From cb2286b204a2b3ab8b8fbca0a43a638f7b33889d Mon Sep 17 00:00:00 2001
From: Kris Bloe
Date: Wed, 21 Feb 2024 10:05:05 +0000
Subject: [PATCH] ehr-ingestion bucket logging

---
 terraform/modules/suspension-service/data.tf | 6 ++-
 terraform/modules/suspension-service/s3.tf | 44 +++++++++++++++-----
 2 files changed, 39 insertions(+), 11 deletions(-)

diff --git a/terraform/modules/suspension-service/data.tf b/terraform/modules/suspension-service/data.tf
index 67c7117b..1166a705 100644
--- a/terraform/modules/suspension-service/data.tf
+++ b/terraform/modules/suspension-service/data.tf
@@ -6,4 +6,8 @@ data "aws_ssm_parameter" "suspensions_sns_topic_arn" {
 data "aws_ssm_parameter" "suspensions_kms_key_id" {
 name = "/repo/${var.environment}/output/prm-deductions-nems-event-processor/suspensions-kms-key-id"
-}
\ No newline at end of file
+}
+
+data "aws_s3_bucket" "access_logs" {
+ bucket = "${var.environment}-orc-access-logs"
+}
diff --git a/terraform/modules/suspension-service/s3.tf b/terraform/modules/suspension-service/s3.tf
index 3d97902c..984a012b 100644
--- a/terraform/modules/suspension-service/s3.tf
+++ b/terraform/modules/suspension-service/s3.tf
@@ -4,18 +4,44 @@ locals {
 resource "aws_s3_bucket" "ingestion_bucket" {
 bucket = local.ingestion_bucket_name
- acl = "private"
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
- }
- }
- }
+
 tags = {
 Name = local.ingestion_bucket_name
 Environment = var.environment
 }
+
+ lifecycle {
+ ignore_changes = [
+ logging,
+ server_side_encryption_configuration
+ ]
+ }
+}
+
+resource "aws_s3_bucket_logging" "ingestion_bucket" {
+ bucket = aws_s3_bucket.ingestion_bucket.id
+
+ target_bucket = data.aws_s3_bucket.access_logs.id
+ target_prefix = "${local.ingestion_bucket_name}/"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "ingestion_bucket" {
+ bucket = aws_s3_bucket.ingestion_bucket.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "ingestion_bucket" {
+ bucket = aws_s3_bucket.ingestion_bucket.bucket
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
 }
 resource "aws_s3_bucket_policy" "ingestion_bucket_policy" {
@@ -54,5 +80,3 @@ resource "aws_iam_policy" "ingestion_bucket_get_object_policy" {
 ]
 })
 }
-
-
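Review bot: The new `aws_s3_bucket_public_access_block` "ingestion_bucket" and the existing `aws_s3_bucket_policy` "ingestion_bucket_policy" (whose body continues past the end of this hunk) do not reference each other, so Terraform may apply them in either order and a first apply can attach the policy before `block_public_policy` is enforced; the provider's documented pattern is `depends_on = [aws_s3_bucket_public_access_block.ingestion_bucket]` on the policy resource. The `aws_s3_bucket_logging` resource presumably relies on the `${var.environment}-orc-access-logs` bucket already granting the S3 log-delivery service write access; if that grant is scoped per source bucket it needs an entry for `local.ingestion_bucket_name`, otherwise the apply may be rejected as an invalid logging target or logs may simply not arrive, so this is worth confirming against the access-logs bucket policy. A style nit: the public access block reads `aws_s3_bucket.ingestion_bucket.bucket` while the logging and encryption resources use `.id`; both resolve to the bucket name, and using `.id` throughout keeps the three resources consistent. The `ignore_changes` on `logging` and `server_side_encryption_configuration` is the expected companion to moving those settings into standalone resources, but a comment such as `# now managed by the aws_s3_bucket_logging and aws_s3_bucket_server_side_encryption_configuration resources below` would tell the next reader why the in-bucket attributes are ignored.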