Merge pull request #2 from geekcell/harden-access-log-bucket

feat: allow bucket versioning configuration. add policy for denying i…
geekcell · May 9, 2023 · 101d775 · 101d775
2 parents e772ab3 + f57511f
commit 101d775
Show file tree

Hide file tree

Showing 14 changed files with 140 additions and 111 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -8,7 +8,7 @@ end_of_line = lf
 indent_size = 2
 indent_style = space
 insert_final_newline = true
-max_line_length = 80
+max_line_length = 120
 trim_trailing_whitespace = true
 
 [*.md]

diff --git a/.github/.templatesyncignore b/.github/.templatesyncignore
@@ -0,0 +1,9 @@
+README.md
+.github/workflows/*
+.terraform-docs.yml
+docs/20-badges.md
+docs/assets/logo.svg
+*.tf
+test/*
+go.mod
+go.sum
diff --git a/.github/labels.yaml b/.github/labels.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,7 +1,7 @@
 ---
-####################################
-## Draft releases on Push to main ##
-####################################
+#####################
+## Create releases ##
+#####################
 
 #
 # Documentation:
@@ -13,9 +13,8 @@ on:
   push:
     branches: [ main ]
     tags: [ 'v*.*.*' ]
-
-permissions:
-  contents: write
+  pull_request:
+    types: [ labeled ]
 
 #################
 # Start the job #
@@ -26,6 +25,7 @@ jobs:
   ###############
   create-release:
     name: Create Release
+    if: github.event.action != 'labeled'
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
@@ -75,3 +75,22 @@ jobs:
           tag_name: ${{ steps.tag.outputs.value }}
           draft: false
           prerelease: false
+
+  ###########################
+  # Release preview comment #
+  ###########################
+  release-check:
+    if: github.event.action == 'labeled'
+    runs-on: ubuntu-latest
+    steps:
+      ############################
+      # Checkout the source code #
+      ############################
+      - name: Checkout Code
+        uses: actions/checkout@v3.1.0
+
+      #######################
+      # Post status comment #
+      #######################
+      - name: Post bumpr status comment
+        uses: haya14busa/action-bumpr@v1
diff --git a/.github/workflows/sync-templates.yaml b/.github/workflows/sync-templates.yaml
@@ -10,7 +10,9 @@
 
 name: Sync templates
 on:
-  workflow_dispatch:
+  workflow_dispatch: # Trigger manually
+  schedule:
+    - cron:  "0 0 1 * *"  # Run at 00:00 on the first day of every month
 
 ##########################
 # Prevent duplicate jobs #
@@ -36,7 +38,7 @@ jobs:
       - name: Sync labels
         uses: EndBug/label-sync@v2.3.1
         with:
-          config-file: https://raw.githubusercontent.com/geekcell/template-terraform-module/main/.github/labels.yaml
+          config-file: https://gist.githubusercontent.com/Ic3w0lf/f5520c5f19d7098966f692c120f7a197/raw/75b134f76fbc55e2e64bd66f04e571d6d74b815e/terraform-aws-module-labels.yaml
 
   #######################
   # Sync template files #
@@ -50,33 +52,12 @@ jobs:
       ############################
       - name: Checkout Code
         uses: actions/checkout@v3.1.0
-        with:
-          token: ${{ secrets.GEEKCELL_PAT_WORKFLOWS }}
-
-      ########################
-      # Patch template files #
-      ########################
-      - name: Force patching of template files
-        run: |
-          yes y | make setup/update-template
-
-      ####################
-      # Update README.md #
-      ####################
-      - name: Terraform docs
-        uses: terraform-docs/gh-actions@v1.0.0
-        with:
-          config-file: .terraform-docs.yml
-          git-push: false
 
