diff --git a/terraform/bootstrap/jenkins.tf b/terraform/bootstrap/jenkins.tf
new file mode 100644
index 0000000..78f37c3
--- /dev/null
+++ b/terraform/bootstrap/jenkins.tf
@@ -0,0 +1,44 @@
+/*
+ We use jenkins to automate deployment with Terraform. Jenkins
+ is set up in a different AWS account.
+
+ This group of IAM resources allow jenkins to assume a role needed
+ to deploy resources (and make changes to backend).
+*/
+
+data "aws_iam_policy_document" "terraform_backend_account_policy" {
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::191447213457:role/jenkins-role"]
+ }
+
+ actions = ["sts:AssumeRole"]
+ }
+}
+
+resource "aws_iam_role" "terraform_backend_role" {
+ name = "terraform_backend_admin"
+ assume_role_policy = data.aws_iam_policy_document.terraform_backend_account_policy.json
+}
+
+data "aws_iam_policy_document" "terraform_backend_role_policy_document" {
+ statement {
+ effect = "Allow"
+
+ actions = ["s3:*"]
+ resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}/*"]
+ }
+}
+
+resource "aws_iam_policy" "terraform_backend_role_policy" {
+ name = "terraform-backend-role-policy"
+ policy = data.aws_iam_policy_document.terraform_backend_role_policy_document.json
+}
+
+resource "aws_iam_role_policy_attachment" "terraform_backend_attachment" {
+ role = aws_iam_role.terraform_backend_role.name
+ policy_arn = aws_iam_policy.terraform_backend_role_policy.arn
+}
diff --git a/terraform/bootstrap/terraform.tfstate b/terraform/bootstrap/terraform.tfstate
index c836561..3cf7a6e 100644
--- a/terraform/bootstrap/terraform.tfstate
+++ b/terraform/bootstrap/terraform.tfstate
@@ -1,7 +1,7 @@ { "version": 4, "terraform_version": "1.2.7", - "serial": 181, + "serial": 188, "lineage": "3466ed5e-b3d1-107e-19aa-0306c957a966", "outputs": { "account_id": {
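Review bot: The backend policy in `terraform_backend_role_policy_document` grants `s3:*` on `${module.bootstrap.state_bucket}/*`, which is at once broader than the S3 backend needs and incomplete: the resource covers objects only, so `s3:ListBucket` on the bucket ARN itself, which the S3 backend requires, is never granted, while the object-level wildcard lets the Jenkins role delete or overwrite every state file in the bucket rather than just read and write its own. Replace the single statement with a bucket-level `s3:ListBucket` statement and an object-level statement limited to `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject`, narrowing the object resource to the state key prefix once that is settled; if the backend also uses a DynamoDB lock table, that table needs `dynamodb:GetItem`, `dynamodb:PutItem` and `dynamodb:DeleteItem` as well. The header comment says the role is used "to deploy resources", but the only permission attached in this file is the state-bucket policy, so either deployment permissions are attached elsewhere or the comment overstates what `terraform_backend_admin` can do — worth stating which, since the name suggests the former. The trusted principal `arn:aws:iam::191447213457:role/jenkins-role` is hard-coded; a variable for the Jenkins account id and role name keeps the cross-account trust boundary reviewable in one place.
```hcl
# … unchanged: header comment, trust policy document, aws_iam_role …

data "aws_iam_policy_document" "terraform_backend_role_policy_document" {
  # Bucket-level: the S3 backend needs ListBucket on the bucket ARN, not on objects.
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}"]
  }

  # Object-level: only the calls the backend makes to read and write state.
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${module.bootstrap.state_bucket}/*"]
  }
}

# … unchanged: aws_iam_policy and aws_iam_role_policy_attachment …
```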
@@ -51,6 +51,177 @@ } ] }, + { + "mode": "data", + "type": "aws_iam_policy_document", + "name": "terraform_backend_account_policy", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "2130418613", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::191447213457:role/jenkins-role\"\n }\n }\n ]\n}", + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "sts:AssumeRole" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [ + { + "identifiers": [ + "arn:aws:iam::191447213457:role/jenkins-role" + ], + "type": "AWS" + } + ], + "resources": [], + "sid": "" + } + ], + "version": "2012-10-17" + }, + "sensitive_attributes": [] + } + ] + }, + { + "mode": "data", + "type": "aws_iam_policy_document", + "name": "terraform_backend_role_policy_document", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "1576895499", + "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\"\n }\n ]\n}", + "override_json": null, + "override_policy_documents": null, + "policy_id": null, + "source_json": null, + "source_policy_documents": null, + "statement": [ + { + "actions": [ + "s3:*" + ], + "condition": [], + "effect": "Allow", + "not_actions": [], + "not_principals": [], + "not_resources": [], + "principals": [], + "resources": [ + "arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*" + ], + "sid": "" + } + ], + "version": "2012-10-17" + 
}, + "sensitive_attributes": [] + } + ] + }, + { + "mode": "managed", + "type": "aws_iam_policy", + "name": "terraform_backend_role_policy", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:iam::587267277416:policy/terraform-backend-role-policy", + "description": "", + "id": "arn:aws:iam::587267277416:policy/terraform-backend-role-policy", + "name": "terraform-backend-role-policy", + "name_prefix": null, + "path": "/", + "policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Effect\":\"Allow\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", + "policy_id": "ANPAYRO63QJUBKUZHCXFH", + "tags": {}, + "tags_all": {} + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "data.aws_iam_policy_document.terraform_backend_role_policy_document" + ] + } + ] + }, + { + "mode": "managed", + "type": "aws_iam_role", + "name": "terraform_backend_role", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "arn": "arn:aws:iam::587267277416:role/terraform_backend_admin", + "assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::191447213457:role/jenkins-role\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", + "create_date": "2022-09-08T07:40:10Z", + "description": "", + "force_detach_policies": false, + "id": "terraform_backend_admin", + "inline_policy": [], + "managed_policy_arns": [ + "arn:aws:iam::587267277416:policy/terraform-backend-role-policy" + ], + "max_session_duration": 3600, + "name": "terraform_backend_admin", + "name_prefix": "", + "path": "/", + "permissions_boundary": null, + "tags": {}, + "tags_all": {}, + "unique_id": "AROAYRO63QJUJ3QOZGTZF" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + 
"data.aws_iam_policy_document.terraform_backend_account_policy" + ] + } + ] + }, + { + "mode": "managed", + "type": "aws_iam_role_policy_attachment", + "name": "terraform_backend_attachment", + "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", + "instances": [ + { + "schema_version": 0, + "attributes": { + "id": "terraform_backend_admin-20220908083156757100000001", + "policy_arn": "arn:aws:iam::587267277416:policy/terraform-backend-role-policy", + "role": "terraform_backend_admin" + }, + "sensitive_attributes": [], + "private": "bnVsbA==", + "dependencies": [ + "aws_iam_policy.terraform_backend_role_policy", + "aws_iam_role.terraform_backend_role", + "data.aws_iam_policy_document.terraform_backend_account_policy", + "data.aws_iam_policy_document.terraform_backend_role_policy_document" + ] + } + ] + }, { "module": "module.bootstrap", "mode": "managed", 
@@ -305,15 +476,95 @@ ], "hosted_zone_id": "Z3AQBSTGFYJSTF", "id": "moduscreate-devops-demo-tf-state-us-east-1", - "lifecycle_rule": [], - "logging": [], + "lifecycle_rule": [ + { + "abort_incomplete_multipart_upload_days": 14, + "enabled": true, + "expiration": [ + { + "date": "", + "days": 0, + "expired_object_delete_marker": true + } + ], + "id": "abort-incomplete-multipart-upload", + "noncurrent_version_expiration": [ + { + "days": 365 + } + ], + "noncurrent_version_transition": [ + { + "days": 30, + "storage_class": "STANDARD_IA" + } + ], + "prefix": "", + "tags": {}, + "transition": [] + }, + { + "abort_incomplete_multipart_upload_days": 0, + "enabled": true, + "expiration": [ + { + "date": "", + "days": 14, + "expired_object_delete_marker": false + } + ], + "id": "aws-bucket-inventory", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "_AWSBucketInventory/", + "tags": {}, + "transition": [] + }, + { + "abort_incomplete_multipart_upload_days": 0, + "enabled": true, + "expiration": [ + { + "date": "", + "days": 30, + "expired_object_delete_marker": false + } + ], + "id": "aws-bucket-analytics", + "noncurrent_version_expiration": [], + "noncurrent_version_transition": [], + "prefix": "_AWSBucketAnalytics/", + "tags": {}, + "transition": [] + } + ], + "logging": [ + { + "target_bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", + "target_prefix": "s3/moduscreate-devops-demo-tf-state-us-east-1/" + } + ], "object_lock_configuration": [], "object_lock_enabled": false, - "policy": "", + "policy": 
"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}},{\"Sid\":\"inventory-and-analytics\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Condition\":{\"StringEquals\":{\"aws:SourceAccount\":\"587267277416\",\"s3:x-amz-acl\":\"bucket-owner-full-control\"},\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"}}}]}", "region": "us-east-1", "replication_configuration": [], "request_payer": "BucketOwner", - "server_side_encryption_configuration": [], + "server_side_encryption_configuration": [ + { + "rule": [ + { + "apply_server_side_encryption_by_default": [ + { + "kms_master_key_id": "", + "sse_algorithm": "AES256" + } + ], + "bucket_key_enabled": false + } + ] + } + ], "tags": { "Automation": "Terraform" }, @@ -323,7 +574,7 @@ "timeouts": null, "versioning": [ { - "enabled": false, + "enabled": true, "mfa_delete": false } ], 
@@ -657,7 +908,7 @@ "attributes": { "bucket": "moduscreate-devops-demo-tf-state-us-east-1", "id": "moduscreate-devops-demo-tf-state-us-east-1", - "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"enforce-tls-requests-only\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:*\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n },\n {\n \"Sid\": \"inventory-and-analytics\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\n \"Principal\": {\n \"Service\": \"s3.amazonaws.com\"\n },\n \"Condition\": {\n \"ArnLike\": {\n \"aws:SourceArn\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"\n },\n \"StringEquals\": {\n \"aws:SourceAccount\": \"587267277416\",\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n }\n ]\n}" + "policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"enforce-tls-requests-only\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"ArnLike\":{\"aws:SourceArn\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1\"},\"StringEquals\":{\"aws:SourceAccount\":\"587267277416\",\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-us-east-1/*\",\"Sid\":\"inventory-and-analytics\"}],\"Version\":\"2012-10-17\"}" }, "sensitive_attributes": [], "private": "bnVsbA==", 
@@ -1283,6 +1534,15 @@ "cors_rule": [], "force_destroy": false, "grant": [ + { + "id": "", + "permissions": [ + "READ_ACP", + "WRITE" + ], + "type": "Group", + "uri": "http://acs.amazonaws.com/groups/s3/LogDelivery" + }, { "id": "79b41d0c5b37c5b0cb908b377824a4227dd1e1fa66f3e75eb79853a6e52ab462", "permissions": [ 
@@ -1294,15 +1554,51 @@ ], "hosted_zone_id": "Z3AQBSTGFYJSTF", "id": "moduscreate-devops-demo-tf-state-log-us-east-1", - "lifecycle_rule": [], + "lifecycle_rule": [ + { + "abort_incomplete_multipart_upload_days": 0, + "enabled": true, + "expiration": [ + { + "date": "", + "days": 90, + "expired_object_delete_marker": false + } + ], + "id": "expire_all_logs", + "noncurrent_version_expiration": [ + { + "days": 30 + } + ], + "noncurrent_version_transition": [], + "prefix": "/*", + "tags": {}, + "transition": [] + } + ], "logging": [], "object_lock_configuration": [], "object_lock_enabled": false, - "policy": "", + "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"cloudtrail-logs-get-bucket-acl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"cloudtrail-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"cloudwatch-logs-get-bucket-acl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"cloudwatch-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"config-permissions-check\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state
-log-us-east-1\"},{\"Sid\":\"config-bucket-delivery\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"elb-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\"},{\"Sid\":\"alb-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\"},{\"Sid\":\"nlb-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}}},{\"Sid\":\"nlb-logs-acl-check\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"redshift-logs-put-object\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\"},{\"Sid\":\"redshift-logs-get-bucket-acl\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Action\":\"s3:GetBucketAcl\",\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"},{\"Sid\":\"enforce-tls-requests-only\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3
:::moduscreate-devops-demo-tf-state-log-us-east-1/*\",\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}}]}", "region": "us-east-1", "replication_configuration": [], "request_payer": "BucketOwner", - "server_side_encryption_configuration": [], + "server_side_encryption_configuration": [ + { + "rule": [ + { + "apply_server_side_encryption_by_default": [ + { + "kms_master_key_id": "", + "sse_algorithm": "AES256" + } + ], + "bucket_key_enabled": false + } + ] + } + ], "tags": { "Automation": "Terraform", "Name": "moduscreate-devops-demo-tf-state-log-us-east-1" 
@@ -1464,13 +1760,18 @@ "attributes": { "bucket": "moduscreate-devops-demo-tf-state-log-us-east-1", "id": "moduscreate-devops-demo-tf-state-log-us-east-1", - "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"cloudtrail-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"cloudtrail-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"Service\": \"cloudtrail.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"cloudwatch-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"cloudwatch-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\n \"Principal\": {\n \"Service\": \"logs.us-east-1.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"config-permissions-check\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"config.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"config-bucket-delivery\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\n 
\"Principal\": {\n \"Service\": \"config.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"elb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::127311923021:root\"\n }\n },\n {\n \"Sid\": \"alb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::127311923021:root\"\n }\n },\n {\n \"Sid\": \"nlb-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\n \"Principal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n },\n \"Condition\": {\n \"StringEquals\": {\n \"s3:x-amz-acl\": \"bucket-owner-full-control\"\n }\n }\n },\n {\n \"Sid\": \"nlb-logs-acl-check\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n }\n },\n {\n \"Sid\": \"redshift-logs-put-object\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:PutObject\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:user/logs\"\n }\n },\n {\n \"Sid\": \"redshift-logs-get-bucket-acl\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:GetBucketAcl\",\n \"Resource\": \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::193672423079:user/logs\"\n }\n },\n {\n \"Sid\": \"enforce-tls-requests-only\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:*\",\n 
\"Resource\": [\n \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/*\",\n \"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"\n ],\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n }\n ]\n}" + "policy": "{\"Statement\":[{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"cloudtrail-logs-get-bucket-acl\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"cloudtrail.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudtrail/AWSLogs/587267277416/*\",\"Sid\":\"cloudtrail-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"cloudwatch-logs-get-bucket-acl\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"logs.us-east-1.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/cloudwatch/*\",\"Sid\":\"cloudwatch-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"config-permissions-check\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"config.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/config/AWSLogs/587267277416/Config/*\",\"Sid\":\"config-bucket-delivery\"},{\"Ac
tion\":\"s3:PutObject\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/elb/AWSLogs/587267277416/*\",\"Sid\":\"elb-logs-put-object\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::127311923021:root\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/alb/AWSLogs/587267277416/*\",\"Sid\":\"alb-logs-put-object\"},{\"Action\":\"s3:PutObject\",\"Condition\":{\"StringEquals\":{\"s3:x-amz-acl\":\"bucket-owner-full-control\"}},\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/nlb/AWSLogs/587267277416/*\",\"Sid\":\"nlb-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"nlb-logs-acl-check\"},{\"Action\":\"s3:PutObject\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/redshift/*\",\"Sid\":\"redshift-logs-put-object\"},{\"Action\":\"s3:GetBucketAcl\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::193672423079:user/logs\"},\"Resource\":\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\",\"Sid\":\"redshift-logs-get-bucket-acl\"},{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":[\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1/*\",\"arn:aws:s3:::moduscreate-devops-demo-tf-state-log-us-east-1\"],\"Sid\":\"enforce-tls-requests-only\"}],\"Version\":\"2012-10-17\"}" }, "sensitive_attributes": [], "private": "bnVsbA==", "dependencies": [ 
"module.bootstrap.module.terraform_state_bucket_logs.aws_s3_bucket.aws_logs", - "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main" + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_caller_identity.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_elb_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_iam_policy_document.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_partition.current", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_redshift_service_account.main", + "module.bootstrap.module.terraform_state_bucket_logs.data.aws_region.current" ] } ] @@ -1522,7 +1823,7 @@ "sse_algorithm": "AES256" } ], - "bucket_key_enabled": null + "bucket_key_enabled": false } ] },