bitforge/orchard
3
0
Fork 0
Code Projects Wiki Activity
Files
bdfc525e715a4ef3c2751637aa0603767d3067bf
orchard/provisioners/modules/aws-s3/s3.tf
Evan Cohen-Doty 1b706fe858 59 Add S3 Bucket Provisioner
2026-02-04 11:32:12 -08:00

137 lines
3.3 KiB
HCL
Raw Blame History

# Disable warnings about MFA delete and IAM access analyzer (currently cannot support them)
# kics-scan disable=c5b31ab9-0f26-4a49-b8aa-4cc064392f4d,e592a0c5-5bdb-414c-9066-5dba7cdea370
# Bucket to actually store artifacts
resource "aws_s3_bucket" "s3_bucket" {
bucket = var.bucket
tags = {
Name = "Orchard S3 Provisioning Bucket"
Environment = var.environment
}
}
# Control public access
resource "aws_s3_bucket_public_access_block" "s3_bucket_public_access_block" {
bucket = aws_s3_bucket.s3_bucket.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
/*
Our lifecycle rule is as follows:
- Standard storage
-> OneZone IA storage after 30 days
-> Glacier storage after 180 days
*/
resource "aws_s3_bucket_lifecycle_configuration" "s3_bucket_lifecycle_configuration" {
bucket = aws_s3_bucket.s3_bucket.id
rule {
id = "Standard to OneZone"
filter {}
status = "Enabled"
transition {
days = 30
storage_class = "ONEZONE_IA"
}
}
rule {
id = "OneZone to Glacier"
filter {}
status = "Enabled"
transition {
days = 180
storage_class = "GLACIER"
}
}
}
# Enable versioning but without MFA delete enabled
resource "aws_s3_bucket_versioning" "s3_bucket_versioning" {
bucket = aws_s3_bucket.s3_bucket.id
versioning_configuration {
status = "Enabled"
}
}
# Give preference to the bucket owner
resource "aws_s3_bucket_ownership_controls" "s3_bucket_ownership_controls" {
bucket = aws_s3_bucket.s3_bucket.id
rule {
object_ownership = "BucketOwnerPreferred"
}
}
# Set access control list to private
resource "aws_s3_bucket_acl" "s3_bucket_acl" {
depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_ownership_controls]
bucket = aws_s3_bucket.s3_bucket.id
acl = var.acl
}
# Bucket for logging
resource "aws_s3_bucket" "logging" {
bucket = "orchard-logging-bucket"
tags = {
Name = "Orchard S3 Logging Bucket"
Environment = var.environment
}
}
# Versioning for the logging bucket
resource "aws_s3_bucket_versioning" "orchard_logging_bucket_versioning" {
bucket = aws_s3_bucket.logging.id
versioning_configuration {
status = "Enabled"
}
}
# Policies for the main s3 bucket and the logging bucket
resource "aws_s3_bucket_policy" "s3_bucket_https_policy" {
bucket = aws_s3_bucket.s3_bucket.id
policy = data.aws_iam_policy_document.s3_reject_https_policy.json
}
resource "aws_s3_bucket_policy" "logging_policy" {
bucket = aws_s3_bucket.logging.bucket
policy = data.aws_iam_policy_document.logging_bucket_policy.json
}
# Set up the logging bucket with folders with logs for both buckets
resource "aws_s3_bucket_logging" "s3_bucket_logging" {
bucket = aws_s3_bucket.s3_bucket.bucket
target_bucket = aws_s3_bucket.logging.bucket
target_prefix = "s3_log/"
target_object_key_format {
partitioned_prefix {
partition_date_source = "EventTime"
}
}
}
resource "aws_s3_bucket_logging" "logging_bucket_logging" {
bucket = aws_s3_bucket.logging.bucket
target_bucket = aws_s3_bucket.logging.bucket
target_prefix = "log/"
target_object_key_format {
partitioned_prefix {
partition_date_source = "EventTime"
}
}
}
View Git Blame Copy Permalink