tf-fix: fixed a number of terraform files for policies (see the list …

…in the commit message) 080, 086, 087, 090, 101, 141, 162, 163, 176, 179, 183, 184, 206, 210, 216, 218, 237, 238, 242, 246, 249, 263, 264, 279, 280, 290, 306, 324, 326, 339, 408, 438, 448, 452, 459, 496, 510, 525, 527, 531, 547, 568, 575, 578, 580, 600, 620, 652, 653, 654, 655, 656, 672, 689, 690, 712, 717, 718, 719, 720, 724, 787, 809, 897, 899, 900, 901, 958, 961, 962, 963, 964, 968
epam · Jul 24, 2023 · 4ed65bc · 4ed65bc
1 parent b86f15e
commit 4ed65bc
Show file tree

Hide file tree

Showing 148 changed files with 1,660 additions and 314 deletions.
diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/s3.tf b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/s3.tf
@@ -1,9 +1,14 @@
 resource "aws_s3_bucket" "this" {
-  bucket        = "080-bucket-green"
+  bucket        = "080-bucket-${random_integer.this.result}-green"
   force_destroy = true
+}
 
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
+
 resource "aws_s3_bucket_policy" "this" {
   bucket = aws_s3_bucket.this.id
   policy = data.aws_iam_policy_document.this.json
@@ -19,7 +24,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions   = ["s3:*"]
-    resources = ["arn:aws:s3:::080-bucket-green/*"]
+    resources = ["${aws_s3_bucket.this.arn}/*"]
     condition {
       test     = "Bool"
       variable = "aws:SecureTransport"

diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/s3.tf b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/s3.tf
@@ -1,4 +1,9 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "080-bucket-red"
+  bucket = "080-bucket-${random_integer.this.result}-red"
   force_destroy = true
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
diff --git a/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/green/certificate.tf b/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/green/certificate.tf
@@ -1,8 +1,22 @@
-###### The step to be done before run infrastructure is to run command below
-# sudo openssl req -x509 -nodes -days 40 -newkey rsa:2048 -keyout private.key -out certificate.crt 
+resource "null_resource" "this" {
+  provisioner "local-exec" {
+    command     = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 20 -newkey rsa:2048 -keyout private.key -out certificate.crt"
+    interpreter = ["/bin/bash", "-c"]
+  }
+}
+
+data "local_file" "certificate" {
+  filename = "certificate.crt"
+  depends_on = [null_resource.this]
+}
+
+data "local_file" "private_key" {
+  filename = "private.key"
+  depends_on = [null_resource.this]
+}
 
 resource "aws_iam_server_certificate" "this" {
   name             = "086_certificate_green"
-  certificate_body = file("certificate.crt")
-  private_key      = file("private.key")
-}
+  certificate_body = data.local_file.certificate.content
+  private_key      = data.local_file.private_key.content
+}
diff --git a/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/red/certificate.tf b/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/red/certificate.tf
@@ -1,8 +1,23 @@
-###### The step to be done before run infrastructure is to run command below
-# sudo openssl req -x509 -nodes -days 20 -newkey rsa:2048 -keyout second-private.key -out second-certificate.crt 
+resource "null_resource" "this" {
+  provisioner "local-exec" {
+    command     = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 20 -newkey rsa:2048 -keyout private.key -out certificate.crt"
+    interpreter = ["/bin/bash", "-c"]
+  }
+}
+
+data "local_file" "certificate" {
+  filename = "certificate.crt"
+  depends_on = [null_resource.this]
+}
+
+data "local_file" "private_key" {
+  filename = "private.key"
+  depends_on = [null_resource.this]
+}
+
 
 resource "aws_iam_server_certificate" "this" {
   name             = "086_certificate_red"
-  certificate_body = file("certificate.crt")
-  private_key      = file("private.key")
-}
+  certificate_body = data.local_file.certificate.content
+  private_key      = data.local_file.private_key.content
+}
diff --git a/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/green/certificate.tf b/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/green/certificate.tf
@@ -1,8 +1,23 @@
-###### The step to be done before run infrastructure is to run command below
-# sudo openssl req -x509 -nodes -days 8 -newkey rsa:2048 -keyout private.key -out certificate.crt 
+resource "null_resource" "this" {
+  provisioner "local-exec" {
+    command     = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 8 -newkey rsa:2048 -keyout private.key -out certificate.crt"
+    interpreter = ["/bin/bash", "-c"]
+  }
+}
+
+data "local_file" "certificate" {
+  filename = "certificate.crt"
+  depends_on = [null_resource.this]
+}
+
+data "local_file" "private_key" {
+  filename = "private.key"
+  depends_on = [null_resource.this]
+}
 
 resource "aws_iam_server_certificate" "this" {
   name             = "087_certificate_green"
-  certificate_body = file("certificate.crt")
-  private_key      = file("private.key")
-}
+  certificate_body = data.local_file.certificate.content
+  private_key      = data.local_file.private_key.content
+
+}
diff --git a/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/red/certificate.tf b/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/red/certificate.tf
@@ -1,8 +1,22 @@
-###### The step to be done before run infrastructure is to run command below
-# sudo openssl req -x509 -nodes -days 4 -newkey rsa:2048 -keyout second-private.key -out second-certificate.crt 
+resource "null_resource" "this" {
+  provisioner "local-exec" {
+    command     = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 4 -newkey rsa:2048 -keyout private.key -out certificate.crt"
+    interpreter = ["/bin/bash", "-c"]
+  }
+}
 
