[Issue #1659] Create general purpose s3 bucket (#1762)

## Summary

Fixes #1659

### Time to review: __4 mins__

## Changes proposed

Adds a "General Purpose" s3 bucket to all of our services. The s3 bucket
exposes its location via the `S3_BUCKET_ARN` environment variable. I
assume this is going to be a long lived general purpose s3 bucket for...
random stuff. Whatever you might want an S3 bucket for. It's also
specifically for populating seed data, eg.
#1659

## Context for reviewers

The S3 bucket itself is a near exact copy of the s3 bucket that we use
for access logs.

## Additional information

Note that the s3 bucket arn format is like so:
`arn:aws:s3:::api-dev-general-purpose20240416221336163000000001`. You
probably want to `.split(":")[-1]` it to get just the name.

infra/modules/service/access-logs.tf

@@ -22,7 +22,7 @@ locals {
 resource "aws_s3_bucket" "access_logs" {
   bucket_prefix = "${var.service_name}-access-logs"
   force_destroy = false
-  # checkov:skip=CKV2_AWS_62:Event notification not necessary for this bucket expecially due to likely use of lifecycle rules
+  # checkov:skip=CKV2_AWS_62:Event notification not necessary for this bucket especially due to likely use of lifecycle rules
   # checkov:skip=CKV_AWS_18:Access logging was not considered necessary for this bucket
   # checkov:skip=CKV_AWS_144:Not considered critical to the point of cross region replication
   # checkov:skip=CKV_AWS_300:Known issue where Checkov gets confused by multiple rules

infra/modules/service/main.tf

@@ -16,6 +16,7 @@ locals {
   base_environment_variables = concat([
     { name : "PORT", value : tostring(var.container_port) },
     { name : "AWS_REGION", value : data.aws_region.current.name },
+    { name : "S3_BUCKET_ARN", value : aws_s3_bucket.general_purpose.arn },
   ], local.hostname)
   db_environment_variables = var.db_vars == null ? [] : [
     { name : "DB_HOST", value : var.db_vars.connection_info.host },

infra/modules/service/s3.tf

@@ -0,0 +1,83 @@
+resource "aws_s3_bucket" "general_purpose" {
+  bucket_prefix = "${var.service_name}-general-purpose"
+  force_destroy = false
+  # checkov:skip=CKV2_AWS_62:Event notification not necessary for this bucket especially due to likely use of lifecycle rules
+  # checkov:skip=CKV_AWS_18:Access logging was not considered necessary for this bucket
+  # checkov:skip=CKV_AWS_144:Not considered critical to the point of cross region replication
+  # checkov:skip=CKV_AWS_300:Known issue where Checkov gets confused by multiple rules
+  # checkov:skip=CKV_AWS_21:Bucket versioning is not worth it in this use case
+}
+
+resource "aws_s3_bucket_public_access_block" "general_purpose" {
+  bucket = aws_s3_bucket.general_purpose.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+data "aws_iam_policy_document" "general_purpose_put_access" {
+  statement {
+    effect = "Allow"
+    resources = [
+      aws_s3_bucket.general_purpose.arn,
+      "${aws_s3_bucket.general_purpose.arn}/*"
+    ]
+    actions = ["s3:PutObject"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_iam_role.app_service.arn]
+    }
+  }
+
+  statement {
+    sid    = "AllowSSLRequestsOnly"
+    effect = "Deny"
+    resources = [
+      aws_s3_bucket.general_purpose.arn,
+      "${aws_s3_bucket.general_purpose.arn}/*"
+    ]
+    actions = ["s3:*"]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = [false]
+    }
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+  }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "general_purpose" {
+  bucket = aws_s3_bucket.general_purpose.id
+
+  rule {
+    id     = "AbortIncompleteUpload"
+    status = "Enabled"
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 7
+    }
+  }
+
+  # checkov:skip=CKV_AWS_300:There is a known issue where this check brings up false positives
+}
+
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "general_purpose_encryption" {
+  bucket = aws_s3_bucket.general_purpose.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
+    }
+    bucket_key_enabled = true
+  }
+}
+
+resource "aws_s3_bucket_policy" "general_purpose" {
+  bucket = aws_s3_bucket.general_purpose.id
+  policy = data.aws_iam_policy_document.general_purpose_put_access.json
+}