From cae04a2e924bb883ae8cbbdaf54724fa5c1ef5a6 Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 2 Jan 2024 13:00:50 -0500
Subject: [PATCH] update policy

---
 s3-config-org/main.tf | 72 ++++++++++++++++++++++++-------------------
 1 file changed, 41 insertions(+), 31 deletions(-)

diff --git a/s3-config-org/main.tf b/s3-config-org/main.tf
index d872372..c9b2829 100644
--- a/s3-config-org/main.tf
+++ b/s3-config-org/main.tf
@@ -23,6 +23,7 @@ locals {
 account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
 logs_region = data.aws_region.current.name
 account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ organization_id = data.aws_organizations_organization.org.id
 bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.region)
 key_name = compact(var.key_name, var.bucket_name, var.bucket_name_prefix)[0]
@@ -70,15 +71,14 @@ resource "aws_s3_bucket_logging" "config_org" {
 resource "aws_s3_bucket_acl" "config_org" {
 count = 0
 bucket = aws_s3_bucket.config_org.id
- # acl = "private"
- acl = "log-delivery-write"
+ acl = "private"
 }
 resource "aws_s3_bucket_ownership_controls" "config_org" {
 bucket = aws_s3_bucket.config_org.id
 rule {
- object_ownership = "BucketOwnerEnforced"
+ object_ownership = "BucketOwnerPreferred"
 }
 }
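Review bot: Changing `object_ownership` from `BucketOwnerEnforced` to `BucketOwnerPreferred` in the ownership-controls hunk re-enables ACLs on the bucket, which reopens ACL-based cross-account grants and is the setting AWS steers away from. If the motivation is the `s3:x-amz-acl = bucket-owner-full-control` condition in the bucket policy, as far as I know PutObject requests that set exactly that ACL are still accepted under `BucketOwnerEnforced`, so the downgrade should not be needed; I would keep `object_ownership = "BucketOwnerEnforced"` or add a comment stating why Preferred is required here. The `acl = "private"` change sits on a resource with `count = 0`, so as written it has no effect.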
@@ -96,41 +96,65 @@ resource "aws_s3_bucket_versioning" "config_org" {
 #---
 data "aws_iam_policy_document" "bucket_policy" {
 statement {
- sid = "AWSLoggingAclCheck"
- effect = "Allow"
- actions = ["s3:GetBucketAcl", "s3:ListBucket"]
+ sid = "ConfigListBucketAccess"
+ effect = "Allow"
+ actions = [
+ "s3:GetObject",
+ "s3:ListBucket",
+ ]
+ resources = [
+ aws_s3_bucket.config_org.arn,
+ format("%v/*", aws_s3_bucket.config_org.arn),
+ ]
+ condition {
+ test = "StringEquals"
+ variable = "aws:PrincipalOrgId"
+ values = [local.organization_id]
+ }
+ }
+ statement {
+ sid = "ConfigAclCheckExistsCheck"
+ effect = "Allow"
+ actions = [
+ "s3:GetBucketAcl",
+ "s3:ListBucket",
+ ]
 principals {
 type = "Service"
- identifiers = ["logging.amazonaws.com"]
+ identifiers = ["config.amazonaws.com"]
 }
 resources = [aws_s3_bucket.config_org.arn]
+ }
+ statement {
+ sid = "ConfigWrite"
+ effect = "Allow"
+ actions = ["s3:PutObject"]
+ principals {
+ type = "Service"
+ identifiers = ["config.amazonaws.com"]
+ }
+ resources = [format("%v/AWSLogs/*", aws_s3_bucket.config_org.arn)]
 condition {
 test = "StringEquals"
 variable = "aws:PrincipalOrgId"
- values = [local.organization_id]
+ values = [data.organization_id]
 }
 }
 statement {
- sid = "AWSLoggingWrite"
+ sid = "ConfigBucketDelivery"
 effect = "Allow"
 actions = ["s3:PutObject"]
 principals {
 type = "Service"
- identifiers = ["logging.amazonaws.com"]
+ identifiers = ["config.amazonaws.com"]
 }
- resources = [format("%v/*", aws_s3_bucket.config_org.arn)]
+ resources = [format("%v/AWSLogs/*", aws_s3_bucket.config_org.arn)]
 condition {
 test = "StringEquals"
 variable = "s3:x-amz-acl"
 values = ["bucket-owner-full-control"]
 }
- condition {
- test = "StringEquals"
- variable = "aws:PrincipalOrgId"
- values = [data.organization_id]
- }
 }
- # key access
 }
 #---
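Review bot: `values = [data.organization_id]` in the ConfigWrite statement is not a valid Terraform reference (a data source is addressed as `data.<type>.<name>.<attr>`), so `terraform validate` will fail; this commit already introduces `local.organization_id` for exactly this value in ConfigListBucketAccess, so use `values = [local.organization_id]` here as well. The ConfigListBucketAccess statement has no `principals` block, and S3 rejects a bucket policy statement without a Principal; if the intent is "any principal in the organization", it needs `principals { type = "AWS" identifiers = ["*"] }` alongside the `aws:PrincipalOrgId` condition, and it is worth confirming that granting `s3:GetObject` on every object to every principal in the organization is really wanted, since that is wider than Config delivery needs. ConfigWrite and ConfigBucketDelivery both grant config.amazonaws.com `s3:PutObject` on `AWSLogs/*`; as far as I know a service principal does not carry `aws:PrincipalOrgId`, so ConfigWrite is unlikely to ever match, and the AWS-documented Config bucket policy scopes delivery with `aws:SourceAccount` instead — confirm, then collapse the two into one statement with the intended condition.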
@@ -150,20 +174,6 @@ resource "aws_s3_bucket_public_access_block" "config_org" {
 restrict_public_buckets = true
 }
 
-## #---
-## # 180s delay needed for bucket to create and policy to apply, before
-## # creating a logging to point to it
-## #---
-## resource "null_resource" "policy_delay" {
-## triggers = {
-## bucket = aws_s3_bucket.config_org.id
-## }
-## provisioner "local-exec" {
-## when = create
-## command = "sleep 180"
-## }
-## }
-
 resource "time_sleep" "policy_delay" {
 triggers = {
 bucket = aws_s3_bucket.config_org.id