-      #############
-      # Create PR #
-      #############
-      - name: Create PR
-        uses: peter-evans/create-pull-request@v4.2.0
+      #######################
+      # Sync template files #
+      #######################
+      - name: actions-template-sync
+        uses: AndreasAugustin/actions-template-sync@v0.7.3
         with:
-          token: ${{ secrets.GEEKCELL_PAT_WORKFLOWS }}
-          title: Updated template files
-          commit-message: Update template files from main repo
-          branch: update-template-files
-          delete-branch: true
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          source_repo_path: geekcell/terraform-aws-module-template
diff --git a/.terraform-docs.yml b/.terraform-docs.yml
@@ -1,10 +1,14 @@
 formatter: "md table"
 header-from: main.tf
 
+recursive:
+  # Enable this if your module has submodules
+  enabled: false
+
 content: |-
-  {{ include "docs/logo.md" }}
+  {{ include "docs/10-header.md" }}
 
-  {{ include "docs/badges.md" }}
+  {{ include "docs/20-badges.md" }}
 
   {{ .Header }}
 

diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
 <!-- BEGIN_TF_DOCS -->
-[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/template-terraform-module/main/docs/assets/logo.svg)](https://www.geekcell.io/)
+[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/.github/main/geekcell-github-banner.png)](https://www.geekcell.io/)
 
 ### Code Quality
 [![License](https://img.shields.io/github/license/geekcell/terraform-aws-s3-access-log-bucket)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/blob/master/LICENSE)
@@ -8,6 +8,9 @@
 [![Validate](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/validate.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/validate.yaml)
 [![Lint](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/linter.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/linter.yaml)
 
+<!--
+Comment in if Bridgecrew is configured
+
 ### Security
 [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-s3-access-log-bucket/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-s3-access-log-bucket&benchmark=INFRASTRUCTURE+SECURITY)
 
@@ -33,6 +36,8 @@
 [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-s3-access-log-bucket/hipaa)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-s3-access-log-bucket&benchmark=HIPAA)
 [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-s3-access-log-bucket/fedramp_moderate)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-s3-access-log-bucket&benchmark=FEDRAMP+%28MODERATE%29)
 
+-->
+
 # Terraform AWS S3 Access Log Bucket
 
 This Terraform module provides a preconfigured solution for setting up S3
@@ -56,12 +61,16 @@ tracking activity in your ALB or Cognito.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_deny_non_secure_transport"></a> [deny\_non\_secure\_transport](#input\_deny\_non\_secure\_transport) | Whether to attach a policy to the bucket to deny all non-SSL requests. | `bool` | `true` | no |
 | <a name="input_expiration"></a> [expiration](#input\_expiration) | The number of days after which to expunge the objects. | `number` | `365` | no |
+| <a name="input_mfa"></a> [mfa](#input\_mfa) | MFA device ARN including a TOTP token to enable MFA delete. | `string` | `null` | no |
+| <a name="input_mfa_delete"></a> [mfa\_delete](#input\_mfa\_delete) | Specifies whether MFA delete is enabled in the bucket. | `string` | `"Disabled"` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of the bucket. | `string` | n/a | yes |
 | <a name="input_noncurrent_version_expiration"></a> [noncurrent\_version\_expiration](#input\_noncurrent\_version\_expiration) | The number of days after which to delete the noncurrent object. | `number` | `90` | no |
 | <a name="input_noncurrent_version_transitions"></a> [noncurrent\_version\_transitions](#input\_noncurrent\_version\_transitions) | Transition to another storage class for noncurrent\_versions. | <pre>list(object({<br>    noncurrent_days = number<br>    storage_class   = string<br>  }))</pre> | <pre>[<br>  {<br>    "noncurrent_days": 30,<br>    "storage_class": "STANDARD_IA"<br>  }<br>]</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to add to the AWS Customer Managed Key. | `map(any)` | `{}` | no |
 | <a name="input_transitions"></a> [transitions](#input\_transitions) | Transition to another storage class. | <pre>list(object({<br>    days          = number<br>    storage_class = string<br>  }))</pre> | <pre>[<br>  {<br>    "days": 30,<br>    "storage_class": "STANDARD_IA"<br>  },<br>  {<br>    "days": 60,<br>    "storage_class": "GLACIER"<br>  },<br>  {<br>    "days": 180,<br>    "storage_class": "DEEP_ARCHIVE"<br>  }<br>]</pre> | no |
+| <a name="input_versioning"></a> [versioning](#input\_versioning) | Enables versioning of objects in the bucket. | `string` | `"Enabled"` | no |
 
