generated from dxw/terraform-template
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy paths3-logs.tf
82 lines (65 loc) · 2.03 KB
/
s3-logs.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
# https://github.com/aquasecurity/tfsec/issues/2081
# tfsec:ignore:aws-s3-enable-bucket-logging
resource "aws_s3_bucket" "logs" {
count = local.enable_logs_bucket ? 1 : 0
bucket = "${local.project_name}-tfvars-logs"
}
resource "aws_s3_bucket_policy" "logs" {
count = local.enable_logs_bucket ? 1 : 0
bucket = aws_s3_bucket.logs[0].id
policy = templatefile(
"${path.module}/policies/s3-bucket-policy.json.tpl",
{
statement = <<EOT
[
${templatefile("${path.module}/policies/s3-bucket-policy-statements/enforce-tls.json.tpl", { bucket_arn = aws_s3_bucket.logs[0].arn })},
${templatefile("${path.module}/policies/s3-bucket-policy-statements/log-delivery-access.json.tpl", {
log_bucket_arn = aws_s3_bucket.logs[0].arn
source_bucket_arns = jsonencode([aws_s3_bucket.tfvars.arn])
account_id = local.aws_account_id
})}
]
EOT
}
)
}
resource "aws_s3_bucket_public_access_block" "logs" {
count = local.enable_logs_bucket ? 1 : 0
bucket = aws_s3_bucket.logs[0].id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_versioning" "logs" {
count = local.enable_logs_bucket ? 1 : 0
bucket = aws_s3_bucket.logs[0].id
versioning_configuration {
status = "Enabled"
}
}
# Using SSE-KMS is not supported for logging buckets
# tfsec:ignore:aws-s3-encryption-customer-key
resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
count = local.enable_logs_bucket ? 1 : 0
bucket = aws_s3_bucket.logs[0].id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
resource "aws_s3_bucket_lifecycle_configuration" "logs" {
count = local.enable_logs_bucket && local.logging_bucket_retention != 0 ? 1 : 0
bucket = aws_s3_bucket.logs[0].id
rule {
id = "all_expire"
filter {
prefix = ""
}
expiration {
days = local.logging_bucket_retention
}
status = "Enabled"
}
}