-
Notifications
You must be signed in to change notification settings - Fork 1.7k
/
s3.tf
56 lines (46 loc) · 1.34 KB
/
s3.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
/*
Configuration of S3 bucket for certs and replay
storage. Uses server side encryption to secure
session replays and SSL certificates.
*/
// S3 bucket for cluster storage
// For demo purposes, don't need bucket logging
// tfsec:ignore:aws-s3-enable-bucket-logging
resource "aws_s3_bucket" "storage" {
bucket = var.s3_bucket_name
force_destroy = true
}
resource "aws_s3_bucket_acl" "storage" {
depends_on = [aws_s3_bucket_ownership_controls.storage]
bucket = aws_s3_bucket.storage.bucket
acl = "private"
}
resource "aws_s3_bucket_ownership_controls" "storage" {
bucket = aws_s3_bucket.storage.id
rule {
object_ownership = "BucketOwnerPreferred"
}
}
// For demo purposes, CMK is not needed
// tfsec:ignore:aws-s3-encryption-customer-key
resource "aws_s3_bucket_server_side_encryption_configuration" "storage" {
bucket = aws_s3_bucket.storage.bucket
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
resource "aws_s3_bucket_versioning" "storage" {
bucket = aws_s3_bucket.storage.bucket
versioning_configuration {
status = "Enabled"
}
}
resource "aws_s3_bucket_public_access_block" "storage" {
bucket = aws_s3_bucket.storage.bucket
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}