Merge pull request #825 from ministryofjustice/feature/refactor-confi…

…g-agg-bucket Refactor config aggregation bucket to use s3 module
ministryofjustice · Oct 13, 2023 · 0cf9bc7 · 0cf9bc7
2 parents 30ad5a1 + aa3d801
commit 0cf9bc7
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 22 deletions.
diff --git a/modules/config-aggregation-bucket/main.tf b/modules/config-aggregation-bucket/main.tf
@@ -7,7 +7,7 @@ data "aws_caller_identity" "current" {}
 
 locals {
   caller_identity                     = data.aws_caller_identity.current
-  bucket_policy_allowed_object_prefix = formatlist("${aws_s3_bucket.bucket.arn}/AWSLogs/%s/Config/*", concat([local.caller_identity.id], var.enrolled_account_ids))
+  bucket_policy_allowed_object_prefix = formatlist("${module.bucket.bucket.arn}/AWSLogs/%s/Config/*", concat([local.caller_identity.id], var.enrolled_account_ids))
 }
 
 # S3 bucket policy for a logging bucket in another account
@@ -20,7 +20,7 @@ data "aws_iam_policy_document" "bucket_policy" {
     sid       = "AWSConfigBucketPermissionsCheck"
     effect    = "Allow"
     actions   = ["s3:GetBucketAcl"]
-    resources = [aws_s3_bucket.bucket.arn]
+    resources = [module.bucket.bucket.arn]
 
     principals {
       type        = "Service"
@@ -33,7 +33,7 @@ data "aws_iam_policy_document" "bucket_policy" {
     sid       = "AWSConfigBucketExistenceCheck"
     effect    = "Allow"
     actions   = ["s3:ListBucket"]
-    resources = [aws_s3_bucket.bucket.arn]
+    resources = [module.bucket.bucket.arn]
 
     principals {
       type        = "Service"
@@ -61,32 +61,28 @@ data "aws_iam_policy_document" "bucket_policy" {
   }
 }
 
-resource "aws_s3_bucket" "bucket" {
+module "bucket" {
+  source = "../s3"
+
   bucket_prefix = var.bucket_prefix
-  acl           = "private"
 
-  # NB: AWS Config can't deliver to buckets with object lock turned on, which is why
-  # it's not configured.
+  bucket_acl = "private"
+
+  attach_policy = true
+  policy        = data.aws_iam_policy_document.bucket_policy.json
 
-  server_side_encryption_configuration {
-    rule {
+  enable_versioning = true
+
+  server_side_encryption_configuration = {
+    rule = {
       # You can't use a different KMS key as Config stores objects already encrypted with
       # the AWS managed S3 KMS key
-      apply_server_side_encryption_by_default {
+      apply_server_side_encryption_by_default = {
         kms_master_key_id = "aws/s3"
         sse_algorithm     = "aws:kms"
       }
     }
   }
 
-  versioning {
-    enabled = true
-  }
-
-  tags = var.tags
-}
-
-resource "aws_s3_bucket_policy" "bucket_policy" {
-  bucket = aws_s3_bucket.bucket.id
-  policy = data.aws_iam_policy_document.bucket_policy.json
+  additional_tags = var.tags
 }
diff --git a/modules/config-aggregation-bucket/outputs.tf b/modules/config-aggregation-bucket/outputs.tf
@@ -1,7 +1,7 @@
 output "s3_bucket_arn" {
-  value = aws_s3_bucket.bucket.arn
+  value = module.bucket.bucket.arn
 }
 
 output "s3_bucket_name" {
-  value = aws_s3_bucket.bucket.bucket
+  value = module.bucket.bucket.bucket
 }