-
Notifications
You must be signed in to change notification settings - Fork 67
/
main.tf
104 lines (85 loc) · 2.1 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
resource "aws_s3_bucket" "bucket" {
bucket = lower("${var.name}-rke2")
force_destroy = true
tags = merge({}, var.tags)
}
resource "aws_s3_bucket_ownership_controls" "bucket_ownership_controls" {
bucket = aws_s3_bucket.bucket.id
rule {
object_ownership = "BucketOwnerPreferred"
}
depends_on = [
aws_s3_bucket.bucket
]
}
resource "aws_s3_bucket_acl" "acl" {
count = var.create_acl ? 1 : 0
bucket = aws_s3_bucket.bucket.id
acl = "private"
depends_on = [
aws_s3_bucket_ownership_controls.bucket_ownership_controls
]
}
resource "aws_s3_bucket_server_side_encryption_configuration" "ssec" {
bucket = aws_s3_bucket.bucket.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
resource "aws_s3_object" "token" {
bucket = aws_s3_bucket.bucket.id
key = "token"
content_type = "text/plain"
content = var.token
server_side_encryption = "aws:kms"
}
data "aws_iam_policy_document" "getter" {
statement {
effect = "Allow"
actions = ["s3:GetObject"]
resources = [
"${aws_s3_bucket.bucket.arn}/${aws_s3_object.token.id}",
]
}
}
data "aws_iam_policy_document" "setter" {
statement {
effect = "Allow"
actions = ["s3:PutObject"]
resources = [
"${aws_s3_bucket.bucket.arn}/rke2.yaml",
]
}
}
data "aws_iam_policy_document" "deny_insecure_transport" {
count = var.attach_deny_insecure_transport_policy ? 1 : 0
statement {
sid = "denyInsecureTransport"
effect = "Deny"
actions = [
"s3:*",
]
resources = [
aws_s3_bucket.bucket.arn,
"${aws_s3_bucket.bucket.arn}/*",
]
principals {
type = "*"
identifiers = ["*"]
}
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = [
"false"
]
}
}
}
resource "aws_s3_bucket_policy" "this" {
count = var.attach_deny_insecure_transport_policy ? 1 : 0
bucket = aws_s3_bucket.bucket.id
policy = data.aws_iam_policy_document.deny_insecure_transport[0].json
}