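# Resource Configuration
#
# The bucket that receives CloudTrail log objects. Access is granted to the
# CloudTrail service only through the bucket policy declared further down in
# this file; the bucket itself stays private.
#
# https://www.terraform.io/docs/configuration/resources.html
# https://www.terraform.io/docs/providers/aws/r/s3_bucket.html
resource "aws_s3_bucket" "default" {
  # Rules for Bucket Naming
  # - Bucket names must be unique across all existing bucket names in Amazon S3.
  # - Bucket names must comply with DNS naming conventions.
  # - Bucket names must be at least 3 and no more than 63 characters long.
  # - Bucket names can contain lowercase letters, numbers, and hyphens.
  # - Bucket names must not contain uppercase characters or underscores.
  # - Bucket names must start with a lowercase letter or number.
  # https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html#bucketnamingrules
  #
  # Plain references replace the legacy "${...}"-only interpolation: this file
  # already requires Terraform 0.12 (dynamic blocks, conditional expressions).
  bucket = var.name

  # S3 access control lists (ACLs) enable you to manage access to buckets and objects.
  # "private" grants the bucket owner full control and nobody else.
  # NOTE(review): an ACL alone does not stop a later public bucket policy or
  # object ACL; pair this bucket with an aws_s3_bucket_public_access_block
  # resource (all four settings true) if the module does not declare one elsewhere.
  # https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
  acl = "private"

  # Server access logging provides detailed records for the requests that are made to a bucket.
  # Logs are written to a separate bucket under logs/<name>/ so that access to
  # the trail bucket itself is auditable.
  # https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
  logging {
    target_bucket = var.logging_target_bucket
    target_prefix = "logs/${var.name}/"
  }

  # Versioning is a means of keeping multiple variants of an object in the same bucket.
  # Versioning-enabled buckets enable you to recover objects from accidental deletion or overwrite.
  #
  # Once you version-enable a bucket, it can never return to an unversioned state.
  # You can, however, suspend versioning on that bucket.
  # https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
  versioning {
    enabled = true

    # NOTE(review): the AWS provider documents mfa_delete as reflecting the
    # bucket's existing state rather than toggling it; enabling it on a fresh
    # bucket may fail at apply time unless MFA delete was turned on out-of-band
    # with the root account's MFA device. Confirm before relying on this.
    mfa_delete = true
  }

  # S3 encrypts your data at the object level as it writes it to disks in its data centers
  # and decrypts it for you when you access it.
  # https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        # The objects are encrypted using server-side encryption with either
        # Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).
        # SSE-S3 is used here; switching to "aws:kms" would additionally
        # require granting the CloudTrail service access to the key.
        # https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
        sse_algorithm = "AES256"
      }
    }
  }

  # To manage your objects so that they are stored cost effectively throughout their lifecycle, configure their lifecycle.
  # https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html
  #
  # Dynamic Lifecycle Rule: emitted once when var.create_lifecycle_rule is
  # true, otherwise omitted entirely.
  dynamic "lifecycle_rule" {
    for_each = var.create_lifecycle_rule ? [1] : []

    content {
      enabled = var.lifecycle_rule_enabled
      prefix  = var.lifecycle_rule_prefix

      # The STANDARD_IA and ONEZONE_IA storage classes are designed for long-lived and infrequently accessed data.
      # https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html#sc-infreq-data-access
      transition {
        days          = var.standard_ia_transition_days
        storage_class = "STANDARD_IA"
      }

      # The GLACIER storage class is suitable for archiving data where data access is infrequent.
      # https://docs.aws.amazon.com/AmazonS3/latest/dev/storage-class-intro.html#sc-glacier
      transition {
        days          = var.glacier_transition_days
        storage_class = "GLACIER"
      }

      # For a versioned bucket, there are several considerations that guide how Amazon S3 handles the expiration action.
      # - The Expiration action applies only to the current version.
      # - S3 doesn't take any action if there are one or more object versions and the delete marker is the current version.
      # - If the current object version is the only object version and it is also a delete marker,
      #   S3 removes the expired object delete marker.
      # NOTE(review): expiring trail objects shortens the audit window; make
      # sure var.expiration_days meets the retention period the logs must satisfy.
      # https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html
      expiration {
        days = var.expiration_days
      }

      # Specifies when noncurrent objects transition to a specified storage class.
      # https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#intro-lifecycle-rules-actions
      noncurrent_version_transition {
        days          = var.glacier_noncurrent_version_transition_days
        storage_class = "GLACIER"
      }

      # Specifies when noncurrent object versions expire.
      # https://docs.aws.amazon.com/AmazonS3/latest/dev/intro-lifecycle-rules.html#intro-lifecycle-rules-actions
      noncurrent_version_expiration {
        days = var.noncurrent_version_expiration_days
      }
    }
  }

  # A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error.
  # These objects are not recoverable, so this should stay false for a bucket
  # holding audit logs unless the destruction is deliberate.
  # https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#force_destroy
  force_destroy = var.force_destroy

  # A mapping of tags to assign to the bucket.
  tags = var.tags
}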
# Attaches the CloudTrail access policy (rendered by the
# aws_iam_policy_document data source below) to the trail bucket.
# https://www.terraform.io/docs/providers/aws/r/s3_bucket_policy.html
resource "aws_s3_bucket_policy" "default" {
  # Referencing the bucket resource rather than var.name makes Terraform
  # create the bucket before the policy is applied.
  bucket = aws_s3_bucket.default.id
  policy = data.aws_iam_policy_document.default.json
}
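# Bucket policy granting the CloudTrail service the two permissions it needs
# (ACL check on the bucket, object writes with bucket-owner-full-control) and
# refusing any access that does not use TLS.
# https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html
data "aws_iam_policy_document" "default" {
  # CloudTrail verifies it can read the bucket ACL before it starts delivering logs.
  statement {
    sid    = "AWSCloudTrailAclCheck"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions = [
      "s3:GetBucketAcl",
    ]

    resources = [
      "arn:aws:s3:::${var.name}",
    ]
  }

  # Log delivery. The ACL condition ensures delivered objects are owned by the
  # bucket owner and not only by the CloudTrail service principal.
  #
  # NOTE(review): AWS recommends additionally restricting this statement with
  # an "aws:SourceArn" condition equal to the trail's ARN so that only your
  # trail (not any account's CloudTrail) can write here. That needs the trail
  # ARN as a module input, which this file does not currently receive; add it
  # as e.g. `condition { test = "ArnEquals" variable = "aws:SourceArn"
  # values = [<trail-arn-placeholder>] }` once such an input exists.
  statement {
    sid    = "AWSCloudTrailWrite"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    actions = [
      "s3:PutObject",
    ]

    resources = [
      "arn:aws:s3:::${var.name}/*",
    ]

    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"

      values = [
        "bucket-owner-full-control",
      ]
    }
  }

  # Reject every request that arrives over plain HTTP. CloudTrail always
  # delivers over TLS, so this only affects readers of the audit logs, who
  # should never fetch them in the clear.
  # https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = [
      "s3:*",
    ]

    resources = [
      "arn:aws:s3:::${var.name}",
      "arn:aws:s3:::${var.name}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"

      values = [
        "false",
      ]
    }
  }
}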