-resource "aws_iam_server_certificate" "this" {
-  name             = "087_certificate_red"
-  certificate_body = file("second-certificate.crt")
-  private_key      = file("second-private.key")
+data "local_file" "certificate" {
+  filename = "certificate.crt"
+  depends_on = [null_resource.this]
+}
+
+data "local_file" "private_key" {
+  filename = "private.key"
+  depends_on = [null_resource.this]
 }
+
+resource "aws_iam_server_certificate" "this" {
+  name             = "086_certificate_red"
+  certificate_body = data.local_file.certificate.content
+  private_key      = data.local_file.private_key.content
+}
diff --git a/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/green/cloudfront.tf b/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/green/cloudfront.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "bucket-090-green"
+  bucket = "090-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
 resource "tls_private_key" "this" {

diff --git a/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/red/cloudfront.tf b/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/red/cloudfront.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "bucket-090-red"
+  bucket = "090-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
 resource "tls_private_key" "this" {

diff --git a/terraform/ecc-aws-101-clb_access_logging_disabled/green/s3.tf b/terraform/ecc-aws-101-clb_access_logging_disabled/green/s3.tf
@@ -1,28 +1,48 @@
 resource "aws_s3_bucket" "this" {
-  bucket        = "101-bucket-green"
+  bucket        = "101-bucket-${random_integer.this.result}-green"
   force_destroy = true
 }
 
-resource "aws_s3_bucket_acl" "this" {
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
   bucket = aws_s3_bucket.this.id
-  acl    = "private"
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
 }
 
-resource "aws_s3_bucket_policy" "allow_access_from_another_account" {
+resource "aws_s3_bucket_acl" "this" {
+  depends_on = [aws_s3_bucket_ownership_controls.this]
+
   bucket = aws_s3_bucket.this.id
-  policy = data.aws_iam_policy_document.this.json
+  acl    = "private"
 }
 
+
+data "aws_elb_service_account" "this" {}
+
 data "aws_iam_policy_document" "this" {
   statement {
+    sid    = "AWSLogDeliveryWrite"
     effect = "Allow"
 
+    actions   = ["s3:PutObject"]
+    resources = ["${aws_s3_bucket.this.arn}/*"]
+
     principals {
-      type        = "*"
-      identifiers = ["*"]
+      type        = "AWS"
+      identifiers = [data.aws_elb_service_account.this.arn]
     }
-
-    actions   = ["s3:PutObject"]
-    resources = ["arn:aws:s3:::101-bucket-green/*"] 
   }
 }
+
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+  policy = data.aws_iam_policy_document.this.json
+}
+
+data "aws_caller_identity" "current" {}
diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/green/s3.tf b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "141-bucket-green"
+  bucket = "141-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {

diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/red/s3.tf b/terraform/ecc-aws-141-s3_encrypted_using_kms/red/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "141-bucket-red"
+  bucket = "141-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {

diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/green/s3.tf b/terraform/ecc-aws-162-s3_bucket_lifecycle/green/s3.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
-  bucket        = "162-bucket-green"
+  bucket        = "162-bucket-${random_integer.this.result}-green"
   force_destroy = "true"
 }
 
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
 resource "aws_s3_bucket_ownership_controls" "this" {
   bucket = aws_s3_bucket.this.id
   rule {
@@ -45,4 +50,4 @@ resource "aws_s3_bucket_lifecycle_configuration" "this" {
       storage_class = "GLACIER"
     }
   }
-}
+}
diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/red/s3.tf b/terraform/ecc-aws-162-s3_bucket_lifecycle/red/s3.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
-  bucket        = "162-bucket-red"
+  bucket        = "162-bucket-${random_integer.this.result}-red"
   force_destroy = "true"
 }
 
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
 resource "aws_s3_bucket_ownership_controls" "this" {
   bucket = aws_s3_bucket.this.id
   rule {

diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/green/s3.tf b/terraform/ecc-aws-163-s3_buckets_without_tags/green/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "163-bucket-green"
+  bucket = "163-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {

diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/red/s3.tf b/terraform/ecc-aws-163-s3_buckets_without_tags/red/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
-  bucket = "163-bucket-red"
+  bucket = "163-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {

diff --git a/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/green/cloudtrail.tf b/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/green/cloudtrail.tf
@@ -7,10 +7,15 @@ resource "aws_cloudtrail" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
-  bucket        = "bucket-176-green"
+  bucket        = "176-bucket-${random_integer.this.result}-green"
   force_destroy = true
 }
 
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
 resource "aws_s3_bucket_policy" "this" {
   bucket = aws_s3_bucket.this.id
   policy = data.aws_iam_policy_document.this.json
@@ -26,7 +31,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:GetBucketAcl"]
-    resources = ["arn:aws:s3:::bucket-176-green"]
+    resources = [aws_s3_bucket.this.arn]
   }
 
   statement {
@@ -38,7 +43,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:PutObject"]
-    resources = ["arn:aws:s3:::bucket-176-green/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+    resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
     condition {
       test     = "StringEquals"
       variable = "s3:x-amz-acl"

diff --git a/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/red/cloudtrail.tf b/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/red/cloudtrail.tf
@@ -7,10 +7,15 @@ resource "aws_cloudtrail" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
-  bucket        = "bucket-176-red"
+  bucket        = "176-bucket-${random_integer.this.result}-red"
   force_destroy = true
 }
 
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
 resource "aws_s3_bucket_policy" "this" {
   bucket = aws_s3_bucket.this.id
   policy = data.aws_iam_policy_document.this.json
@@ -26,7 +31,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:GetBucketAcl"]
-    resources = ["arn:aws:s3:::bucket-176-red"]
+    resources = [aws_s3_bucket.this.arn]
   }
 
   statement {
@@ -38,7 +43,7 @@ data "aws_iam_policy_document" "this" {
     }
 
     actions = ["s3:PutObject"]
-    resources = ["arn:aws:s3:::bucket-176-red/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+    resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
     condition {
       test     = "StringEquals"
       variable = "s3:x-amz-acl"