update policy

terraform-modules · Jan 2, 2024 · cae04a2 · cae04a2
1 parent e39c62f
commit cae04a2
Showing 1 changed file with 41 additions and 31 deletions.
diff --git a/s3-config-org/main.tf b/s3-config-org/main.tf
@@ -23,6 +23,7 @@ locals {
   account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
   logs_region         = data.aws_region.current.name
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  organization_id     = data.aws_organizations_organization.org.id
 
   bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.region)
   key_name    = compact(var.key_name, var.bucket_name, var.bucket_name_prefix)[0]
@@ -70,15 +71,14 @@ resource "aws_s3_bucket_logging" "config_org" {
 resource "aws_s3_bucket_acl" "config_org" {
   count  = 0
   bucket = aws_s3_bucket.config_org.id
-  #  acl    = "private"
-  acl = "log-delivery-write"
+  acl    = "private"
 }
 
 resource "aws_s3_bucket_ownership_controls" "config_org" {
   bucket = aws_s3_bucket.config_org.id
 
   rule {
-    object_ownership = "BucketOwnerEnforced"
+    object_ownership = "BucketOwnerPreferred"
   }
 }
 
@@ -96,41 +96,65 @@ resource "aws_s3_bucket_versioning" "config_org" {
 #---
 data "aws_iam_policy_document" "bucket_policy" {
   statement {
-    sid     = "AWSLoggingAclCheck"
-    effect  = "Allow"
-    actions = ["s3:GetBucketAcl", "s3:ListBucket"]
+    sid    = "ConfigListBucketAccess"
+    effect = "Allow"
+    actions = [
+      "s3:GetObject",
+      "s3:ListBucket",
+    ]
+    resources = [
+      aws_s3_bucket.config_org.arn,
+      format("%v/*", aws_s3_bucket.config_org.arn),
+    ]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:PrincipalOrgId"
+      values   = [local.organization_id]
+    }
+  }
+  statement {
+    sid    = "ConfigAclCheckExistsCheck"
+    effect = "Allow"
+    actions = [
+      "s3:GetBucketAcl",
+      "s3:ListBucket",
+    ]
     principals {
       type        = "Service"
-      identifiers = ["logging.amazonaws.com"]
+      identifiers = ["config.amazonaws.com"]
     }
     resources = [aws_s3_bucket.config_org.arn]
+  }
+  statement {
+    sid     = "ConfigWrite"
+    effect  = "Allow"
+    actions = ["s3:PutObject"]
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+    resources = [format("%v/AWSLogs/*", aws_s3_bucket.config_org.arn)]
     condition {
       test     = "StringEquals"
       variable = "aws:PrincipalOrgId"
-      values   = [local.organization_id]
+      values   = [data.organization_id]
     }
   }
   statement {
-    sid     = "AWSLoggingWrite"
+    sid     = "ConfigBucketDelivery"
     effect  = "Allow"
     actions = ["s3:PutObject"]
     principals {
       type        = "Service"
-      identifiers = ["logging.amazonaws.com"]
+      identifiers = ["config.amazonaws.com"]
     }
-    resources = [format("%v/*", aws_s3_bucket.config_org.arn)]
+    resources = [format("%v/AWSLogs/*", aws_s3_bucket.config_org.arn)]
     condition {
       test     = "StringEquals"
       variable = "s3:x-amz-acl"
       values   = ["bucket-owner-full-control"]
     }
-    condition {
-      test     = "StringEquals"
-      variable = "aws:PrincipalOrgId"
-      values   = [data.organization_id]
-    }
   }
-  # key access
 }
 
 #---
@@ -150,20 +174,6 @@ resource "aws_s3_bucket_public_access_block" "config_org" {
   restrict_public_buckets = true
 }
 
-## #---
-## # 180s delay needed for bucket to create and policy to apply, before
-## # creating a logging to point to it
-## #---
-## resource "null_resource" "policy_delay" {
-##   triggers = {
-##     bucket = aws_s3_bucket.config_org.id
-##   }
-##   provisioner "local-exec" {
-##     when    = create
-##     command = "sleep 180"
-##   }
-## }
-
 resource "time_sleep" "policy_delay" {
   triggers = {
     bucket = aws_s3_bucket.config_org.id