generated from opsd-io/terraform-module-template
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathbackend-bucket.tf
87 lines (77 loc) · 2.13 KB
/
backend-bucket.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
## S3 Bucket for state storage.
resource "aws_s3_bucket" "state" {
bucket = var.bucket_name
tags = merge(var.common_tags, var.bucket_tags)
}
resource "aws_s3_bucket_ownership_controls" "state" {
bucket = aws_s3_bucket.state.id
rule {
object_ownership = "BucketOwnerEnforced" # ACLs disabled.
}
}
resource "aws_s3_bucket_public_access_block" "state" {
bucket = aws_s3_bucket.state.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_versioning" "state" {
bucket = aws_s3_bucket.state.id
versioning_configuration {
status = "Enabled"
}
}
## S3 Bucket encryption.
resource "aws_kms_key" "state" {
count = var.bucket_server_side_encryption ? 1 : 0
description = "Terraform state encryption key - ${var.bucket_name} bucket."
deletion_window_in_days = 14
}
resource "aws_kms_alias" "state" {
count = var.bucket_server_side_encryption ? 1 : 0
name = "alias/${var.bucket_name}"
target_key_id = aws_kms_key.state[0].key_id
}
resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
count = var.bucket_server_side_encryption ? 1 : 0
bucket = aws_s3_bucket.state.bucket
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.state[0].arn
sse_algorithm = "aws:kms"
}
}
}
## Access policy.
data "aws_iam_policy_document" "s3bucket" {
statement {
effect = "Allow"
actions = [
"s3:ListBucket",
]
resources = [aws_s3_bucket.state.arn]
}
statement {
effect = "Allow"
actions = [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
]
resources = ["${aws_s3_bucket.state.arn}/*.tfstate"]
}
dynamic "statement" {
# Only if bucket_server_side_encryption=true we need access to KMS.
for_each = var.bucket_server_side_encryption ? [0] : []
content {
effect = "Allow"
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
]
resources = [aws_kms_key.state[0].arn]
}
}
}