From 31c7ad81c8f6f6c150d447d6cc8a8b7a199f339b Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 6 May 2022 20:12:50 -0400
Subject: [PATCH] refactor for aws provider v4
---
 s3-access-logs/README.md | 3 ++
 s3-access-logs/main.tf | 63 +++++++++++++++++++++++-----------------
 2 files changed, 39 insertions(+), 27 deletions(-)
diff --git a/s3-access-logs/README.md b/s3-access-logs/README.md
index ee504ea..248632d 100644
--- a/s3-access-logs/README.md
+++ b/s3-access-logs/README.md
@@ -58,10 +58,13 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_object.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource |
 | [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
diff --git a/s3-access-logs/main.tf b/s3-access-logs/main.tf
index fcdc35f..c3928b1 100644
--- a/s3-access-logs/main.tf
+++ b/s3-access-logs/main.tf
@@ -65,20 +65,7 @@ locals {
 resource "aws_s3_bucket" "logs" {
 bucket = local.bucket_name
 # acl = "log-delivery-write"
- acl = "private"
-
- # uses aws/kms key so log delivery works properly
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "aws:kms"
- }
- }
- }
-
- versioning {
- enabled = false
- }
+ # acl = "private"
 
 lifecycle {
 prevent_destroy = true
@@ -108,6 +95,41 @@ resource "aws_s3_bucket_public_access_block" "logs" {
 restrict_public_buckets = true
 }
 
+resource "aws_s3_bucket_versioning" "logs" {
+ bucket = aws_s3_bucket.logs.id
+ versioning_configuration {
+ status = "Disabled"
+ }
+}
+
+#---
+# set ownership controls
+# see documentation:
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls
+# https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.logs.id
+ rule {
+ object_ownership = "BucketOwnerEnforced"
+ }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
+ bucket = aws_s3_bucket.logs.id
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ }
+ }
+}
+
+resource "aws_s3_bucket_acl" "logs" {
+ # count = 0
+ bucket = aws_s3_bucket.logs.id
+ acl = "private"
+}
+
 #---
 # create "directories"
 #---
@@ -134,16 +156,3 @@ resource "null_resource" "policy_delay" {
 command = "sleep 120"
 }
 }
-
-#---
-# set ownership controls
-# see documentation:
-# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls
-# https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
-resource "aws_s3_bucket_ownership_controls" "this" {
- bucket = aws_s3_bucket.logs.id
-
- rule {
- object_ownership = "BucketOwnerEnforced"
- }
-}
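Review bot: `aws_s3_bucket_acl.logs` in the second main.tf hunk applies `acl = "private"` to a bucket whose `aws_s3_bucket_ownership_controls.this`, in the same hunk, sets `object_ownership = "BucketOwnerEnforced"`, which disables ACLs, so the PutBucketAcl call is expected to be rejected by S3 (AccessControlListNotSupported) and, even where it is accepted, the ACL grants nothing. Nothing orders the two resources (each depends only on `aws_s3_bucket.logs`), so a fresh apply can succeed or fail depending on which one the provider creates first. Under BucketOwnerEnforced a private ACL is implied and access is governed by IAM, `aws_s3_bucket_policy.logs` and the public access block, so the `aws_s3_bucket_acl` resource (with its `# count = 0` placeholder) can be dropped, along with the two commented-out `acl` lines the first hunk leaves in `aws_s3_bucket.logs`. The new `aws_s3_bucket_server_side_encryption_configuration.logs` dropped the rationale that the removed inline block carried; since no `kms_master_key_id` is set the bucket falls back to the AWS-managed key, so carry the original `# uses aws/kms key so log delivery works properly` over above its `rule {`. The body of `aws_s3_bucket_policy.logs` is outside this patch, so whether it grants the log-delivery principal that the ACL previously covered cannot be checked here.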