[GDB-10065] Fix comments

Ontotext-AD · May 7, 2024 · 1c32fc3 · 1c32fc3
1 parent f65469b
commit 1c32fc3
Show file tree

Hide file tree

Showing 16 changed files with 61 additions and 52 deletions.
diff --git a/main.tf b/main.tf
@@ -56,7 +56,7 @@ module "logging_replication" {
   source = "./modules/logging_replication"
 
   providers = {
-    aws.useast1 = aws.useast1
+    aws.bucket_replication_destination_region = aws.bucket_replication_destination_region
   }
 
   count = var.logging_enable_bucket_replication ? 1 : 0
@@ -74,7 +74,7 @@ module "backup_replication" {
   source = "./modules/backup_replication"
 
   providers = {
-    aws.useast1 = aws.useast1
+    aws.bucket_replication_destination_region = aws.bucket_replication_destination_region
   }
 
   count = var.backup_enable_bucket_replication ? 1 : 0
@@ -211,7 +211,7 @@ module "graphdb" {
   # Variables for Backup Bucket IAM Policy
 
   graphdb_backup_bucket_name             = var.deploy_backup ? module.backup[0].bucket_name : ""
-  graphdb_backup_replication_bucket_name = var.deploy_backup && var.backup_enable_bucket_replication ? module.backup_replication[0].graphdb_backup_bucket_name : ""
+  graphdb_backup_replication_bucket_name = var.deploy_backup && var.backup_enable_bucket_replication ? module.backup_replication[0].graphdb_backup_replication_bucket_name : ""
 
   # Variables for Logging Bucket IAM Policy
 

diff --git a/modules/backup_replication/main.tf b/modules/backup_replication/main.tf
@@ -1,17 +1,25 @@
 data "aws_caller_identity" "current" {}
 data "aws_elb_service_account" "elb_account_id" {}
 
-data "aws_region" "current" {}
-
 locals {
   account_id = data.aws_caller_identity.current.account_id
 }
 
 # Backup Replication S3 Bucket
 
 resource "aws_s3_bucket" "graphdb_backup_replication_bucket" {
-  provider = aws.useast1
-  bucket   = "${var.resource_name_prefix}-backups-replication-bucket"
+  provider = aws.bucket_replication_destination_region
+  bucket   = "${var.resource_name_prefix}-backups-replication-bucket-${local.account_id}"
+}
+
+# Explicitly disable public access
+resource "aws_s3_bucket_public_access_block" "graphdb_backup_replication_bucket_public_access_block" {
+  bucket = aws_s3_bucket.graphdb_backup_replication_bucket.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
 }
 
 # Backup Replication S3 Bucket ACL Configuration
@@ -74,7 +82,6 @@ resource "aws_s3_bucket_replication_configuration" "graphdb_backup_bucket_replic
 
     destination {
       bucket        = aws_s3_bucket.graphdb_backup_replication_bucket.arn
-      storage_class = "STANDARD"
     }
   }
 }
@@ -86,7 +93,7 @@ resource "aws_s3_bucket_replication_configuration" "graphdb_backup_replication_b
 
   depends_on = [aws_s3_bucket_versioning.graphdb_backup_replication_versioning]
 
-  provider = aws.useast1
+  provider = aws.bucket_replication_destination_region
 
   bucket = aws_s3_bucket.graphdb_backup_replication_bucket.id
   role   = var.s3_iam_role_arn
@@ -96,7 +103,6 @@ resource "aws_s3_bucket_replication_configuration" "graphdb_backup_replication_b
 
     destination {
       bucket        = var.graphdb_backup_bucket_arn
-      storage_class = "STANDARD"
     }
   }
 }
diff --git a/modules/backup_replication/outputs.tf b/modules/backup_replication/outputs.tf
@@ -1,4 +1,4 @@
-output "graphdb_backup_bucket_name" {
+output "graphdb_backup_replication_bucket_name" {
   description = "Output the bucket name"
   value       = aws_s3_bucket.graphdb_backup_replication_bucket.bucket
 }
diff --git a/modules/backup_replication/variables.tf b/modules/backup_replication/variables.tf
@@ -1,11 +1,6 @@
 variable "resource_name_prefix" {
   description = "Resource name prefix used for tagging and naming AWS resources"
   type        = string
-
-  validation {
-    condition     = can(regex("^[a-zA-Z0-9-]+$", var.resource_name_prefix)) && !can(regex("^-", var.resource_name_prefix))
-    error_message = "Resource name prefix cannot start with a hyphen and can only contain letters, numbers, and hyphens."
-  }
 }
 
