From b5bc513b955b82f4f281da203b51b730bb7bb389 Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 6 May 2022 19:55:26 -0400
Subject: [PATCH] refactor for aws provider v4
---
 cloudtrail/README.md | 4 ++++
 cloudtrail/s3.tf | 39 ++++++++++++++++++++++++++++-----------
 2 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/cloudtrail/README.md b/cloudtrail/README.md
index a3af4b0..200a961 100644
--- a/cloudtrail/README.md
+++ b/cloudtrail/README.md
@@ -145,8 +145,12 @@ No modules.
 | [aws_iam_policy.cloudtrail_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_sns_topic.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_policy.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_subscription.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
diff --git a/cloudtrail/s3.tf b/cloudtrail/s3.tf
index 47596e6..126f237 100644
--- a/cloudtrail/s3.tf
+++ b/cloudtrail/s3.tf
@@ -3,27 +3,43 @@ resource "aws_s3_bucket" "this" {
 acl = "private"
 force_destroy = false
 
- logging {
- target_bucket = var.access_log_bucket
- target_prefix = format("%s/%s/", var.access_log_bucket_prefix, local.bucket_name)
- }
-
 tags = merge(
 local.base_tags,
 var.tags,
 { "Name" = local.name },
 )
+}
 
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = var.kms_key_arn
- sse_algorithm = "aws:kms"
- }
+resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = var.kms_key_arn
+ sse_algorithm = "aws:kms"
 }
 }
 }
 
+resource "aws_s3_bucket_logging" "this" {
+ bucket = aws_s3_bucket.this.id
+ target_bucket = var.access_log_bucket
+ target_prefix = format("%s/%s/", var.access_log_bucket_prefix, local.bucket_name)
+}
+
+resource "aws_s3_bucket_acl" "this" {
+ count = 0
+ bucket = aws_s3_bucket.this.id
+ acl = "private"
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+
+ rule {
+ object_ownership = "BucketOwnerEnforced"
+ }
+}
+
 #---
 # bucket policy (apply also encryption key usage here?)
 # deny unencrypted uploads policy statement removed for default encryption
@@ -86,3 +102,4 @@ resource "null_resource" "policy_delay" {
 command = "sleep 180"
 }
 }
+
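Review bot: The new `aws_s3_bucket_acl.this` resource is dead code — `count = 0` means it is never created — while the deprecated `acl = "private"` argument is left on `aws_s3_bucket.this` (the context line at the top of the hunk; that resource block starts outside the hunk). Since the new `aws_s3_bucket_ownership_controls.this` sets `object_ownership = "BucketOwnerEnforced"`, which disables ACLs on the bucket, the v4 refactor should drop the `acl` argument from the bucket and remove the zero-count resource (or gate it on a variable) rather than carry both. A second point: the trailing comment records that the deny-unencrypted-upload policy statement was removed in reliance on default encryption, but that encryption now lives in a separate `aws_s3_bucket_server_side_encryption_configuration.this` resource whose only dependency is `aws_s3_bucket.this.id`, so nothing orders it before the bucket policy or before the trail (not visible in this hunk) starts delivering logs. Either add `depends_on = [aws_s3_bucket_server_side_encryption_configuration.this]` to the resource that creates the trail, or reinstate a bucket-policy statement denying `s3:PutObject` unless `s3:x-amz-server-side-encryption` equals `aws:kms`, so the intended encryption guarantee does not hinge on apply ordering.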