CMSgov · christopher-maboh · Jul 23, 2024 · Jun 14, 2024 · Jun 14, 2024 · Jun 21, 2024
@@ -7,6 +7,8 @@ on:
     paths:
       - .github/workflows/tfstate-apply.yml
       - terraform/services/tfstate/**
+      - terraform/modules/bucket/**
+      - terraform/modules/table/**
   workflow_dispatch: # Allow manual trigger
 
 jobs:

@@ -5,6 +5,8 @@ on:
     paths:
       - .github/workflows/tfstate-plan.yml
       - terraform/services/tfstate/**
+      - terraform/modules/bucket/**
+      - terraform/modules/table/**
   workflow_dispatch: # Allow manual trigger
 
 jobs:

@@ -86,64 +86,12 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
     }
   }
 }
-
-resource "aws_s3_bucket" "access_logs" {
-  bucket        = "${var.name}-access"
-  force_destroy = true
-}
-
-data "aws_iam_policy_document" "access_logs" {
-  statement {
-    sid = "AllowSSLRequestsOnly"
-
-    effect = "Deny"
-
-    principals {
-      type        = "AWS"
-      identifiers = ["*"]
-    }
-
-    actions = ["s3:*"]
-
-    resources = [
-      aws_s3_bucket.access_logs.arn,
-      "${aws_s3_bucket.access_logs.arn}/*",
-    ]
-
-    condition {
-      test     = "Bool"
-      variable = "aws:SecureTransport"
-      values   = ["false"]
-    }
-  }
-}
-
-resource "aws_s3_bucket_policy" "access_logs" {
-  bucket = aws_s3_bucket.access_logs.id
-  policy = data.aws_iam_policy_document.access_logs.json
-}
-
-resource "aws_s3_bucket_versioning" "access_logs" {
-  bucket = aws_s3_bucket.access_logs.id
-  versioning_configuration {
-    status = "Enabled"
-  }
+data "aws_s3_bucket" "bucket_access_logs" {
+  bucket = "${var.app}-${var.env}-bucket-access-log"
 }
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "access_logs" {
-  bucket = aws_s3_bucket.access_logs.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      kms_master_key_id = module.bucket_key.id
-      sse_algorithm     = "aws:kms"
-    }
-  }
-}
-
 resource "aws_s3_bucket_logging" "this" {
   bucket = aws_s3_bucket.this.id
 
-  target_bucket = aws_s3_bucket.access_logs.id
-  target_prefix = "log/"
+  target_bucket = data.aws_s3_bucket.bucket_access_logs.id
+  target_prefix = "${var.name}/"
 }
@@ -5,6 +5,24 @@ variable "name" {
 
 variable "cross_account_read_roles" {
   description = "Roles in other accounts that need read access to this S3 bucket"
-  type        = list
+  type        = list(any)
   default     = []
 }
+
+variable "app" {
+  description = "The application name (ab2d, bcda, dpc)"
+  type        = string
+  validation {
+    condition     = contains(["ab2d", "bcda", "dpc"], var.app)
+    error_message = "Valid value for app is ab2d, bcda, or dpc."
+  }
+}
+
+variable "env" {
+  description = "The application environment (dev, test, sbx, prod, mgmt)"
+  type        = string
+  validation {
+    condition     = contains(["dev", "test", "sbx", "prod", "mgmt"], var.env)
+    error_message = "Valid value for env is dev, test, sbx, prod, or mgmt."
+  }
+}
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     aws = {
-      source  = "hashicorp/aws"
+      source = "hashicorp/aws"
     }
   }
   required_version = "~> 1.5.5"

diff --git a/terraform/modules/function/main.tf b/terraform/modules/function/main.tf
@@ -145,6 +145,9 @@ module "zip_bucket" {
     "arn:aws:iam::${data.aws_ssm_parameter.prod_account[0].value}:role/delegatedadmin/developer/${var.app}-prod-github-actions",
     "arn:aws:iam::${data.aws_ssm_parameter.sbx_account[0].value}:role/delegatedadmin/developer/${var.app}-sbx-github-actions",
   ] : []
+
+  app = var.app
+  env = var.env
 }
 
 resource "aws_s3_object" "empty_function_zip" {

diff --git a/terraform/services/tfstate/main.tf b/terraform/services/tfstate/main.tf
@@ -5,6 +5,8 @@ locals {
 module "tfstate_bucket" {
   source = "../../modules/bucket"
   name   = local.name
+  app    = var.app
+  env    = var.env
 }
 
 module "tfstate_table" {