Updated buckets

epam · Jul 17, 2023 · 3399de6 · 3399de6
1 parent d199134
commit 3399de6
Show file tree

Hide file tree

Showing 209 changed files with 2,175 additions and 551 deletions.
diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/s3.tf b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/s3.tf
@@ -1,9 +1,14 @@
 resource "aws_s3_bucket" "this" {
-  bucket        = "080-bucket-green"
+  bucket        = "080-bucket-${random_integer.this.result}-green"
   force_destroy = true
+}
 
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
+
 resource "aws_s3_bucket_policy" "this" {
   bucket = aws_s3_bucket.this.id
   policy = data.aws_iam_policy_document.this.json
@@ -19,7 +24,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions   = ["s3:*"]
-    resources = ["arn:aws:s3:::080-bucket-green/*"]
+    resources = ["${aws_s3_bucket.this.arn}/*"]
     condition {
       test     = "Bool"
       variable = "aws:SecureTransport"

diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/s3.tf b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/s3.tf
@@ -1,4 +1,9 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "080-bucket-red"
+  bucket = "080-bucket-${random_integer.this.result}-red"
   force_destroy = true
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
diff --git a/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/green/cloudfront.tf b/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/green/cloudfront.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "bucket-090-green"
+  bucket = "bucket-090-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
 resource "tls_private_key" "this" {

diff --git a/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/red/cloudfront.tf b/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/red/cloudfront.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "bucket-090-red"
+  bucket = "bucket-090-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
 resource "tls_private_key" "this" {

diff --git a/terraform/ecc-aws-101-clb_access_logging_disabled/green/s3.tf b/terraform/ecc-aws-101-clb_access_logging_disabled/green/s3.tf
@@ -1,28 +1,48 @@
 resource "aws_s3_bucket" "this" {
-  bucket        = "101-bucket-green"
+  bucket        = "101-bucket-${random_integer.this.result}-green"
   force_destroy = true
 }
 
-resource "aws_s3_bucket_acl" "this" {
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
   bucket = aws_s3_bucket.this.id
-  acl    = "private"
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
 }
 
-resource "aws_s3_bucket_policy" "allow_access_from_another_account" {
+resource "aws_s3_bucket_acl" "this" {
+  depends_on = [aws_s3_bucket_ownership_controls.this]
+
   bucket = aws_s3_bucket.this.id
-  policy = data.aws_iam_policy_document.this.json
+  acl    = "private"
 }
 
+
+data "aws_elb_service_account" "this" {}
+
 data "aws_iam_policy_document" "this" {
   statement {
+    sid    = "AWSLogDeliveryWrite"
     effect = "Allow"
 
+    actions   = ["s3:PutObject"]
+    resources = ["${aws_s3_bucket.this.arn}/*"]
+
     principals {
-      type        = "*"
-      identifiers = ["*"]
+      type        = "AWS"
+      identifiers = [data.aws_elb_service_account.this.arn]
     }
-
-    actions   = ["s3:PutObject"]
-    resources = ["arn:aws:s3:::101-bucket-green/*"] 
   }
 }
+
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+  policy = data.aws_iam_policy_document.this.json
+}
+
+data "aws_caller_identity" "current" {}
diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/green/s3.tf b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "141-bucket-green"
+  bucket = "141-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {

diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/red/s3.tf b/terraform/ecc-aws-141-s3_encrypted_using_kms/red/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "141-bucket-red"
+  bucket = "141-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {

diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/green/s3.tf b/terraform/ecc-aws-162-s3_bucket_lifecycle/green/s3.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
-  bucket        = "162-bucket-green"
+  bucket        = "162-bucket-${random_integer.this.result}-green"
   force_destroy = "true"
 }
 
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
 resource "aws_s3_bucket_ownership_controls" "this" {
   bucket = aws_s3_bucket.this.id
   rule {
@@ -32,7 +37,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "this" {
         prefix = "log/"
 
 		tags = {
-          CustodianRule    = "ecc-aws-162-s3_bucket_lifecycle"
+          CustodianRule    = "epam-aws-162-s3_bucket_lifecycle"
           ComplianceStatus = "Green"
         }
       }
@@ -45,4 +50,4 @@ resource "aws_s3_bucket_lifecycle_configuration" "this" {
       storage_class = "GLACIER"
     }
   }
-}
+}
diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/red/s3.tf b/terraform/ecc-aws-162-s3_bucket_lifecycle/red/s3.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
-  bucket        = "162-bucket-red"
+  bucket        = "162-bucket-${random_integer.this.result}-red"
   force_destroy = "true"
 }
 
