From a9b8f6024fc0a053c79cc1135ba66d78be12758f Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 19 Oct 2020 13:50:38 -0400 Subject: [PATCH 01/14] add ip and vpce restriction --- main.tf | 23 +++++++++++++++++++++++ variables.tf | 13 +++++++++++++ 2 files changed, 36 insertions(+) diff --git a/main.tf b/main.tf index 3d50a9b..afc3262 100644 --- a/main.tf +++ b/main.tf @@ -31,6 +31,18 @@ locals { # "boc:tf_module_version" = var._module_version "boc:created_by" = "terraform" } + condition_allowed_cidr = { + "test": "NotIpAddress" + "variable": "aws:sourceIp" + "values": var.allowed_cidr + } + condition_allowed_endpoints = { + "test": "StringNotEquals" + "variable": "aws:sourceVpce" + "values": var.allowed_endpoints + } + s3_bucket_conditions_list = list(local.condition_allowed_cidr,local.condition_allowed_endpoints) + s3_bucket_conditions = [ for x in local.s3_bucket_conditions_list: x if length(x.values)>0 ] } #--- @@ -117,6 +129,17 @@ data "aws_iam_policy_document" "this" { values = ["false"] } } + statement { + dynamic "condition" { + for_each = local.s3_bucket_conditions + iterator = c + content { + test = c.value.test + variable = c.value.variable + values = c.value.values + } + } + } } #--- diff --git a/variables.tf b/variables.tf index 7ea57bb..bbc654e 100644 --- a/variables.tf +++ b/variables.tf @@ -32,3 +32,16 @@ variable "access_log_bucket" { type = string # default = null } + +variable "allowed_cidr" { + description = "List of allowed source IPs (NOT from within the VPC)" + type = list(string) + default = [ ] +} + +variable "allowed_endpoints" { + description = "List of allowed VPC endpoint IDs" + type = list(string) + default = [ ] +} + From a37fcc8963ec1fd82b74fdd1a8530c161384f8be Mon Sep 17 00:00:00 2001 From: ashle001 Date: Wed, 21 Oct 2020 15:12:31 -0400 Subject: [PATCH 02/14] add statement attributes --- main.tf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/main.tf b/main.tf index afc3262..ef28fe9 100644 --- a/main.tf +++ b/main.tf 
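Review bot: The `s3_bucket_conditions_list` line uses the `list()` function, which is deprecated since Terraform 0.12 and removed in 0.15; the bracket form `s3_bucket_conditions_list = [local.condition_allowed_cidr, local.condition_allowed_endpoints]` is equivalent and forward-compatible. The `for` filter that follows silently drops a restriction whose list is empty, so with `allowed_endpoints` empty no VPC-endpoint traffic is exempted and with both lists empty `s3_bucket_conditions` is `[]`; that is a policy-shaping decision and deserves a comment next to the filter, e.g. `# A restriction whose value list is empty is omitted; with both lists empty no condition is rendered at all.` The JSON-style `"test": ...` keys inside the two condition objects also differ from the `key = value` style used by the surrounding locals.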
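Review bot: The new `statement` block carries only the dynamic `condition` blocks, with no `effect`, `actions`, `principals` or `resources`, and `aws_iam_policy_document` defaults `effect` to `Allow`, so as committed this renders an Allow statement consisting of nothing but conditions, which S3 would presumably reject as malformed rather than enforce. The missing attributes arrive in later patches of this series, but a policy statement should not be introduced in this shape; at minimum `effect = "Deny"` and `actions = ["s3:*"]` belong in the same commit as the conditions they qualify. The enclosing `data "aws_iam_policy_document" "this"` starts outside the hunk.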
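Review bot: Neither new variable validates its entries, so a malformed value only surfaces as a policy error at apply time, or worse as a Deny that matches more than intended; if the module targets Terraform 0.13 or later, a `validation` block on `allowed_cidr` with `condition = alltrue([for c in var.allowed_cidr : can(cidrhost(c, 0))])` rejects anything that is not CIDR notation, and one on `allowed_endpoints` with `condition = alltrue([for e in var.allowed_endpoints : can(regex("^vpce-", e))])` catches values that are not endpoint IDs. The `allowed_cidr` description says "source IPs", but the `IpAddress` condition operators take CIDR notation, so a single host has to be written with `/32`; the description should say so. Both defaults are empty lists, and a reader should be told what an empty list means for the restriction statement that consumes them.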
@@ -130,6 +130,13 @@ data "aws_iam_policy_document" "this" { } } statement { + sid = "IPAddressRestriction" + effect = "Deny" + actions = ["s3:*"] + principals { + type = "AWS" + identifiers = ["*"] + } dynamic "condition" { for_each = local.s3_bucket_conditions iterator = c From d3b455f1df576c9ae7be2035d990e89ef53c6e43 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 22 Oct 2020 10:10:14 -0400 Subject: [PATCH 03/14] sid and statement attributes --- main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index ef28fe9..1121787 100644 --- a/main.tf +++ b/main.tf @@ -130,13 +130,14 @@ data "aws_iam_policy_document" "this" { } } statement { - sid = "IPAddressRestriction" + sid = "RemoteAccessBucketRestrictions" effect = "Deny" actions = ["s3:*"] principals { type = "AWS" identifiers = ["*"] } + resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"] dynamic "condition" { for_each = local.s3_bucket_conditions iterator = c From b24bee113e742e0b9af5d6562bd3ae8d50da1e93 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 22 Oct 2020 14:11:36 -0400 Subject: [PATCH 04/14] disable versioning --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 1121787..a3cdcfc 100644 --- a/main.tf +++ b/main.tf @@ -64,7 +64,7 @@ resource "aws_s3_bucket" "this" { } versioning { - enabled = true + enabled = false } logging { From 880d30356024e4736db2944b6bdcc3840111ddd4 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 22 Oct 2020 14:19:15 -0400 Subject: [PATCH 05/14] enable versioning --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index a3cdcfc..1121787 100644 --- a/main.tf +++ b/main.tf @@ -64,7 +64,7 @@ resource "aws_s3_bucket" "this" { } versioning { - enabled = false + enabled = true } logging { From 62a4e3315db4fd4fd25b764499df42b9a5e68476 Mon Sep 17 00:00:00 2001 
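Review bot: With both `allowed_cidr` and `allowed_endpoints` at their empty defaults, `local.s3_bucket_conditions` is `[]` (the filter added in the previous patch drops empty lists), so this statement renders as an unconditional `Deny s3:*` for `Principal "*"`: every identity, including the one running Terraform, loses access to the bucket on the first apply with default inputs. A Deny should only be emitted when a restriction was actually requested; wrapping the statement in a `dynamic "statement"` keyed on the condition list, or adding a module-level check that at least one list is populated, avoids the lockout. The Deny also exempts nobody: AWS documents that `aws:SourceIp` is absent when a service calls S3 on the caller's behalf, and a negated operator on a missing key matches, so such calls would presumably be denied too unless a `Bool aws:ViaAWSService false` condition is added. The enclosing `data "aws_iam_policy_document" "this"` and the dynamic `condition` block continue outside the hunk.
```hcl
  dynamic "statement" {
    # Render the Deny only when at least one restriction was configured; with
    # both lists empty the condition list is [] and the statement would deny
    # every principal, including the identity running Terraform.
    for_each = length(local.s3_bucket_conditions) > 0 ? [1] : []
    content {
      sid     = "IPAddressRestriction"
      effect  = "Deny"
      actions = ["s3:*"]
      # … unchanged: principals and dynamic "condition" blocks …
    }
  }
```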
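Review bot: The added `resources` line correctly scopes the Deny to the bucket and its objects, but the statement still exempts no principal, so once the policy is in place an administrator or the CI identity that ran `terraform apply` from outside `allowed_cidr` / `allowed_endpoints` can no longer read or update the bucket, or its policy, through normal means. A third condition such as `test = "StringNotLike"`, `variable = "aws:PrincipalArn"`, `values = var.break_glass_principal_arns` backed by a new list variable gives a documented break-glass path; conditions within one statement are ANDed, so adding it only narrows the Deny. If the lockout is intentional, the module README should state that the deploying identity must itself come from an allowed source.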
From: ashle001 Date: Mon, 26 Oct 2020 08:04:02 -0400 Subject: [PATCH 06/14] set force_destroy=true --- main.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 1121787..ff06fbe 100644 --- a/main.tf +++ b/main.tf @@ -49,8 +49,9 @@ locals { # s3 bucket #--- resource "aws_s3_bucket" "this" { - bucket = var.bucket_name - acl = "private" + bucket = var.bucket_name + acl = "private" + force_destroy = true server_side_encryption_configuration { rule { From 55b1a1d0e02865fa67648103cf12abd0add3ba85 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 26 Oct 2020 08:19:23 -0400 Subject: [PATCH 07/14] set force_destroy=false --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index ff06fbe..ce8ca37 100644 --- a/main.tf +++ b/main.tf @@ -51,7 +51,7 @@ locals { resource "aws_s3_bucket" "this" { bucket = var.bucket_name acl = "private" - force_destroy = true + force_destroy = false server_side_encryption_configuration { rule { From 0109b00795261d050a4ca2eca8bc21cd3c39c5f5 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 26 Oct 2020 09:00:57 -0400 Subject: [PATCH 08/14] set force_destroy variable --- main.tf | 2 +- variables.tf | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index ce8ca37..9681e6d 100644 --- a/main.tf +++ b/main.tf @@ -51,7 +51,7 @@ locals { resource "aws_s3_bucket" "this" { bucket = var.bucket_name acl = "private" - force_destroy = false + force_destroy = var.force_destroy server_side_encryption_configuration { rule { diff --git a/variables.tf b/variables.tf index bbc654e..0e42780 100644 --- a/variables.tf +++ b/variables.tf @@ -45,3 +45,8 @@ variable "allowed_endpoints" { default = [ ] } +variable "force_destroy" { + description = "Protect or delete bucket" + type = string + default = "false" +} From 8d275b76b3becfceb761163b4ad22e6857c30395 Mon Sep 17 00:00:00 2001 
From: ashle001 Date: Mon, 26 Oct 2020 09:17:09 -0400 Subject: [PATCH 09/14] convert force_destry to boolean --- variables.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/variables.tf b/variables.tf index 0e42780..7514849 100644 --- a/variables.tf +++ b/variables.tf @@ -46,7 +46,7 @@ variable "allowed_endpoints" { } variable "force_destroy" { - description = "Protect or delete bucket" - type = string - default = "false" + description = "Sets both force_destroy and lifecycle prevent_destroy accordingly to allow the bucket and contents to be deleted. The deletion may take a very long time""Protect or delete bucket" + type = bool + default = false } From 5c21508dbc2dacc984bbdf94e35f3e1924185af0 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 26 Oct 2020 09:19:38 -0400 Subject: [PATCH 10/14] convert force_destry to boolean --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 7514849..c010c78 100644 --- a/variables.tf +++ b/variables.tf @@ -46,7 +46,7 @@ variable "allowed_endpoints" { } variable "force_destroy" { - description = "Sets both force_destroy and lifecycle prevent_destroy accordingly to allow the bucket and contents to be deleted. The deletion may take a very long time""Protect or delete bucket" + description = "Sets both force_destroy and lifecycle prevent_destroy accordingly to allow the bucket and contents to be deleted...The deletion may take a very long time""Protect or delete bucket" type = bool default = false } From 9dfb6ebc42c568d5262dff912b038ba962f0ccc5 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 26 Oct 2020 09:20:44 -0400 Subject: [PATCH 11/14] convert force_destry to boolean --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index c010c78..8bb28ad 100644 --- a/variables.tf +++ b/variables.tf 
@@ -46,7 +46,7 @@ variable "allowed_endpoints" { } variable "force_destroy" { - description = "Sets both force_destroy and lifecycle prevent_destroy accordingly to allow the bucket and contents to be deleted...The deletion may take a very long time""Protect or delete bucket" + description = "Sets both force_destroy and lifecycle prevent_destroy accordingly to allow the bucket and contents to be deleted. The deletion may take a very long time" type = bool default = false } From 5a326513420aa8449e56888ab250cdc4c48697b0 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 26 Oct 2020 09:45:38 -0400 Subject: [PATCH 12/14] add variable for lifecycle prevent_destroy --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 9681e6d..7ab2609 100644 --- a/main.tf +++ b/main.tf @@ -74,7 +74,7 @@ resource "aws_s3_bucket" "this" { } lifecycle { - prevent_destroy = false + prevent_destroy = var.force_destroy } tags = merge( From 5f904806d5bcd326046e05904eee9c5bb8deb566 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 26 Oct 2020 09:52:49 -0400 Subject: [PATCH 13/14] set prevent_destroy to false --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 7ab2609..9681e6d 100644 --- a/main.tf +++ b/main.tf @@ -74,7 +74,7 @@ resource "aws_s3_bucket" "this" { } lifecycle { - prevent_destroy = var.force_destroy + prevent_destroy = false } tags = merge( From 9aa3d649f6de6d98d8074a570ba4486709c3674b Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 26 Oct 2020 10:13:22 -0400 Subject: [PATCH 14/14] fix lifecycle --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 8bb28ad..58a6c06 100644 --- a/variables.tf +++ b/variables.tf 
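Review bot: `prevent_destroy = var.force_destroy` will not plan, because `lifecycle` meta-arguments accept only literal values and Terraform rejects variable references there; the sense is also inverted, since setting `force_destroy = true` to permit deletion would switch `prevent_destroy` on and block it. If the two settings are meant to move together the only option is a literal, so keep `prevent_destroy = false` (as the following patch does), let `force_destroy = false` provide the protection through the BucketNotEmpty failure on destroy, and say so in the variable description. The enclosing `resource "aws_s3_bucket" "this"` starts and ends outside the hunk.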
@@ -46,7 +46,7 @@ variable "allowed_endpoints" { } variable "force_destroy" { - description = "Sets both force_destroy and lifecycle prevent_destroy accordingly to allow the bucket and contents to be deleted. The deletion may take a very long time" + description = "Sets force_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time" type = bool default = false }
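Review bot: The description now says what `force_destroy` permits but not what it costs: the bucket has `versioning { enabled = true }` (set earlier in this series), and the provider documents that `force_destroy` deletes every object in the bucket before removing it, so `true` is irreversible data loss rather than a convenience flag, while `false` only protects a non-empty bucket because the delete then fails with BucketNotEmpty. Suggested wording: `description = "When true, terraform destroy deletes the bucket together with every object (and object version) in it; this is irreversible and slow on large buckets. When false, destroying a non-empty bucket fails."`.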