 variable "mfa_delete" {

diff --git a/modules/backup_replication/versions.tf b/modules/backup_replication/versions.tf
@@ -5,7 +5,7 @@ terraform {
     aws = {
       source                = "hashicorp/aws"
       version               = "~> 5.15"
-      configuration_aliases = [aws.useast1]
+      configuration_aliases = [aws.bucket_replication_destination_region]
     }
   }
 }
diff --git a/modules/graphdb/iam.tf b/modules/graphdb/iam.tf
@@ -85,9 +85,9 @@ data "aws_iam_policy_document" "graphdb_instance_volume" {
     ]
 
     resources = [
-      "arn:aws:ec2:*:*:volume/*",
-      "arn:aws:ec2:*:*:instance/*",
-      "arn:aws:ec2:*:*:network-interface/*"
+      "arn:aws:ec2:${data.aws_caller_identity.current.account_id}:*:volume/*",
+      "arn:aws:ec2:${data.aws_caller_identity.current.account_id}:*:instance/*",
+      "arn:aws:ec2:${data.aws_caller_identity.current.account_id}:*:network-interface/*"
     ]
   }
 }
@@ -101,8 +101,8 @@ data "aws_iam_policy_document" "graphdb_instance_volume_tagging" {
     ]
 
     resources = [
-      "arn:aws:ec2:*:*:volume/*",
-      "arn:aws:ec2:*:*:snapshot/*"
+      "arn:aws:ec2:${data.aws_caller_identity.current.account_id}:*:volume/*",
+      "arn:aws:ec2:${data.aws_caller_identity.current.account_id}:*:snapshot/*"
     ]
 
     condition {
@@ -241,5 +241,3 @@ resource "aws_iam_role" "graphdb_s3_replication_role" {
   name               = "${var.resource_name_prefix}-replication-role"
   assume_role_policy = data.aws_iam_policy_document.graphdb_s3_assume_role.json
 }
-
-
diff --git a/modules/graphdb/main.tf b/modules/graphdb/main.tf
@@ -6,6 +6,8 @@ data "aws_ec2_instance_type" "graphdb" {
 
 data "aws_default_tags" "current" {}
 
+data "aws_caller_identity" "current" {}
+
 data "aws_ami" "graphdb" {
   count = var.ami_id != null ? 0 : 1
 

diff --git a/modules/load_balancer/main.tf b/modules/load_balancer/main.tf
@@ -66,5 +66,3 @@ resource "aws_lb_listener" "graphdb_tls" {
     target_group_arn = aws_lb_target_group.graphdb_lb_target_group.arn
   }
 }
-
-
diff --git a/modules/load_balancer/variables.tf b/modules/load_balancer/variables.tf
@@ -94,4 +94,3 @@ variable "lb_access_logs_bucket_name" {
   description = "Define name for the bucket where the access logs will be hosted"
   type        = string
 }
-
diff --git a/modules/logging/main.tf b/modules/logging/main.tf
@@ -13,6 +13,16 @@ resource "aws_s3_bucket" "graphdb_logging_bucket" {
   bucket = "${var.resource_name_prefix}-logging-${local.account_id}"
 }
 
+# Explicitly disable public access
+resource "aws_s3_bucket_public_access_block" "graphdb_logging_bucket_public_access_block" {
+  bucket = aws_s3_bucket.graphdb_logging_bucket.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 # Logging S3 Bucket ACL Configuration
 
 resource "aws_s3_bucket_acl" "graphdb_logging_acl" {
@@ -60,10 +70,10 @@ resource "aws_s3_bucket_ownership_controls" "graphdb_logging_ownership_controls"
 
 resource "aws_s3_bucket_policy" "graphdb_elb_s3_bucket_policy" {
   bucket = aws_s3_bucket.graphdb_logging_bucket.id
-  policy = data.aws_iam_policy_document.allow_lb.json
+  policy = data.aws_iam_policy_document.graphdb_allow_log_delivery.json
 }
 
-data "aws_iam_policy_document" "allow_lb" {
+data "aws_iam_policy_document" "graphdb_allow_log_delivery" {
   statement {
     effect = "Allow"
     resources = [
@@ -172,10 +182,3 @@ resource "aws_s3_bucket_lifecycle_configuration" "logs_lifecycle_configuration"
     }
   }
 }
-
-
-
-
-
-
-
diff --git a/modules/logging/variables.tf b/modules/logging/variables.tf
@@ -63,5 +63,3 @@ variable "vpc_flow_logs_expiration_days" {
   description = "Define the days after which the VPC flow logs should be deleted"
   type        = number
 }
-
-
diff --git a/modules/logging_replication/main.tf b/modules/logging_replication/main.tf
@@ -1,17 +1,15 @@
 data "aws_caller_identity" "current" {}
 data "aws_elb_service_account" "elb_account_id" {}
 
