forked from infrablocks/terraform-aws-encrypted-bucket
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.tf
126 lines (101 loc) · 4.42 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
locals {
sse_s3_algorithm = "AES256"
sse_kms_algorithm = "aws:kms"
sse_algorithm = var.kms_key_arn == null ? local.sse_s3_algorithm : local.sse_kms_algorithm
kms_master_key_id = var.kms_key_arn == "" ? null : var.kms_key_arn
enable_versioning = var.enable_versioning == "yes" ? "Enabled" : "Disabled"
enable_mfa_delete = (var.enable_mfa_delete == "" ? var.mfa_delete == "true" : var.enable_mfa_delete == "yes") ? "Enabled" : "Disabled"
enable_access_logging = var.enable_access_logging == "yes"
enable_bucket_key = var.enable_bucket_key == "yes"
allow_destroy_when_objects_present = var.allow_destroy_when_objects_present == "yes"
deny_encryption_using_incorrect_algorithm_fragment = templatefile(
"${path.module}/policy-fragments/deny-encryption-using-incorrect-algorithm.json.tpl",
{
bucket_name = var.bucket_name
sse_algorithm = local.sse_algorithm
}
)
deny_encryption_using_incorrect_key_fragment = templatefile(
"${path.module}/policy-fragments/deny-encryption-using-incorrect-key.json.tpl",
{
bucket_name = var.bucket_name
kms_key_arn = var.kms_key_arn
}
)
deny_unencrypted_inflight_operations_fragment = templatefile(
"${path.module}/policy-fragments/deny-unencrypted-inflight-operations.json.tpl",
{
bucket_name = var.bucket_name
}
)
}
data "template_file" "encrypted_bucket_policy" {
template = coalesce(var.bucket_policy_template, file("${path.module}/policies/bucket-policy.json.tpl"))
vars = {
bucket_name = var.bucket_name
deny_encryption_using_incorrect_algorithm_fragment = local.deny_encryption_using_incorrect_algorithm_fragment
deny_encryption_using_incorrect_key_fragment = local.sse_algorithm == local.sse_kms_algorithm ? local.deny_encryption_using_incorrect_key_fragment : ""
deny_unencrypted_inflight_operations_fragment = local.deny_unencrypted_inflight_operations_fragment
# required for backwards compatibility
deny_unencrypted_object_upload_fragment = local.deny_encryption_using_incorrect_algorithm_fragment
}
}
resource "aws_s3_bucket" "encrypted_bucket" {
bucket = var.bucket_name
force_destroy = local.allow_destroy_when_objects_present
tags = merge({
Name = var.bucket_name
}, var.tags)
}
resource "aws_s3_bucket_server_side_encryption_configuration" "encrypted_bucket_server_side_encryption_configuration" {
bucket = aws_s3_bucket.encrypted_bucket.id
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = local.kms_master_key_id
sse_algorithm = local.sse_kms_algorithm
}
bucket_key_enabled = local.enable_bucket_key
}
}
resource "aws_s3_bucket_ownership_controls" "encrypted_bucket_ownership_controls" {
bucket = aws_s3_bucket.encrypted_bucket.id
rule {
object_ownership = "ObjectWriter"
}
}
resource "aws_s3_bucket_public_access_block" "public_access_block" {
bucket = aws_s3_bucket.encrypted_bucket.id
block_public_acls = var.public_access_block.block_public_acls
block_public_policy = var.public_access_block.block_public_policy
ignore_public_acls = var.public_access_block.ignore_public_acls
restrict_public_buckets = var.public_access_block.restrict_public_buckets
}
resource "aws_s3_bucket_acl" "encrypted_bucket_acl" {
depends_on = [
aws_s3_bucket_ownership_controls.encrypted_bucket_ownership_controls,
aws_s3_bucket_public_access_block.public_access_block
]
bucket = aws_s3_bucket.encrypted_bucket.id
acl = var.acl
}
resource "aws_s3_bucket_logging" "encrypted_bucket_logging" {
bucket = aws_s3_bucket.encrypted_bucket.id
for_each = local.enable_access_logging ? toset(["logging"]) : toset([])
target_bucket = var.access_log_bucket_name
target_prefix = var.access_log_object_key_prefix
}
resource "aws_s3_bucket_versioning" "encrypted_bucket_versioning" {
bucket = aws_s3_bucket.encrypted_bucket.id
versioning_configuration {
status = local.enable_versioning
mfa_delete = local.enable_mfa_delete
}
}
data "aws_iam_policy_document" "encrypted_bucket_policy_document" {
source_json = var.source_policy_json
override_json = data.template_file.encrypted_bucket_policy.rendered
}
resource "aws_s3_bucket_policy" "encrypted_bucket" {
bucket = aws_s3_bucket.encrypted_bucket.id
policy = data.aws_iam_policy_document.encrypted_bucket_policy_document.json
}