 ## Outputs
 
@@ -79,11 +88,12 @@ tracking activity in your ALB or Cognito.
 ## Resources
 
 - resource.aws_s3_bucket.main (main.tf#21)
-- resource.aws_s3_bucket_lifecycle_configuration.main (main.tf#52)
-- resource.aws_s3_bucket_metric.main (main.tf#85)
-- resource.aws_s3_bucket_policy.main (main.tf#27)
-- resource.aws_s3_bucket_public_access_block.main (main.tf#32)
-- resource.aws_s3_bucket_server_side_encryption_configuration.main (main.tf#41)
+- resource.aws_s3_bucket_lifecycle_configuration.main (main.tf#62)
+- resource.aws_s3_bucket_metric.main (main.tf#95)
+- resource.aws_s3_bucket_policy.main (main.tf#37)
+- resource.aws_s3_bucket_public_access_block.main (main.tf#42)
+- resource.aws_s3_bucket_server_side_encryption_configuration.main (main.tf#51)
+- resource.aws_s3_bucket_versioning.main (main.tf#27)
 - data source.aws_elb_service_account.main (data.tf#1)
 - data source.aws_iam_policy_document.main (data.tf#3)
 

diff --git a/data.tf b/data.tf
@@ -2,22 +2,45 @@ data "aws_elb_service_account" "main" {}
 
 data "aws_iam_policy_document" "main" {
 
-  statement {
-    sid = "AllowElasticLoadBalancerToWriteAccessLogs"
+  dynamic "statement" {
+    for_each = var.deny_non_secure_transport ? [1] : []
 
-    effect = "Allow"
+    content {
+      actions = ["s3:*"]
+      effect  = "Deny"
+      sid     = "DenyNonSecureTransport"
 
-    principals {
-      type        = "AWS"
-      identifiers = [data.aws_elb_service_account.main.arn]
+      resources = [
+        aws_s3_bucket.main.arn,
+        "${aws_s3_bucket.main.arn}/*"
+      ]
+
+      principals {
+        type        = "*"
+        identifiers = ["*"]
+      }
+
+      condition {
+        test     = "Bool"
+        variable = "aws:SecureTransport"
+        values   = ["false"]
+      }
     }
+  }
+
+  statement {
+    actions = ["s3:PutObject"]
+    effect  = "Allow"
+    sid     = "AllowElasticLoadBalancerToWriteAccessLogs"
 
-    actions = [
-      "s3:PutObject"
-    ]
 
     resources = [
       "${aws_s3_bucket.main.arn}/*"
     ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [data.aws_elb_service_account.main.arn]
+    }
   }
 }
diff --git a/docs/10-header.md b/docs/10-header.md
@@ -0,0 +1 @@
+[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/.github/main/geekcell-github-banner.png)](https://www.geekcell.io/)
diff --git a/docs/badges.md → docs/20-badges.md b/docs/badges.md → docs/20-badges.md
@@ -5,6 +5,9 @@
 [![Validate](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/validate.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/validate.yaml)
 [![Lint](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/linter.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/linter.yaml)
 
+<!--
+Comment in if Bridgecrew is configured
+
 ### Security
 [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-s3-access-log-bucket/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-s3-access-log-bucket&benchmark=INFRASTRUCTURE+SECURITY)
 
@@ -29,3 +32,5 @@
 [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-s3-access-log-bucket/nist)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-s3-access-log-bucket&benchmark=NIST-800-53)
 [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-s3-access-log-bucket/hipaa)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-s3-access-log-bucket&benchmark=HIPAA)
 [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-s3-access-log-bucket/fedramp_moderate)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-s3-access-log-bucket&benchmark=FEDRAMP+%28MODERATE%29)
+
+-->
diff --git a/docs/assets/logo.svg b/docs/assets/logo.svg
diff --git a/docs/logo.md b/docs/logo.md