Skip to content
Jump to bottom

Ip vpce restriction #22

Merged
merged 14 commits into from
Oct 27, 2020
Merged

Ip vpce restriction #22

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
a9b8f60
add ip and vpce restriction
ashle001 Oct 19, 2020
a37fcc8
add statement attributes
ashle001 Oct 21, 2020
d3b455f
sid and statement attributes
ashle001 Oct 22, 2020
b24bee1
disable versioning
ashle001 Oct 22, 2020
880d303
enable versioning
ashle001 Oct 22, 2020
62a4e33
set force_destroy=true
ashle001 Oct 26, 2020
55b1a1d
set force_destroy=false
ashle001 Oct 26, 2020
0109b00
set force_destroy variable
ashle001 Oct 26, 2020
8d275b7
convert force_destry to boolean
ashle001 Oct 26, 2020
5c21508
convert force_destry to boolean
ashle001 Oct 26, 2020
9dfb6eb
convert force_destry to boolean
ashle001 Oct 26, 2020
5a32651
add variable for lifecycle prevent_destroy
ashle001 Oct 26, 2020
5f90480
set prevent_destroy to false
ashle001 Oct 26, 2020
9aa3d64
fix lifecycle
ashle001 Oct 26, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
36 changes: 34 additions & 2 deletions main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,14 +31,27 @@ locals {
# "boc:tf_module_version" = var._module_version
"boc:created_by" = "terraform"
}
condition_allowed_cidr = {
"test": "NotIpAddress"
"variable": "aws:sourceIp"
"values": var.allowed_cidr
}
condition_allowed_endpoints = {
"test": "StringNotEquals"
"variable": "aws:sourceVpce"
"values": var.allowed_endpoints
}
s3_bucket_conditions_list = list(local.condition_allowed_cidr,local.condition_allowed_endpoints)
s3_bucket_conditions = [ for x in local.s3_bucket_conditions_list: x if length(x.values)>0 ]
}

#---
# s3 bucket
#---
resource "aws_s3_bucket" "this" {
bucket = var.bucket_name
acl = "private"
bucket = var.bucket_name
acl = "private"
force_destroy = var.force_destroy

server_side_encryption_configuration {
rule {
Expand Down Expand Up @@ -117,6 +130,25 @@ data "aws_iam_policy_document" "this" {
values = ["false"]
}
}
statement {
sid = "RemoteAccessBucketRestrictions"
effect = "Deny"
actions = ["s3:*"]
principals {
type = "AWS"
identifiers = ["*"]
}
resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"]
dynamic "condition" {
for_each = local.s3_bucket_conditions
iterator = c
content {
test = c.value.test
variable = c.value.variable
values = c.value.values
}
}
}
}

#---
Expand Down
18 changes: 18 additions & 0 deletions variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,3 +32,21 @@ variable "access_log_bucket" {
type = string
# default = null
}

variable "allowed_cidr" {
description = "List of allowed source IPs (NOT from within the VPC)"
type = list(string)
default = [ ]
}

variable "allowed_endpoints" {
description = "List of allowed VPC endpoint IDs"
type = list(string)
default = [ ]
}

variable "force_destroy" {
description = "Sets force_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time"
type = bool
default = false
}