
S3 bucket module changes (#1510)
* move sse config and bucket versioning to their own resources

* remove sse resources now provided in s3-bucket module

* rename module directory

* Revert "rename module directory"
Was probably a bit overzealous. Will leave as is for now.
This reverts commit e5540d9.

* add mfa_delete argument

* put mfa_delete argument in the right resource...

* add kms_master_key_id argument
timburke-hackit authored Nov 23, 2023
1 parent ba49d31 commit e6d147e
Showing 2 changed files with 24 additions and 38 deletions.
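--- a/terraform/core/10-aws-s3-buckets.tf
+++ b/terraform/core/10-aws-s3-buckets.tf
@@ -436,17 +436,6 @@ module "rds_export_storage" {
 bucket_identifier = "rds-shapshot-export-storage"
 }
 
-resource "aws_s3_bucket_server_side_encryption_configuration" "rds_export_storage_encryption" {
-bucket = module.rds_export_storage.bucket_id
-
-rule {
-apply_server_side_encryption_by_default {
-sse_algorithm = "aws:kms"
-}
-bucket_key_enabled = true
-}
-}
-
 module "deprecated_rds_export_storage" {
 source = "../modules/s3-bucket"
 
@@ -458,17 +447,6 @@ module "deprecated_rds_export_storage" {
 bucket_identifier = "rds-export-storage"
 }
 
-resource "aws_s3_bucket_server_side_encryption_configuration" "deprecated_rds_export_storage_encryption" {
-bucket = module.deprecated_rds_export_storage.bucket_id
-
-rule {
-apply_server_side_encryption_by_default {
-sse_algorithm = "aws:kms"
-}
-bucket_key_enabled = true
-}
-}
-
 module "addresses_api_rds_export_storage" {
 source = "../modules/s3-bucket"
 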
40 changes: 24 additions & 16 deletions terraform/modules/s3-bucket/10-s3-bucket.tf
Expand Up @@ -34,15 +34,15 @@ data "aws_iam_policy_document" "key_policy" {
}
}

dynamic statement {
dynamic "statement" {
for_each = var.bucket_key_policy_statements
content {

content {
sid = lookup(statement.value, "sid", "")
effect = lookup(statement.value, "effect", "")
actions = lookup(statement.value, "actions", [])
resources = ["*"]

principals {
type = lookup(statement.value.principals, "type", "")
identifiers = lookup(statement.value.principals, "identifiers", [])
Expand Down Expand Up @@ -83,15 +83,15 @@ data "aws_iam_policy_document" "bucket_policy_document" {
}
}

dynamic statement {
dynamic "statement" {
for_each = var.bucket_policy_statements
content {

content {
sid = lookup(statement.value, "sid", "")
effect = lookup(statement.value, "effect", "")
actions = lookup(statement.value, "actions", [])
resources = lookup(statement.value, "resources", [])

principals {
type = lookup(statement.value.principals, "type", "")
identifiers = lookup(statement.value.principals, "identifiers", [])
Expand All @@ -107,17 +107,25 @@ resource "aws_s3_bucket" "bucket" {

force_destroy = (var.environment == "dev")

server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.key.arn
sse_algorithm = "aws:kms"
}
}

resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
bucket = aws_s3_bucket.bucket.id

rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.key.arn
sse_algorithm = "aws:kms"
}
bucket_key_enabled = true
}
}

versioning {
enabled = true
resource "aws_s3_bucket_versioning" "bucket" {
bucket = aws_s3_bucket.bucket.id
versioning_configuration {
status = "Enabled"
mfa_delete = "Disabled"
}
}

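Review bot: `mfa_delete = "Disabled"` in `aws_s3_bucket_versioning.bucket` is hard-coded, so no caller of the module can turn MFA delete on even though the commit message describes adding an mfa_delete argument; a module variable with a `"Disabled"` default, e.g. `mfa_delete = var.mfa_delete`, would let the buckets holding RDS snapshot exports opt in without editing the module. The provider also cannot change MFA delete without root-account MFA credentials, so an explicit value that disagrees with the live bucket presumably shows up as a permanent plan diff rather than a one-time fix, which is worth a comment on that line. Because the inline `server_side_encryption_configuration` and `versioning` blocks are dropped from `aws_s3_bucket.bucket` and re-expressed as separate resources, already-provisioned buckets will not have those two resources in state, and a short comment above `aws_s3_bucket_server_side_encryption_configuration.bucket` noting that they need importing for existing buckets (and that bucket default encryption is only asserted once that resource applies, not at bucket creation) would spare the next maintainer a surprise. The `aws_s3_bucket.bucket` resource begins before this hunk.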
