

Release: 1.10.3
AWS committed Apr 26, 2023
1 parent 63f0c3f commit 05992d6
Showing 3 changed files with 39 additions and 3 deletions.
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
1.10.2
1.10.3
14 changes: 12 additions & 2 deletions modules/aft-feature-options/s3.tf
Expand Up @@ -75,6 +75,16 @@ resource "aws_s3_bucket" "aft_access_logs" {
bucket = "${var.log_archive_access_logs_bucket_name}-${var.log_archive_account_id}-${data.aws_region.current.name}"
}

resource "aws_s3_bucket_policy" "aft_access_logs" {
provider = aws.log_archive
bucket = aws_s3_bucket.aft_access_logs.id
policy = templatefile("${path.module}/s3/bucket-policies/aft_access_logs.tpl", {
aws_s3_bucket_aft_access_logs_arn = aws_s3_bucket.aft_access_logs.arn
aws_s3_bucket_aft_logging_bucket_arn = aws_s3_bucket.aft_logging_bucket.arn
log_archive_account_id = var.log_archive_account_id
})
}

resource "aws_s3_bucket_versioning" "aft_access_logs_versioning" {
provider = aws.log_archive
bucket = aws_s3_bucket.aft_access_logs.id
Expand All @@ -83,14 +93,14 @@ resource "aws_s3_bucket_versioning" "aft_access_logs_versioning" {
}
}

#tfsec:ignore:aws-s3-encryption-customer-key
resource "aws_s3_bucket_server_side_encryption_configuration" "aft_access_logs_encryption" {
provider = aws.log_archive
bucket = aws_s3_bucket.aft_access_logs.id

rule {
apply_server_side_encryption_by_default {
kms_master_key_id = var.aft_kms_key_id
sse_algorithm = "aws:kms"
sse_algorithm = "AES256"
}
}
}
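Review bot: The new `#tfsec:ignore:aws-s3-encryption-customer-key` on `aft_access_logs_encryption` carries no justification, and the move from `aws:kms` with `var.aft_kms_key_id` to `AES256` is a genuine reduction in key control that a later maintainer will be tempted to revert. Put the reason beside the suppression, e.g. `# S3 server access logging only delivers to a target bucket whose default encryption is SSE-S3 (AES256); SSE-KMS is not supported for the log destination, so the AFT KMS key cannot be used here.` Note that the default-encryption change applies only to newly written objects, so existing log objects stay encrypted under the previous KMS key and the bucket will hold a mix until they age out. It is not visible in this diff whether `var.aft_kms_key_id` is still consumed elsewhere in the module; if this was its only reference, the variable is now dead and should be flagged. Both resources touched by these hunks are complete within the section.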
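--- /dev/null
+++ b/modules/aft-feature-options/s3/bucket-policies/aft_access_logs.tpl
@@ -0,0 +1,26 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "Allow PutObject",
+"Effect": "Allow",
+"Principal": {
+"Service": [
+"logging.s3.amazonaws.com"
+]
+},
+"Action": "s3:PutObject",
+"Resource": [
+"${aws_s3_bucket_aft_access_logs_arn}/*"
+],
+"Condition": {
+"ArnLike": {
+"aws:SourceArn": "${aws_s3_bucket_aft_logging_bucket_arn}"
+},
+"StringEquals": {
+"aws:SourceAccount": "${log_archive_account_id}"
+}
+}
+}
+]
+}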
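Review bot: The policy contains only the log-delivery Allow statement and no Deny for `"aws:SecureTransport": "false"` on the bucket and its objects, so unless an equivalent statement is attached elsewhere in the module (not visible in this diff) the access-log bucket remains reachable over plaintext; a `Deny` on `s3:*` for both `${aws_s3_bucket_aft_access_logs_arn}` and `${aws_s3_bucket_aft_access_logs_arn}/*` with that condition would close it. Because `aws_s3_bucket_policy` replaces the whole bucket policy, any statement previously attached to this bucket outside Terraform is dropped by this change. The `aws:SourceArn` (`ArnLike`) and `aws:SourceAccount` conditions correctly confine the `logging.s3.amazonaws.com` principal to deliveries from `aft_logging_bucket` in the log-archive account, which is the confused-deputy guard one wants here. Since the interpolated values are Terraform-managed ARNs and an account ID rather than user input, string templating into JSON is acceptable, though rendering the document with `jsonencode` in HCL would guarantee well-formed JSON if the template grows.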
