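# Customer-managed KMS key used as the default encryption key for the S3
# bucket that stores remote Terraform state (see module "states_bucket").
resource "aws_kms_key" "this" {
  description = "Enryption key for S3 remote terraform state"

  # 30 days is the longest waiting period AWS allows before a scheduled
  # deletion takes effect, giving the most time to cancel an accidental or
  # unauthorized deletion of the key that protects the state files.
  deletion_window_in_days = 30

  # Rotate the backing key material automatically once a year. Without this
  # the same key material is used for the lifetime of the key.
  enable_key_rotation = true
}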
# Bucket policy that rejects any S3 request to the state bucket that is not
# made over TLS. It is attached to the bucket via module.states_bucket
# (attach_policy / policy below).
data "aws_iam_policy_document" "force_secure_transport" {
  statement {
    sid = "ForceSecureTransport"

    # Deny every S3 action; an explicit Deny overrides any Allow granted
    # elsewhere (IAM policies, other bucket policy statements).
    actions = ["s3:*"]
    effect  = "Deny"

    # Cover both bucket-level operations (bucket ARN) and object-level
    # operations (objects under the bucket). Both ARNs come from the module
    # output so the policy follows whatever name local.bucket_name resolves to.
    resources = [
      module.states_bucket.s3_bucket_arn,
      "${module.states_bucket.s3_bucket_arn}/*"
    ]

    # aws:SecureTransport is "false" for plain-HTTP requests, so the Deny
    # only fires for requests that did not use TLS.
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }

    # Applies to all principals, anonymous and authenticated alike, including
    # identities in the bucket-owning account.
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}
# S3 bucket holding remote Terraform state: versioned, encrypted with the
# customer-managed KMS key above, closed to public access and restricted to
# TLS-only access by the attached bucket policy.
module "states_bucket" {
  # NOTE(review): no `version` constraint is set, so every `terraform init`
  # resolves the latest release published to the registry. Pin a reviewed
  # release (version = "<PINNED_MODULE_VERSION>") so module code cannot change
  # underneath this configuration without an explicit upgrade.
  source = "terraform-aws-modules/s3-bucket/aws"

  # local.bucket_name is defined outside this file.
  bucket = local.bucket_name

  # Keep every prior version of each state object so a corrupted or
  # accidentally overwritten state file can be recovered.
  versioning = {
    enabled = true
  }

  # Default server-side encryption for all objects, using the customer-managed
  # key aws_kms_key.this rather than the AWS-managed S3 key.
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        kms_master_key_id = aws_kms_key.this.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  # Private ACL plus all four S3 Public Access Block settings enabled: public
  # ACLs and public bucket policies are both rejected and ignored.
  acl                     = "private"
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Attach the deny-non-TLS policy defined in
  # data.aws_iam_policy_document.force_secure_transport.
  attach_policy = true
  policy        = data.aws_iam_policy_document.force_secure_transport.json

  create_bucket = true
}