Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Issue #1659] Create general purpose s3 bucket #1762

Merged
merged 5 commits into from
Apr 17, 2024
Merged

[Issue #1659] Create general purpose s3 bucket #1762

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
7d31cf7
Create general purpose s3 bucket
coilysiren Apr 16, 2024
8c7e619
expecially
coilysiren Apr 17, 2024
7b17324
remove expiration
coilysiren Apr 17, 2024
7d719dc
remove glacier transitions
coilysiren Apr 17, 2024
f534210
Merge branch 'main' into general-purpose-bucket
coilysiren Apr 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion infra/modules/service/access-logs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ locals {
resource "aws_s3_bucket" "access_logs" {
bucket_prefix = "${var.service_name}-access-logs"
force_destroy = false
# checkov:skip=CKV2_AWS_62:Event notification not necessary for this bucket expecially due to likely use of lifecycle rules
# checkov:skip=CKV2_AWS_62:Event notification not necessary for this bucket especially due to likely use of lifecycle rules
# checkov:skip=CKV_AWS_18:Access logging was not considered necessary for this bucket
# checkov:skip=CKV_AWS_144:Not considered critical to the point of cross region replication
# checkov:skip=CKV_AWS_300:Known issue where Checkov gets confused by multiple rules
Expand Down
1 change: 1 addition & 0 deletions infra/modules/service/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ locals {
base_environment_variables = concat([
{ name : "PORT", value : tostring(var.container_port) },
{ name : "AWS_REGION", value : data.aws_region.current.name },
{ name : "S3_BUCKET_ARN", value : aws_s3_bucket.general_purpose.arn },
], local.hostname)
db_environment_variables = var.db_vars == null ? [] : [
{ name : "DB_HOST", value : var.db_vars.connection_info.host },
Expand Down
83 changes: 83 additions & 0 deletions infra/modules/service/s3.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
resource "aws_s3_bucket" "general_purpose" {
bucket_prefix = "${var.service_name}-general-purpose"
force_destroy = false
# checkov:skip=CKV2_AWS_62:Event notification not necessary for this bucket especially due to likely use of lifecycle rules
# checkov:skip=CKV_AWS_18:Access logging was not considered necessary for this bucket
# checkov:skip=CKV_AWS_144:Not considered critical to the point of cross region replication
# checkov:skip=CKV_AWS_300:Known issue where Checkov gets confused by multiple rules
# checkov:skip=CKV_AWS_21:Bucket versioning is not worth it in this use case
}

resource "aws_s3_bucket_public_access_block" "general_purpose" {
bucket = aws_s3_bucket.general_purpose.id

block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}

data "aws_iam_policy_document" "general_purpose_put_access" {
statement {
effect = "Allow"
resources = [
aws_s3_bucket.general_purpose.arn,
"${aws_s3_bucket.general_purpose.arn}/*"
]
actions = ["s3:PutObject"]

principals {
type = "AWS"
identifiers = [aws_iam_role.app_service.arn]
}
}

statement {
sid = "AllowSSLRequestsOnly"
effect = "Deny"
resources = [
aws_s3_bucket.general_purpose.arn,
"${aws_s3_bucket.general_purpose.arn}/*"
]
actions = ["s3:*"]
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = [false]
}
principals {
type = "AWS"
identifiers = ["*"]
}
}
}

resource "aws_s3_bucket_lifecycle_configuration" "general_purpose" {
bucket = aws_s3_bucket.general_purpose.id

rule {
id = "AbortIncompleteUpload"
status = "Enabled"
abort_incomplete_multipart_upload {
days_after_initiation = 7
}
}

# checkov:skip=CKV_AWS_300:There is a known issue where this check brings up false positives
}


resource "aws_s3_bucket_server_side_encryption_configuration" "general_purpose_encryption" {
bucket = aws_s3_bucket.general_purpose.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
bucket_key_enabled = true
}
}

resource "aws_s3_bucket_policy" "general_purpose" {
bucket = aws_s3_bucket.general_purpose.id
policy = data.aws_iam_policy_document.general_purpose_put_access.json
}
Loading