diff --git a/.github/workflows/tfstate-apply.yml b/.github/workflows/tfstate-apply.yml index 9e3751b9..65413f76 100644 --- a/.github/workflows/tfstate-apply.yml +++ b/.github/workflows/tfstate-apply.yml @@ -7,6 +7,8 @@ on: paths: - .github/workflows/tfstate-apply.yml - terraform/services/tfstate/** + - terraform/modules/bucket/** + - terraform/modules/table/** workflow_dispatch: # Allow manual trigger jobs: diff --git a/.github/workflows/tfstate-plan.yml b/.github/workflows/tfstate-plan.yml index 923d8e47..b19ba05a 100644 --- a/.github/workflows/tfstate-plan.yml +++ b/.github/workflows/tfstate-plan.yml @@ -5,6 +5,8 @@ on: paths: - .github/workflows/tfstate-plan.yml - terraform/services/tfstate/** + - terraform/modules/bucket/** + - terraform/modules/table/** workflow_dispatch: # Allow manual trigger jobs: diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf index af95db63..1e54b1c3 100644 --- a/terraform/modules/bucket/main.tf +++ b/terraform/modules/bucket/main.tf @@ -1,3 +1,5 @@ +data "aws_caller_identity" "current" {} + module "bucket_key" { source = "../key" name = "${var.name}-bucket" 
@@ -86,64 +88,12 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" { } } } - -resource "aws_s3_bucket" "access_logs" { - bucket = "${var.name}-access" - force_destroy = true +data "aws_s3_bucket" "bucket_access_logs" { + bucket = "${data.aws_caller_identity.current.account_id}-bucket-access-logs" } - -data "aws_iam_policy_document" "access_logs" { - statement { - sid = "AllowSSLRequestsOnly" - - effect = "Deny" - - principals { - type = "AWS" - identifiers = ["*"] - } - - actions = ["s3:*"] - - resources = [ - aws_s3_bucket.access_logs.arn, - "${aws_s3_bucket.access_logs.arn}/*", - ] - - condition { - test = "Bool" - variable = "aws:SecureTransport" - values = ["false"] - } - } -} - -resource "aws_s3_bucket_policy" "access_logs" { - bucket = aws_s3_bucket.access_logs.id - policy = data.aws_iam_policy_document.access_logs.json -} - -resource "aws_s3_bucket_versioning" "access_logs" { - bucket = aws_s3_bucket.access_logs.id - versioning_configuration { - status = "Enabled" - } -} - -resource "aws_s3_bucket_server_side_encryption_configuration" "access_logs" { - bucket = aws_s3_bucket.access_logs.id - - rule { - apply_server_side_encryption_by_default { - kms_master_key_id = module.bucket_key.id - sse_algorithm = "aws:kms" - } - } -} - resource "aws_s3_bucket_logging" "this" { bucket = aws_s3_bucket.this.id - target_bucket = aws_s3_bucket.access_logs.id - target_prefix = "log/" + target_bucket = data.aws_s3_bucket.bucket_access_logs.id + target_prefix = "${var.name}/" } diff --git a/terraform/modules/bucket/variables.tf b/terraform/modules/bucket/variables.tf index f55c3b64..71853d53 100644 --- a/terraform/modules/bucket/variables.tf +++ b/terraform/modules/bucket/variables.tf @@ -5,6 +5,6 @@ variable "name" { variable "cross_account_read_roles" { description = "Roles in other accounts that need read access to this S3 bucket" - type = list + type = list(any) default = [] } 
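Review bot: Removing `resource "aws_s3_bucket" "access_logs"` while it still carries `force_destroy = true` means the next apply destroys each module instance's existing log bucket and every object in it, so the access logs collected so far are lost unless they are copied to the shared bucket first; the diff has no state migration or import step, so this looks intentional but is worth confirming before apply. The TLS-only bucket policy, versioning and KMS encryption that were enforced on the old bucket now have to be guaranteed by whatever manages `${account_id}-bucket-access-logs`, which is outside this diff, and that bucket also needs a policy allowing the S3 logging service to write under `${var.name}/`, otherwise `aws_s3_bucket_logging.this` may deliver nothing without an error. Because `data "aws_s3_bucket" "bucket_access_logs"` is resolved at plan time, the shared bucket must exist in every account before this module is applied; a comment above the data block such as `# Shared account-wide access-log bucket; must exist (with log-delivery policy, SSE and versioning) before any bucket module is applied` would make that ordering explicit.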
diff --git a/terraform/modules/bucket/versions.tf b/terraform/modules/bucket/versions.tf
index a123982a..581752ec 100644
--- a/terraform/modules/bucket/versions.tf
+++ b/terraform/modules/bucket/versions.tf
@@ -1,7 +1,7 @@
 terraform {
 required_providers {
 aws = {
- source = "hashicorp/aws"
+ source = "hashicorp/aws"
 }
 }
 required_version = "~> 1.5.5"