From c9055b097806274aa75f4e217b2840c8c433f007 Mon Sep 17 00:00:00 2001
From: fabasoad <fabasoad@gmail.com>
Date: Sat, 14 Aug 2021 15:42:04 +0900
Subject: [PATCH] Fix checkov warnings

---
 .github/workflows/terraform.yml |  3 ---
 .github/workflows/tf-lint.yml   |  2 +-
 s3.tf                           | 26 +++++++++++++++++++++++++-
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 127c728..6106325 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -11,7 +11,6 @@ on:
       - 'bugfix/**'
       - 'dependabot/*'
       - 'feature/**'
-      - 'test-*'
 
 jobs:
   terraform:
@@ -20,8 +19,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
-      - name: Prepare bundle
-        run: ./build_bundle.sh
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v1
         with:
diff --git a/.github/workflows/tf-lint.yml b/.github/workflows/tf-lint.yml
index 3604029..b703c3c 100644
--- a/.github/workflows/tf-lint.yml
+++ b/.github/workflows/tf-lint.yml
@@ -18,4 +18,4 @@ jobs:
         with:
           cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
       - name: Terraform Lint
-        run: cd terraform && terraform fmt -check
+        run: terraform fmt -check
diff --git a/s3.tf b/s3.tf
index 61fd503..c87af89 100644
--- a/s3.tf
+++ b/s3.tf
@@ -1,12 +1,36 @@
 locals {
+  bucket_name = "business-card-bucket"
   payload_path = "${path.module}/${var.app}-payload.zip"
 }
 
+resource "aws_s3_bucket_public_access_block" "business_card_bucket_access" {
+  bucket = aws_s3_bucket.business_card_bucket.id
+
+  block_public_acls   = true
+  block_public_policy = true
+}
+
 resource "aws_s3_bucket" "business_card_bucket" {
-  bucket = "business-card-bucket"
+  bucket = local.bucket_name
   versioning {
     enabled = true
   }
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+  dynamic "logging" {
+    for_each = []
+    content {
+      target_bucket = logging.value["target_bucket"]
+      target_prefix = "logs/${local.bucket_name}"
+    }
+  }
+  #checkov:skip=CKV_AWS_144:No need to have cross-region replication
+  #checkov:skip=CKV_AWS_145:No need to encrypt with KMS
 }
 
 resource "aws_s3_bucket_object" "business_card_payload" {