diff --git a/main.tf b/main.tf index 89a8929..9aa6a89 100644 --- a/main.tf +++ b/main.tf @@ -56,7 +56,7 @@ module "logging_replication" { source = "./modules/logging_replication" providers = { - aws.useast1 = aws.useast1 + aws.bucket_replication_destination_region = aws.bucket_replication_destination_region } count = var.logging_enable_bucket_replication ? 1 : 0 @@ -74,7 +74,7 @@ module "backup_replication" { source = "./modules/backup_replication" providers = { - aws.useast1 = aws.useast1 + aws.bucket_replication_destination_region = aws.bucket_replication_destination_region } count = var.backup_enable_bucket_replication ? 1 : 0 @@ -211,7 +211,7 @@ module "graphdb" { # Variables for Backup Bucket IAM Policy graphdb_backup_bucket_name = var.deploy_backup ? module.backup[0].bucket_name : "" - graphdb_backup_replication_bucket_name = var.deploy_backup && var.backup_enable_bucket_replication ? module.backup_replication[0].graphdb_backup_bucket_name : "" + graphdb_backup_replication_bucket_name = var.deploy_backup && var.backup_enable_bucket_replication ? module.backup_replication[0].graphdb_backup_replication_bucket_name : "" # Variables for Logging Bucket IAM Policy diff --git a/modules/backup_replication/main.tf b/modules/backup_replication/main.tf index 61fe12d..7286922 100644 --- a/modules/backup_replication/main.tf +++ b/modules/backup_replication/main.tf @@ -1,8 +1,6 @@ data "aws_caller_identity" "current" {} data "aws_elb_service_account" "elb_account_id" {} -data "aws_region" "current" {} - locals { account_id = data.aws_caller_identity.current.account_id } 
@@ -10,8 +8,18 @@ locals { # Backup Replication S3 Bucket resource "aws_s3_bucket" "graphdb_backup_replication_bucket" { - provider = aws.useast1 - bucket = "${var.resource_name_prefix}-backups-replication-bucket" + provider = aws.bucket_replication_destination_region + bucket = "${var.resource_name_prefix}-backups-replication-bucket-${local.account_id}" +} + +# Explicitly disable public access +resource "aws_s3_bucket_public_access_block" "graphdb_backup_replication_bucket_public_access_block" { + bucket = aws_s3_bucket.graphdb_backup_replication_bucket.id + + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true } # Backup Replication S3 Bucket ACL Configuration @@ -74,7 +82,6 @@ resource "aws_s3_bucket_replication_configuration" "graphdb_backup_bucket_replic destination { bucket = aws_s3_bucket.graphdb_backup_replication_bucket.arn - storage_class = "STANDARD" } } } @@ -86,7 +93,7 @@ resource "aws_s3_bucket_replication_configuration" "graphdb_backup_replication_b depends_on = [aws_s3_bucket_versioning.graphdb_backup_replication_versioning] - provider = aws.useast1 + provider = aws.bucket_replication_destination_region bucket = aws_s3_bucket.graphdb_backup_replication_bucket.id role = var.s3_iam_role_arn @@ -96,7 +103,6 @@ resource "aws_s3_bucket_replication_configuration" "graphdb_backup_replication_b destination { bucket = var.graphdb_backup_bucket_arn - storage_class = "STANDARD" } } } diff --git a/modules/backup_replication/outputs.tf b/modules/backup_replication/outputs.tf index 69a69a1..b1fc5cc 100644 --- a/modules/backup_replication/outputs.tf +++ b/modules/backup_replication/outputs.tf @@ -1,4 +1,4 @@ -output "graphdb_backup_bucket_name" { +output "graphdb_backup_replication_bucket_name" { description = "Output the bucket name" value = aws_s3_bucket.graphdb_backup_replication_bucket.bucket } 
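Review bot: The new `aws_s3_bucket_public_access_block` for `graphdb_backup_replication_bucket` has no `provider` argument, so it is managed through the default (source-region) provider while the bucket itself and its replication configuration further down this file use `aws.bucket_replication_destination_region`. Bucket sub-resources are normally managed through the same provider as the bucket; with the region mismatch the apply is likely to fail with a redirect/location error rather than apply the block. Add `provider = aws.bucket_replication_destination_region` as the first argument of the resource, mirroring `aws_s3_bucket_replication_configuration.graphdb_backup_replication_bucket_replication`. The `aws_s3_bucket_acl` resource that follows this hunk is outside it, so I cannot tell whether its ACL conflicts with `ignore_public_acls = true`.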
diff --git a/modules/backup_replication/variables.tf b/modules/backup_replication/variables.tf index 4e6b19f..c736b37 100644 --- a/modules/backup_replication/variables.tf +++ b/modules/backup_replication/variables.tf @@ -1,11 +1,6 @@ variable "resource_name_prefix" { description = "Resource name prefix used for tagging and naming AWS resources" type = string - - validation { - condition = can(regex("^[a-zA-Z0-9-]+$", var.resource_name_prefix)) && !can(regex("^-", var.resource_name_prefix)) - error_message = "Resource name prefix cannot start with a hyphen and can only contain letters, numbers, and hyphens." - } } variable "mfa_delete" { diff --git a/modules/backup_replication/versions.tf b/modules/backup_replication/versions.tf index 98360d2..38634f0 100644 --- a/modules/backup_replication/versions.tf +++ b/modules/backup_replication/versions.tf @@ -5,7 +5,7 @@ terraform { aws = { source = "hashicorp/aws" version = "~> 5.15" - configuration_aliases = [aws.useast1] + configuration_aliases = [aws.bucket_replication_destination_region] } } } diff --git a/modules/graphdb/iam.tf b/modules/graphdb/iam.tf index 591315f..e970e5f 100644 --- a/modules/graphdb/iam.tf +++ b/modules/graphdb/iam.tf @@ -85,9 +85,9 @@ data "aws_iam_policy_document" "graphdb_instance_volume" { ] resources = [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:instance/*", - "arn:aws:ec2:*:*:network-interface/*" + "arn:aws:ec2:${data.aws_caller_identity.current.account_id}:*:volume/*", + "arn:aws:ec2:${data.aws_caller_identity.current.account_id}:*:instance/*", + "arn:aws:ec2:${data.aws_caller_identity.current.account_id}:*:network-interface/*" ] } } @@ -101,8 +101,8 @@ data "aws_iam_policy_document" "graphdb_instance_volume_tagging" { ] resources = [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*" + "arn:aws:ec2:${data.aws_caller_identity.current.account_id}:*:volume/*", + "arn:aws:ec2:${data.aws_caller_identity.current.account_id}:*:snapshot/*" ] condition { 
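Review bot: Removing the `validation` block on `resource_name_prefix` drops the only check in this module that the prefix contains nothing but letters, digits and hyphens, and the value is interpolated into the bucket name in modules/backup_replication/main.tf and into IAM role names in modules/graphdb/iam.tf. If the root module's variable still enforces the same regex this is harmless for the root configuration, but the module can be called on its own; I would keep the block, or at least add to the description `Caller must restrict this to letters, digits and hyphens; the value is used in bucket and IAM role names.` so the relaxation is deliberate and visible.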
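Review bot: The rewritten ARNs put the account ID in the wrong field: an EC2 resource ARN is `arn:aws:ec2:<region>:<account-id>:volume/*`, so `arn:aws:ec2:${data.aws_caller_identity.current.account_id}:*:volume/*` sets the region segment to the account ID and leaves the account segment as `*`. No real volume, instance or network-interface ARN matches that pattern, so the `graphdb_instance_volume` statement effectively grants nothing, and the same applies to the volume/snapshot ARNs in the `graphdb_instance_volume_tagging` hunk that follows. Scoping to the account is the right intent; swap the two segments, e.g. `"arn:aws:ec2:*:${data.aws_caller_identity.current.account_id}:volume/*"`, in all five entries. The `data.aws_caller_identity.current` these reference is added in modules/graphdb/main.tf in this same diff.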
@@ -241,5 +241,3 @@ resource "aws_iam_role" "graphdb_s3_replication_role" { name = "${var.resource_name_prefix}-replication-role" assume_role_policy = data.aws_iam_policy_document.graphdb_s3_assume_role.json } - - diff --git a/modules/graphdb/main.tf b/modules/graphdb/main.tf index 0898dc5..f4337bf 100644 --- a/modules/graphdb/main.tf +++ b/modules/graphdb/main.tf @@ -6,6 +6,8 @@ data "aws_ec2_instance_type" "graphdb" { data "aws_default_tags" "current" {} +data "aws_caller_identity" "current" {} + data "aws_ami" "graphdb" { count = var.ami_id != null ? 0 : 1 diff --git a/modules/load_balancer/main.tf b/modules/load_balancer/main.tf index 525d652..54c85e2 100644 --- a/modules/load_balancer/main.tf +++ b/modules/load_balancer/main.tf @@ -66,5 +66,3 @@ resource "aws_lb_listener" "graphdb_tls" { target_group_arn = aws_lb_target_group.graphdb_lb_target_group.arn } } - - diff --git a/modules/load_balancer/variables.tf b/modules/load_balancer/variables.tf index de9e661..b66c301 100644 --- a/modules/load_balancer/variables.tf +++ b/modules/load_balancer/variables.tf @@ -94,4 +94,3 @@ variable "lb_access_logs_bucket_name" { description = "Define name for the bucket where the access logs will be hosted" type = string } - diff --git a/modules/logging/main.tf b/modules/logging/main.tf index 70f174e..a5b005c 100644 --- a/modules/logging/main.tf +++ b/modules/logging/main.tf @@ -13,6 +13,16 @@ resource "aws_s3_bucket" "graphdb_logging_bucket" { bucket = "${var.resource_name_prefix}-logging-${local.account_id}" } +# Explicitly disable public access +resource "aws_s3_bucket_public_access_block" "graphdb_logging_bucket_public_access_block" { + bucket = aws_s3_bucket.graphdb_logging_bucket.id + + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} + # Logging S3 Bucket ACL Configuration resource "aws_s3_bucket_acl" "graphdb_logging_acl" { 
@@ -60,10 +70,10 @@ resource "aws_s3_bucket_ownership_controls" "graphdb_logging_ownership_controls" resource "aws_s3_bucket_policy" "graphdb_elb_s3_bucket_policy" { bucket = aws_s3_bucket.graphdb_logging_bucket.id - policy = data.aws_iam_policy_document.allow_lb.json + policy = data.aws_iam_policy_document.graphdb_allow_log_delivery.json } -data "aws_iam_policy_document" "allow_lb" { +data "aws_iam_policy_document" "graphdb_allow_log_delivery" { statement { effect = "Allow" resources = [ @@ -172,10 +182,3 @@ resource "aws_s3_bucket_lifecycle_configuration" "logs_lifecycle_configuration" } } } - - - - - - - diff --git a/modules/logging/variables.tf b/modules/logging/variables.tf index 176330d..8ebd088 100644 --- a/modules/logging/variables.tf +++ b/modules/logging/variables.tf @@ -63,5 +63,3 @@ variable "vpc_flow_logs_expiration_days" { description = "Define the days after which the VPC flow logs should be deleted" type = number } - - diff --git a/modules/logging_replication/main.tf b/modules/logging_replication/main.tf index 416305b..55c750d 100644 --- a/modules/logging_replication/main.tf +++ b/modules/logging_replication/main.tf @@ -1,8 +1,6 @@ data "aws_caller_identity" "current" {} data "aws_elb_service_account" "elb_account_id" {} -data "aws_region" "current" {} - locals { account_id = data.aws_caller_identity.current.account_id } @@ -10,8 +8,8 @@ locals { # Logging Replication S3 Bucket resource "aws_s3_bucket" "graphdb_logging_replication_bucket" { - provider = aws.useast1 - bucket = "${var.resource_name_prefix}-logs-replicated-bucket" + provider = aws.bucket_replication_destination_region + bucket = "${var.resource_name_prefix}-logs-replicated-bucket-${local.account_id}" } # Logging Replication S3 Bucket ACL Configuration @@ -74,7 +72,6 @@ resource "aws_s3_bucket_replication_configuration" "graphdb_logging_bucket_repli destination { bucket = aws_s3_bucket.graphdb_logging_replication_bucket.arn - storage_class = "STANDARD" } } } 
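Review bot: `graphdb_logging_replication_bucket` is the only bucket touched by this commit that does not receive an `aws_s3_bucket_public_access_block`; the backup replication bucket (modules/backup_replication/main.tf) and the logging bucket (modules/logging/main.tf) both gain one here. Replicated logs are as sensitive as the source logs, so the destination bucket should get the same four settings, and because it is created through `aws.bucket_replication_destination_region` the block needs that provider too. The `aws_s3_bucket_acl` resource announced by the trailing comment is outside the hunk, so I cannot check it against `ignore_public_acls`.
```hcl
# … unchanged: aws_s3_bucket.graphdb_logging_replication_bucket …

# Explicitly disable public access (same settings as the backup replication bucket)
resource "aws_s3_bucket_public_access_block" "graphdb_logging_replication_bucket_public_access_block" {
  provider = aws.bucket_replication_destination_region
  bucket   = aws_s3_bucket.graphdb_logging_replication_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```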
@@ -86,7 +83,7 @@ resource "aws_s3_bucket_replication_configuration" "graphdb_logging_replication_ depends_on = [aws_s3_bucket_versioning.graphdb_logging_replication_versioning] - provider = aws.useast1 + provider = aws.bucket_replication_destination_region bucket = aws_s3_bucket.graphdb_logging_replication_bucket.id role = var.s3_iam_role_arn @@ -96,7 +93,6 @@ resource "aws_s3_bucket_replication_configuration" "graphdb_logging_replication_ destination { bucket = var.graphdb_logging_bucket_arn - storage_class = "STANDARD" } } } diff --git a/modules/logging_replication/variables.tf b/modules/logging_replication/variables.tf index 0525e41..62f8f5c 100644 --- a/modules/logging_replication/variables.tf +++ b/modules/logging_replication/variables.tf @@ -38,5 +38,3 @@ variable "graphdb_logging_bucket_arn" { type = string } - - diff --git a/modules/logging_replication/versions.tf b/modules/logging_replication/versions.tf index 98360d2..38634f0 100644 --- a/modules/logging_replication/versions.tf +++ b/modules/logging_replication/versions.tf @@ -5,7 +5,7 @@ terraform { aws = { source = "hashicorp/aws" version = "~> 5.15" - configuration_aliases = [aws.useast1] + configuration_aliases = [aws.bucket_replication_destination_region] } } } diff --git a/provider.tf b/provider.tf index b7bd855..c856071 100644 --- a/provider.tf +++ b/provider.tf @@ -24,3 +24,17 @@ provider "aws" { ) } } + +provider "aws" { + region = var.bucket_replication_destination_region + alias = "bucket_replication_destination_region" + default_tags { + tags = merge( + { + Release_Name = var.resource_name_prefix + Name = "${var.resource_name_prefix}" + }, + var.common_tags + ) + } +} diff --git a/variables.tf b/variables.tf index 0376306..0f9a460 100644 --- a/variables.tf +++ b/variables.tf 
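Review bot: `Name = "${var.resource_name_prefix}"` in the new aliased provider wraps a bare variable in an interpolation; `terraform fmt` and `validate` flag this, and `Name = var.resource_name_prefix` is the idiomatic form. The `default_tags` map otherwise appears to duplicate the primary provider's (only its closing lines are visible in the hunk); a shared `locals` map referenced from both `default_tags` blocks would keep the replicated buckets tagged identically to the rest of the deployment when the tags change, though that is optional. A one-line comment such as `# Provider for the replication destination region; used only by the *_replication modules` above the block would also help readers of provider.tf.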
@@ -190,8 +190,6 @@ variable "vpc_flow_logs_lifecycle_rule_status" { default = "Disabled" } - - variable "vpc_flow_logs_expiration_days" { description = "Define the days after which the VPC flow logs should be deleted" type = number @@ -369,7 +367,7 @@ variable "deploy_logging_module" { } variable "logging_enable_bucket_replication" { - description = "Enable or disable s3 bucket replication" + description = "Enable or disable S3 bucket replication" type = bool default = false } @@ -422,7 +420,6 @@ variable "s3_enable_replication_rule" { default = "Disabled" } - variable "lb_access_logs_lifecycle_rule_status" { description = "Define status of the S3 lifecycle rule. Possible options are enabled or disabled." type = string @@ -440,3 +437,8 @@ variable "lb_access_logs_expiration_days" { type = number default = 14 } + +variable "bucket_replication_destination_region" { + description = "Define in which Region should the bucket be replicated" + type = string +}
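Review bot: `bucket_replication_destination_region` has no `default`, but provider.tf evaluates it unconditionally in the new aliased provider, so every root-module user now has to set it even when `logging_enable_bucket_replication` and `backup_enable_bucket_replication` keep their `false` defaults. Either give it a default or say in the description that it is required regardless of the replication flags; a `validation` block on the region format, e.g. `condition = can(regex("^[a-z]{2}(-gov)?-[a-z]+-[0-9]+$", var.bucket_replication_destination_region))`, would also reject typos before the provider is configured, since this value decides where the replicated buckets land. The description would read more clearly as `Region in which the replication destination buckets are created`.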