
      days = var.current_version_expiration_days
    }
  }

  # Rule 2: the same schedule for non-current versions. It can only have an
  # effect when versioning is on, so it is marked Disabled otherwise.
  rule {
    id     = "NonCurrentVersion"
    status = var.enable_versioning ? "Enabled" : "Disabled"

    noncurrent_version_transition {
      storage_class   = "INTELLIGENT_TIERING"
      noncurrent_days = 15
    }

    noncurrent_version_expiration {
      noncurrent_days = var.noncurrent_version_expiration_days
    }
  }
}
resource "aws_s3_bucket_intelligent_tiering_configuration" "intel_tiering_config" {
  bucket = aws_s3_bucket.this.id
  name   = "IntelligentTieringArchiveConfigurations"

  # Archive schedule for objects already stored in the INTELLIGENT_TIERING
  # class (which the lifecycle rules above move objects into). Not gated by a
  # flag because it has no effect on objects in any other storage class.
  tiering {
    access_tier = "DEEP_ARCHIVE_ACCESS"
    days        = 180 # minimum
  }

  tiering {
    access_tier = "ARCHIVE_ACCESS"
    days        = 90
  }
}
resource "aws_s3_bucket_logging" "logging" {
  count = var.enable_bucket_logging ? 1 : 0

  bucket        = aws_s3_bucket.this.id
  target_prefix = "s3-log/"
  # NOTE(review): nothing here stops var.logging_bucket_id from being this
  # bucket's own id; server access logs should land in a separate bucket —
  # confirm the caller guards against that.
  target_bucket = var.logging_bucket_id
}
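resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
  count  = var.enable_encryption ? 1 : 0
  bucket = aws_s3_bucket.this.id

  rule {
    # A non-empty key ARN selects SSE-KMS with that key; otherwise S3-managed
    # keys (AES256) are used. try() turns a null var.encryption_key_arn into
    # "no key" instead of a plan-time error from length(null). In the AES256
    # case the key id is omitted (null) rather than sent as an empty string.
    apply_server_side_encryption_by_default {
      sse_algorithm     = try(length(var.encryption_key_arn) > 0, false) ? "aws:kms" : "AES256"
      kms_master_key_id = try(length(var.encryption_key_arn) > 0, false) ? var.encryption_key_arn : null
    }

    # S3 Bucket Keys only apply to SSE-KMS; the comparison is already a bool,
    # so no `? true : false` is needed.
    bucket_key_enabled = try(length(var.encryption_key_arn) > 0, false)
  }
}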
resource "aws_s3_bucket_versioning" "versioning" {
  count  = var.enable_versioning ? 1 : 0
  bucket = aws_s3_bucket.this.id

  # Only ever sets Enabled; the flag controls whether the resource exists.
  # NOTE(review): turning the flag off removes this resource but is not
  # expected to suspend versioning on the bucket itself — confirm against the
  # pinned provider's destroy behaviour.
  versioning_configuration {
    status = "Enabled"
  }
}
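resource "aws_s3_bucket_replication_configuration" "replication" {
  # Replication is only meaningful on a versioned bucket, so both flags must be on.
  count = var.enable_replication && var.enable_versioning ? 1 : 0

  bucket = aws_s3_bucket.this.id
  role   = var.replication_role_arn

  # S3 rejects a replication configuration unless versioning is already Enabled
  # on the bucket. Without an explicit edge, Terraform may apply this resource
  # before aws_s3_bucket_versioning.versioning and fail on first apply.
  depends_on = [aws_s3_bucket_versioning.versioning]

  # NOTE(review): replica_modifications and delete_marker_replication belong to
  # the V2 rule schema, which expects a filter {} (and priority) on the rule —
  # confirm this applies cleanly with the pinned provider version.
  rule {
    id     = "replrule1"
    status = "Enabled"

    delete_marker_replication {
      status = "Enabled"
    }

    source_selection_criteria {
      replica_modifications {
        status = "Enabled"
      }

      # Required for objects encrypted with SSE-KMS to be replicated at all; the
      # destination key is given in encryption_configuration below.
      sse_kms_encrypted_objects {
        status = "Enabled"
      }
    }

    destination {
      bucket        = var.replication_dest_bucket_name
      account       = var.replication_destination_aws_account_id
      storage_class = "INTELLIGENT_TIERING"

      encryption_configuration {
        replica_kms_key_id = var.replication_destination_kms_key_arn
      }

      # Replicas are owned by the destination account, not the source account.
      access_control_translation {
        owner = "Destination"
      }

      # Replication Time Control: 15-minute SLA, with metrics enabled as RTC
      # requires.
      replication_time {
        status = "Enabled"

        time {
          minutes = 15
        }
      }

      metrics {
        status = "Enabled"

        event_threshold {
          minutes = 15
        }
      }
    }
  }
}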