-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathmain.tf
66 lines (53 loc) · 2.97 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
resource "aws_s3_bucket" "this" {
#checkov:skip=CKV_AWS_18:This solution does not require access logging for S3 based health checks (false positive)
#checkov:skip=CKV_AWS_21:This solution does not require versioning for S3 based health checks (false positive)
#checkov:skip=CKV_AWS_144:This solution does not require cross region replication for S3 based health checks (false positive)
#checkov:skip=CKV_AWS_145:This solution does not require encryption for S3 based health checks (false positive)
#checkov:skip=CKV2_AWS_6:This solution does require public access for S3 based health checks (false positive)
#checkov:skip=CKV2_AWS_61:This solution does not require lifecycle for S3 based health checks (false positive)
#checkov:skip=CKV2_AWS_62:This solution does not events notification lifecycle for S3 based health checks (false positive)
bucket = format("%s-%s-%s", var.q.bucket, data.aws_region.this.name, local.rp2_id)
force_destroy = var.q.force_destroy
lifecycle {
create_before_destroy = true
}
}
resource "aws_s3_account_public_access_block" "this" {
#checkov:skip=CKV_AWS_53:This solution leverages block public ACLs feature as TRUE (false positive)
#checkov:skip=CKV_AWS_54:This solution leverages block public policy feature as TRUE (false positive)
#checkov:skip=CKV_AWS_55:This solution leverages ignore public ACLs feature as TRUE (false positive)
#checkov:skip=CKV_AWS_56:This solution leverages restrict public buckets feature as TRUE (false positive)
block_public_acls = var.q.block_access
block_public_policy = var.q.block_access
ignore_public_acls = var.q.block_access
restrict_public_buckets = var.q.block_access
}
resource "aws_s3_bucket_public_access_block" "this" {
#checkov:skip=CKV_AWS_53:This solution does require public access for S3 based health checks (false positive)
#checkov:skip=CKV_AWS_54:This solution does require public access for S3 based health checks (false positive)
#checkov:skip=CKV_AWS_55:This solution does require public access for S3 based health checks (false positive)
#checkov:skip=CKV_AWS_56:This solution does require public access for S3 based health checks (false positive)
bucket = aws_s3_bucket.this.id
block_public_acls = var.q.block_access
block_public_policy = var.q.block_access
ignore_public_acls = var.q.block_access
restrict_public_buckets = var.q.block_access
depends_on = [aws_s3_account_public_access_block.this]
}
resource "aws_s3_bucket_policy" "this" {
count = var.q.block_access ? 0 : 1
bucket = aws_s3_bucket.this.id
policy = data.aws_iam_policy_document.this.json
depends_on = [aws_s3_bucket_public_access_block.this]
}
resource "aws_s3_bucket_ownership_controls" "this" {
bucket = aws_s3_bucket.this.id
rule {
object_ownership = var.q.object_ownership
}
}
resource "aws_s3_bucket_logging" "this" {
bucket = aws_s3_bucket.this.id
target_bucket = data.terraform_remote_state.s3.outputs.id
target_prefix = var.q.logs_prefix
}