Merge pull request #1 from grupoboticario/ft/add_aws_s3_bucket_public…

…_access_block Ft/add aws s3 bucket public access block
grupoboticario · Nov 16, 2022 · d90e721 · d90e721
2 parents 9abbd45 + a6bfc73
commit d90e721
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/main.tf b/main.tf
@@ -71,6 +71,14 @@ resource "aws_s3_bucket" "s3_default" {
     }
   }
 
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+
   tags = var.tags
 
 }
@@ -286,3 +294,12 @@ resource "aws_s3_bucket_policy" "s3_encryption" {
   bucket = aws_s3_bucket.s3_encryption[count.index].id
   policy = var.aws_iam_policy_document
 }
+
+resource "aws_s3_bucket_public_access_block" "public_access_block" {
+  count                   = var.create_bucket && var.bucket_enabled == true ? 1 : 0
+  bucket                  = aws_s3_bucket.s3_default[count.index].id
+  block_public_acls       = lookup(var.public_access_block, "block_public_acls", "true")
+  block_public_policy     = lookup(var.public_access_block, "block_public_policy", "true")
+  ignore_public_acls      = lookup(var.public_access_block, "ignore_public_acls", "true")
+  restrict_public_buckets = lookup(var.public_access_block, "restrict_public_buckets", "true")
+}
diff --git a/variables.tf b/variables.tf
@@ -7,13 +7,13 @@ variable "name" {
 }
 
 variable "label_order" {
-  type        = list
+  type        = list(any)
   default     = []
   description = "Label order, e.g. `name`,`application`."
 }
 
 variable "attributes" {
-  type        = list
+  type        = list(any)
   default     = []
   description = "Additional attributes (e.g. `1`)."
 }
@@ -25,7 +25,7 @@ variable "delimiter" {
 }
 
 variable "tags" {
-  type        = map
+  type        = map(any)
   default     = {}
   description = "Additional tags (e.g. map(`BusinessUnit`,`XYZ`)."
 }
@@ -46,7 +46,7 @@ variable "versioning" {
 
 variable "acl" {
   type        = string
-  default     = ""
+  default     = "private"
   description = "Canned ACL to apply to the S3 bucket."
 }
 
@@ -193,4 +193,14 @@ variable "cors_rule_inputs" {
   }))
   default     = null
   description = "Specifies the allowed headers, methods, origins and exposed headers when using CORS on this bucket"
-}
+}
+
+variable "public_access_block" {
+  type = map(any)
+  default = {
+    block_public_acls       = true
+    block_public_policy     = true
+    ignore_public_acls      = true
+    restrict_public_buckets = true
+  }
+}