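locals {
  # Attach a bucket policy only when at least one admin principal was
  # supplied. The comparison already yields a bool, so the original
  # `> 0 ? true : false` ternary was redundant.
  create_bucket_policy = length(var.admin_arns) > 0

  # Values rendered into templates/backend.tf.tmpl by
  # local_file.terraform_backend_config: where the remote state lives and
  # which DynamoDB table provides state locking.
  backend_content = {
    region               = var.region
    bucket               = module.s3_bucket.s3_bucket_id
    terraform_state_file = "tfstate/${var.region}/${var.bucket_prefix}-bucket.tfstate"
    dynamodb_table       = aws_dynamodb_table.dynamodb_terraform_state_lock.id
  }
}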
# Partition of the calling account (e.g. aws, aws-cn, aws-us-gov). Nothing in
# this file reads data.aws_partition.current — presumably another file in the
# module does; verify before removing.
data "aws_partition" "current" {
}
# Customer-managed key used as the bucket's default SSE-KMS key
# (see module "s3_bucket"). No `policy` argument is given, so the
# provider/AWS default key policy applies.
resource "aws_kms_key" "objects" {
  description = "KMS key is used to encrypt bucket objects"
  tags        = var.tags

  # Annual automatic rotation; old material stays available for decryption.
  enable_key_rotation = true

  # 7 days is the shortest window KMS allows. State encrypted under this key
  # is unrecoverable once the key is gone, so a longer window is worth
  # considering for production backends.
  deletion_window_in_days = 7
}
# Customer-managed key for the lock table's server-side encryption
# (see aws_dynamodb_table.dynamodb_terraform_state_lock). Kept separate from
# the bucket key so the two can be rotated or revoked independently.
# No `policy` argument is given, so the provider/AWS default key policy applies.
resource "aws_kms_key" "dynamo" {
  description = "KMS key is used to encrypt dynamodb table"
  tags        = var.tags

  enable_key_rotation = true

  # Shortest window KMS allows; a deleted key makes the table contents
  # unreadable, so consider a longer window for production.
  deletion_window_in_days = 7
}
# Lock table for the S3 backend. Terraform's S3 backend expects a single
# string hash key named "LockID", which is all the schema defines.
resource "aws_dynamodb_table" "dynamodb_terraform_state_lock" {
  # Naming the table after the bucket keeps the two visibly paired and
  # unique without a timestamp suffix (earlier approach kept for reference):
  # name = "${var.dynamodb_table_name}-${formatdate("YYYYMMDDhhmmss", timestamp())}"
  name         = module.s3_bucket.s3_bucket_id
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  tags         = var.tags

  attribute {
    name = "LockID"
    type = "S"
  }

  # Encrypt at rest with the dedicated CMK instead of the AWS-owned key.
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.dynamo.arn
  }

  # Continuous backups so an accidentally deleted or corrupted lock table
  # can be restored to a point in time.
  point_in_time_recovery {
    enabled = true
  }
}
# State bucket. All four public-access-block flags are set and objects are
# encrypted by default with the dedicated CMK. Versioning and access logging
# are configured by separate resources in this file rather than via module
# inputs.
module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "v3.13.0"

  bucket_prefix = var.bucket_prefix
  tags          = var.tags

  # Lets `terraform destroy` remove a non-empty state bucket; caller's choice.
  force_destroy = var.force_destroy

  # Public access block: reject public ACLs/policies and ignore existing ones.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Default SSE-KMS with the customer-managed key. A bucket policy is
  # attached separately by aws_s3_bucket_policy.backend_bucket, so enabling
  # any of this module's attach_*_policy inputs would likely conflict with
  # it (a bucket carries a single policy document).
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = aws_kms_key.objects.arn
      }
    }
  }
}
# Optional versioning on the state bucket. Versioning is what lets a
# clobbered or corrupted state file be rolled back, so leaving it off
# weakens the backend. NOTE(review): flipping var.versioning_enabled to
# false removes this resource; whether the provider then suspends
# versioning on the bucket or merely forgets it — verify against the
# provider docs.
resource "aws_s3_bucket_versioning" "versioning" {
  count  = var.versioning_enabled ? 1 : 0
  bucket = module.s3_bucket.s3_bucket_id

  versioning_configuration {
    status = "Enabled"
  }
}
# Server access logging for the state bucket.
# NOTE(review): two problems with this configuration as written.
#  1. target_bucket is the source bucket itself, so each log delivery is in
#     turn logged; AWS advises against same-bucket logging for this reason.
#  2. The bucket's default encryption is SSE-KMS (module "s3_bucket"), and
#     S3 server access log delivery does not support SSE-KMS target buckets,
#     so logs are likely never delivered — verify in the console/CloudTrail
#     before relying on them.
# The usual fix is a dedicated SSE-S3 log bucket with a grant for the S3
# log delivery principal.
resource "aws_s3_bucket_logging" "logging" {
  bucket        = module.s3_bucket.s3_bucket_id
  target_bucket = module.s3_bucket.s3_bucket_id
  target_prefix = "log/"
}
# Bucket policy rendered from a JSON template; only attached when admin ARNs
# were supplied (local.create_bucket_policy). admin_arns is JSON-encoded
# before substitution so the list lands in the document as a valid JSON
# array rather than an HCL list rendering.
resource "aws_s3_bucket_policy" "backend_bucket" {
  count  = local.create_bucket_policy ? 1 : 0
  bucket = module.s3_bucket.s3_bucket_id

  policy = templatefile("${path.module}/templates/backend_bucket_bucket_policy.json.tpl", {
    s3_bucket_arn = module.s3_bucket.s3_bucket_arn
    admin_arns    = jsonencode(var.admin_arns)
  })
}
# Optionally emit a backend.tf so consumers can point their S3 backend at
# this bucket and lock table. The rendered values (local.backend_content)
# are resource identifiers, not secrets, hence the world-readable mode.
# The filename is relative — presumably resolved from the directory
# Terraform is invoked in; verify if the file turns up elsewhere.
resource "local_file" "terraform_backend_config" {
  count = var.create_backend_file ? 1 : 0

  filename        = "backend.tf"
  file_permission = "0644"
  content         = templatefile("${path.module}/templates/backend.tf.tmpl", local.backend_content)
}