diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/s3.tf b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/s3.tf
index 841eba4a4..c3c7eb5f8 100644
--- a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/s3.tf
+++ b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/green/s3.tf
@@ -1,9 +1,14 @@
 resource "aws_s3_bucket" "this" {
- bucket = "080-bucket-green"
+ bucket = "080-bucket-${random_integer.this.result}-green"
 force_destroy = true
+}
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
@@ -19,7 +24,7 @@ data "aws_iam_policy_document" "this" {
 }
 actions = ["s3:*"]
- resources = ["arn:aws:s3:::080-bucket-green/*"]
+ resources = ["${aws_s3_bucket.this.arn}/*"]
 condition {
 test = "Bool"
 variable = "aws:SecureTransport"
diff --git a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/s3.tf b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/s3.tf
index 60320e8eb..5c9e1e27b 100644
--- a/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/s3.tf
+++ b/terraform/ecc-aws-080-bucket_policy_allows_https_requests/red/s3.tf
@@ -1,4 +1,9 @@
 resource "aws_s3_bucket" "this" {
- bucket = "080-bucket-red"
+ bucket = "080-bucket-${random_integer.this.result}-red"
 force_destroy = true
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/green/certificate.tf b/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/green/certificate.tf
index 6dcb11bdf..4a7056060 100644
--- a/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/green/certificate.tf
+++ b/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/green/certificate.tf
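Review bot: The rewritten `resources` line in the `@@ -19,7 +24,7 @@` hunk of green/s3.tf scopes the `aws:SecureTransport` statement to objects only (`${aws_s3_bucket.this.arn}/*`), so bucket-level operations such as ListBucket over plain HTTP fall outside the statement. The statement's effect is outside the hunk; if it is the Deny that rule 080 expects, list both ARNs: `resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"]`. The enclosing `data "aws_iam_policy_document" "this"` block starts and ends outside the hunk.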
@@ -1,8 +1,22 @@
-###### The step to be done before run infrastructure is to run command below
-# sudo openssl req -x509 -nodes -days 40 -newkey rsa:2048 -keyout private.key -out certificate.crt
+resource "null_resource" "this" {
+ provisioner "local-exec" {
+ command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 20 -newkey rsa:2048 -keyout private.key -out certificate.crt"
+ interpreter = ["/bin/bash", "-c"]
+ }
+}
+
+data "local_file" "certificate" {
+ filename = "certificate.crt"
+ depends_on = [null_resource.this]
+}
+
+data "local_file" "private_key" {
+ filename = "private.key"
+ depends_on = [null_resource.this]
+}
 resource "aws_iam_server_certificate" "this" {
 name = "086_certificate_green"
- certificate_body = file("certificate.crt")
- private_key = file("private.key")
-}
+ certificate_body = data.local_file.certificate.content
+ private_key = data.local_file.private_key.content
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/red/certificate.tf b/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/red/certificate.tf
index e0d1e381b..fdde11eea 100644
--- a/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/red/certificate.tf
+++ b/terraform/ecc-aws-086_iam_ssl_or_tls_certificates_expire_in_one_month/red/certificate.tf
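Review bot: The new `command` line generates the green certificate with `-days 20`, while the comment it replaces said `-days 40` and the red/086 variant also uses `-days 20`, so green and red are now indistinguishable for a check that flags certificates expiring within one month; the green case needs a validity comfortably above 30 days, e.g. `-days 40`. The `local-exec` approach also writes `private.key` into the module directory and reads it back through `data.local_file.private_key.content`, which is not a sensitive attribute, so the private key is printed in plan output and stored unredacted in state, and it relies on `echo -e` to answer the interactive `openssl req` prompts instead of passing `-subj`. The same pattern is repeated in red/086, green/087 and red/087 certificate.tf. Since this commit already uses the tls provider (`tls_private_key` in the 090 cloudfront.tf hunks), generating the key and a self-signed certificate in Terraform removes the shell-out, the files on disk and both `local_file` data sources, as sketched below (`validity_period_hours` is in hours, so 40 days is `40 * 24`; the CN is a constructed placeholder).
```hcl
resource "tls_private_key" "this" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_self_signed_cert" "this" {
  private_key_pem       = tls_private_key.this.private_key_pem
  validity_period_hours = 40 * 24 # green fixture: must not expire within one month
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]

  subject {
    common_name = "086-certificate-green" # placeholder CN
  }
}

resource "aws_iam_server_certificate" "this" {
  name             = "086_certificate_green"
  certificate_body = tls_self_signed_cert.this.cert_pem
  private_key      = tls_private_key.this.private_key_pem
}
```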
@@ -1,8 +1,23 @@
-###### The step to be done before run infrastructure is to run command below
-# sudo openssl req -x509 -nodes -days 20 -newkey rsa:2048 -keyout second-private.key -out second-certificate.crt
+resource "null_resource" "this" {
+ provisioner "local-exec" {
+ command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 20 -newkey rsa:2048 -keyout private.key -out certificate.crt"
+ interpreter = ["/bin/bash", "-c"]
+ }
+}
+
+data "local_file" "certificate" {
+ filename = "certificate.crt"
+ depends_on = [null_resource.this]
+}
+
+data "local_file" "private_key" {
+ filename = "private.key"
+ depends_on = [null_resource.this]
+}
+
 resource "aws_iam_server_certificate" "this" {
 name = "086_certificate_red"
- certificate_body = file("certificate.crt")
- private_key = file("private.key")
-}
+ certificate_body = data.local_file.certificate.content
+ private_key = data.local_file.private_key.content
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/green/certificate.tf b/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/green/certificate.tf
index 7948899e5..e3f38d2d9 100644
--- a/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/green/certificate.tf
+++ b/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/green/certificate.tf
@@ -1,8 +1,23 @@
-###### The step to be done before run infrastructure is to run command below
-# sudo openssl req -x509 -nodes -days 8 -newkey rsa:2048 -keyout private.key -out certificate.crt
+resource "null_resource" "this" {
+ provisioner "local-exec" {
+ command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 8 -newkey rsa:2048 -keyout private.key -out certificate.crt"
+ interpreter = ["/bin/bash", "-c"]
+ }
+}
+
+data "local_file" "certificate" {
+ filename = "certificate.crt"
+ depends_on = [null_resource.this]
+}
+
+data "local_file" "private_key" {
+ filename = "private.key"
+ depends_on = [null_resource.this]
+}
 resource "aws_iam_server_certificate" "this" {
 name = "087_certificate_green"
- certificate_body = file("certificate.crt")
- private_key = file("private.key")
-}
+ certificate_body = data.local_file.certificate.content
+ private_key = data.local_file.private_key.content
+
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/red/certificate.tf b/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/red/certificate.tf
index 7b67b1b5f..2bd3281d3 100644
--- a/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/red/certificate.tf
+++ b/terraform/ecc-aws-087_iam_ssl_or_tls_certificates_expire_in_one_week/red/certificate.tf
@@ -1,8 +1,22 @@
-###### The step to be done before run infrastructure is to run command below
-# sudo openssl req -x509 -nodes -days 4 -newkey rsa:2048 -keyout second-private.key -out second-certificate.crt
+resource "null_resource" "this" {
+ provisioner "local-exec" {
+ command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 4 -newkey rsa:2048 -keyout private.key -out certificate.crt"
+ interpreter = ["/bin/bash", "-c"]
+ }
+}
-resource "aws_iam_server_certificate" "this" {
- name = "087_certificate_red"
- certificate_body = file("second-certificate.crt")
- private_key = file("second-private.key")
+data "local_file" "certificate" {
+ filename = "certificate.crt"
+ depends_on = [null_resource.this]
+}
+
+data "local_file" "private_key" {
+ filename = "private.key"
+ depends_on = [null_resource.this]
 }
+
+resource "aws_iam_server_certificate" "this" {
+ name = "086_certificate_red"
+ certificate_body = data.local_file.certificate.content
+ private_key = data.local_file.private_key.content
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/green/cloudfront.tf b/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/green/cloudfront.tf
index 36c27317e..b88bbc3cf 100644
--- a/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/green/cloudfront.tf
+++ b/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/green/cloudfront.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-090-green"
+ bucket = "090-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 resource "tls_private_key" "this" {
diff --git a/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/red/cloudfront.tf b/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/red/cloudfront.tf
index fb333e4f5..479dc3cf3 100644
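Review bot: The rebuilt `aws_iam_server_certificate` block in red/087 certificate.tf sets `name = "086_certificate_red"`, but this is the red case of rule 087 and the removed line carried `087_certificate_red`; this looks like a copy-paste from the 086 file and should go back to `name = "087_certificate_red"`. Left as is, the 086 and 087 red fixtures both claim the same IAM server-certificate name, which also collides if they are ever applied in the same account. The certificate-generation pattern itself is reviewed on the green/086 hunk.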
--- a/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/red/cloudfront.tf
+++ b/terraform/ecc-aws-090-use_secure_ciphers_in_cloudfront_distribution/red/cloudfront.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-090-red"
+ bucket = "090-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 resource "tls_private_key" "this" {
diff --git a/terraform/ecc-aws-101-clb_access_logging_disabled/green/s3.tf b/terraform/ecc-aws-101-clb_access_logging_disabled/green/s3.tf
index 49aca68fb..55658fce4 100644
--- a/terraform/ecc-aws-101-clb_access_logging_disabled/green/s3.tf
+++ b/terraform/ecc-aws-101-clb_access_logging_disabled/green/s3.tf
@@ -1,28 +1,48 @@
 resource "aws_s3_bucket" "this" {
- bucket = "101-bucket-green"
+ bucket = "101-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
-resource "aws_s3_bucket_acl" "this" {
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
 bucket = aws_s3_bucket.this.id
- acl = "private"
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
-resource "aws_s3_bucket_policy" "allow_access_from_another_account" {
+resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
- policy = data.aws_iam_policy_document.this.json
+ acl = "private"
 }
+
+data "aws_elb_service_account" "this" {}
+
 data "aws_iam_policy_document" "this" {
 statement {
+ sid = "AWSLogDeliveryWrite"
 effect = "Allow"
+ actions = ["s3:PutObject"]
+ resources = ["${aws_s3_bucket.this.arn}/*"]
+
 principals {
- type = "*"
- identifiers = ["*"]
+ type = "AWS"
+ identifiers = [data.aws_elb_service_account.this.arn]
 }
-
- actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::101-bucket-green/*"]
 }
 }
+
+resource "aws_s3_bucket_policy" "this" {
+ bucket = aws_s3_bucket.this.id
+ policy = data.aws_iam_policy_document.this.json
+}
+
+data "aws_caller_identity" "current" {}
diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/green/s3.tf b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/s3.tf
index 48f67314a..db411c9d4 100644
--- a/terraform/ecc-aws-141-s3_encrypted_using_kms/green/s3.tf
+++ b/terraform/ecc-aws-141-s3_encrypted_using_kms/green/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
- bucket = "141-bucket-green"
+ bucket = "141-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 resource "aws_s3_bucket_ownership_controls" "this" {
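Review bot: `data "aws_caller_identity" "current" {}` is appended at the end of the green/s3.tf hunk but nothing in the rewritten policy document references it, so it is either dead or was meant to scope the log-delivery statement. The `AWSLogDeliveryWrite` statement grants `s3:PutObject` on `${aws_s3_bucket.this.arn}/*`; classic ELB access logs are written under an `AWSLogs/<account-id>/` prefix, so `resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]` would both use the data source and match the prefix-scoped pattern the CloudTrail bucket policies elsewhere in this commit already follow. Replacing the `*` principal with the regional ELB service-account ARN is the right direction for a green fixture.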
diff --git a/terraform/ecc-aws-141-s3_encrypted_using_kms/red/s3.tf b/terraform/ecc-aws-141-s3_encrypted_using_kms/red/s3.tf
index 48b483f91..1e57478a8 100644
--- a/terraform/ecc-aws-141-s3_encrypted_using_kms/red/s3.tf
+++ b/terraform/ecc-aws-141-s3_encrypted_using_kms/red/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
- bucket = "141-bucket-red"
+ bucket = "141-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 resource "aws_s3_bucket_ownership_controls" "this" {
diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/green/s3.tf b/terraform/ecc-aws-162-s3_bucket_lifecycle/green/s3.tf
index 31ae037de..879ce8f62 100644
--- a/terraform/ecc-aws-162-s3_bucket_lifecycle/green/s3.tf
+++ b/terraform/ecc-aws-162-s3_bucket_lifecycle/green/s3.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "162-bucket-green"
+ bucket = "162-bucket-${random_integer.this.result}-green"
 force_destroy = "true"
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_ownership_controls" "this" {
 bucket = aws_s3_bucket.this.id
 rule {
@@ -45,4 +50,4 @@ resource "aws_s3_bucket_lifecycle_configuration" "this" {
 storage_class = "GLACIER"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/terraform/ecc-aws-162-s3_bucket_lifecycle/red/s3.tf b/terraform/ecc-aws-162-s3_bucket_lifecycle/red/s3.tf
index edb5135ca..2799f2c4c 100644
--- a/terraform/ecc-aws-162-s3_bucket_lifecycle/red/s3.tf
+++ b/terraform/ecc-aws-162-s3_bucket_lifecycle/red/s3.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "162-bucket-red"
+ bucket = "162-bucket-${random_integer.this.result}-red"
 force_destroy = "true"
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_ownership_controls" "this" {
 bucket = aws_s3_bucket.this.id
 rule {
diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/green/s3.tf b/terraform/ecc-aws-163-s3_buckets_without_tags/green/s3.tf
index 466fe39eb..3fbd6e5fa 100644
--- a/terraform/ecc-aws-163-s3_buckets_without_tags/green/s3.tf
+++ b/terraform/ecc-aws-163-s3_buckets_without_tags/green/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
- bucket = "163-bucket-green"
+ bucket = "163-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 resource "aws_s3_bucket_ownership_controls" "this" {
diff --git a/terraform/ecc-aws-163-s3_buckets_without_tags/red/s3.tf b/terraform/ecc-aws-163-s3_buckets_without_tags/red/s3.tf
index 171ef2534..4c94ad285 100644
--- a/terraform/ecc-aws-163-s3_buckets_without_tags/red/s3.tf
+++ b/terraform/ecc-aws-163-s3_buckets_without_tags/red/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
- bucket = "163-bucket-red"
+ bucket = "163-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 resource "aws_s3_bucket_ownership_controls" "this" {
diff --git a/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/green/cloudtrail.tf b/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/green/cloudtrail.tf
index d86f3d095..dac056b14 100644
--- a/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/green/cloudtrail.tf
+++ b/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/green/cloudtrail.tf
@@ -7,10 +7,15 @@ resource "aws_cloudtrail" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-176-green"
+ bucket = "176-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
@@ -26,7 +31,7 @@ data "aws_iam_policy_document" "this" {
 }
 actions = ["s3:GetBucketAcl"]
- resources = ["arn:aws:s3:::bucket-176-green"]
+ resources = [aws_s3_bucket.this.arn]
 }
 statement {
@@ -38,7 +43,7 @@ data "aws_iam_policy_document" "this" {
 }
 actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::bucket-176-green/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+ resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
 condition {
 test = "StringEquals"
 variable = "s3:x-amz-acl"
diff --git a/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/red/cloudtrail.tf b/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/red/cloudtrail.tf
index 18fe0e6c5..61a0c0fca 100644
--- a/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/red/cloudtrail.tf
+++ b/terraform/ecc-aws-176-cloudtrail_log_validation_enabled/red/cloudtrail.tf
@@ -7,10 +7,15 @@ resource "aws_cloudtrail" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-176-red"
+ bucket = "176-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
@@ -26,7 +31,7 @@ data "aws_iam_policy_document" "this" {
 }
 actions = ["s3:GetBucketAcl"]
- resources = ["arn:aws:s3:::bucket-176-red"]
+ resources = [aws_s3_bucket.this.arn]
 }
 statement {
@@ -38,7 +43,7 @@ data "aws_iam_policy_document" "this" {
 }
 actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::bucket-176-red/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+ resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
 condition {
 test = "StringEquals"
 variable = "s3:x-amz-acl"
diff --git a/terraform/ecc-aws-179-cloudtrail_integrated_with_cloudwatch/green/cloudtrail.tf b/terraform/ecc-aws-179-cloudtrail_integrated_with_cloudwatch/green/cloudtrail.tf
index b3498995e..2dc6072f2 100644
--- a/terraform/ecc-aws-179-cloudtrail_integrated_with_cloudwatch/green/cloudtrail.tf
+++ b/terraform/ecc-aws-179-cloudtrail_integrated_with_cloudwatch/green/cloudtrail.tf
@@ -8,10 +8,15 @@ resource "aws_cloudtrail" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-179-green"
+ bucket = "179-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
@@ -27,7 +32,7 @@ data "aws_iam_policy_document" "this" {
 }
 actions = ["s3:GetBucketAcl"]
- resources = ["arn:aws:s3:::bucket-179-green"]
+ resources = [aws_s3_bucket.this.arn]
 }
 statement {
@@ -39,7 +44,7 @@ data "aws_iam_policy_document" "this" {
 }
 actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::bucket-179-green/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+ resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
 condition {
 test = "StringEquals"
 variable = "s3:x-amz-acl"
diff --git a/terraform/ecc-aws-179-cloudtrail_integrated_with_cloudwatch/red/cloudtrail.tf b/terraform/ecc-aws-179-cloudtrail_integrated_with_cloudwatch/red/cloudtrail.tf
index cd2dbbc27..cce16422b 100644
--- a/terraform/ecc-aws-179-cloudtrail_integrated_with_cloudwatch/red/cloudtrail.tf
+++ b/terraform/ecc-aws-179-cloudtrail_integrated_with_cloudwatch/red/cloudtrail.tf
@@ -8,7 +8,7 @@ resource "aws_cloudtrail" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-179-red"
+ bucket = "179-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
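Review bot: The new `bucket` line in 179 red/cloudtrail.tf references `random_integer.this.result`, but unlike every other bucket change in this commit the hunk adds no `resource "random_integer" "this"` block, and the two later hunks in the same file (`@@ -27,7 +27,7 @@`, `@@ -39,7 +39,7 @@`) keep their old line numbers, so nothing was inserted above them either. Unless the resource is declared in another file of the red/ directory, `terraform validate` will fail on a reference to an undeclared resource. The green counterpart's four-line block (`resource "random_integer" "this" { min = 1 max = 10000000 }`) is what is missing here.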
@@ -27,7 +27,7 @@ data "aws_iam_policy_document" "this" {
 }
 actions = ["s3:GetBucketAcl"]
- resources = ["arn:aws:s3:::bucket-179-red"]
+ resources = [aws_s3_bucket.this.arn]
 }
 statement {
@@ -39,7 +39,7 @@ data "aws_iam_policy_document" "this" {
 }
 actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::bucket-179-red/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+ resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
 condition {
 test = "StringEquals"
 variable = "s3:x-amz-acl"
diff --git a/terraform/ecc-aws-183-config_enabled_all_regions/green/config.tf b/terraform/ecc-aws-183-config_enabled_all_regions/green/config.tf
index 2378ae07a..d1079b9f1 100644
--- a/terraform/ecc-aws-183-config_enabled_all_regions/green/config.tf
+++ b/terraform/ecc-aws-183-config_enabled_all_regions/green/config.tf
@@ -5,11 +5,16 @@ resource "aws_config_configuration_recorder_status" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-183-green"
+ bucket = "183-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_config_delivery_channel" "this" {
 name = "183_delivery_channel_green"
 s3_bucket_name = aws_s3_bucket.this.bucket
diff --git a/terraform/ecc-aws-183-config_enabled_all_regions/red/config.tf b/terraform/ecc-aws-183-config_enabled_all_regions/red/config.tf
index 9e2f743e8..7c9f819ed 100644
--- a/terraform/ecc-aws-183-config_enabled_all_regions/red/config.tf
+++ b/terraform/ecc-aws-183-config_enabled_all_regions/red/config.tf
@@ -10,11 +10,16 @@ resource "aws_iam_role_policy_attachment" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-183-red"
+ bucket = "183-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_config_delivery_channel" "this" {
 name = "183_delivery_channel_red"
 s3_bucket_name = aws_s3_bucket.this.bucket
diff --git a/terraform/ecc-aws-183-config_enabled_all_regions/red1/config.tf b/terraform/ecc-aws-183-config_enabled_all_regions/red1/config.tf
index ae17f0c45..d5f2898a8 100644
--- a/terraform/ecc-aws-183-config_enabled_all_regions/red1/config.tf
+++ b/terraform/ecc-aws-183-config_enabled_all_regions/red1/config.tf
@@ -5,11 +5,16 @@ resource "aws_config_configuration_recorder_status" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-183-red1"
+ bucket = "183-bucket-${random_integer.this.result}-red1"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_config_delivery_channel" "this" {
 name = "183_delivery_channel_red1"
 s3_bucket_name = aws_s3_bucket.this.bucket
diff --git a/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/green/encryption.tf b/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/green/encryption.tf
index 0d5ca2e37..25c011cdb 100644
--- a/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/green/encryption.tf
+++ b/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/green/encryption.tf
@@ -8,7 +8,7 @@ resource "aws_kms_key" "this" {
 }
 resource "aws_kms_alias" "this" {
- name = "alias/k-184"
+ name = "alias/k-184-green"
 target_key_id = "${aws_kms_key.this.key_id}"
 }
@@ -24,15 +24,30 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-184-green"
+ bucket = "184-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.bucket.json
diff --git a/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/green/iam.tf b/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/green/iam.tf
index ef9278e2b..db0c836d2 100644
--- a/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/green/iam.tf
+++ b/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/green/iam.tf
@@ -52,7 +52,7 @@ data "aws_iam_policy_document" "bucket" {
 }
 actions = ["s3:GetBucketAcl"]
- resources = ["arn:aws:s3:::bucket-184-green"]
+ resources = [aws_s3_bucket.this.arn]
 }
 statement {
@@ -64,7 +64,7 @@ data "aws_iam_policy_document" "bucket" {
 }
 actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::bucket-184-green/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+ resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
 condition {
 test = "StringEquals"
 variable = "s3:x-amz-acl"
diff --git a/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/red/encryption.tf b/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/red/encryption.tf
index 39fc38973..52c7adaaa 100644
--- a/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/red/encryption.tf
+++ b/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/red/encryption.tf
@@ -8,7 +8,7 @@ resource "aws_kms_key" "this" {
 }
 resource "aws_kms_alias" "this" {
- name = "alias/k-184"
+ name = "alias/k-184-red"
 target_key_id = "${aws_kms_key.this.key_id}"
 }
@@ -24,15 +24,30 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-184-red"
+ bucket = "184-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.bucket.json
diff --git a/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/red/iam.tf b/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/red/iam.tf
index 044688bb9..458290cef 100644
--- a/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/red/iam.tf
+++ b/terraform/ecc-aws-184-cloudtrail_logs_encrypted_using_KMS_CMKs/red/iam.tf
@@ -52,7 +52,7 @@ data "aws_iam_policy_document" "bucket" {
 }
 actions = ["s3:GetBucketAcl"]
- resources = ["arn:aws:s3:::bucket-184-red"]
+ resources = ["${aws_s3_bucket.this.arn}/*"]
 }
 statement {
@@ -64,7 +64,7 @@ data "aws_iam_policy_document" "bucket" {
 }
 actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::bucket-184-red/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+ resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
 condition {
 test = "StringEquals"
 variable = "s3:x-amz-acl"
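Review bot: In 184 red/iam.tf (`@@ -52,7 +52,7 @@`) the `s3:GetBucketAcl` statement's resource was rewritten as `"${aws_s3_bucket.this.arn}/*"`, but GetBucketAcl is a bucket-level action that only matches the bucket ARN itself, so this statement now grants nothing; the removed line targeted the bucket ARN and the green counterpart in this same commit uses `resources = [aws_s3_bucket.this.arn]`. CloudTrail checks the GetBucketAcl grant when the trail is created, so the red fixture will most likely fail to apply with a bucket-policy error instead of exercising the missing-KMS condition it is meant to violate. Change the line to `resources = [aws_s3_bucket.this.arn]`.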
diff --git a/terraform/ecc-aws-206-IAM_policy_changes_alarm_exists/green/trail.tf b/terraform/ecc-aws-206-IAM_policy_changes_alarm_exists/green/trail.tf
index 57a51d3e2..86c902275 100644
--- a/terraform/ecc-aws-206-IAM_policy_changes_alarm_exists/green/trail.tf
+++ b/terraform/ecc-aws-206-IAM_policy_changes_alarm_exists/green/trail.tf
@@ -14,33 +14,43 @@ resource "aws_cloudtrail" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "c7n-206-bucket-green"
+ bucket = "206-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
 }
 data "aws_iam_policy_document" "this" {
+
 statement {
 effect = "Allow"
+
 principals {
 type = "Service"
 identifiers = ["cloudtrail.amazonaws.com"]
 }
- actions = ["s3:GetBucketAcl"]
- resources = ["arn:aws:s3:::c7n-206-bucket-green"]
+
+ actions = ["s3:GetBucketAcl"]
+ resources = [aws_s3_bucket.this.arn]
 }
 statement {
 effect = "Allow"
+
 principals {
 type = "Service"
 identifiers = ["cloudtrail.amazonaws.com"]
 }
- actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::c7n-206-bucket-green/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+
+ actions = ["s3:PutObject"]
+ resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
 condition {
 test = "StringEquals"
 variable = "s3:x-amz-acl"
diff --git a/terraform/ecc-aws-206-IAM_policy_changes_alarm_exists/red/trail.tf b/terraform/ecc-aws-206-IAM_policy_changes_alarm_exists/red/trail.tf
index b3f335c21..df906a2fb 100644
--- a/terraform/ecc-aws-206-IAM_policy_changes_alarm_exists/red/trail.tf
+++ b/terraform/ecc-aws-206-IAM_policy_changes_alarm_exists/red/trail.tf
@@ -12,34 +12,43 @@ resource "aws_cloudtrail" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "c7n-206-bucket-red"
+ bucket = "206-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
 }
 data "aws_iam_policy_document" "this" {
+
 statement {
 effect = "Allow"
+
 principals {
 type = "Service"
 identifiers = ["cloudtrail.amazonaws.com"]
 }
- actions = ["s3:GetBucketAcl"]
- resources = ["arn:aws:s3:::c7n-206-bucket-red"]
+
+ actions = ["s3:GetBucketAcl"]
+ resources = [aws_s3_bucket.this.arn]
 }
 statement {
 effect = "Allow"
+
 principals {
 type = "Service"
 identifiers = ["cloudtrail.amazonaws.com"]
 }
- actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::c7n-206-bucket-red/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+ actions = ["s3:PutObject"]
+ resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
 condition {
 test = "StringEquals"
 variable = "s3:x-amz-acl"
diff --git a/terraform/ecc-aws-206-IAM_policy_changes_alarm_exists/red1/trail.tf b/terraform/ecc-aws-206-IAM_policy_changes_alarm_exists/red1/trail.tf
index 0648583e7..b5278ae56 100644
--- a/terraform/ecc-aws-206-IAM_policy_changes_alarm_exists/red1/trail.tf
+++ b/terraform/ecc-aws-206-IAM_policy_changes_alarm_exists/red1/trail.tf
@@ -12,34 +12,43 @@ resource "aws_cloudtrail" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "c7n-206-bucket-red1"
+ bucket = "206-bucket-${random_integer.this.result}-red1"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
 }
 data "aws_iam_policy_document" "this" {
+
 statement {
 effect = "Allow"
+
 principals {
 type = "Service"
 identifiers = ["cloudtrail.amazonaws.com"]
 }
- actions = ["s3:GetBucketAcl"]
- resources = ["arn:aws:s3:::c7n-206-bucket-red1"]
+
+ actions = ["s3:GetBucketAcl"]
+ resources = [aws_s3_bucket.this.arn]
 }
 statement {
 effect = "Allow"
+
 principals {
 type = "Service"
 identifiers = ["cloudtrail.amazonaws.com"]
 }
- actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::c7n-206-bucket-red1/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
+ actions = ["s3:PutObject"]
+ resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"]
 condition {
 test = "StringEquals"
 variable = "s3:x-amz-acl"
diff --git a/terraform/ecc-aws-210-cloud_front_waf_integration/green/cloudfront.tf b/terraform/ecc-aws-210-cloud_front_waf_integration/green/cloudfront.tf
index 0f9ad53d4..02238c035 100644
--- a/terraform/ecc-aws-210-cloud_front_waf_integration/green/cloudfront.tf
+++ b/terraform/ecc-aws-210-cloud_front_waf_integration/green/cloudfront.tf
@@ -1,11 +1,16 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-210-green"
+ bucket = "210-bucket-${random_integer.this.result}-green"
 }
 locals {
 s3_origin_id = "myGreenS3"
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_cloudfront_distribution" "this" {
 origin {
 domain_name = aws_s3_bucket.this.bucket_regional_domain_name
diff --git a/terraform/ecc-aws-210-cloud_front_waf_integration/red/cloudfront.tf b/terraform/ecc-aws-210-cloud_front_waf_integration/red/cloudfront.tf
index 070a20476..f6482a597 100644
--- a/terraform/ecc-aws-210-cloud_front_waf_integration/red/cloudfront.tf
+++ b/terraform/ecc-aws-210-cloud_front_waf_integration/red/cloudfront.tf
@@ -6,6 +6,11 @@ locals {
 s3_origin_id = "myRedS3"
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_cloudfront_distribution" "this" {
 origin {
 domain_name = aws_s3_bucket.this.bucket_regional_domain_name
diff --git a/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/green/s3.tf b/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/green/s3.tf
index ec5f6939f..dd0da7773 100644
--- a/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/green/s3.tf
+++ b/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/green/s3.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "bucket1" {
- bucket = "bucket1-216-green"
+ bucket = "216-bucket1-${random_integer.this.result}-green"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_versioning" "bucket1" {
 bucket = aws_s3_bucket.bucket1.id
 versioning_configuration {
@@ -27,7 +32,7 @@ resource "aws_s3_bucket_replication_configuration" "bucket1" {
 }
 resource "aws_s3_bucket" "bucket2" {
- bucket = "bucket2-216-green"
+ bucket = "216-bucket2-${random_integer.this.result}-green"
 force_destroy = true
 }
diff --git a/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/red/s3.tf b/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/red/s3.tf
index 43e9f5201..0bb86d6cd 100644
--- a/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/red/s3.tf
+++ b/terraform/ecc-aws-216-s3_bucket_cross_region_replication_enabled/red/s3.tf
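Review bot: The 210 red/cloudfront.tf hunk declares `resource "random_integer" "this"` but, since the hunk starts at line 6 after three lines of leading context, the `aws_s3_bucket` block at the top of the file is unchanged, so the red bucket keeps its static name and `random_integer.this.result` is never referenced in this file. If the intent matches the green counterpart, the bucket line needs the same `bucket = "210-bucket-${random_integer.this.result}-red"` rewrite; otherwise the unused resource can be dropped.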
@@ -1,5 +1,9 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-216-red" + bucket = "216-bucket-${random_integer.this.result}-red" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} \ No newline at end of file diff --git a/terraform/ecc-aws-218-codebuild_environment_variables_contain_text_credentials/green/codebuild.tf b/terraform/ecc-aws-218-codebuild_environment_variables_contain_text_credentials/green/codebuild.tf index ad93269a3..cae24b161 100644 --- a/terraform/ecc-aws-218-codebuild_environment_variables_contain_text_credentials/green/codebuild.tf +++ b/terraform/ecc-aws-218-codebuild_environment_variables_contain_text_credentials/green/codebuild.tf @@ -1,12 +1,17 @@ resource "aws_s3_bucket" "input_bucket" { - bucket = "bucket-codebuild-input-bucket-216-green" + bucket = "bucket-${random_integer.this.result}-codebuild-input-bucket-216-green" force_destroy = true } resource "aws_s3_bucket" "output_bucket" { - bucket = "bucket-codebuild-output-bucket-216-green" + bucket = "bucket-${random_integer.this.result}-codebuild-output-bucket-216-green" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_object" "object" { bucket = aws_s3_bucket.input_bucket.id key = "MessageUtil.zip" diff --git a/terraform/ecc-aws-218-codebuild_environment_variables_contain_text_credentials/red/codebuild.tf b/terraform/ecc-aws-218-codebuild_environment_variables_contain_text_credentials/red/codebuild.tf index af0ee4094..e847d12dd 100644 --- a/terraform/ecc-aws-218-codebuild_environment_variables_contain_text_credentials/red/codebuild.tf +++ b/terraform/ecc-aws-218-codebuild_environment_variables_contain_text_credentials/red/codebuild.tf 
@@ -1,12 +1,17 @@ resource "aws_s3_bucket" "input_bucket" { - bucket = "bucket-codebuild-input-bucket-216-red" + bucket = "bucket-${random_integer.this.result}-codebuild-input-bucket-216-red" force_destroy = true } resource "aws_s3_bucket" "output_bucket" { - bucket = "bucket-codebuild-output-bucket-216-red" + bucket = "bucket-${random_integer.this.result}-codebuild-output-bucket-216-red" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_object" "object" { bucket = aws_s3_bucket.input_bucket.id key = "MessageUtil.zip" diff --git a/terraform/ecc-aws-237-cloudfront_web_distributions_use_custom_ssl_certificates/red/cloudfront.tf b/terraform/ecc-aws-237-cloudfront_web_distributions_use_custom_ssl_certificates/red/cloudfront.tf index d2be4d407..b35571166 100644 --- a/terraform/ecc-aws-237-cloudfront_web_distributions_use_custom_ssl_certificates/red/cloudfront.tf +++ b/terraform/ecc-aws-237-cloudfront_web_distributions_use_custom_ssl_certificates/red/cloudfront.tf @@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-237-red" + bucket = "237-bucket-${random_integer.this.result}-red" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + locals { s3_origin_id = "myRedS3" } diff --git a/terraform/ecc-aws-238-cloudfront_web_distributions_with_geo_restriction_enabled/green/cloudfront.tf b/terraform/ecc-aws-238-cloudfront_web_distributions_with_geo_restriction_enabled/green/cloudfront.tf index 40be227db..bf95338cb 100644 --- a/terraform/ecc-aws-238-cloudfront_web_distributions_with_geo_restriction_enabled/green/cloudfront.tf +++ b/terraform/ecc-aws-238-cloudfront_web_distributions_with_geo_restriction_enabled/green/cloudfront.tf 
@@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-238-green" + bucket = "238-bucket-${random_integer.this.result}-green" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + locals { s3_origin_id = "myRedS3" } diff --git a/terraform/ecc-aws-238-cloudfront_web_distributions_with_geo_restriction_enabled/red/cloudfront.tf b/terraform/ecc-aws-238-cloudfront_web_distributions_with_geo_restriction_enabled/red/cloudfront.tf index 16fdbb193..1cead0003 100644 --- a/terraform/ecc-aws-238-cloudfront_web_distributions_with_geo_restriction_enabled/red/cloudfront.tf +++ b/terraform/ecc-aws-238-cloudfront_web_distributions_with_geo_restriction_enabled/red/cloudfront.tf @@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-238-red" + bucket = "238-bucket-${random_integer.this.result}-red" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + locals { s3_origin_id = "myRedS3" } diff --git a/terraform/ecc-aws-242-cloudfront_distribution_access_logging/green/cloudfront.tf b/terraform/ecc-aws-242-cloudfront_distribution_access_logging/green/cloudfront.tf index a60f79a1b..2c3f23216 100644 --- a/terraform/ecc-aws-242-cloudfront_distribution_access_logging/green/cloudfront.tf +++ b/terraform/ecc-aws-242-cloudfront_distribution_access_logging/green/cloudfront.tf 
@@ -1,8 +1,27 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-242-green" + bucket = "242-bucket-${random_integer.this.result}-green" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + + bucket = aws_s3_bucket.this.id + acl = "private" +} + resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id policy = data.aws_iam_policy_document.this.json @@ -23,9 +42,7 @@ data "aws_iam_policy_document" "this" { "s3:PutBucketACL", ] - resources = [ - "arn:aws:s3:::bucket-242-green", - ] + resources = [aws_s3_bucket.this.arn] principals { type = "AWS" @@ -81,6 +98,9 @@ resource "aws_cloudfront_distribution" "this" { viewer_certificate { cloudfront_default_certificate = true } + depends_on = [ + aws_s3_bucket_acl.this + ] } resource "aws_cloudfront_origin_access_identity" "this" { diff --git a/terraform/ecc-aws-242-cloudfront_distribution_access_logging/red/cloudfront.tf b/terraform/ecc-aws-242-cloudfront_distribution_access_logging/red/cloudfront.tf index 9d595520a..c4310f731 100644 --- a/terraform/ecc-aws-242-cloudfront_distribution_access_logging/red/cloudfront.tf +++ b/terraform/ecc-aws-242-cloudfront_distribution_access_logging/red/cloudfront.tf @@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-242-red" + bucket = "242-bucket-${random_integer.this.result}-red" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + locals { s3_origin_id = "myRedS3" } diff --git a/terraform/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled/red/s3.tf b/terraform/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled/red/s3.tf index 60974c681..a63959d96 100644 
--- a/terraform/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled/red/s3.tf +++ b/terraform/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled/red/s3.tf @@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-246-red" + bucket = "246-bucket-${random_integer.this.result}-red" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_versioning" "this" { bucket = aws_s3_bucket.this.id versioning_configuration { @@ -11,21 +16,46 @@ resource "aws_s3_bucket_versioning" "this" { } } +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + + bucket = aws_s3_bucket.this.id + acl = "private" +} + +resource "aws_s3_bucket_public_access_block" "this" { + bucket = aws_s3_bucket.this.id + + block_public_acls = false + block_public_policy = false + ignore_public_acls = false + restrict_public_buckets = false +} + resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id policy = data.aws_iam_policy_document.this.json + + depends_on = [aws_s3_bucket_public_access_block.this ] } data "aws_iam_policy_document" "this" { + statement { + effect = "Allow" + + principals { + type = "AWS" + identifiers = ["*"] + } - statement { - effect = "Allow" - - principals { - type = "AWS" - identifiers = ["*"] - } - actions = ["*"] - resources = ["arn:aws:s3:::bucket-246-red/*"] - } -} \ No newline at end of file + actions = ["*"] + resources = ["${aws_s3_bucket.this.arn}/*"] + } +} diff --git a/terraform/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled/red1/s3.tf b/terraform/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled/red1/s3.tf index 70bddfb8b..b18524c27 100644 --- a/terraform/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled/red1/s3.tf 
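Review bot: The new `aws_s3_bucket_public_access_block` with all four settings `false`, combined with the carried-over policy that grants `actions = ["*"]` on `${aws_s3_bucket.this.arn}/*` to `identifiers = ["*"]`, is what makes this bucket effectively world-readable and world-writable for as long as the fixture exists; the policy statement is not new, but the block that lets it take effect is. That exposure goes well beyond what a non-compliant example for an MFA-delete rule needs. Unless the harness depends on it, consider scoping the principal to the account (a `data "aws_caller_identity"` source, as other fixtures in this diff use) or dropping the policy and public-access-block resources so the red case is non-compliant only in the dimension under test. Minor: `depends_on = [aws_s3_bucket_public_access_block.this ]` has a stray space before the closing bracket.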
+++ b/terraform/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled/red1/s3.tf @@ -1,9 +1,23 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-246-red1" + bucket = "246-bucket-${random_integer.this.result}-red1" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } \ No newline at end of file diff --git a/terraform/ecc-aws-249-expired_certificates_are_removed_from_acm/green/cloudfront.tf b/terraform/ecc-aws-249-expired_certificates_are_removed_from_acm/green/cloudfront.tf index 7d2406e9c..f85c968c0 100644 --- a/terraform/ecc-aws-249-expired_certificates_are_removed_from_acm/green/cloudfront.tf +++ b/terraform/ecc-aws-249-expired_certificates_are_removed_from_acm/green/cloudfront.tf @@ -1,17 +1,37 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-249-green" + bucket = "249-bucket-${random_integer.this.result}-green" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id policy = data.aws_iam_policy_document.this.json } +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + + bucket = aws_s3_bucket.this.id + acl = "private" +} + locals { s3_origin_id = "mygreenS3" } + data "aws_caller_identity" "this" { provider = aws } @@ -23,9 +43,7 @@ data "aws_iam_policy_document" "this" { "s3:PutBucketACL", ] - resources = [ - "arn:aws:s3:::bucket-249-green", - ] + resources = [aws_s3_bucket.this.arn] principals { type = "AWS" 
@@ -81,6 +99,9 @@ resource "aws_cloudfront_distribution" "this" { viewer_certificate { cloudfront_default_certificate = true } + depends_on = [ + aws_s3_bucket_acl.this + ] } resource "aws_cloudfront_origin_access_identity" "this" { diff --git a/terraform/ecc-aws-263-enable_elb_access_logs/green/alb.tf b/terraform/ecc-aws-263-enable_elb_access_logs/green/alb.tf index de5053a6b..aa2dded1a 100644 --- a/terraform/ecc-aws-263-enable_elb_access_logs/green/alb.tf +++ b/terraform/ecc-aws-263-enable_elb_access_logs/green/alb.tf @@ -8,14 +8,31 @@ resource "aws_lb" "this" { bucket = aws_s3_bucket.this.bucket enabled = true } + depends_on = [ + aws_s3_bucket_acl.this + ] } resource "aws_s3_bucket" "this" { - bucket = "bucket-263-green" + bucket = "263-bucket-${random_integer.this.result}-green" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } @@ -24,16 +41,19 @@ resource "aws_s3_bucket_policy" "this" { policy = data.aws_iam_policy_document.this.json } +data "aws_elb_service_account" "this" {} + data "aws_iam_policy_document" "this" { statement { effect = "Allow" principals { type = "AWS" - identifiers = ["*"] + identifiers = [data.aws_elb_service_account.this.arn] } + actions = ["s3:PutObject"] - resources = ["arn:aws:s3:::bucket-263-green/AWSLogs/*"] + resources = ["${aws_s3_bucket.this.arn}/AWSLogs/*"] } } diff --git a/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/green/nlb.tf b/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/green/nlb.tf index b777da4b2..f8c71812a 100644 --- a/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/green/nlb.tf 
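Review bot: `resources = ["${aws_s3_bucket.this.arn}/AWSLogs/*"]` lets the ELB service account write under every account prefix, whereas the CloudTrail fixtures in this same diff (ecc-aws-206 and ecc-aws-452) scope the equivalent grant to `AWSLogs/${data.aws_caller_identity.this.account_id}/*`. If this file has, or can add, a `data "aws_caller_identity"` source, the same narrowing applies here and to the ecc-aws-339 green and red alb.tf hunks, which use the identical `AWSLogs/*` pattern. Swapping `identifiers = ["*"]` for `data.aws_elb_service_account.this.arn` is the right direction; the object prefix is the remaining loose end. The `data "aws_elb_service_account" "this" {}` it references is added in this hunk, so nothing else is missing.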
+++ b/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/green/nlb.tf @@ -5,10 +5,6 @@ resource "aws_lb" "this" { subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id] } -###### The step to be done before run infrastructure is to run command below -# openssl req -x509 -nodes -days 32 -newkey rsa:2048 -keyout private.key -out certificate.crt - - resource "aws_lb_target_group" "this" { name = "lb-target-group-264-green" port = 443 @@ -31,8 +27,25 @@ resource "aws_lb_listener" "this" { resource "aws_iam_server_certificate" "this" { name = "264_certificate_green" - certificate_body = file("certificate.crt") - private_key = file("private.key") + certificate_body = data.local_file.certificate.content + private_key = data.local_file.private_key.content +} + +resource "null_resource" "this" { + provisioner "local-exec" { + command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 50 -newkey rsa:2048 -keyout private.key -out certificate.crt" + interpreter = ["/bin/bash", "-c"] + } +} + +data "local_file" "certificate" { + filename = "certificate.crt" + depends_on = [null_resource.this] +} + +data "local_file" "private_key" { + filename = "private.key" + depends_on = [null_resource.this] } resource "aws_vpc" "this" { diff --git a/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/red/nlb.tf b/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/red/nlb.tf index 7685a3329..5be13b66c 100644 --- a/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/red/nlb.tf +++ b/terraform/ecc-aws-264-update_security_policy_of_network_load_balancer/red/nlb.tf @@ -1,6 +1,3 @@ -###### The step to be done before run infrastructure is to run command below -# openssl req -x509 -nodes -days 32 -newkey rsa:2048 -keyout private.key -out certificate.crt - resource "aws_lb" "this" { name = "nlb-264-red" internal = false 
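Review bot: The `null_resource` local-exec writes an unencrypted (`-nodes`) `private.key` into the module directory and `data "local_file" "private_key"` then copies its content into state and plan output; the ecc-aws-264 red, ecc-aws-279 green and ecc-aws-279 red hunks repeat the same pattern. Since the repository already uses the `tls` provider (`tls_private_key` in the ecc-aws-438 hunk), `tls_private_key` plus `tls_self_signed_cert` would produce the certificate without shelling out to openssl, without the prompt-driven `echo -e` pipe, and without key files left on disk that must be kept out of git; the key still lands in state, but marked sensitive. If the openssl route is kept, passing `-subj` (or `-batch`) instead of piping blank answers makes the command deterministic, and `local_sensitive_file` instead of `local_file` keeps the key out of plan output. Note that the provisioner has no `triggers`, so it runs once per resource lifetime, which is why both `depends_on = [null_resource.this]` entries are needed. The rewrite below is a constructed example of the tls-provider form.

```hcl
resource "tls_private_key" "this" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_self_signed_cert" "this" {
  private_key_pem       = tls_private_key.this.private_key_pem
  validity_period_hours = 50 * 24 # same 50-day lifetime as the openssl command
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]

  subject {
    common_name = "fixture-264-green" # constructed example value
  }
}

resource "aws_iam_server_certificate" "this" {
  name             = "264_certificate_green"
  certificate_body = tls_self_signed_cert.this.cert_pem
  private_key      = tls_private_key.this.private_key_pem
}
# … unchanged: aws_vpc and the rest of the file …
```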
@@ -31,10 +28,28 @@ resource "aws_lb_listener" "this" { resource "aws_iam_server_certificate" "this" { name = "264_certificate_red" - certificate_body = file("certificate.crt") - private_key = file("private.key") + certificate_body = data.local_file.certificate.content + private_key = data.local_file.private_key.content } +resource "null_resource" "this" { + provisioner "local-exec" { + command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 32 -newkey rsa:2048 -keyout private.key -out certificate.crt" + interpreter = ["/bin/bash", "-c"] + } +} + +data "local_file" "certificate" { + filename = "certificate.crt" + depends_on = [null_resource.this] +} + +data "local_file" "private_key" { + filename = "private.key" + depends_on = [null_resource.this] +} + + resource "aws_vpc" "this" { cidr_block = "10.0.0.0/16" instance_tenancy = "default" diff --git a/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/green/iam.tf b/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/green/iam.tf index 9903a38c2..a8366307d 100644 --- a/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/green/iam.tf +++ b/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/green/iam.tf 
@@ -1,7 +1,22 @@ -###### The step to be done before run infrastructure is to run command below -# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt +resource "null_resource" "this" { + provisioner "local-exec" { + command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out certificate.crt" + interpreter = ["/bin/bash", "-c"] + } +} + +data "local_file" "certificate" { + filename = "certificate.crt" + depends_on = [null_resource.this] +} + +data "local_file" "private_key" { + filename = "private.key" + depends_on = [null_resource.this] +} + resource "aws_iam_server_certificate" "this" { name = "279_server_certificate_green" - certificate_body = file("certificate.crt") - private_key = file("private.key") -} + certificate_body = data.local_file.certificate.content + private_key = data.local_file.private_key.content +} \ No newline at end of file diff --git a/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/red/iam.tf b/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/red/iam.tf index 4c08689be..ae67732c0 100644 --- a/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/red/iam.tf +++ b/terraform/ecc-aws-279-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed/red/iam.tf 
@@ -1,7 +1,22 @@
-###### The step to be done before run infrastructure is to run command below
-# openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout second-private.key -out second-certificate.crt - ### we can't create expired certificate
+resource "null_resource" "this" {
+ provisioner "local-exec" {
+ command = "echo -e '\\n\\n\\n\\n\\n\\n\\n\\n' | openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout private.key -out certificate.crt"
+ interpreter = ["/bin/bash", "-c"]
+ }
+}
+
+data "local_file" "certificate" {
+ filename = "certificate.crt"
+ depends_on = [null_resource.this]
+}
+
+data "local_file" "private_key" {
+ filename = "private.key"
+ depends_on = [null_resource.this]
+}
+
resource "aws_iam_server_certificate" "this" {
name = "279_server_certificate_red"
- certificate_body = file("certificate.crt")
- private_key = file("private.key")
-}
+ certificate_body = data.local_file.certificate.content
+ private_key = data.local_file.private_key.content
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-280-s3_buckets_configured_with_block_public_access/green/s3.tf b/terraform/ecc-aws-280-s3_buckets_configured_with_block_public_access/green/s3.tf
index b5df594cb..99e3e747f 100644
--- a/terraform/ecc-aws-280-s3_buckets_configured_with_block_public_access/green/s3.tf
+++ b/terraform/ecc-aws-280-s3_buckets_configured_with_block_public_access/green/s3.tf
@@ -1,8 +1,13 @@
resource "aws_s3_bucket" "this" {
- bucket = "bucket-280-green"
+ bucket = "280-bucket-${random_integer.this.result}-green"
force_destroy = "true"
}
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
resource "aws_s3_bucket_public_access_block" "this" {
bucket = aws_s3_bucket.this.id
diff --git a/terraform/ecc-aws-280-s3_buckets_configured_with_block_public_access/red/s3.tf b/terraform/ecc-aws-280-s3_buckets_configured_with_block_public_access/red/s3.tf
index 9e790620a..416f7a467 100644
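Review bot: The removed comment line ended with `### we can't create expired certificate`, which was the only explanation of why this red fixture uses `-days 1` and relies on the certificate expiring after apply rather than being created already expired; the new `null_resource` block drops that note. Suggest keeping it beside the provisioner, e.g. `# openssl cannot issue an already-expired certificate; this fixture only becomes non-compliant once the 1-day validity lapses`. It is also worth stating in that comment that the policy run must therefore happen at least a day after `terraform apply`, since the hunk gives no other hint that the test is timing-dependent.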
--- a/terraform/ecc-aws-280-s3_buckets_configured_with_block_public_access/red/s3.tf +++ b/terraform/ecc-aws-280-s3_buckets_configured_with_block_public_access/red/s3.tf @@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-280-red" + bucket = "280-bucket-${random_integer.this.result}-red" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_public_access_block" "this" { bucket = aws_s3_bucket.this.id diff --git a/terraform/ecc-aws-290-logging_for_s3_enabled/green/s3.tf b/terraform/ecc-aws-290-logging_for_s3_enabled/green/s3.tf index b78707b6d..2732e6f94 100644 --- a/terraform/ecc-aws-290-logging_for_s3_enabled/green/s3.tf +++ b/terraform/ecc-aws-290-logging_for_s3_enabled/green/s3.tf @@ -1,8 +1,13 @@ resource "aws_s3_bucket" "log_bucket" { - bucket = "log-bucket-290-green" + bucket = "290-log-bucket-${random_integer.this.result}-green" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_ownership_controls" "log_bucket" { bucket = aws_s3_bucket.log_bucket.id rule { @@ -18,7 +23,7 @@ resource "aws_s3_bucket_acl" "log_bucket" { } resource "aws_s3_bucket" "bucket" { - bucket = "bucket-290-green" + bucket = "290-bucket-${random_integer.this.result}-green" force_destroy = "true" } diff --git a/terraform/ecc-aws-290-logging_for_s3_enabled/red/s3.tf b/terraform/ecc-aws-290-logging_for_s3_enabled/red/s3.tf index 3f4dcf926..95895eed7 100644 --- a/terraform/ecc-aws-290-logging_for_s3_enabled/red/s3.tf +++ b/terraform/ecc-aws-290-logging_for_s3_enabled/red/s3.tf @@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-290-red" + bucket = "290-bucket-${random_integer.this.result}-red" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_ownership_controls" "this" { bucket = aws_s3_bucket.this.id rule { 
diff --git a/terraform/ecc-aws-306-redshift_clusters_audit_logging_enabled/green/redshift.tf b/terraform/ecc-aws-306-redshift_clusters_audit_logging_enabled/green/redshift.tf index 5b3d890ac..6c86ca88c 100644 --- a/terraform/ecc-aws-306-redshift_clusters_audit_logging_enabled/green/redshift.tf +++ b/terraform/ecc-aws-306-redshift_clusters_audit_logging_enabled/green/redshift.tf @@ -13,6 +13,14 @@ resource "aws_redshift_cluster" "this" { enable = true bucket_name = aws_s3_bucket.this.id } + depends_on = [ + aws_s3_bucket_acl.this + ] +} + +resource "random_integer" "this" { + min = 1 + max = 10000000 } resource "aws_redshift_parameter_group" "this" { @@ -25,11 +33,20 @@ resource "aws_redshift_parameter_group" "this" { } } resource "aws_s3_bucket" "this" { - bucket = "bucket-306-green" + bucket = "306-bucket-${random_integer.this.result}-green" force_destroy = "true" } +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } @@ -51,7 +68,7 @@ data "aws_iam_policy_document" "this" { } actions = ["s3:PutObject"] - resources = ["arn:aws:s3:::bucket-306-green/*"] + resources = ["${aws_s3_bucket.this.arn}/*"] } statement { sid = "Get bucket policy needed for audit logging " @@ -63,7 +80,7 @@ data "aws_iam_policy_document" "this" { } actions = ["s3:GetBucketAcl"] - resources = ["arn:aws:s3:::bucket-306-green"] + resources = [aws_s3_bucket.this.arn] } } diff --git a/terraform/ecc-aws-324-cloudfront_default_root_object_configured/green/cloudfront.tf b/terraform/ecc-aws-324-cloudfront_default_root_object_configured/green/cloudfront.tf index 99eaedf6a..e67c22850 100644 --- a/terraform/ecc-aws-324-cloudfront_default_root_object_configured/green/cloudfront.tf +++ b/terraform/ecc-aws-324-cloudfront_default_root_object_configured/green/cloudfront.tf 
@@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-324-green" + bucket = "324-bucket-${random_integer.this.result}-green" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + locals { s3_origin_id = "myGreenS3" } diff --git a/terraform/ecc-aws-324-cloudfront_default_root_object_configured/red/cloudfront.tf b/terraform/ecc-aws-324-cloudfront_default_root_object_configured/red/cloudfront.tf index a9dbe327b..51d5f723e 100644 --- a/terraform/ecc-aws-324-cloudfront_default_root_object_configured/red/cloudfront.tf +++ b/terraform/ecc-aws-324-cloudfront_default_root_object_configured/red/cloudfront.tf @@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-324-red" + bucket = "324-bucket-${random_integer.this.result}-red" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + locals { s3_origin_id = "myRedS3" } diff --git a/terraform/ecc-aws-326-cloudfront_origin_failover_configured/green/cloudfront.tf b/terraform/ecc-aws-326-cloudfront_origin_failover_configured/green/cloudfront.tf index a81283146..caf0113bf 100644 --- a/terraform/ecc-aws-326-cloudfront_origin_failover_configured/green/cloudfront.tf +++ b/terraform/ecc-aws-326-cloudfront_origin_failover_configured/green/cloudfront.tf 
@@ -1,23 +1,46 @@
resource "aws_s3_bucket" "primary" {
- bucket = "primary-bucket-326-green"
+ bucket = "326-primary-bucket-${random_integer.this.result}-green"
force_destroy = true
}
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "primary" {
+ bucket = aws_s3_bucket.primary.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
resource "aws_s3_bucket_acl" "primary" {
+ depends_on = [aws_s3_bucket_ownership_controls.primary]
+
bucket = aws_s3_bucket.primary.id
acl = "private"
}
-resource "aws_s3_bucket" "failover" {
- bucket = "failover-bucket-326-green"
- force_destroy = true
+resource "aws_s3_bucket_ownership_controls" "failover" {
+ bucket = aws_s3_bucket.failover.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
}
resource "aws_s3_bucket_acl" "failover" {
+ depends_on = [aws_s3_bucket_ownership_controls.failover]
+
bucket = aws_s3_bucket.failover.id
acl = "private"
}
+resource "aws_s3_bucket" "failover" {
+ bucket = "326-failover-bucket-${random_integer.this.result}-green"
+ force_destroy = true
+}
+
resource "aws_cloudfront_origin_access_identity" "this" {
comment = "origin_access_indentity_326_green"
}
@@ -87,4 +110,7 @@ resource "aws_cloudfront_distribution" "this" {
viewer_certificate {
cloudfront_default_certificate = true
}
+ depends_on = [
+ aws_s3_bucket_acl.this
+ ]
}
\ No newline at end of file
diff --git a/terraform/ecc-aws-326-cloudfront_origin_failover_configured/red/cloudfront.tf b/terraform/ecc-aws-326-cloudfront_origin_failover_configured/red/cloudfront.tf
index d7fdb2fa8..3208e3d5d 100644
--- a/terraform/ecc-aws-326-cloudfront_origin_failover_configured/red/cloudfront.tf
+++ b/terraform/ecc-aws-326-cloudfront_origin_failover_configured/red/cloudfront.tf
@@ -1,5 +1,5 @@
resource "aws_s3_bucket" "this" {
- bucket = "bucket-326-red"
+ bucket = "326-bucket-${random_integer.this.result}-red"
force_destroy = "true"
}
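Review bot: `depends_on = [aws_s3_bucket_acl.this]` in the `@@ -87,4 +110,7 @@` hunk references a resource this file does not declare: the ACL resources added in the first hunk are `aws_s3_bucket_acl.primary` and `aws_s3_bucket_acl.failover`. Unless an `aws_s3_bucket_acl "this"` exists in the unseen middle of the file, `terraform validate` will reject the reference; the line should presumably read `depends_on = [aws_s3_bucket_acl.primary, aws_s3_bucket_acl.failover]` so the distribution waits on both origin buckets. The enclosing `aws_cloudfront_distribution` block begins outside the hunk.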
@@ -11,6 +11,20 @@ data "aws_caller_identity" "this" { provider = aws } +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + + bucket = aws_s3_bucket.this.id + acl = "private" +} + resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id @@ -24,9 +38,7 @@ data "aws_iam_policy_document" "this" { "s3:PutBucketACL", ] - resources = [ - "arn:aws:s3:::bucket-326-red", - ] + resources = [aws_s3_bucket.this.arn] principals { type = "AWS" @@ -82,6 +94,10 @@ resource "aws_cloudfront_distribution" "this" { viewer_certificate { cloudfront_default_certificate = true } + + depends_on = [ + aws_s3_bucket_acl.this + ] } resource "aws_cloudfront_origin_access_identity" "this" { diff --git a/terraform/ecc-aws-339-alb_drop_invalid_http_header/green/alb.tf b/terraform/ecc-aws-339-alb_drop_invalid_http_header/green/alb.tf index f0b6830a5..d750323fb 100644 --- a/terraform/ecc-aws-339-alb_drop_invalid_http_header/green/alb.tf +++ b/terraform/ecc-aws-339-alb_drop_invalid_http_header/green/alb.tf 
@@ -1,33 +1,49 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-339-green" + bucket = "339-bucket-${random_integer.this.result}-green" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id policy = data.aws_iam_policy_document.this.json } -data "aws_iam_policy_document" "this" { +data "aws_elb_service_account" "this" {} +data "aws_iam_policy_document" "this" { statement { effect = "Allow" principals { type = "AWS" - identifiers = ["*"] + identifiers = [data.aws_elb_service_account.this.arn] } actions = ["s3:PutObject"] - resources = ["arn:aws:s3:::bucket-339-green/*"] + resources = ["${aws_s3_bucket.this.arn}/AWSLogs/*"] } } + resource "aws_alb" "this" { name = "alb-339-green" load_balancer_type = "application" @@ -39,4 +55,8 @@ resource "aws_alb" "this" { bucket = aws_s3_bucket.this.id enabled = true } + + depends_on = [ + aws_s3_bucket_acl.this + ] } diff --git a/terraform/ecc-aws-339-alb_drop_invalid_http_header/red/alb.tf b/terraform/ecc-aws-339-alb_drop_invalid_http_header/red/alb.tf index d18074a49..e334a999d 100644 --- a/terraform/ecc-aws-339-alb_drop_invalid_http_header/red/alb.tf +++ b/terraform/ecc-aws-339-alb_drop_invalid_http_header/red/alb.tf 
@@ -1,30 +1,44 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-339-red" + bucket = "339-bucket-${random_integer.this.result}-red" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id policy = data.aws_iam_policy_document.this.json } -data "aws_iam_policy_document" "this" { +data "aws_elb_service_account" "this" {} +data "aws_iam_policy_document" "this" { statement { effect = "Allow" principals { type = "AWS" - identifiers = ["*"] + identifiers = [data.aws_elb_service_account.this.arn] } actions = ["s3:PutObject"] - resources = ["arn:aws:s3:::bucket-339-red/*"] + resources = ["${aws_s3_bucket.this.arn}/AWSLogs/*"] } } @@ -38,4 +52,8 @@ resource "aws_alb" "this" { bucket = aws_s3_bucket.this.id enabled = true } + + depends_on = [ + aws_s3_bucket_acl.this + ] } diff --git a/terraform/ecc-aws-408-emr_logging_to_s3_enabled/green/emr.tf b/terraform/ecc-aws-408-emr_logging_to_s3_enabled/green/emr.tf index c37dee080..2b552cae4 100644 --- a/terraform/ecc-aws-408-emr_logging_to_s3_enabled/green/emr.tf +++ b/terraform/ecc-aws-408-emr_logging_to_s3_enabled/green/emr.tf 
@@ -28,15 +28,29 @@ resource "aws_emr_cluster" "this" { service_role = aws_iam_role.emr_service_role.arn - depends_on = [aws_subnet.this, aws_iam_role.emr_service_role, aws_iam_role.emr_ec2_instance_profile, aws_iam_instance_profile.this] + depends_on = [aws_subnet.this, aws_iam_role.emr_service_role, aws_iam_role.emr_ec2_instance_profile, aws_iam_instance_profile.this, aws_s3_bucket_acl.this] } resource "aws_s3_bucket" "this" { - bucket = "bucket-408-green" + bucket = "408-bucket-${random_integer.this.result}-green" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } } \ No newline at end of file diff --git a/terraform/ecc-aws-438-autoscaling_group_has_valid_configuration/red/asg.tf b/terraform/ecc-aws-438-autoscaling_group_has_valid_configuration/red/asg.tf index a10d19d9c..6ef54ec14 100644 --- a/terraform/ecc-aws-438-autoscaling_group_has_valid_configuration/red/asg.tf +++ b/terraform/ecc-aws-438-autoscaling_group_has_valid_configuration/red/asg.tf 
@@ -1,20 +1,27 @@
-# In order to create red infrastructure manual steps are required.
-# 1. Before running 'terraform apply' create key pair using a 'ssh-keygen -f ~/key_pair -m PEM' command.
-# 2. Run 'terraform apply'.
-# 3. Go to https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#KeyPairs and delete '438_key_pair_red' key pair.
-# 4. Run custodian policy.
+resource "null_resource" "this" {
+ provisioner "local-exec" {
+ command = "aws ec2 delete-key-pair --key-name ${aws_key_pair.this.key_name}"
+ interpreter = ["/bin/bash", "-c"]
+ }
+
+ depends_on = [aws_autoscaling_group.this]
+}
+resource "tls_private_key" "rsa" {
+algorithm = "RSA"
+rsa_bits = 4096
+}
resource "aws_key_pair" "this" {
key_name = "438_key_pair_red"
- public_key = file("${path.module}/key_pair.pub")
+ public_key = tls_private_key.rsa.public_key_openssh
}
resource "aws_launch_template" "this" {
name_prefix = "438_launch_template_red"
image_id = data.aws_ami.this.id
instance_type = "t2.micro"
- key_name = "438_key_pair_red"
+ key_name = "438_key_pair_red"
}
data "aws_ami" "this" {
@@ -40,8 +47,8 @@ resource "aws_autoscaling_group" "this" {
}
tag {
- key = "CustodianRule"
- value = "ecc-aws-438-autoscaling_group_has_valid_configuration"
+ key = "CsutodianRule"
+ value = "epam-aws-438-autoscaling_group_has_valid_configuration"
propagate_at_launch = true
}
diff --git a/terraform/ecc-aws-448-cloudfront_distribution_fieldlevel_encryption/green/cloudfront.tf b/terraform/ecc-aws-448-cloudfront_distribution_fieldlevel_encryption/green/cloudfront.tf
index 7ac1953cf..a958ea4ce 100644
--- a/terraform/ecc-aws-448-cloudfront_distribution_fieldlevel_encryption/green/cloudfront.tf
+++ b/terraform/ecc-aws-448-cloudfront_distribution_fieldlevel_encryption/green/cloudfront.tf
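Review bot: The `local-exec` running `aws ec2 delete-key-pair --key-name ${aws_key_pair.this.key_name}` removes the key pair behind Terraform's back, so the next `terraform plan` will presumably report `aws_key_pair.this` as needing re-creation, and because the `null_resource` has no `triggers` the deletion will not re-run when that happens; `triggers = { key = aws_key_pair.this.id }`, or a comment stating the fixture is single-apply by design, would make the intent explicit. The command also assumes the AWS CLI resolves the same account and region as the provider, which nothing in the hunk guarantees. `tls_private_key.rsa` keeps the generated RSA key in state even though only `public_key_openssh` is consumed; acceptable for a throwaway fixture, but worth a comment such as `# only the public half is used; the private key nonetheless remains in state`. Style: the `tls_private_key` body is not indented, and `key_name = "438_key_pair_red"` in the launch template could reference `aws_key_pair.this.key_name` instead of repeating the literal.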
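Review bot: `key = "CsutodianRule"` is a typo introduced by the `@@ -40,8 +47,8 @@` hunk; the removed line had `CustodianRule`. The value prefix also changes from `ecc-aws-438-…` to `epam-aws-438-…` while the fixture directory is still `ecc-aws-438-…`, so if the policy under test selects resources by this tag, neither the misspelled key nor the renamed value will match. Suggested lines: `key = "CustodianRule"` and `value = "ecc-aws-438-autoscaling_group_has_valid_configuration"`, unless the prefix change is an intentional repository-wide rename not visible here.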
@@ -1,9 +1,23 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-448-green" + bucket = "448-bucket-${random_integer.this.result}-green" force_destroy = true } +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } diff --git a/terraform/ecc-aws-448-cloudfront_distribution_fieldlevel_encryption/red/cloudfront.tf b/terraform/ecc-aws-448-cloudfront_distribution_fieldlevel_encryption/red/cloudfront.tf index 6d89b031e..3fcf32fce 100644 --- a/terraform/ecc-aws-448-cloudfront_distribution_fieldlevel_encryption/red/cloudfront.tf +++ b/terraform/ecc-aws-448-cloudfront_distribution_fieldlevel_encryption/red/cloudfront.tf @@ -1,9 +1,23 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-448-red" + bucket = "448-bucket-${random_integer.this.result}-red" force_destroy = true } +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } diff --git a/terraform/ecc-aws-452-cloudtrail_logs_management_events/green/cloudtrail.tf b/terraform/ecc-aws-452-cloudtrail_logs_management_events/green/cloudtrail.tf index a3908c250..8a5e7c82a 100644 --- a/terraform/ecc-aws-452-cloudtrail_logs_management_events/green/cloudtrail.tf +++ b/terraform/ecc-aws-452-cloudtrail_logs_management_events/green/cloudtrail.tf 
@@ -32,7 +32,7 @@ data "aws_iam_policy_document" "this" { } actions = ["s3:GetBucketAcl"] - resources = ["arn:aws:s3:::c7n-452-bucket-green"] + resources = [aws_s3_bucket.this.arn] } statement { effect = "Allow" @@ -43,7 +43,7 @@ data "aws_iam_policy_document" "this" { } actions = ["s3:PutObject"] - resources = ["arn:aws:s3:::c7n-452-bucket-green/AWSLogs/${data.aws_caller_identity.this.account_id}/*"] + resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"] condition { test = "StringEquals" variable = "s3:x-amz-acl" @@ -54,8 +54,12 @@ data "aws_iam_policy_document" "this" { } } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} resource "aws_s3_bucket" "this" { - bucket = "c7n-452-bucket-green" + bucket = "452-bucket-${random_integer.this.result}-green" force_destroy = true } diff --git a/terraform/ecc-aws-452-cloudtrail_logs_management_events/red/cloudtrail.tf b/terraform/ecc-aws-452-cloudtrail_logs_management_events/red/cloudtrail.tf index 29b150ccb..4ec3c3c3d 100644 --- a/terraform/ecc-aws-452-cloudtrail_logs_management_events/red/cloudtrail.tf +++ b/terraform/ecc-aws-452-cloudtrail_logs_management_events/red/cloudtrail.tf @@ -36,7 +36,7 @@ data "aws_iam_policy_document" "this" { } actions = ["s3:GetBucketAcl"] - resources = ["arn:aws:s3:::c7n-452-bucket-red"] + resources = [aws_s3_bucket.this.arn] } statement { effect = "Allow" @@ -47,7 +47,7 @@ data "aws_iam_policy_document" "this" { } actions = ["s3:PutObject"] - resources = ["arn:aws:s3:::c7n-452-bucket-red/AWSLogs/${data.aws_caller_identity.this.account_id}/*"] + resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"] condition { test = "StringEquals" variable = "s3:x-amz-acl" 
@@ -58,8 +58,12 @@ data "aws_iam_policy_document" "this" { } } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} resource "aws_s3_bucket" "this" { - bucket = "c7n-452-bucket-red" + bucket = "452-bucket-${random_integer.this.result}-red" force_destroy = true } diff --git a/terraform/ecc-aws-459-config_delivery_failed/green/config.tf b/terraform/ecc-aws-459-config_delivery_failed/green/config.tf index d4fde2ebd..b1d76e37a 100644 --- a/terraform/ecc-aws-459-config_delivery_failed/green/config.tf +++ b/terraform/ecc-aws-459-config_delivery_failed/green/config.tf @@ -5,9 +5,13 @@ resource "aws_config_configuration_recorder_status" "this" { } resource "aws_s3_bucket" "this" { - bucket = "bucket-459-green" + bucket = "459-bucket-${random_integer.this.result}-green" force_destroy = true +} +resource "random_integer" "this" { + min = 1 + max = 10000000 } resource "aws_config_delivery_channel" "this" { diff --git a/terraform/ecc-aws-459-config_delivery_failed/red/config.tf b/terraform/ecc-aws-459-config_delivery_failed/red/config.tf index 87abe9f84..edbef40a4 100644 --- a/terraform/ecc-aws-459-config_delivery_failed/red/config.tf +++ b/terraform/ecc-aws-459-config_delivery_failed/red/config.tf @@ -7,9 +7,13 @@ resource "aws_config_configuration_recorder_status" "this" { } resource "aws_s3_bucket" "this" { - bucket = "bucket-459-red" + bucket = "459-bucket-${random_integer.this.result}-red" force_destroy = true +} +resource "random_integer" "this" { + min = 1 + max = 10000000 } resource "aws_config_delivery_channel" "this" { diff --git a/terraform/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE/green/s3.tf b/terraform/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE/green/s3.tf index 7029ce193..0a685292e 100644 --- a/terraform/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE/green/s3.tf +++ b/terraform/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE/green/s3.tf 
@@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "496-s3-bucket-green" + bucket = "496-bucket-${random_integer.this.result}-green" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_public_access_block" "this" { bucket = aws_s3_bucket.this.id diff --git a/terraform/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE/green1/s3.tf b/terraform/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE/green1/s3.tf index 7a5c0edb3..3d43c7040 100644 --- a/terraform/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE/green1/s3.tf +++ b/terraform/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE/green1/s3.tf @@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "496-s3-bucket-green1" + bucket = "496-bucket-${random_integer.this.result}-green1" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_public_access_block" "this" { bucket = aws_s3_bucket.this.id diff --git a/terraform/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE/red/s3.tf b/terraform/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE/red/s3.tf index d5e3a563d..c2bdedb3c 100644 --- a/terraform/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE/red/s3.tf +++ b/terraform/ecc-aws-496-kinesis_firehose_delivery_streams_encrypted_using_SSE/red/s3.tf @@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "496-s3-bucket-red" + bucket = "496-bucket-${random_integer.this.result}-red" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_public_access_block" "this" { bucket = aws_s3_bucket.this.id 
diff --git a/terraform/ecc-aws-510-route53_hosted_zone_records_health_check_configured/green/s3.tf b/terraform/ecc-aws-510-route53_hosted_zone_records_health_check_configured/green/s3.tf index e6bfc762e..72a7a4581 100644 --- a/terraform/ecc-aws-510-route53_hosted_zone_records_health_check_configured/green/s3.tf +++ b/terraform/ecc-aws-510-route53_hosted_zone_records_health_check_configured/green/s3.tf @@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "www.510-domain-green.click" + bucket = "www.510-domain-${random_integer.this.result}-green.click" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_public_access_block" "this" { bucket = aws_s3_bucket.this.id @@ -54,4 +59,6 @@ data "aws_iam_policy_document" "this" { resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id policy = data.aws_iam_policy_document.this.json + + depends_on = [aws_s3_bucket_public_access_block.this ] } \ No newline at end of file diff --git a/terraform/ecc-aws-525-ecs_exec_logging_encryption_enabled/green/s3.tf b/terraform/ecc-aws-525-ecs_exec_logging_encryption_enabled/green/s3.tf index b1e12aa6a..fe4279740 100644 --- a/terraform/ecc-aws-525-ecs_exec_logging_encryption_enabled/green/s3.tf +++ b/terraform/ecc-aws-525-ecs_exec_logging_encryption_enabled/green/s3.tf @@ -5,11 +5,25 @@ resource "aws_cloudwatch_log_group" "this" { } resource "aws_s3_bucket" "this" { - bucket = "bucket-525-green" + bucket = "525-bucket-${random_integer.this.result}-green" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } 
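Review bot: The new `depends_on = [aws_s3_bucket_public_access_block.this ]` in the 510 bucket-policy hunk has a stray space before the closing bracket; `terraform fmt` will rewrite it, so commit it as `depends_on = [aws_s3_bucket_public_access_block.this]`. The dependency itself is the important part and deserves a why-comment: a policy that grants public access is rejected by PutBucketPolicy while `block_public_policy` is still in effect, so the policy has to be applied after the access-block settings (which live outside this hunk and presumably relax it for this website bucket), e.g. `# must follow the public-access-block settings or PutBucketPolicy is refused`.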
diff --git a/terraform/ecc-aws-525-ecs_exec_logging_encryption_enabled/red/s3.tf b/terraform/ecc-aws-525-ecs_exec_logging_encryption_enabled/red/s3.tf index 466fa1d4f..a65121fff 100644 --- a/terraform/ecc-aws-525-ecs_exec_logging_encryption_enabled/red/s3.tf +++ b/terraform/ecc-aws-525-ecs_exec_logging_encryption_enabled/red/s3.tf @@ -5,15 +5,30 @@ resource "aws_cloudwatch_log_group" "this" { } resource "aws_s3_bucket" "this" { - bucket = "bucket-525-red" + bucket = "525-bucket-${random_integer.this.result}-red" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } + resource "aws_s3_bucket_server_side_encryption_configuration" "this" { bucket = aws_s3_bucket.this.bucket diff --git a/terraform/ecc-aws-527-mwaa_encrypted_with_kms_cmk/green/mwaa.tf b/terraform/ecc-aws-527-mwaa_encrypted_with_kms_cmk/green/mwaa.tf index 485863b02..5778090f7 100644 --- a/terraform/ecc-aws-527-mwaa_encrypted_with_kms_cmk/green/mwaa.tf +++ b/terraform/ecc-aws-527-mwaa_encrypted_with_kms_cmk/green/mwaa.tf @@ -19,10 +19,24 @@ resource "aws_mwaa_environment" "this" { } resource "aws_s3_bucket" "this" { - bucket = "527-bucket-green" + bucket = "527-bucket-${random_integer.this.result}-green" +} + +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } } resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } 
diff --git a/terraform/ecc-aws-527-mwaa_encrypted_with_kms_cmk/red/mwaa.tf b/terraform/ecc-aws-527-mwaa_encrypted_with_kms_cmk/red/mwaa.tf index 991f0a436..a99f7ccf0 100644 --- a/terraform/ecc-aws-527-mwaa_encrypted_with_kms_cmk/red/mwaa.tf +++ b/terraform/ecc-aws-527-mwaa_encrypted_with_kms_cmk/red/mwaa.tf @@ -18,10 +18,24 @@ resource "aws_mwaa_environment" "this" { } resource "aws_s3_bucket" "this" { - bucket = "527-bucket-red" + bucket = "527-bucket-${random_integer.this.result}-red" +} + +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } } resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } diff --git a/terraform/ecc-aws-531-autoscaling_launch_config_public_ip_disabled/green/asg.tf b/terraform/ecc-aws-531-autoscaling_launch_config_public_ip_disabled/green/asg.tf index cebd20b0d..5884d28b7 100644 --- a/terraform/ecc-aws-531-autoscaling_launch_config_public_ip_disabled/green/asg.tf +++ b/terraform/ecc-aws-531-autoscaling_launch_config_public_ip_disabled/green/asg.tf 
@@ -1,7 +1,30 @@ # There is a bug where 'associate_public_ip_address' has a 3 states when terraform can only provide 2 states. +data "aws_ami" "this" { + most_recent = true -# Use following command to create green infrastructure. -aws autoscaling create-launch-configuration --launch-configuration-name 531_launch_template_green --image-id ami-06eecef118bbf9259 --instance-type t2.micro --no-associate-public-ip-address + filter { + name = "name" + values = ["amzn2-ami-*-hvm-*-arm64-gp2"] + } -# Use following command to delete infrastructure. -aws autoscaling delete-launch-configuration --launch-configuration-name 531_launch_template_green \ No newline at end of file + filter { + name = "architecture" + values = ["arm64"] + } + + owners = ["amazon"] +} + +resource "null_resource" "this" { + + provisioner "local-exec" { + command = "aws autoscaling create-launch-configuration --launch-configuration-name 531_launch_template_green --image-id ${data.aws_ami.this.id} --instance-type t2.micro --no-associate-public-ip-address" + interpreter = ["/bin/bash", "-c"] + } + + provisioner "local-exec" { + when = destroy + command = "aws autoscaling delete-launch-configuration --launch-configuration-name 531_launch_template_green" + interpreter = ["/bin/bash", "-c"] + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-547-cloudtrail_logs_data_events/green/cloudtrail.tf b/terraform/ecc-aws-547-cloudtrail_logs_data_events/green/cloudtrail.tf index 29f9a4db7..4dedaa172 100644 --- a/terraform/ecc-aws-547-cloudtrail_logs_data_events/green/cloudtrail.tf +++ b/terraform/ecc-aws-547-cloudtrail_logs_data_events/green/cloudtrail.tf @@ -35,7 +35,7 @@ data "aws_iam_policy_document" "this" { } actions = ["s3:GetBucketAcl"] - resources = ["arn:aws:s3:::c7n-547-bucket-green"] + resources = [aws_s3_bucket.this.arn] } statement { effect = "Allow" 
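Review bot: The AMI filters select an `arm64` Amazon Linux 2 image, but the launch configuration is created with `--instance-type t2.micro`, an x86_64-only type, so instances launched from it would fail to start even if the CLI call itself is accepted; either filter on `values = ["x86_64"]` with `amzn2-ami-*-hvm-*-x86_64-gp2`, or use a Graviton type such as `t4g.micro`. Separately, because the launch configuration is created by a `local-exec` provisioner it is not tracked in state: a partially failed apply or a manual deletion is never reconciled, and the hard-coded name `531_launch_template_green` makes a second apply in the same account fail with an already-exists error. A `triggers = { ami = data.aws_ami.this.id }` block would at least force re-creation when the AMI changes, and a comment on the `null_resource` should explain that the CLI is used because of the `associate_public_ip_address` three-state problem mentioned at the top.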
@@ -46,7 +46,7 @@ data "aws_iam_policy_document" "this" { } actions = ["s3:PutObject"] - resources = ["arn:aws:s3:::c7n-547-bucket-green/AWSLogs/${data.aws_caller_identity.this.account_id}/*"] + resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"] condition { test = "StringEquals" variable = "s3:x-amz-acl" @@ -57,8 +57,12 @@ data "aws_iam_policy_document" "this" { } } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} resource "aws_s3_bucket" "this" { - bucket = "c7n-547-bucket-green" + bucket = "547-bucket-${random_integer.this.result}-green" force_destroy = true } \ No newline at end of file diff --git a/terraform/ecc-aws-547-cloudtrail_logs_data_events/red/cloudtrail.tf b/terraform/ecc-aws-547-cloudtrail_logs_data_events/red/cloudtrail.tf index 6f52903c2..3b91275fe 100644 --- a/terraform/ecc-aws-547-cloudtrail_logs_data_events/red/cloudtrail.tf +++ b/terraform/ecc-aws-547-cloudtrail_logs_data_events/red/cloudtrail.tf @@ -31,7 +31,7 @@ data "aws_iam_policy_document" "this" { } actions = ["s3:GetBucketAcl"] - resources = ["arn:aws:s3:::c7n-547-bucket-red"] + resources = [aws_s3_bucket.this.arn] } statement { effect = "Allow" @@ -42,7 +42,7 @@ data "aws_iam_policy_document" "this" { } actions = ["s3:PutObject"] - resources = ["arn:aws:s3:::c7n-547-bucket-red/AWSLogs/${data.aws_caller_identity.this.account_id}/*"] + resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"] condition { test = "StringEquals" variable = "s3:x-amz-acl" @@ -53,8 +53,12 @@ data "aws_iam_policy_document" "this" { } } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} resource "aws_s3_bucket" "this" { - bucket = "c7n-547-bucket-red" + bucket = "547-bucket-${random_integer.this.result}-red" force_destroy = true } \ No newline at end of file 
diff --git a/terraform/ecc-aws-568-app_flow_without_tag_information/green/s3.tf b/terraform/ecc-aws-568-app_flow_without_tag_information/green/s3.tf index a8ebe9e30..cddf235c0 100644 --- a/terraform/ecc-aws-568-app_flow_without_tag_information/green/s3.tf +++ b/terraform/ecc-aws-568-app_flow_without_tag_information/green/s3.tf @@ -1,9 +1,23 @@ resource "aws_s3_bucket" "this" { - bucket = "568-bucket-green" + bucket = "568-bucket-${random_integer.this.result}-green" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } @@ -41,8 +55,8 @@ resource "aws_s3_bucket_policy" "this" { "s3:PutObjectAcl" ], "Resource": [ - "arn:aws:s3:::568-bucket-green", - "arn:aws:s3:::568-bucket-green/*" + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" ] } ], diff --git a/terraform/ecc-aws-568-app_flow_without_tag_information/red/s3.tf b/terraform/ecc-aws-568-app_flow_without_tag_information/red/s3.tf index 6df29510a..eac0d1eee 100644 --- a/terraform/ecc-aws-568-app_flow_without_tag_information/red/s3.tf +++ b/terraform/ecc-aws-568-app_flow_without_tag_information/red/s3.tf 
@@ -1,13 +1,26 @@ resource "aws_s3_bucket" "this" { - bucket = "568-bucket-red" + bucket = "568-bucket-${random_integer.this.result}-red" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } - resource "aws_s3_object" "this" { bucket = aws_s3_bucket.this.id key = "source/568-bucket-file.csv" @@ -41,8 +54,8 @@ resource "aws_s3_bucket_policy" "this" { "s3:PutObjectAcl" ], "Resource": [ - "arn:aws:s3:::568-bucket-red", - "arn:aws:s3:::568-bucket-red/*" + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" ] } ], diff --git a/terraform/ecc-aws-575-cloudfront_distributions_without_tag_information/green/cloudfront.tf b/terraform/ecc-aws-575-cloudfront_distributions_without_tag_information/green/cloudfront.tf index 0a1ba5c3c..acb013f4e 100644 --- a/terraform/ecc-aws-575-cloudfront_distributions_without_tag_information/green/cloudfront.tf +++ b/terraform/ecc-aws-575-cloudfront_distributions_without_tag_information/green/cloudfront.tf @@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-575-green" + bucket = "575-bucket-${random_integer.this.result}-green" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + locals { s3_origin_id = "myGreenS3" } diff --git a/terraform/ecc-aws-575-cloudfront_distributions_without_tag_information/red/cloudfront.tf b/terraform/ecc-aws-575-cloudfront_distributions_without_tag_information/red/cloudfront.tf index da1eb3d69..1c2ad13bd 100644 --- a/terraform/ecc-aws-575-cloudfront_distributions_without_tag_information/red/cloudfront.tf +++ b/terraform/ecc-aws-575-cloudfront_distributions_without_tag_information/red/cloudfront.tf 
@@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "bucket-575-red" + bucket = "575-bucket-${random_integer.this.result}-red" force_destroy = "true" } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + locals { s3_origin_id = "myRedS3" } diff --git a/terraform/ecc-aws-578-cloudtrail_without_tag_information/green/cloudtrail.tf b/terraform/ecc-aws-578-cloudtrail_without_tag_information/green/cloudtrail.tf index 8c68f3e34..4370592b5 100644 --- a/terraform/ecc-aws-578-cloudtrail_without_tag_information/green/cloudtrail.tf +++ b/terraform/ecc-aws-578-cloudtrail_without_tag_information/green/cloudtrail.tf @@ -7,16 +7,22 @@ resource "aws_cloudtrail" "this" { } resource "aws_s3_bucket" "this" { - bucket = "bucket-578-green" + bucket = "578-bucket-${random_integer.this.result}-green" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id policy = data.aws_iam_policy_document.this.json } data "aws_iam_policy_document" "this" { + statement { effect = "Allow" @@ -25,10 +31,9 @@ data "aws_iam_policy_document" "this" { identifiers = ["cloudtrail.amazonaws.com"] } - actions = ["s3:GetBucketAcl"] - resources = ["arn:aws:s3:::bucket-578-green"] + actions = ["s3:GetBucketAcl"] + resources = [aws_s3_bucket.this.arn] } - statement { effect = "Allow" @@ -37,8 +42,8 @@ data "aws_iam_policy_document" "this" { identifiers = ["cloudtrail.amazonaws.com"] } - actions = ["s3:PutObject"] - resources = ["arn:aws:s3:::bucket-578-green/AWSLogs/${data.aws_caller_identity.this.account_id}/*"] + actions = ["s3:PutObject"] + resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"] condition { test = "StringEquals" variable = "s3:x-amz-acl" 
diff --git a/terraform/ecc-aws-578-cloudtrail_without_tag_information/red/cloudtrail.tf b/terraform/ecc-aws-578-cloudtrail_without_tag_information/red/cloudtrail.tf index 971f89241..c7cd2ddf1 100644 --- a/terraform/ecc-aws-578-cloudtrail_without_tag_information/red/cloudtrail.tf +++ b/terraform/ecc-aws-578-cloudtrail_without_tag_information/red/cloudtrail.tf @@ -9,16 +9,22 @@ resource "aws_cloudtrail" "this" { } resource "aws_s3_bucket" "this" { - bucket = "bucket-578-red" + bucket = "578-bucket-${random_integer.this.result}-red" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id policy = data.aws_iam_policy_document.this.json } data "aws_iam_policy_document" "this" { + statement { effect = "Allow" @@ -27,10 +33,9 @@ data "aws_iam_policy_document" "this" { identifiers = ["cloudtrail.amazonaws.com"] } - actions = ["s3:GetBucketAcl"] - resources = ["arn:aws:s3:::bucket-578-red"] + actions = ["s3:GetBucketAcl"] + resources = [aws_s3_bucket.this.arn] } - statement { effect = "Allow" @@ -39,8 +44,8 @@ data "aws_iam_policy_document" "this" { identifiers = ["cloudtrail.amazonaws.com"] } - actions = ["s3:PutObject"] - resources = ["arn:aws:s3:::bucket-578-red/AWSLogs/${data.aws_caller_identity.this.account_id}/*"] + actions = ["s3:PutObject"] + resources = ["${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.this.account_id}/*"] condition { test = "StringEquals" variable = "s3:x-amz-acl" diff --git a/terraform/ecc-aws-580-codebuild_without_tag_information/green/codebuild.tf b/terraform/ecc-aws-580-codebuild_without_tag_information/green/codebuild.tf index dce1c8894..22b01e024 100644 --- a/terraform/ecc-aws-580-codebuild_without_tag_information/green/codebuild.tf +++ b/terraform/ecc-aws-580-codebuild_without_tag_information/green/codebuild.tf 
@@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "580-bucket-green" + bucket = "580-bucket-${random_integer.this.result}-green" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_codebuild_project" "this" { name = "580_codebuilt_green" diff --git a/terraform/ecc-aws-580-codebuild_without_tag_information/red/codebuild.tf b/terraform/ecc-aws-580-codebuild_without_tag_information/red/codebuild.tf index 5a02555c4..c969581a0 100644 --- a/terraform/ecc-aws-580-codebuild_without_tag_information/red/codebuild.tf +++ b/terraform/ecc-aws-580-codebuild_without_tag_information/red/codebuild.tf @@ -1,8 +1,13 @@ resource "aws_s3_bucket" "this" { - bucket = "580-bucket-red" + bucket = "580-bucket-${random_integer.this.result}-red" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_codebuild_project" "this" { name = "580_codebuilt_red" diff --git a/terraform/ecc-aws-600-glue_job_without_tag_information/green/iam.tf b/terraform/ecc-aws-600-glue_job_without_tag_information/green/iam.tf index 4474d9a65..451a87c3c 100644 --- a/terraform/ecc-aws-600-glue_job_without_tag_information/green/iam.tf +++ b/terraform/ecc-aws-600-glue_job_without_tag_information/green/iam.tf @@ -39,15 +39,22 @@ resource "aws_iam_role_policy" "this" { EOF } +data "aws_caller_identity" "this" { + provider = aws +} + data "aws_iam_policy_document" "this" { statement { effect = "Allow" principals { - type = "AWS" - identifiers = ["*"] + type = "AWS" + + identifiers = [ + data.aws_caller_identity.this.account_id, + ] } actions = ["s3:PutObject"] - resources = ["arn:aws:s3:::bucket-600-green/*"] + resources = ["${aws_s3_bucket.this.arn}/*"] } } \ No newline at end of file diff --git a/terraform/ecc-aws-600-glue_job_without_tag_information/green/s3.tf b/terraform/ecc-aws-600-glue_job_without_tag_information/green/s3.tf index 93d050c1f..08b327913 100644 
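Review bot: Replacing `identifiers = ["*"]` with the caller's account ID in the 600 green `iam.tf` hunk closes a policy that let any AWS principal `s3:PutObject` into the bucket, which is the right fix; note that a bare account ID in an `AWS` principal is treated as `arn:aws:iam::<account>:root`, i.e. it delegates to every identity in the account that is also allowed by its own identity policy, so record the intent with `# restrict PutObject to principals in this account (was "*")`. `provider = aws` on the new `aws_caller_identity` data source just names the default provider and can be dropped. The identical change is in the red `iam.tf` hunk on the next line and the same comment applies there.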
--- a/terraform/ecc-aws-600-glue_job_without_tag_information/green/s3.tf +++ b/terraform/ecc-aws-600-glue_job_without_tag_information/green/s3.tf @@ -7,14 +7,29 @@ resource "aws_s3_object" "this" { } resource "aws_s3_bucket" "this" { - bucket = "bucket-600-green" + bucket = "600-bucket-${random_integer.this.result}-green" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } + resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id policy = data.aws_iam_policy_document.this.json diff --git a/terraform/ecc-aws-600-glue_job_without_tag_information/red/iam.tf b/terraform/ecc-aws-600-glue_job_without_tag_information/red/iam.tf index 100ef2d70..744cf5943 100644 --- a/terraform/ecc-aws-600-glue_job_without_tag_information/red/iam.tf +++ b/terraform/ecc-aws-600-glue_job_without_tag_information/red/iam.tf @@ -39,15 +39,22 @@ resource "aws_iam_role_policy" "this" { EOF } +data "aws_caller_identity" "this" { + provider = aws +} + data "aws_iam_policy_document" "this" { statement { effect = "Allow" principals { - type = "AWS" - identifiers = ["*"] + type = "AWS" + + identifiers = [ + data.aws_caller_identity.this.account_id, + ] } actions = ["s3:PutObject"] - resources = ["arn:aws:s3:::bucket-600-red/*"] + resources = ["${aws_s3_bucket.this.arn}/*"] } } \ No newline at end of file diff --git a/terraform/ecc-aws-600-glue_job_without_tag_information/red/s3.tf b/terraform/ecc-aws-600-glue_job_without_tag_information/red/s3.tf index 08ed4a917..caee5fca5 100644 --- a/terraform/ecc-aws-600-glue_job_without_tag_information/red/s3.tf +++ b/terraform/ecc-aws-600-glue_job_without_tag_information/red/s3.tf 
@@ -7,14 +7,29 @@ resource "aws_s3_object" "this" { } resource "aws_s3_bucket" "this" { - bucket = "bucket-600-red" + bucket = "600-bucket-${random_integer.this.result}-red" force_destroy = true } +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } + resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id policy = data.aws_iam_policy_document.this.json diff --git a/terraform/ecc-aws-620-mwaa_without_tag_information/green/mwaa.tf b/terraform/ecc-aws-620-mwaa_without_tag_information/green/mwaa.tf index 6a8000190..c60039028 100644 --- a/terraform/ecc-aws-620-mwaa_without_tag_information/green/mwaa.tf +++ b/terraform/ecc-aws-620-mwaa_without_tag_information/green/mwaa.tf @@ -18,10 +18,24 @@ resource "aws_mwaa_environment" "this" { } resource "aws_s3_bucket" "this" { - bucket = "620-bucket-green" + bucket = "620-bucket-${random_integer.this.result}-green" +} + +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } } resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } diff --git a/terraform/ecc-aws-620-mwaa_without_tag_information/red/mwaa.tf b/terraform/ecc-aws-620-mwaa_without_tag_information/red/mwaa.tf index 7fc0e3618..d4a1066db 100644 --- a/terraform/ecc-aws-620-mwaa_without_tag_information/red/mwaa.tf +++ b/terraform/ecc-aws-620-mwaa_without_tag_information/red/mwaa.tf 
@@ -18,10 +18,24 @@ resource "aws_mwaa_environment" "this" { } resource "aws_s3_bucket" "this" { - bucket = "620-bucket-red" + bucket = "620-bucket-${random_integer.this.result}-red" +} + +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } } resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } diff --git a/terraform/ecc-aws-652-mwaa_dag_processing_logs_set_correctly/green/mwaa.tf b/terraform/ecc-aws-652-mwaa_dag_processing_logs_set_correctly/green/mwaa.tf index 4c1d4ce60..b1569b8be 100644 --- a/terraform/ecc-aws-652-mwaa_dag_processing_logs_set_correctly/green/mwaa.tf +++ b/terraform/ecc-aws-652-mwaa_dag_processing_logs_set_correctly/green/mwaa.tf @@ -25,10 +25,24 @@ resource "aws_mwaa_environment" "this" { } resource "aws_s3_bucket" "this" { - bucket = "652-bucket-green" + bucket = "652-bucket-${random_integer.this.result}-green" +} + +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } } resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } diff --git a/terraform/ecc-aws-652-mwaa_dag_processing_logs_set_correctly/red/mwaa.tf b/terraform/ecc-aws-652-mwaa_dag_processing_logs_set_correctly/red/mwaa.tf index 30f9a7910..babba3762 100644 --- a/terraform/ecc-aws-652-mwaa_dag_processing_logs_set_correctly/red/mwaa.tf +++ b/terraform/ecc-aws-652-mwaa_dag_processing_logs_set_correctly/red/mwaa.tf 
@@ -18,10 +18,24 @@ resource "aws_mwaa_environment" "this" { } resource "aws_s3_bucket" "this" { - bucket = "652-bucket-red" + bucket = "652-bucket-${random_integer.this.result}-red" +} + +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } } resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } diff --git a/terraform/ecc-aws-653-mwaa_scheduler_logs_set_correctly/green/mwaa.tf b/terraform/ecc-aws-653-mwaa_scheduler_logs_set_correctly/green/mwaa.tf index aa8c74b50..97ce0abb5 100644 --- a/terraform/ecc-aws-653-mwaa_scheduler_logs_set_correctly/green/mwaa.tf +++ b/terraform/ecc-aws-653-mwaa_scheduler_logs_set_correctly/green/mwaa.tf @@ -25,10 +25,24 @@ resource "aws_mwaa_environment" "this" { } resource "aws_s3_bucket" "this" { - bucket = "653-bucket-green" + bucket = "653-bucket-${random_integer.this.result}-green" +} + +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } } resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + bucket = aws_s3_bucket.this.id acl = "private" } diff --git a/terraform/ecc-aws-653-mwaa_scheduler_logs_set_correctly/red/mwaa.tf b/terraform/ecc-aws-653-mwaa_scheduler_logs_set_correctly/red/mwaa.tf index 58947d684..616823732 100644 --- a/terraform/ecc-aws-653-mwaa_scheduler_logs_set_correctly/red/mwaa.tf +++ b/terraform/ecc-aws-653-mwaa_scheduler_logs_set_correctly/red/mwaa.tf 
@@ -18,10 +18,24 @@ resource "aws_mwaa_environment" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
- bucket = "653-bucket-red"
+ bucket = "653-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
diff --git a/terraform/ecc-aws-654-mwaa_task_logs_set_correctly/green/mwaa.tf b/terraform/ecc-aws-654-mwaa_task_logs_set_correctly/green/mwaa.tf
index 86c87e1ae..32848bf70 100644
--- a/terraform/ecc-aws-654-mwaa_task_logs_set_correctly/green/mwaa.tf
+++ b/terraform/ecc-aws-654-mwaa_task_logs_set_correctly/green/mwaa.tf
@@ -25,10 +25,24 @@ resource "aws_mwaa_environment" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
- bucket = "654-bucket-green"
+ bucket = "654-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
diff --git a/terraform/ecc-aws-654-mwaa_task_logs_set_correctly/red/mwaa.tf b/terraform/ecc-aws-654-mwaa_task_logs_set_correctly/red/mwaa.tf
index 4961a299a..5d143c9d8 100644
--- a/terraform/ecc-aws-654-mwaa_task_logs_set_correctly/red/mwaa.tf
+++ b/terraform/ecc-aws-654-mwaa_task_logs_set_correctly/red/mwaa.tf
@@ -18,10 +18,24 @@ resource "aws_mwaa_environment" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
- bucket = "654-bucket-red"
+ bucket = "654-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
diff --git a/terraform/ecc-aws-655-mwaa_webserver_logs_set_correctly/green/mwaa.tf b/terraform/ecc-aws-655-mwaa_webserver_logs_set_correctly/green/mwaa.tf
index bcf699513..3374ed856 100644
--- a/terraform/ecc-aws-655-mwaa_webserver_logs_set_correctly/green/mwaa.tf
+++ b/terraform/ecc-aws-655-mwaa_webserver_logs_set_correctly/green/mwaa.tf
@@ -25,10 +25,24 @@ resource "aws_mwaa_environment" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
- bucket = "655-bucket-green"
+ bucket = "655-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
diff --git a/terraform/ecc-aws-655-mwaa_webserver_logs_set_correctly/red/mwaa.tf b/terraform/ecc-aws-655-mwaa_webserver_logs_set_correctly/red/mwaa.tf
index b33a1787f..681d55d57 100644
--- a/terraform/ecc-aws-655-mwaa_webserver_logs_set_correctly/red/mwaa.tf
+++ b/terraform/ecc-aws-655-mwaa_webserver_logs_set_correctly/red/mwaa.tf
@@ -18,10 +18,24 @@ resource "aws_mwaa_environment" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
- bucket = "655-bucket-red"
+ bucket = "655-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
diff --git a/terraform/ecc-aws-656-mwaa_worker_logs_set_correctly/green/mwaa.tf b/terraform/ecc-aws-656-mwaa_worker_logs_set_correctly/green/mwaa.tf
index 032be3038..65ef3b8e0 100644
--- a/terraform/ecc-aws-656-mwaa_worker_logs_set_correctly/green/mwaa.tf
+++ b/terraform/ecc-aws-656-mwaa_worker_logs_set_correctly/green/mwaa.tf
@@ -25,10 +25,24 @@ resource "aws_mwaa_environment" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
- bucket = "656-bucket-green"
+ bucket = "656-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
diff --git a/terraform/ecc-aws-656-mwaa_worker_logs_set_correctly/red/mwaa.tf b/terraform/ecc-aws-656-mwaa_worker_logs_set_correctly/red/mwaa.tf
index f63fc3c1a..499bcdad7 100644
--- a/terraform/ecc-aws-656-mwaa_worker_logs_set_correctly/red/mwaa.tf
+++ b/terraform/ecc-aws-656-mwaa_worker_logs_set_correctly/red/mwaa.tf
@@ -18,10 +18,24 @@ resource "aws_mwaa_environment" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
- bucket = "656-bucket-red"
+ bucket = "656-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
diff --git a/terraform/ecc-aws-672-glue_spark_ui_monitoring_enabled/green/s3.tf b/terraform/ecc-aws-672-glue_spark_ui_monitoring_enabled/green/s3.tf
index ea63f3c58..f5fd3fe3a 100644
--- a/terraform/ecc-aws-672-glue_spark_ui_monitoring_enabled/green/s3.tf
+++ b/terraform/ecc-aws-672-glue_spark_ui_monitoring_enabled/green/s3.tf
@@ -7,14 +7,29 @@ resource "aws_s3_object" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-672-green"
+ bucket = "672-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
diff --git a/terraform/ecc-aws-672-glue_spark_ui_monitoring_enabled/red/s3.tf b/terraform/ecc-aws-672-glue_spark_ui_monitoring_enabled/red/s3.tf
index 9aabce06a..be1b5059d 100644
--- a/terraform/ecc-aws-672-glue_spark_ui_monitoring_enabled/red/s3.tf
+++ b/terraform/ecc-aws-672-glue_spark_ui_monitoring_enabled/red/s3.tf
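Review bot: The 672 green bucket is renamed to `672-bucket-${random_integer.this.result}-green`, but the `aws_s3_bucket_policy` at the end of that hunk consumes `data.aws_iam_policy_document.this.json`, which is defined outside the hunk; if that document still hard-codes `arn:aws:s3:::bucket-672-green/*` (as the 962 and 963 `iam.tf` documents did before this commit rewrote them to `"${aws_s3_bucket.this.arn}/*"`), the policy will no longer match the bucket it is attached to. No 672 `iam.tf` appears in this diff, so please confirm the document derives its `resources` from `aws_s3_bucket.this.arn`. The same check applies to the 672 red `s3.tf` hunk.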
@@ -7,14 +7,29 @@ resource "aws_s3_object" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-672-red"
+ bucket = "672-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
diff --git a/terraform/ecc-aws-689-bucket_not_dns_compliant/green/s3.tf b/terraform/ecc-aws-689-bucket_not_dns_compliant/green/s3.tf
index a503a2273..47a205850 100644
--- a/terraform/ecc-aws-689-bucket_not_dns_compliant/green/s3.tf
+++ b/terraform/ecc-aws-689-bucket_not_dns_compliant/green/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
- bucket = "689-bucket-green"
+ bucket = "689-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {
diff --git a/terraform/ecc-aws-689-bucket_not_dns_compliant/red/s3.tf b/terraform/ecc-aws-689-bucket_not_dns_compliant/red/s3.tf
index 85115b9fb..1e5d49370 100644
--- a/terraform/ecc-aws-689-bucket_not_dns_compliant/red/s3.tf
+++ b/terraform/ecc-aws-689-bucket_not_dns_compliant/red/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
- bucket = "689.bucket.red"
+ bucket = "689.bucket.${random_integer.this.result}.red"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {
diff --git a/terraform/ecc-aws-690-ecs_exec_logging_enabled/green/s3.tf b/terraform/ecc-aws-690-ecs_exec_logging_enabled/green/s3.tf
index b015dec44..018e91c8b 100644
--- a/terraform/ecc-aws-690-ecs_exec_logging_enabled/green/s3.tf
+++ b/terraform/ecc-aws-690-ecs_exec_logging_enabled/green/s3.tf
@@ -1,9 +1,23 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-690-green"
+ bucket = "690-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
-}
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-712-cloudfront_sni_enabled/green/cloudfront.tf b/terraform/ecc-aws-712-cloudfront_sni_enabled/green/cloudfront.tf
index ef1172217..6a157d198 100644
--- a/terraform/ecc-aws-712-cloudfront_sni_enabled/green/cloudfront.tf
+++ b/terraform/ecc-aws-712-cloudfront_sni_enabled/green/cloudfront.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-712-green"
+ bucket = "712-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 
 resource "tls_private_key" "this" {
diff --git a/terraform/ecc-aws-712-cloudfront_sni_enabled/green1/cloudfront.tf b/terraform/ecc-aws-712-cloudfront_sni_enabled/green1/cloudfront.tf
index f3e53b089..f4b867619 100644
--- a/terraform/ecc-aws-712-cloudfront_sni_enabled/green1/cloudfront.tf
+++ b/terraform/ecc-aws-712-cloudfront_sni_enabled/green1/cloudfront.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-712-green1"
+ bucket = "712-bucket-${random_integer.this.result}-green1"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 
 resource "tls_private_key" "this" {
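Review bot: The last two lines of the 690 hunk replace `}` with an identical `}` followed by `\ No newline at end of file`, so the only change at the end of that file is that the trailing newline is dropped; the 899 red, 897 and 962/963 `iam.tf` hunks end the same way. Keep the final newline so later diffs of these files stay to the lines that actually change and so `terraform fmt`, which would restore it, does not churn the files.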
diff --git a/terraform/ecc-aws-712-cloudfront_sni_enabled/red/cloudfront.tf b/terraform/ecc-aws-712-cloudfront_sni_enabled/red/cloudfront.tf
index 265385b54..ab4bb691e 100644
--- a/terraform/ecc-aws-712-cloudfront_sni_enabled/red/cloudfront.tf
+++ b/terraform/ecc-aws-712-cloudfront_sni_enabled/red/cloudfront.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-712-red"
+ bucket = "712-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 
 resource "tls_private_key" "this" {
diff --git a/terraform/ecc-aws-717-codebuild_project_artifact_encryption/green/codebuild.tf b/terraform/ecc-aws-717-codebuild_project_artifact_encryption/green/codebuild.tf
index bde0f3188..c787573a3 100644
--- a/terraform/ecc-aws-717-codebuild_project_artifact_encryption/green/codebuild.tf
+++ b/terraform/ecc-aws-717-codebuild_project_artifact_encryption/green/codebuild.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "717-bucket-green"
+ bucket = "717-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_codebuild_project" "this" {
 name = "717_codebuilt_green"
 service_role = aws_iam_role.this.arn
diff --git a/terraform/ecc-aws-717-codebuild_project_artifact_encryption/red/codebuild.tf b/terraform/ecc-aws-717-codebuild_project_artifact_encryption/red/codebuild.tf
index 74929d860..b7ff37a7c 100644
--- a/terraform/ecc-aws-717-codebuild_project_artifact_encryption/red/codebuild.tf
+++ b/terraform/ecc-aws-717-codebuild_project_artifact_encryption/red/codebuild.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "717-bucket-red"
+ bucket = "717-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_codebuild_project" "this" {
 name = "717_codebuilt_red"
 service_role = aws_iam_role.this.arn
diff --git a/terraform/ecc-aws-718-codebuild_project_environment_privileged_check/green/codebuild.tf b/terraform/ecc-aws-718-codebuild_project_environment_privileged_check/green/codebuild.tf
index 568d55a8f..7706dbe4d 100644
--- a/terraform/ecc-aws-718-codebuild_project_environment_privileged_check/green/codebuild.tf
+++ b/terraform/ecc-aws-718-codebuild_project_environment_privileged_check/green/codebuild.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "718-bucket-green"
+ bucket = "718-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_codebuild_project" "this" {
 name = "718_codebuilt_green"
diff --git a/terraform/ecc-aws-718-codebuild_project_environment_privileged_check/red/codebuild.tf b/terraform/ecc-aws-718-codebuild_project_environment_privileged_check/red/codebuild.tf
index a59eedcda..97c6c187a 100644
--- a/terraform/ecc-aws-718-codebuild_project_environment_privileged_check/red/codebuild.tf
+++ b/terraform/ecc-aws-718-codebuild_project_environment_privileged_check/red/codebuild.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "718-bucket-red"
+ bucket = "718-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_codebuild_project" "this" {
 name = "718_codebuilt_red"
diff --git a/terraform/ecc-aws-719-codebuild_project_logging_enabled/green/codebuild.tf b/terraform/ecc-aws-719-codebuild_project_logging_enabled/green/codebuild.tf
index ca982c1d9..d546fea6a 100644
--- a/terraform/ecc-aws-719-codebuild_project_logging_enabled/green/codebuild.tf
+++ b/terraform/ecc-aws-719-codebuild_project_logging_enabled/green/codebuild.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "719-bucket-green"
+ bucket = "719-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_codebuild_project" "this" {
 name = "719_codebuilt_green"
diff --git a/terraform/ecc-aws-719-codebuild_project_logging_enabled/red/codebuild.tf b/terraform/ecc-aws-719-codebuild_project_logging_enabled/red/codebuild.tf
index 8740af16a..3d42e8449 100644
--- a/terraform/ecc-aws-719-codebuild_project_logging_enabled/red/codebuild.tf
+++ b/terraform/ecc-aws-719-codebuild_project_logging_enabled/red/codebuild.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "719-bucket-red"
+ bucket = "719-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_codebuild_project" "this" {
 name = "719_codebuilt_red"
diff --git a/terraform/ecc-aws-720-codebuild_project_s3_logs_encrypted/green/codebuild.tf b/terraform/ecc-aws-720-codebuild_project_s3_logs_encrypted/green/codebuild.tf
index ed3a71d8f..e93d485ce 100644
--- a/terraform/ecc-aws-720-codebuild_project_s3_logs_encrypted/green/codebuild.tf
+++ b/terraform/ecc-aws-720-codebuild_project_s3_logs_encrypted/green/codebuild.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "720-bucket-green"
+ bucket = "720-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_codebuild_project" "this" {
 name = "720_codebuilt_green"
diff --git a/terraform/ecc-aws-720-codebuild_project_s3_logs_encrypted/green1/codebuild.tf b/terraform/ecc-aws-720-codebuild_project_s3_logs_encrypted/green1/codebuild.tf
index ebaa70922..59c0aa4df 100644
--- a/terraform/ecc-aws-720-codebuild_project_s3_logs_encrypted/green1/codebuild.tf
+++ b/terraform/ecc-aws-720-codebuild_project_s3_logs_encrypted/green1/codebuild.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "720-bucket-green1"
+ bucket = "720-bucket-${random_integer.this.result}-green1"
 force_destroy = true
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_codebuild_project" "this" {
 name = "720_codebuilt_green1"
diff --git a/terraform/ecc-aws-720-codebuild_project_s3_logs_encrypted/red/codebuild.tf b/terraform/ecc-aws-720-codebuild_project_s3_logs_encrypted/red/codebuild.tf
index 0531ada65..fb6fe20f1 100644
--- a/terraform/ecc-aws-720-codebuild_project_s3_logs_encrypted/red/codebuild.tf
+++ b/terraform/ecc-aws-720-codebuild_project_s3_logs_encrypted/red/codebuild.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "720-bucket-red"
+ bucket = "720-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_codebuild_project" "this" {
 name = "720_codebuilt_red"
diff --git a/terraform/ecc-aws-724-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk/green/codepipeline.tf b/terraform/ecc-aws-724-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk/green/codepipeline.tf
index 3e2ef295c..83d1e3c21 100644
--- a/terraform/ecc-aws-724-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk/green/codepipeline.tf
+++ b/terraform/ecc-aws-724-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk/green/codepipeline.tf
@@ -69,6 +69,10 @@ resource "aws_codepipeline" "codepipeline" {
 }
 }
 }
+
+ depends_on = [
+ aws_s3_bucket_acl.this
+ ]
 }
 
 resource "aws_codestarconnections_connection" "this" {
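Review bot: The `depends_on = [aws_s3_bucket_acl.this]` added to `aws_codepipeline.codepipeline` in the 724 green hunk has no explanation, and an explicit dependency on an ACL resource is the kind of line a later cleanup removes as dead weight. Add a why-comment on the new line, e.g. `# wait until ownership controls and the ACL are applied to the artifact bucket before CodePipeline validates the artifact store`, assuming that is the ordering failure it works around — the `artifact_store` block is outside the hunk so I could not confirm. The `aws_codepipeline` resource starts outside the hunk; the same addition appears in the 724 red hunk.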
@@ -77,10 +81,24 @@ resource "aws_codestarconnections_connection" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
- bucket = "724-bucket-green"
+ bucket = "724-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
diff --git a/terraform/ecc-aws-724-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk/red/codepipeline.tf b/terraform/ecc-aws-724-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk/red/codepipeline.tf
index a258cfb80..3ec2e5383 100644
--- a/terraform/ecc-aws-724-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk/red/codepipeline.tf
+++ b/terraform/ecc-aws-724-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk/red/codepipeline.tf
@@ -64,6 +64,10 @@ resource "aws_codepipeline" "codepipeline" {
 }
 }
 }
+
+ depends_on = [
+ aws_s3_bucket_acl.this
+ ]
 }
 
 resource "aws_codestarconnections_connection" "this" {
@@ -72,10 +76,24 @@ resource "aws_codestarconnections_connection" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
- bucket = "724-bucket-red"
+ bucket = "724-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
diff --git a/terraform/ecc-aws-787-mwaa_latest_version/green/mwaa.tf b/terraform/ecc-aws-787-mwaa_latest_version/green/mwaa.tf
index 287ccbb60..7ad67ef6d 100644
--- a/terraform/ecc-aws-787-mwaa_latest_version/green/mwaa.tf
+++ b/terraform/ecc-aws-787-mwaa_latest_version/green/mwaa.tf
@@ -18,10 +18,24 @@ resource "aws_mwaa_environment" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
- bucket = "787-bucket-green"
+ bucket = "787-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
diff --git a/terraform/ecc-aws-787-mwaa_latest_version/red/mwaa.tf b/terraform/ecc-aws-787-mwaa_latest_version/red/mwaa.tf
index 54bfbb7b4..d1ba69e70 100644
--- a/terraform/ecc-aws-787-mwaa_latest_version/red/mwaa.tf
+++ b/terraform/ecc-aws-787-mwaa_latest_version/red/mwaa.tf
@@ -18,10 +18,24 @@ resource "aws_mwaa_environment" "this" {
 }
 
 resource "aws_s3_bucket" "this" {
- bucket = "787-bucket-red"
+ bucket = "787-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
diff --git a/terraform/ecc-aws-809-elb_internet_facing/red/alb.tf b/terraform/ecc-aws-809-elb_internet_facing/red/alb.tf
index 6cf8277df..1c062977a 100644
--- a/terraform/ecc-aws-809-elb_internet_facing/red/alb.tf
+++ b/terraform/ecc-aws-809-elb_internet_facing/red/alb.tf
@@ -5,14 +5,6 @@ resource "aws_lb" "this" {
 subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
 internal = false
 enable_deletion_protection = false
- # subnet_mapping {
- # subnet_id = aws_subnet.subnet1.id
- # allocation_id = aws_eip.this.id
- # }
- # subnet_mapping {
- # subnet_id = aws_subnet.subnet2.id
- # allocation_id = aws_eip.this1.id
- # }
 }
 
 resource "aws_vpc" "this" {
@@ -46,12 +38,4 @@ resource "aws_security_group" "this" {
 
 resource "aws_internet_gateway" "this" {
 vpc_id = aws_vpc.this.id
-}
-
-# resource "aws_eip" "this" {
-# vpc = true
-# }
-
-# resource "aws_eip" "this1" {
-# vpc = true
-# }
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-897-security_hub_enabled/green/security-hub.tf b/terraform/ecc-aws-897-security_hub_enabled/green/security-hub.tf
index 5bd083775..498cdd2b2 100644
--- a/terraform/ecc-aws-897-security_hub_enabled/green/security-hub.tf
+++ b/terraform/ecc-aws-897-security_hub_enabled/green/security-hub.tf
@@ -2,7 +2,13 @@ resource "null_resource" "this" {
 provisioner "local-exec" {
 command = "aws securityhub enable-security-hub --enable-default-standards"
+ interpreter = ["/bin/bash", "-c"]
+ }
+ provisioner "local-exec" {
+ when = destroy
+ command = "aws securityhub disable-security-hub"
 interpreter = ["/bin/bash", "-c"]
 }
+
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-899-s3_event_notifications_enabled/green/s3.tf b/terraform/ecc-aws-899-s3_event_notifications_enabled/green/s3.tf
index 916b876a8..8568671c9 100644
--- a/terraform/ecc-aws-899-s3_event_notifications_enabled/green/s3.tf
+++ b/terraform/ecc-aws-899-s3_event_notifications_enabled/green/s3.tf
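Review bot: The new destroy-time provisioner in the 897 hunk runs `aws securityhub disable-security-hub`, which switches Security Hub off for the whole account and region rather than undoing only what this fixture did; if Security Hub was already enabled before `terraform apply` (a case in which the create-time `enable-security-hub` on the context line fails anyway), `terraform destroy` would remove a pre-existing control together with its standards subscriptions. Consider the provider's native `aws_securityhub_account` resource (it has an `enable_default_standards` argument) so Terraform owns the enable/disable lifecycle instead of two unguarded CLI calls, or gate the destroy command on state this module itself created. At minimum document the blast radius on the new provisioner, e.g. `# destroy disables Security Hub for the entire account in this region`. The `null_resource` block starts outside the hunk.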
@@ -1,8 +1,22 @@
 resource "aws_s3_bucket" "sns" {
- bucket = "899-sns-s3-bucket-green"
+ bucket = "899-sns-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "sns" {
+ bucket = aws_s3_bucket.sns.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "sns" {
+ depends_on = [aws_s3_bucket_ownership_controls.sns]
+
 bucket = aws_s3_bucket.sns.id
 acl = "private"
 }
@@ -18,10 +32,19 @@ resource "aws_s3_bucket_notification" "sns" {
 }
 
 resource "aws_s3_bucket" "sqs" {
- bucket = "899-sqs-s3-bucket-green"
+ bucket = "899-sqs-bucket-${random_integer.this.result}-green"
+}
+
+resource "aws_s3_bucket_ownership_controls" "sqs" {
+ bucket = aws_s3_bucket.sqs.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "sqs" {
+ depends_on = [aws_s3_bucket_ownership_controls.sqs]
+
 bucket = aws_s3_bucket.sqs.id
 acl = "private"
 }
@@ -36,10 +59,19 @@ resource "aws_s3_bucket_notification" "sqs" {
 }
 
 resource "aws_s3_bucket" "lambda" {
- bucket = "899-lambda-s3-bucket-green"
+ bucket = "899-lambda-bucket-${random_integer.this.result}-green"
+}
+
+resource "aws_s3_bucket_ownership_controls" "lambda" {
+ bucket = aws_s3_bucket.lambda.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "lambda" {
+ depends_on = [aws_s3_bucket_ownership_controls.lambda]
+
 bucket = aws_s3_bucket.lambda.id
 acl = "private"
 }
diff --git a/terraform/ecc-aws-899-s3_event_notifications_enabled/red/s3.tf b/terraform/ecc-aws-899-s3_event_notifications_enabled/red/s3.tf
index 0c71b2e51..06450eadc 100644
--- a/terraform/ecc-aws-899-s3_event_notifications_enabled/red/s3.tf
+++ b/terraform/ecc-aws-899-s3_event_notifications_enabled/red/s3.tf
@@ -1,8 +1,22 @@
 resource "aws_s3_bucket" "this" {
- bucket = "899-s3-bucket-red"
+ bucket = "899-bucket-${random_integer.this.result}-red"
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
 }
 
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-900-s3_bucket_acl_prohibited/green/s3.tf b/terraform/ecc-aws-900-s3_bucket_acl_prohibited/green/s3.tf
index 99611bfc8..6a8fc2752 100644
--- a/terraform/ecc-aws-900-s3_bucket_acl_prohibited/green/s3.tf
+++ b/terraform/ecc-aws-900-s3_bucket_acl_prohibited/green/s3.tf
@@ -1,6 +1,12 @@
 resource "aws_s3_bucket" "this" {
- bucket = "900-s3-bucket-green"
+ bucket = "900-bucket-${random_integer.this.result}-green"
 }
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_public_access_block" "this" {
 bucket = aws_s3_bucket.this.id
diff --git a/terraform/ecc-aws-900-s3_bucket_acl_prohibited/red/s3.tf b/terraform/ecc-aws-900-s3_bucket_acl_prohibited/red/s3.tf
index 0aa881e71..9ef24fdb8 100644
--- a/terraform/ecc-aws-900-s3_bucket_acl_prohibited/red/s3.tf
+++ b/terraform/ecc-aws-900-s3_bucket_acl_prohibited/red/s3.tf
@@ -1,7 +1,12 @@
 data "aws_canonical_user_id" "current" {}
 
 resource "aws_s3_bucket" "this" {
- bucket = "900-s3-bucket-red"
+ bucket = "900-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {
diff --git a/terraform/ecc-aws-901-s3_version_lifecycle_policy_check/green/s3.tf b/terraform/ecc-aws-901-s3_version_lifecycle_policy_check/green/s3.tf
index 52dbadb5c..a223c5def 100644
--- a/terraform/ecc-aws-901-s3_version_lifecycle_policy_check/green/s3.tf
+++ b/terraform/ecc-aws-901-s3_version_lifecycle_policy_check/green/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
- bucket = "901-bucket-green"
+ bucket = "901-bucket-${random_integer.this.result}-green"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 
 resource "aws_s3_bucket_public_access_block" "this" {
diff --git a/terraform/ecc-aws-901-s3_version_lifecycle_policy_check/red/s3.tf b/terraform/ecc-aws-901-s3_version_lifecycle_policy_check/red/s3.tf
index 8a8b30430..268759f79 100644
--- a/terraform/ecc-aws-901-s3_version_lifecycle_policy_check/red/s3.tf
+++ b/terraform/ecc-aws-901-s3_version_lifecycle_policy_check/red/s3.tf
@@ -1,5 +1,10 @@
 resource "aws_s3_bucket" "this" {
- bucket = "901-bucket-red"
+ bucket = "901-bucket-${random_integer.this.result}-red"
+}
+
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
 }
 
 resource "aws_s3_bucket_public_access_block" "this" {
diff --git a/terraform/ecc-aws-958-cloudfront_s3_origin_non_existent_bucket/green/s3.tf b/terraform/ecc-aws-958-cloudfront_s3_origin_non_existent_bucket/green/s3.tf
index 00947ffb7..cbb1ef1bb 100644
--- a/terraform/ecc-aws-958-cloudfront_s3_origin_non_existent_bucket/green/s3.tf
+++ b/terraform/ecc-aws-958-cloudfront_s3_origin_non_existent_bucket/green/s3.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-958-green"
+ bucket = "958-bucket-${random_integer.this.result}-green"
 force_destroy = "true"
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_public_access_block" "this" {
 bucket = aws_s3_bucket.this.id
diff --git a/terraform/ecc-aws-958-cloudfront_s3_origin_non_existent_bucket/green1/s3.tf b/terraform/ecc-aws-958-cloudfront_s3_origin_non_existent_bucket/green1/s3.tf
index f9f7de74f..1fe7906d9 100644
--- a/terraform/ecc-aws-958-cloudfront_s3_origin_non_existent_bucket/green1/s3.tf
+++ b/terraform/ecc-aws-958-cloudfront_s3_origin_non_existent_bucket/green1/s3.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-958-green1"
+ bucket = "958-bucket-${random_integer.this.result}-green1"
 force_destroy = "true"
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_public_access_block" "this" {
 bucket = aws_s3_bucket.this.id
diff --git a/terraform/ecc-aws-958-cloudfront_s3_origin_non_existent_bucket/red/s3.tf b/terraform/ecc-aws-958-cloudfront_s3_origin_non_existent_bucket/red/s3.tf
index 406923130..b2ede5e28 100644
--- a/terraform/ecc-aws-958-cloudfront_s3_origin_non_existent_bucket/red/s3.tf
+++ b/terraform/ecc-aws-958-cloudfront_s3_origin_non_existent_bucket/red/s3.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-958-red"
+ bucket = "958-bucket-${random_integer.this.result}-red"
 force_destroy = "true"
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_public_access_block" "this" {
 bucket = aws_s3_bucket.this.id
diff --git a/terraform/ecc-aws-961-cloudfront_origin_access_control_enabled/green/s3.tf b/terraform/ecc-aws-961-cloudfront_origin_access_control_enabled/green/s3.tf
index 00947ffb7..9e66b68bf 100644
--- a/terraform/ecc-aws-961-cloudfront_origin_access_control_enabled/green/s3.tf
+++ b/terraform/ecc-aws-961-cloudfront_origin_access_control_enabled/green/s3.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-958-green"
+ bucket = "961-bucket-${random_integer.this.result}-green"
 force_destroy = "true"
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_public_access_block" "this" {
 bucket = aws_s3_bucket.this.id
diff --git a/terraform/ecc-aws-961-cloudfront_origin_access_control_enabled/green1/s3.tf b/terraform/ecc-aws-961-cloudfront_origin_access_control_enabled/green1/s3.tf
index cd95b381d..9018ce9be 100644
--- a/terraform/ecc-aws-961-cloudfront_origin_access_control_enabled/green1/s3.tf
+++ b/terraform/ecc-aws-961-cloudfront_origin_access_control_enabled/green1/s3.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-961-green1"
+ bucket = "961-bucket-${random_integer.this.result}-green1"
 force_destroy = "true"
 }
 
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_public_access_block" "this" {
 bucket = aws_s3_bucket.this.id
diff --git a/terraform/ecc-aws-962-glue_job_latest_version/green/iam.tf b/terraform/ecc-aws-962-glue_job_latest_version/green/iam.tf
index 4f9845c51..b689ac2d7 100644
--- a/terraform/ecc-aws-962-glue_job_latest_version/green/iam.tf
+++ b/terraform/ecc-aws-962-glue_job_latest_version/green/iam.tf
@@ -39,15 +39,17 @@ resource "aws_iam_role_policy" "this" {
 EOF
 }
 
+data "aws_caller_identity" "this" {}
+
 data "aws_iam_policy_document" "this" {
 statement {
 effect = "Allow"
 principals {
 type = "AWS"
- identifiers = ["*"]
+ identifiers = [data.aws_caller_identity.this.account_id]
 }
 actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::bucket-962-green/*"]
+ resources = ["${aws_s3_bucket.this.arn}/*"]
 }
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-962-glue_job_latest_version/green/s3.tf b/terraform/ecc-aws-962-glue_job_latest_version/green/s3.tf
index 2eafa0e65..545ca22a1 100644
--- a/terraform/ecc-aws-962-glue_job_latest_version/green/s3.tf
+++ b/terraform/ecc-aws-962-glue_job_latest_version/green/s3.tf
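Review bot: Narrowing `principals` from `["*"]` to `[data.aws_caller_identity.this.account_id]` in the 962 green `iam.tf` hunk is the right direction, but an account-id principal delegates to every IAM identity in the account, so any role or user whose own policy grants `s3:PutObject` can now write to the bucket; if only the Glue job's role is meant to write, list that role's ARN instead, e.g. `identifiers = [aws_iam_role.<glue-role-name>.arn]` (the role is defined outside the hunk). Deriving `resources` from `"${aws_s3_bucket.this.arn}/*"` keeps the policy in step with the randomised bucket name, which is good. The same two changes appear in the 962 red and 963 green `iam.tf` hunks and should get the same treatment.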
@@ -7,14 +7,29 @@ resource "aws_s3_object" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-962-green"
+ bucket = "962-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
diff --git a/terraform/ecc-aws-962-glue_job_latest_version/red/iam.tf b/terraform/ecc-aws-962-glue_job_latest_version/red/iam.tf
index 0b4b84c27..41ce2d522 100644
--- a/terraform/ecc-aws-962-glue_job_latest_version/red/iam.tf
+++ b/terraform/ecc-aws-962-glue_job_latest_version/red/iam.tf
@@ -39,15 +39,17 @@ resource "aws_iam_role_policy" "this" {
 EOF
 }
+data "aws_caller_identity" "this" {}
+
 data "aws_iam_policy_document" "this" {
 statement {
 effect = "Allow"
 principals {
 type = "AWS"
- identifiers = ["*"]
+ identifiers = [data.aws_caller_identity.this.account_id]
 }
 actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::bucket-962-red/*"]
+ resources = ["${aws_s3_bucket.this.arn}/*"]
 }
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-962-glue_job_latest_version/red/s3.tf b/terraform/ecc-aws-962-glue_job_latest_version/red/s3.tf
index 15d903497..4ea1a19c6 100644
--- a/terraform/ecc-aws-962-glue_job_latest_version/red/s3.tf
+++ b/terraform/ecc-aws-962-glue_job_latest_version/red/s3.tf
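Review bot: The new `aws_s3_bucket_ownership_controls` in the 962 green s3.tf hunk sets `object_ownership = "BucketOwnerPreferred"`, which keeps ACLs enabled on the bucket only so that the existing `aws_s3_bucket_acl` can apply `acl = "private"`; `BucketOwnerEnforced` disables ACLs entirely and leaves the bucket policy as the single access mechanism, which is the tighter choice when no ACL grants are needed, as appears to be the case here. With `object_ownership = "BucketOwnerEnforced"` the `aws_s3_bucket_acl` resource and its new `depends_on` could be dropped, since the bucket then behaves as private without an ACL. The same pattern recurs in the 962 red, 963 green and 963 red s3.tf hunks. If ACLs are kept on purpose (for example because the rule under test needs them), a comment such as `# BucketOwnerPreferred keeps ACLs enabled; required by aws_s3_bucket_acl above` would make the dependency explicit.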
@@ -7,14 +7,29 @@ resource "aws_s3_object" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-962-red"
+ bucket = "962-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
diff --git a/terraform/ecc-aws-963-glue_job_logging_enabled/green/iam.tf b/terraform/ecc-aws-963-glue_job_logging_enabled/green/iam.tf
index d72b341bf..7dd0bc9d1 100644
--- a/terraform/ecc-aws-963-glue_job_logging_enabled/green/iam.tf
+++ b/terraform/ecc-aws-963-glue_job_logging_enabled/green/iam.tf
@@ -39,15 +39,17 @@ resource "aws_iam_role_policy" "this" {
 EOF
 }
+data "aws_caller_identity" "this" {}
+
 data "aws_iam_policy_document" "this" {
 statement {
 effect = "Allow"
 principals {
 type = "AWS"
- identifiers = ["*"]
+ identifiers = [data.aws_caller_identity.this.account_id]
 }
 actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::bucket-963-green/*"]
+ resources = ["${aws_s3_bucket.this.arn}/*"]
 }
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-963-glue_job_logging_enabled/green/s3.tf b/terraform/ecc-aws-963-glue_job_logging_enabled/green/s3.tf
index 652cc5bc4..5fc2bdb90 100644
--- a/terraform/ecc-aws-963-glue_job_logging_enabled/green/s3.tf
+++ b/terraform/ecc-aws-963-glue_job_logging_enabled/green/s3.tf
@@ -7,14 +7,29 @@ resource "aws_s3_object" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-963-green"
+ bucket = "963-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
diff --git a/terraform/ecc-aws-963-glue_job_logging_enabled/red/iam.tf b/terraform/ecc-aws-963-glue_job_logging_enabled/red/iam.tf
index dcbe16c0c..febb89bf3 100644
--- a/terraform/ecc-aws-963-glue_job_logging_enabled/red/iam.tf
+++ b/terraform/ecc-aws-963-glue_job_logging_enabled/red/iam.tf
@@ -39,15 +39,17 @@ resource "aws_iam_role_policy" "this" {
 EOF
 }
+data "aws_caller_identity" "this" {}
+
 data "aws_iam_policy_document" "this" {
 statement {
 effect = "Allow"
 principals {
 type = "AWS"
- identifiers = ["*"]
+ identifiers = [data.aws_caller_identity.this.account_id]
 }
 actions = ["s3:PutObject"]
- resources = ["arn:aws:s3:::bucket-963-red/*"]
+ resources = ["${aws_s3_bucket.this.arn}/*"]
 }
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-963-glue_job_logging_enabled/red/s3.tf b/terraform/ecc-aws-963-glue_job_logging_enabled/red/s3.tf
index 6fd6ddba0..a9a7733f6 100644
--- a/terraform/ecc-aws-963-glue_job_logging_enabled/red/s3.tf
+++ b/terraform/ecc-aws-963-glue_job_logging_enabled/red/s3.tf
@@ -7,14 +7,29 @@ resource "aws_s3_object" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-963-red"
+ bucket = "963-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_acl" "this" {
+ depends_on = [aws_s3_bucket_ownership_controls.this]
+
 bucket = aws_s3_bucket.this.id
 acl = "private"
 }
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
diff --git a/terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/s3.tf b/terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/s3.tf
index 151d79f62..144f233f3 100644
--- a/terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/s3.tf
+++ b/terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/s3.tf
@@ -7,10 +7,15 @@ resource "aws_s3_object" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-964-green"
+ bucket = "964-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_public_access_block" "this" {
 bucket = aws_s3_bucket.this.id
diff --git a/terraform/ecc-aws-964-glue_job_autoscaling_enabled/red/s3.tf b/terraform/ecc-aws-964-glue_job_autoscaling_enabled/red/s3.tf
index 15fc6c911..29247f9c8 100644
--- a/terraform/ecc-aws-964-glue_job_autoscaling_enabled/red/s3.tf
+++ b/terraform/ecc-aws-964-glue_job_autoscaling_enabled/red/s3.tf
@@ -7,10 +7,15 @@ resource "aws_s3_object" "this" {
 }
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-964-red"
+ bucket = "964-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_public_access_block" "this" {
 bucket = aws_s3_bucket.this.id
diff --git a/terraform/ecc-aws-968-cloudtrail_delivery_failing/green/s3.tf b/terraform/ecc-aws-968-cloudtrail_delivery_failing/green/s3.tf
index b2f407079..232eb7104 100644
--- a/terraform/ecc-aws-968-cloudtrail_delivery_failing/green/s3.tf
+++ b/terraform/ecc-aws-968-cloudtrail_delivery_failing/green/s3.tf
@@ -1,8 +1,12 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-968-green"
+ bucket = "968-bucket-${random_integer.this.result}-green"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
diff --git a/terraform/ecc-aws-968-cloudtrail_delivery_failing/red/s3.tf b/terraform/ecc-aws-968-cloudtrail_delivery_failing/red/s3.tf
index 501117212..9f8207faa 100644
--- a/terraform/ecc-aws-968-cloudtrail_delivery_failing/red/s3.tf
+++ b/terraform/ecc-aws-968-cloudtrail_delivery_failing/red/s3.tf
@@ -1,8 +1,13 @@
 resource "aws_s3_bucket" "this" {
- bucket = "bucket-968-red"
+ bucket = "968-bucket-${random_integer.this.result}-red"
 force_destroy = true
 }
+resource "random_integer" "this" {
+ min = 1
+ max = 10000000
+}
+
 resource "aws_s3_bucket_policy" "this" {
 bucket = aws_s3_bucket.this.id
 policy = data.aws_iam_policy_document.this.json
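Review bot: The 968 green s3.tf hunk closes the added `random_integer` block with `+}` and runs directly into the `resource "aws_s3_bucket_policy"` context, whereas every other hunk in this commit, including the 968 red hunk that follows it, adds a trailing `+` blank line after the block; the headers `+1,12` versus `+1,13` confirm the one-line difference. Adding the same blank `+` line after `+}` keeps the green and red variants of this rule formatted alike, which matters for a corpus where the two directories are meant to differ only in the property under test.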