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
 resource "aws_s3_bucket_ownership_controls" "this" {
   bucket = aws_s3_bucket.this.id
   rule {

diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/green/s3.tf b/terraform/ecc-aws-163-s3_buckets_without_tags/green/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "163-bucket-green"
+  bucket = "163-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {

diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/red/s3.tf b/terraform/ecc-aws-163-s3_buckets_without_tags/red/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "163-bucket-red"
+  bucket = "163-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {

diff --git a/terraform/ecc-aws-175-cloudtrail_enabled_in_all_regions/green/cloudtrail.tf b/terraform/ecc-aws-175-cloudtrail_enabled_in_all_regions/green/cloudtrail.tf
@@ -8,10 +8,15 @@ resource "aws_cloudtrail" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
-  bucket        = "bucket-175-green"
+  bucket        = "175-bucket-${random_integer.this.result}-green"
   force_destroy = true
 }
 
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
 resource "aws_s3_bucket_policy" "this" {
   bucket = aws_s3_bucket.this.id
   policy = data.aws_iam_policy_document.this.json
@@ -27,7 +32,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:GetBucketAcl"]
-    resources = ["arn:aws:s3:::bucket-175-green"]
+    resources = [aws_s3_bucket.this.arn]
   }
 
   statement {
@@ -39,7 +44,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:PutObject"]
-    resources = ["arn:aws:s3:::bucket-175-green/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+    resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
     condition {
       test     = "StringEquals"
       variable = "s3:x-amz-acl"

diff --git a/terraform/ecc-aws-175-cloudtrail_enabled_in_all_regions/green1/cloudtrail.tf b/terraform/ecc-aws-175-cloudtrail_enabled_in_all_regions/green1/cloudtrail.tf
@@ -14,8 +14,13 @@ resource "aws_cloudtrail" "this" {
   }
 }
 
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
 resource "aws_s3_bucket" "this" {
-  bucket        = "bucket-175-green1"
+  bucket        = "175-bucket-${random_integer.this.result}-green1"
   force_destroy = true
 }
 
@@ -34,7 +39,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:GetBucketAcl"]
-    resources = ["arn:aws:s3:::bucket-175-green1"]
+    resources = [aws_s3_bucket.this.arn]
   }
 
   statement {
@@ -46,7 +51,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:PutObject"]
-    resources = ["arn:aws:s3:::bucket-175-green1/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+    resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
     condition {
       test     = "StringEquals"
       variable = "s3:x-amz-acl"

diff --git a/terraform/ecc-aws-175-cloudtrail_enabled_in_all_regions/red/cloudtrail.tf b/terraform/ecc-aws-175-cloudtrail_enabled_in_all_regions/red/cloudtrail.tf
@@ -9,7 +9,7 @@ resource "aws_cloudtrail" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
-  bucket        = "bucket-175-red"
+  bucket        = "175-bucket-${random_integer.this.result}-red"
   force_destroy = true
 }
 
@@ -28,7 +28,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:GetBucketAcl"]
-    resources = ["arn:aws:s3:::bucket-175-red"]
+    resources = [aws_s3_bucket.this.arn]
   }
 
   statement {
@@ -40,7 +40,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:PutObject"]
-    resources = ["arn:aws:s3:::bucket-175-red/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+    resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
     condition {
       test     = "StringEquals"
       variable = "s3:x-amz-acl"

diff --git a/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/green/cloudtrail.tf b/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/green/cloudtrail.tf
@@ -7,10 +7,15 @@ resource "aws_cloudtrail" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
-  bucket        = "bucket-176-green"
+  bucket        = "176-bucket-${random_integer.this.result}-green"
   force_destroy = true
 }
 
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
 resource "aws_s3_bucket_policy" "this" {
   bucket = aws_s3_bucket.this.id
   policy = data.aws_iam_policy_document.this.json
@@ -26,7 +31,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:GetBucketAcl"]
-    resources = ["arn:aws:s3:::bucket-176-green"]
+    resources = [aws_s3_bucket.this.arn]
   }
 
   statement {
@@ -38,7 +43,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:PutObject"]
-    resources = ["arn:aws:s3:::bucket-176-green/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+    resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
     condition {
       test     = "StringEquals"
       variable = "s3:x-amz-acl"

diff --git a/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/red/cloudtrail.tf b/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/red/cloudtrail.tf
@@ -7,10 +7,15 @@ resource "aws_cloudtrail" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
-  bucket        = "bucket-176-red"
+  bucket        = "176-bucket-${random_integer.this.result}-red"
   force_destroy = true
 }
 
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
 resource "aws_s3_bucket_policy" "this" {
   bucket = aws_s3_bucket.this.id
   policy = data.aws_iam_policy_document.this.json
@@ -26,7 +31,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:GetBucketAcl"]
-    resources = ["arn:aws:s3:::bucket-176-red"]
+    resources = [aws_s3_bucket.this.arn]
   }
 
   statement {
@@ -38,7 +43,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:PutObject"]
-    resources = ["arn:aws:s3:::bucket-176-red/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+    resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
     condition {
       test     = "StringEquals"
       variable = "s3:x-amz-acl"