11
2- resource "aws_s3_bucket" "backup_reports" {
2+ resource "aws_s3_bucket" "backup_reports" { # NOSONAR (S6258) - Logging not required for this bucket
33 bucket_prefix = " ${ local . prefix } -backup-reports"
44}
55
6- resource "aws_s3_bucket_public_access_block" "backup_reports" {
7- bucket = aws_s3_bucket. backup_reports . id
8-
9- block_public_acls = true
10- block_public_policy = true
11- ignore_public_acls = true
12- restrict_public_buckets = true
13- }
14-
15- resource "aws_s3_bucket_server_side_encryption_configuration" "backup_reports" {
16- bucket = aws_s3_bucket. backup_reports . bucket
17-
18- rule {
19- apply_server_side_encryption_by_default {
20- sse_algorithm = " AES256"
21- }
22- }
23- }
24-
25- resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
6+ resource "aws_s3_bucket_policy" "backup_reports_https_only" {
267 bucket = aws_s3_bucket. backup_reports . id
278
289 policy = jsonencode ({
2910 Version = " 2012-10-17"
30- Id = " backup_reports_bucket_policy "
11+ Id = " backup_reports_https_only_policy "
3112 Statement = [
3213 {
33- Sid = " HTTPSOnly"
34- Effect = " Deny"
35- Principal = " *"
36- Action = " s3:*"
14+ Sid = " HTTPSOnly"
15+ Effect = " Deny"
16+ Principal = {
17+ " AWS" : " *"
18+ }
19+ Action = " s3:*"
3720 Resource = [
3821 aws_s3_bucket.backup_reports.arn,
3922 " ${ aws_s3_bucket . backup_reports . arn } /*" ,
@@ -43,7 +26,18 @@ resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
4326 " aws:SecureTransport" = " false"
4427 }
4528 }
46- },
29+ }
30+ ]
31+ })
32+ }
33+
34+ resource "aws_s3_bucket_policy" "backup_reports_write_access" {
35+ bucket = aws_s3_bucket. backup_reports . id
36+
37+ policy = jsonencode ({
38+ Version = " 2012-10-17"
39+ Id = " backup_reports_write_access_policy"
40+ Statement = [
4741 {
4842 Sid = " AllowBackupReportsWrite"
4943 Effect = " Allow"
@@ -64,6 +58,24 @@ resource "aws_s3_bucket_policy" "backup_reports_bucket_policy" {
6458 })
6559}
6660
61+ resource "aws_s3_bucket_public_access_block" "backup_reports" {
62+ bucket = aws_s3_bucket. backup_reports . id
63+
64+ block_public_acls = true
65+ block_public_policy = true
66+ ignore_public_acls = true
67+ restrict_public_buckets = true
68+ }
69+
70+ resource "aws_s3_bucket_server_side_encryption_configuration" "backup_reports" {
71+ bucket = aws_s3_bucket. backup_reports . bucket
72+
73+ rule {
74+ apply_server_side_encryption_by_default {
75+ sse_algorithm = " AES256"
76+ }
77+ }
78+ }
6779
6880resource "aws_s3_bucket_ownership_controls" "backup_reports" {
6981 bucket = aws_s3_bucket. backup_reports . id
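Review bot: `backup_reports_https_only` and `backup_reports_write_access` are both `aws_s3_bucket_policy` resources attached to `aws_s3_bucket.backup_reports.id`, but an S3 bucket holds exactly one policy document, so each apply replaces the other and whichever is written last wins. Depending on ordering, either the `aws:SecureTransport` deny or the `AllowBackupReportsWrite` allow is silently dropped, and the plan will show a perpetual diff. Keep a single `aws_s3_bucket_policy` whose `Statement` list carries both entries, or express each statement as a `data "aws_iam_policy_document"` and merge them with `source_policy_documents` into that one policy. The body of the write-access statement is collapsed between hunks on this page, so its contents were not reviewed. Separately, the `# NOSONAR (S6258)` comment on the bucket would be more useful if it stated why access logging is not needed for a bucket that receives backup reports.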