-data "aws_region" "current" {}
-
 locals {
   account_id = data.aws_caller_identity.current.account_id
 }
 
 # Logging Replication S3 Bucket
 
 resource "aws_s3_bucket" "graphdb_logging_replication_bucket" {
-  provider = aws.useast1
-  bucket   = "${var.resource_name_prefix}-logs-replicated-bucket"
+  provider = aws.bucket_replication_destination_region
+  bucket   = "${var.resource_name_prefix}-logs-replicated-bucket-${local.account_id}"
 }
 
 # Logging Replication S3 Bucket ACL Configuration
@@ -74,7 +72,6 @@ resource "aws_s3_bucket_replication_configuration" "graphdb_logging_bucket_repli
 
     destination {
       bucket        = aws_s3_bucket.graphdb_logging_replication_bucket.arn
-      storage_class = "STANDARD"
     }
   }
 }
@@ -86,7 +83,7 @@ resource "aws_s3_bucket_replication_configuration" "graphdb_logging_replication_
 
   depends_on = [aws_s3_bucket_versioning.graphdb_logging_replication_versioning]
 
-  provider = aws.useast1
+  provider = aws.bucket_replication_destination_region
 
   bucket = aws_s3_bucket.graphdb_logging_replication_bucket.id
   role   = var.s3_iam_role_arn
@@ -96,7 +93,6 @@ resource "aws_s3_bucket_replication_configuration" "graphdb_logging_replication_
 
     destination {
       bucket        = var.graphdb_logging_bucket_arn
-      storage_class = "STANDARD"
     }
   }
 }
diff --git a/modules/logging_replication/variables.tf b/modules/logging_replication/variables.tf
@@ -38,5 +38,3 @@ variable "graphdb_logging_bucket_arn" {
   type        = string
 }
 
-
-
diff --git a/modules/logging_replication/versions.tf b/modules/logging_replication/versions.tf
@@ -5,7 +5,7 @@ terraform {
     aws = {
       source                = "hashicorp/aws"
       version               = "~> 5.15"
-      configuration_aliases = [aws.useast1]
+      configuration_aliases = [aws.bucket_replication_destination_region]
     }
   }
 }
diff --git a/provider.tf b/provider.tf
@@ -24,3 +24,17 @@ provider "aws" {
     )
   }
 }
+
+provider "aws" {
+  region = var.bucket_replication_destination_region
+  alias = "bucket_replication_destination_region"
+  default_tags {
+    tags = merge(
+      {
+        Release_Name = var.resource_name_prefix
+        Name         = "${var.resource_name_prefix}"
+      },
+      var.common_tags
+    )
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -190,8 +190,6 @@ variable "vpc_flow_logs_lifecycle_rule_status" {
   default     = "Disabled"
 }
 
-
-
 variable "vpc_flow_logs_expiration_days" {
   description = "Define the days after which the VPC flow logs should be deleted"
   type        = number
@@ -369,7 +367,7 @@ variable "deploy_logging_module" {
 }
 
 variable "logging_enable_bucket_replication" {
-  description = "Enable or disable s3 bucket replication"
+  description = "Enable or disable S3 bucket replication"
   type        = bool
   default     = false
 }
@@ -422,7 +420,6 @@ variable "s3_enable_replication_rule" {
   default     = "Disabled"
 }
 
-
 variable "lb_access_logs_lifecycle_rule_status" {
   description = "Define status of the S3 lifecycle rule. Possible options are enabled or disabled."
   type        = string
@@ -440,3 +437,8 @@ variable "lb_access_logs_expiration_days" {
   type        = number
   default     = 14
 }
+
+variable "bucket_replication_destination_region" {
+  description = "Define in which Region should the bucket be replicated"
+  type = string
+}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -66,5 +66,3 @@ resource "aws_lb_listener" "graphdb_tls" {
		target_group_arn = aws_lb_target_group.graphdb_lb_target_group.arn
		}
		}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -94,4 +94,3 @@ variable "lb_access_logs_bucket_name" {
		description = "Define name for the bucket where the access logs will be hosted"
		type = string
		}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -63,5 +63,3 @@ variable "vpc_flow_logs_expiration_days" {
		description = "Define the days after which the VPC flow logs should be deleted"
		type = number
		}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -38,5 +38,3 @@ variable "graphdb_logging_bucket_arn" {
		type = string
		}