From 4ca377b72058a899a717954f81041e13ea54375c Mon Sep 17 00:00:00 2001
From: Chris Harrison <36608309+chris3ware@users.noreply.github.com>
Date: Fri, 6 Sep 2024 10:28:36 +0100
Subject: [PATCH] feat(cdn): Remove default public acl on S3 bucket (#23)

---
 .trunk/configs/.tflint.hcl | 6 +++-
 terraform/cdn/.terraform.lock.hcl | 58 ++++++++++++++-----------------
 terraform/cdn/main.tf | 52 +++++++++++----------------
 terraform/cdn/outputs.tf | 3 --
 terraform/cdn/providers.tf | 13 +++---
 terraform/cdn/static/index.html | 1 +
 terraform/cdn/variables.tf | 2 --
 terraform/org/outputs.tf | 1 +
 terraform/org/providers.tf | 2 +-
 terraform/org/variables.tf | 1 +
 terraform/vpc-peer/main.tf | 6 ++--
 terraform/vpc-peer/peering.tf | 4 +--
 terraform/vpc-peer/providers.tf | 2 +-
 terraform/vpc/providers.tf | 2 +-
 14 files changed, 71 insertions(+), 82 deletions(-)

diff --git a/.trunk/configs/.tflint.hcl b/.trunk/configs/.tflint.hcl
index 4e61780..d01a8b7 100644
--- a/.trunk/configs/.tflint.hcl
+++ b/.trunk/configs/.tflint.hcl
@@ -1,3 +1,7 @@
+config {
+ plugin_dir = "~/.local/share/tflint/plugins"
+}
+
 plugin "terraform" {
 enabled = true
 preset = "all"
@@ -7,4 +11,4 @@ plugin "aws" {
 enabled = true
 version = "0.32.0"
 source = "github.com/terraform-linters/tflint-ruleset-aws"
-}
+}
\ No newline at end of file
diff --git a/terraform/cdn/.terraform.lock.hcl b/terraform/cdn/.terraform.lock.hcl
index 3d231de..4f38f31 100644
--- a/terraform/cdn/.terraform.lock.hcl
+++ b/terraform/cdn/.terraform.lock.hcl
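Review bot: `plugin_dir = "~/.local/share/tflint/plugins"` in the new `config` block bakes one developer's home-directory layout into a config that is committed for everyone, so tflint will look in the wrong place for any contributor or CI runner whose layout differs. If the goal is to keep plugins outside the default `.tflint.d` location, that per-machine choice belongs in the `TFLINT_PLUGIN_DIR` environment variable, leaving the shared file with only the plugin pins. The hunk also drops the file's trailing newline (`\ No newline at end of file`), which is worth restoring so later diffs stay clean.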
@@ -1,42 +1,38 @@ -# This file is maintained automatically by "terraform init". +# This file is maintained automatically by "tofu init". # Manual edits may be lost in future updates. -provider "registry.terraform.io/hashicorp/aws" { - version = "4.24.0" - constraints = ">= 3.71.0, >= 3.75.0, >= 4.5.0" +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.65.0" + constraints = ">= 3.71.0, >= 4.40.0, >= 5.12.0, >= 5.24.0, >= 5.27.0, >= 5.37.0" hashes = [ - "h1:qe2OTeEpcdnY2ZwLLahEc4P+pnnItzOYvB/5y8LcIRg=", - "zh:3b58916e93cab4249bef6fcf6fb2ae3bbf0cb67a876e669205e1f785ffce88a4", - "zh:5a51329c4d91ecdc2879a7d4acbc1dfd521ca6cd9a64f0d6f8c01d99a23fc98d", - "zh:5c65414467db9b4bbf2f83fb1188543d1015514bab8a2336b38fcccb507fc7ca", - "zh:65fc1514f0f1a06463b70694add57589c31debba625d78e25a9434e521a7a290", - "zh:71b357f85d47cdb806df850b950193abae7ed14201edeba184be4c1672631f50", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1a89a7fb35fa6160963dae13861033493bd5f3e6bc5fd18a0fd745a066378be", - "zh:a9482369470168f3830a4a688506426769e1beb09fbdae25633acc508c0a9457", - "zh:bf93cb9d15a822bbb0510d3333f763d3d117ca56da350a30ff769049c6851b4c", - "zh:c17a405fe50bb16947b189a30e2c6e5983105023fa0c45bb57fb5e63232b316d", - "zh:d0c2a0bec642444fd2eb1ecc13e5716bcfe30c80aae5622c8a5692b7af143a57", - "zh:dd469fa460f4ce8ebd6a107babf13b1aebee9b2e274f216155f62c23df67c228", + "h1:nT0VS72bhbIBkPFSwEjiCFeN6NAiVVJ0TBjmGmFLoQw=", + "zh:15cb1116168255f15c8ba0bbdea3c3d15d4e1af8f05dad81c4df72f973792e73", + "zh:39157802cfcc55d2940150f2e29f3df80903bfaff57e04d8a445b59febaae43c", + "zh:490d9e0185b3a4d4c4808f5f1ed317dffe1aebab8c89b2cdde82c27b25112254", + "zh:539182c184bae1b51819ae21b72853404904c0004e54311266b1801cb7ac2088", + "zh:797bb51e72ac12020c67bb8a68f234faa1756f07fb3d74583a899b3fe0c82fc0", + "zh:8bf337c34dfda9031e44beb52c5b8c19d164e8560b40d771b13eb5e6493faa40", + "zh:99539be3efbfea97f7eae7aecba3825a8591f9e933591b8a5c6fdc4539d5ca91", + 
"zh:a255b97db8c6c3801e93c000f16eb5a25d40c05f2dc88e89b0ad61b71fa7b19c", + "zh:b4d4a1f433ac0d95bab2e538a824788defdc57144c5a252fc895b4358efefaac", + "zh:f40ff9b8ee7677adb1d340afc0a749a846439110fa0a00457e54a674a6d5705e", ] } -provider "registry.terraform.io/hashicorp/random" { +provider "registry.opentofu.org/hashicorp/random" { version = "3.3.2" constraints = "~> 3.3.2" hashes = [ - "h1:Fu0IKMy46WsO5Y6KfuH9IFkkuxZjE/gIcgtB7GWkTtc=", - "zh:038293aebfede983e45ee55c328e3fde82ae2e5719c9bd233c324cfacc437f9c", - "zh:07eaeab03a723d83ac1cc218f3a59fceb7bbf301b38e89a26807d1c93c81cef8", - "zh:427611a4ce9d856b1c73bea986d841a969e4c2799c8ac7c18798d0cc42b78d32", - "zh:49718d2da653c06a70ba81fd055e2b99dfd52dcb86820a6aeea620df22cd3b30", - "zh:5574828d90b19ab762604c6306337e6cd430e65868e13ef6ddb4e25ddb9ad4c0", - "zh:7222e16f7833199dabf1bc5401c56d708ec052b2a5870988bc89ff85b68a5388", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:b1b2d7d934784d2aee98b0f8f07a8ccfc0410de63493ae2bf2222c165becf938", - "zh:b8f85b6a20bd264fcd0814866f415f0a368d1123cd7879c8ebbf905d370babc8", - "zh:c3813133acc02bbebddf046d9942e8ba5c35fc99191e3eb057957dafc2929912", - "zh:e7a41dbc919d1de800689a81c240c27eec6b9395564630764ebb323ea82ac8a9", - "zh:ee6d23208449a8eaa6c4f203e33f5176fa795b4b9ecf32903dffe6e2574732c2", + "h1:m0fg+H1nspsKGEgZiLrxmPnlHebN+GbPK8bj6shhfz0=", + "zh:06940c8bc66b49e27c4a7030242df2211be2635bc061b656c9110b521f0d6f71", + "zh:0aa9d7f1d7971b662485ca2474fc13ab2dba7951ad56f37d08ccf92c2e918bec", + "zh:0e265e4154792c79865c27c55661f63c3df56e9ab961f47c4014f255e4aa3c33", + "zh:2d8305ed9ddd1907b81a208170c7599ffb99eacf2639cf40b5c7fe384585ee87", + "zh:43c7dd999908ead0e98a053c294b7d53546c45d6317e9124df39f6ed31e5fce8", + "zh:5ddce4cb91ddda675071166d975cc5af2ccb5efabbf327e9e5d21f0b93c9ab6c", + "zh:777ef4bba1f1875c4bcda9c2207bb00a24758a2a6c9097446c84d7cc20356673", + "zh:81542311f3d1fac213c9c25d3650de2a0d54cc480ec9c5abc16d88f9802b82b0", + 
"zh:9031150598307c66e61c13f7ca7b750ff8c4e373dc912f869d8ca81f9d1b4a2e",
+ "zh:9c8caf2248dadd21480bd2705680d76e9939f2b5956b6863789bbe0ec5457892",
 ]
 }
diff --git a/terraform/cdn/main.tf b/terraform/cdn/main.tf
index 7ee8d6e..cc13741 100644
--- a/terraform/cdn/main.tf
+++ b/terraform/cdn/main.tf
@@ -1,12 +1,13 @@
+# trunk-ignore-all(trivy) Bucket should be public initially before moving behind cloud front
+# logging and version not required for demo
 locals {
- #* Bucket name is shared between the resource and the policy. This overcomes cycle dependancy between the two
+ #* Bucket name is shared between the resource and the policy. This overcomes cycle dependency between the two
 bucket_name = "ans-cdn-top10cats-demo-${random_string.random.result}"
 #* Do not create the CNAME when the demo domain name is not specified
 alternate_cname = var.demo_domain_name != null ? "merlin.${var.demo_domain_name}" : null
 #* Use the default CloudFront certificate when the demo domain name is not specified
 use_default_cert = var.demo_domain_name == null
 }
-
 data "aws_iam_policy_document" "bucket_policy" {
 statement {
 sid = "AllowPublicAccessToS3Bucket"
@@ -18,8 +19,8 @@ data "aws_iam_policy_document" "bucket_policy" {
 resources = ["arn:aws:s3:::${local.bucket_name}/*", ]
 }
 }
-
 data "aws_iam_policy_document" "bucket_policy_with_oai" {
+ count = var.enable_cloudfront ? 1 : 0
 statement {
 sid = "AllowAccessFromCloudFrontToS3Bucket"
 principals {
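Review bot: `# trunk-ignore-all(trivy)` at the top of main.tf silences every current and future trivy finding in the file, but the justification written beside it only covers the S3 bucket being public for the demo; the CloudFront distribution, ACM certificate and Route53 records defined further down lose their scanning as well. Narrowing the waiver to the specific rule IDs being accepted and placing it on the `module "s3_bucket"` block keeps it tied to what it excuses, e.g. `# trunk-ignore(trivy/<rule-id>) demo bucket is public until moved behind CloudFront`. That comment is also the natural place to record that `AllowPublicAccessToS3Bucket` is meant to go away once `secure_s3_bucket` is set, which the code currently expresses only through the `bucket_policy_combined` ternary.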
@@ -30,35 +31,34 @@ data "aws_iam_policy_document" "bucket_policy_with_oai" {
 resources = ["arn:aws:s3:::${local.bucket_name}/*"]
 }
 }
-
 data "aws_iam_policy_document" "bucket_policy_combined" {
 source_policy_documents = [(
 var.secure_s3_bucket ?
- data.aws_iam_policy_document.bucket_policy_with_oai.json :
+ data.aws_iam_policy_document.bucket_policy_with_oai[0].json :
 data.aws_iam_policy_document.bucket_policy.json
 )
 ]
 }
-
 resource "random_string" "random" {
 length = 12
 special = false
 upper = false
 }
-
 module "template_files" {
- source = "hashicorp/dir/template"
- version = "~> v1.0.2"
+ source = "git::https://github.com/hashicorp/terraform-template-dir.git?ref=556bd64989e7099fabb90c6b883b5d4d92da3ae8"
 base_dir = "${path.module}/static"
 }
 module "s3_bucket" {
- source = "terraform-aws-modules/s3-bucket/aws"
- version = "~> v3.3.0"
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-s3-bucket.git?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a"
- bucket = local.bucket_name
- force_destroy = true
+ bucket = local.bucket_name
+ block_public_acls = false
+ block_public_policy = false
+ ignore_public_acls = false
+ restrict_public_buckets = false
+ force_destroy = true
 attach_policy = true
 policy = data.aws_iam_policy_document.bucket_policy_combined.json
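Review bot: `data.aws_iam_policy_document.bucket_policy_with_oai[0].json` in `bucket_policy_combined` is chosen by `var.secure_s3_bucket`, but the data source it indexes is now created only when `var.enable_cloudfront` is true, so `secure_s3_bucket = true` with `enable_cloudfront = false` fails at plan time with a bare invalid-index error rather than a message naming the unsupported combination. A `lifecycle { precondition { condition = !var.secure_s3_bucket || var.enable_cloudfront } }` with an `error_message` on `bucket_policy_combined` would make that constraint explicit (a variable validation would do the same if the OpenTofu version in use allows cross-variable references there). Separately, the four `block_public_acls` / `block_public_policy` / `ignore_public_acls` / `restrict_public_buckets = false` lines on `module "s3_bucket"` are unconditional, so the `secure_s3_bucket` mode still leaves the bucket's public access block switched off; setting each to `var.secure_s3_bucket` (e.g. `block_public_acls = var.secure_s3_bucket`) re-enables the guard exactly when the public policy is dropped. The OAI policy grants to a CloudFront principal rather than to everyone, so `block_public_policy = true` should not reject attaching it, but that is worth confirming on a plan.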
@@ -68,27 +68,22 @@ module "s3_bucket" {
 error_document = "error.html"
 }
 }
-
 module "s3_bucket_object" {
 for_each = module.template_files.files
- source = "terraform-aws-modules/s3-bucket/aws//modules/object"
- version = "~> v3.3.0"
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-s3-bucket.git//modules/object?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a"
 bucket = module.s3_bucket.s3_bucket_id
 key = each.key
 content_type = each.value.content_type
 file_source = each.value.source_path
 }
-
 data "aws_cloudfront_cache_policy" "this" {
 count = var.enable_cloudfront ? 1 : 0
 name = "Managed-CachingOptimized"
 }
-
 module "cdn" {
- count = var.enable_cloudfront ? 1 : 0
- source = "terraform-aws-modules/cloudfront/aws"
- version = "~> 2.9.3"
+ count = var.enable_cloudfront ? 1 : 0
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-cloudfront.git?ref=a0f0506106a4c8815c1c32596e327763acbef2c2"
 aliases = var.demo_domain_name != null ? [local.alternate_cname] : null
@@ -126,31 +121,26 @@ module "cdn" {
 viewer_certificate = {
 acm_certificate_arn = local.use_default_cert ? null : module.acm[0].acm_certificate_arn
- mminimum_protocol_version = local.use_default_cert ? null : "TLSv1.2_2021"
+ minimum_protocol_version = local.use_default_cert ? null : "TLSv1.2_2021"
 ssl_support_method = local.use_default_cert ? null : "sni-only"
 cloudfront_default_certificate = local.use_default_cert
 }
 }
-
 data "aws_route53_zone" "demo" {
 count = var.demo_domain_name != null ? 1 : 0
 name = var.demo_domain_name
 }
-
 module "acm" {
- count = var.demo_domain_name != null ? 1 : 0
- source = "terraform-aws-modules/acm/aws"
- version = "~> 4.0.1"
+ count = var.demo_domain_name != null ? 1 : 0
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-acm.git?ref=0ca52d1497e5a54ed86f9daac0440d27afc0db8b"
 domain_name = local.alternate_cname
 zone_id = data.aws_route53_zone.demo[0].zone_id
 wait_for_validation = true
 }
-
 module "cname_record" {
- count = var.demo_domain_name != null ? 1 : 0
- source = "terraform-aws-modules/route53/aws//modules/records"
- version = "~> 2.9.0"
+ count = var.demo_domain_name != null ? 1 : 0
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-route53.git//modules/records?ref=32613266e7c1f2a3e4e7cd7d5808e31df8c0b81d"
 zone_id = data.aws_route53_zone.demo[0].zone_id
 records = [
diff --git a/terraform/cdn/outputs.tf b/terraform/cdn/outputs.tf
index c95ecee..c516525 100644
--- a/terraform/cdn/outputs.tf
+++ b/terraform/cdn/outputs.tf
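Review bot: The corrected `minimum_protocol_version` key shows that the TLS 1.2 floor has silently not been applied until now: `viewer_certificate` is presumably passed to the module as a loosely typed object, so the misspelled key was dropped rather than rejected and the distribution ran on CloudFront's default minimum. A short comment above the block would spare the next reader the same trap, e.g. `# keys in this object are not schema-checked by the module; a misspelled key is silently ignored, so confirm minimum_protocol_version on the deployed distribution`. The `null` on the default-certificate path is, as far as I recall, what CloudFront requires (the default *.cloudfront.net certificate only accepts the TLSv1 floor), which is worth stating in the same comment so nobody later "fixes" it to TLSv1.2_2021 and breaks the plan. The enclosing `module "cdn"` block begins outside this hunk.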
@@ -2,17 +2,14 @@ output "s3_website_url" {
 description = "The S3 Bucket website endpoint"
 value = "http://${module.s3_bucket.s3_bucket_website_endpoint}"
 }
-
 output "cloudfront_url" {
 description = "The CloudFront distribution domain name"
 value = module.cdn[*].cloudfront_distribution_domain_name
 }
-
 output "certificat_arn" {
 description = "The arn of the ACM certificate"
 value = module.acm[*].acm_certificate_arn
 }
-
 output "alternate_cname" {
 description = "The CNAME records associated with CloudFront"
 value = var.demo_domain_name != null ? "https://${local.alternate_cname}" : null
diff --git a/terraform/cdn/providers.tf b/terraform/cdn/providers.tf
index a5ca94b..6759af1 100644
--- a/terraform/cdn/providers.tf
+++ b/terraform/cdn/providers.tf
@@ -4,16 +4,16 @@ provider "aws" {
 default_tags {
 tags = {
- "Project" = "aws-network-specialty"
- "Environment" = "general"
- "Demo" = "CDN"
- "Terraform" = true
+ "3ware:project-id" = "aws-network-speciality"
+ "3ware:environment-type" = "dev"
+ "3ware:service" = "cdn"
+ "3ware:tofu" = true
 }
 }
 }
 terraform {
- required_version = ">= 1.2.0"
+ required_version = ">= 1.7.2"
 required_providers {
 aws = {
 source = "hashicorp/aws"
@@ -25,8 +25,9 @@ terraform {
 }
 }
- backend "remote" {
+ cloud {
 organization = "3ware"
+ hostname = "app.terraform.io"
 workspaces {
 name = "aws-net-spec-cdn"
 }
diff --git a/terraform/cdn/static/index.html b/terraform/cdn/static/index.html
index db562f6..d17908e 100644
--- a/terraform/cdn/static/index.html
+++ b/terraform/cdn/static/index.html
@@ -65,6 +65,7 @@
+ // trunk-ignore(prettier)

Content judged by none other than...... Merlin...

diff --git a/terraform/cdn/variables.tf b/terraform/cdn/variables.tf
index ed9d76d..70bc5d1 100644
--- a/terraform/cdn/variables.tf
+++ b/terraform/cdn/variables.tf
@@ -3,13 +3,11 @@ variable "enable_cloudfront" {
 type = bool
 default = false
 }
-
 variable "demo_domain_name" {
 description = "Route53 domain name registered for the demo"
 type = string
 default = null
 }
-
 variable "secure_s3_bucket" {
 description = "Set to true to restrict access to the S3 bucket to the CloudFront OAI"
 type = bool
diff --git a/terraform/org/outputs.tf b/terraform/org/outputs.tf
index e69de29..8b13789 100644
--- a/terraform/org/outputs.tf
+++ b/terraform/org/outputs.tf
@@ -0,0 +1 @@
+
diff --git a/terraform/org/providers.tf b/terraform/org/providers.tf
index b2023a1..d3eef1c 100644
--- a/terraform/org/providers.tf
+++ b/terraform/org/providers.tf
@@ -13,7 +13,7 @@ provider "aws" {
 }
 terraform {
- required_version = ">= 1.2.0"
+ required_version = ">= 1.7.2"
 required_providers {
 aws = {
 source = "hashicorp/aws"
diff --git a/terraform/org/variables.tf b/terraform/org/variables.tf
index e69de29..8b13789 100644
--- a/terraform/org/variables.tf
+++ b/terraform/org/variables.tf
@@ -0,0 +1 @@
+
diff --git a/terraform/vpc-peer/main.tf b/terraform/vpc-peer/main.tf
index 7f45066..12c87f5 100644
--- a/terraform/vpc-peer/main.tf
+++ b/terraform/vpc-peer/main.tf
@@ -98,9 +98,9 @@ resource "aws_security_group_rule" "ingress" {
 for rule in local.ingress_rules_per_vpc : "${rule.description}-${rule.protocol}" => rule
 }
 type = "ingress"
- from_port = lookup(each.value, "port")
- to_port = lookup(each.value, "port")
- protocol = lookup(each.value, "protocol")
+ from_port = each.value["port"]
+ to_port = each.value["port"]
+ protocol = each.value["protocol"]
 cidr_blocks = lookup(each.value, "cidr_blocks", [])
 ipv6_cidr_blocks = lookup(each.value, "ipv6_cidr_blocks", [])
 security_group_id = aws_security_group.this[each.value.vpc_name].id
diff --git a/terraform/vpc-peer/peering.tf b/terraform/vpc-peer/peering.tf
index cd1611d..b9ca592 100644
--- a/terraform/vpc-peer/peering.tf
+++ b/terraform/vpc-peer/peering.tf
@@ -14,8 +14,8 @@ module "vpc_peering" {
 aws.peer = aws
 }
- this_vpc_id = module.vpc["${each.value.this_vpc_id}"].vpc_id
- peer_vpc_id = module.vpc["${each.value.that_vpc_id}"].vpc_id
+ this_vpc_id = module.vpc[each.value.this_vpc_id].vpc_id
+ peer_vpc_id = module.vpc[each.value.that_vpc_id].vpc_id
 auto_accept_peering = true
 }
diff --git a/terraform/vpc-peer/providers.tf b/terraform/vpc-peer/providers.tf
index a38c54f..082be6f 100644
--- a/terraform/vpc-peer/providers.tf
+++ b/terraform/vpc-peer/providers.tf
@@ -13,7 +13,7 @@ provider "aws" {
 }
 terraform {
- required_version = ">= 1.2.0"
+ required_version = ">= 1.7.2"
 required_providers {
 aws = {
 source = "hashicorp/aws"
diff --git a/terraform/vpc/providers.tf b/terraform/vpc/providers.tf
index 2e845d1..b10263d 100644
--- a/terraform/vpc/providers.tf
+++ b/terraform/vpc/providers.tf
@@ -13,7 +13,7 @@ provider "aws" {
 }
 terraform {
- required_version = ">= 1.2.0"
+ required_version = ">= 1.7.2"
 required_providers {
 aws = {
 source = "hashicorp/aws"