Merge pull request #3 from grupoboticario/fix/s3

fix - block public access in all options.
grupoboticario · Nov 18, 2022 · 520eb14 · 520eb14
2 parents d90e721 + 4fdfe8f
commit 520eb14
Showing 1 changed file with 26 additions and 28 deletions.
diff --git a/main.tf b/main.tf
@@ -5,8 +5,13 @@
 # Module      : S3 BUCKET
 # Description : Terraform module to create default S3 bucket with logging and encryption
 #               type specific features.
+
+locals {
+  bucket_id = var.create_bucket && var.bucket_enabled ? join("", aws_s3_bucket.s3_default.*.id) : (var.website_hosting_bucket ? join("", aws_s3_bucket.s3_website.*.id) : (var.bucket_logging_enabled ? join("", aws_s3_bucket.s3_logging.*.id) : join("", aws_s3_bucket.s3_encryption.*.id)))
+}
+
 resource "aws_s3_bucket" "s3_default" {
-  count = var.create_bucket && var.bucket_enabled == true ? 1 : 0
+  count = var.create_bucket && var.bucket_enabled && var.encryption_enabled != true ? 1 : 0
 
   bucket        = var.name
   force_destroy = var.force_destroy
@@ -23,10 +28,6 @@ resource "aws_s3_bucket" "s3_default" {
     }
   }
 
-  versioning {
-    enabled = var.versioning
-  }
-
   lifecycle_rule {
     id      = "transition-to-infrequent-access-storage"
     enabled = var.lifecycle_infrequent_storage_transition_enabled
@@ -61,18 +62,10 @@ resource "aws_s3_bucket" "s3_default" {
       days = var.lifecycle_days_to_expiration
     }
   }
-
-  server_side_encryption_configuration {
-    rule {
-      bucket_key_enabled = false
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "AES256"
-      }
-    }
-  }
 
   server_side_encryption_configuration {
     rule {
+      bucket_key_enabled = false
       apply_server_side_encryption_by_default {
         sse_algorithm = "AES256"
       }
@@ -102,10 +95,6 @@ resource "aws_s3_bucket" "s3_website" {
   force_destroy = var.force_destroy
   acl           = var.acl
 
-  versioning {
-    enabled = var.versioning
-  }
-
   website {
     index_document = var.website_index
     error_document = var.website_error
@@ -169,10 +158,6 @@ resource "aws_s3_bucket" "s3_logging" {
   force_destroy = var.force_destroy
   acl           = var.acl
 
-  versioning {
-    enabled = var.versioning
-  }
-
   lifecycle_rule {
     id      = "transition-to-infrequent-access-storage"
     enabled = var.lifecycle_infrequent_storage_transition_enabled
@@ -234,10 +219,6 @@ resource "aws_s3_bucket" "s3_encryption" {
   force_destroy = var.force_destroy
   acl           = var.acl
 
-  versioning {
-    enabled = var.versioning
-  }
-
   lifecycle_rule {
     id      = "transition-to-infrequent-access-storage"
     enabled = var.lifecycle_infrequent_storage_transition_enabled
@@ -296,10 +277,27 @@ resource "aws_s3_bucket_policy" "s3_encryption" {
 }
 
 resource "aws_s3_bucket_public_access_block" "public_access_block" {
-  count                   = var.create_bucket && var.bucket_enabled == true ? 1 : 0
-  bucket                  = aws_s3_bucket.s3_default[count.index].id
+  count                   = var.create_bucket ? 1 : 0
+  bucket                  = local.bucket_id
   block_public_acls       = lookup(var.public_access_block, "block_public_acls", "true")
   block_public_policy     = lookup(var.public_access_block, "block_public_policy", "true")
   ignore_public_acls      = lookup(var.public_access_block, "ignore_public_acls", "true")
   restrict_public_buckets = lookup(var.public_access_block, "restrict_public_buckets", "true")
+
+  depends_on = [
+    local.bucket_id
+  ]
 }
+
+resource "aws_s3_bucket_versioning" "versioning_activate" {
+  count  = var.create_bucket && var.versioning ? 1 : 0
+  bucket = local.bucket_id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+
+  depends_on = [
+    local.bucket_id
+  ]
+}