🔧 Add Deny Policy for Quarantine S3 bucket (#5533)
* Add Deny Policy for Quarantine S3 bucket

* 🔧 Remove cyclic error

* 🔧 Edit permissions

* Refinement

* Typo

* Linting
Gary-H9 authored Apr 2, 2024
1 parent 1bd1952 commit 5ae903a
Showing 1 changed file with 28 additions and 4 deletions.
32 changes: 28 additions & 4 deletions terraform/environments/analytical-platform-ingestion/s3.tf
Expand Up @@ -5,7 +5,7 @@ module "landing_bucket" {
version = "4.1.0"

bucket = "mojap-ingestion-${local.environment}-landing"
# TODO: Is this needed below?

force_destroy = true

server_side_encryption_configuration = {
Expand All @@ -18,16 +18,40 @@ module "landing_bucket" {
}
}

data "aws_iam_policy_document" "quarantine_bucket_policy" {
statement {
sid = "DenyAccess"
effect = "Deny"
principals {
type = "*"
identifiers = ["*"]
}
actions = [
"s3:GetObject",
"s3:PutObjectTagging"
]
resources = ["arn:aws:s3:::mojap-ingestion-${local.environment}-quarantine/*"]
condition {
test = "StringEquals"
variable = "s3:ExistingObjectTag/scan-result"
values = ["infected"]
}
}
}

module "quarantine_bucket" {
#checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions

source = "terraform-aws-modules/s3-bucket/aws"
version = "4.1.0"

bucket = "mojap-ingestion-${local.environment}-quarantine"
# TODO: Is this needed below?

force_destroy = true

attach_policy = true
policy = data.aws_iam_policy_document.quarantine_bucket_policy.json

server_side_encryption_configuration = {
rule = {
apply_server_side_encryption_by_default = {
Expand All @@ -45,7 +69,7 @@ module "definitions_bucket" {
version = "4.1.0"

bucket = "mojap-ingestion-${local.environment}-definitions"
# TODO: Is this needed below?

force_destroy = true

server_side_encryption_configuration = {
Expand All @@ -65,7 +89,7 @@ module "processed_bucket" {
version = "4.1.0"

bucket = "mojap-ingestion-${local.environment}-processed"
# TODO: Is this needed below?

force_destroy = true

server_side_encryption_configuration = {
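Review bot: The Deny in `quarantine_bucket_policy` is keyed on the `scan-result=infected` object tag but does not deny `s3:DeleteObjectTagging`, so any principal otherwise allowed to delete tags can strip the tag and the `s3:GetObject` deny no longer applies; add `"s3:DeleteObjectTagging"` to the `actions` list next to `"s3:PutObjectTagging"`. If the bucket has versioning enabled (not visible in this hunk), the `s3:GetObjectVersion`, `s3:PutObjectVersionTagging` and `s3:DeleteObjectVersionTagging` actions need the same treatment, since the condition key is evaluated per object version. Note also that with `principals` set to `*` and no exception, the tagging deny also stops whatever scanner sets the tag from ever re-tagging a false positive; if that is intended, a comment above the statement such as `# Once tagged infected nobody, including the scanner, can read or re-tag the object; deletion is the only way out` would make the design explicit.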
