Update for S3 security changes

scalefactory · Apr 24, 2023 · 595f7ff · 595f7ff
1 parent 94cf56e
commit 595f7ff
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 8 deletions.
diff --git a/backend.tf b/backend.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = "~> 1.3.0"
+  required_version = ">= 1.3.0"
 
   required_providers {
     archive = {
@@ -11,7 +11,7 @@ terraform {
       source = "hashicorp/aws"
       # Ensure this is valid for modules added during the session. 
       # i.e. cloudposse/cloudfront-s3-cdn/aws
-      version = "~> 3.64.0"
+      version = "~> 4.18"
     }
 
     github = {

diff --git a/modules/static_website/main.tf b/modules/static_website/main.tf
@@ -1,7 +1,5 @@
 resource "aws_s3_bucket" "website" {
   bucket = "website-${data.aws_region.current.name}-${data.aws_caller_identity.current.account_id}"
-  acl    = "public-read"
-
 
   website {
     index_document = "index.html"
@@ -12,6 +10,32 @@ resource "aws_s3_bucket" "website" {
   force_destroy = true
 }
 
+resource "aws_s3_bucket_ownership_controls" "website" {
+  bucket = aws_s3_bucket.website.id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "website" {
+  bucket = aws_s3_bucket.website.id
+
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = false
+  restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_acl" "website" {
+  depends_on = [
+    aws_s3_bucket_ownership_controls.website,
+    aws_s3_bucket_public_access_block.website,
+  ]
+  bucket = aws_s3_bucket.website.id
+  acl    = "public-read"
+}
+
 resource "aws_s3_bucket_object" "index" {
   bucket           = aws_s3_bucket.website.bucket
   acl              = "public-read"

diff --git a/providers.tf b/providers.tf
@@ -16,8 +16,7 @@
 provider "aws" {
   region = "eu-west-1"
 
-  # This profile configuration will be overridden if using aws-vault, so it's
-  # safe to stay here.
+  # This profile configuration will need to be commented out if using aws-vault.
   profile                 = "advanced-tf-training"
 
   default_tags {
@@ -46,6 +45,7 @@ provider "aws" {
 provider "aws" {
   alias                   = "read_only"
   region                  = "eu-west-1"
+  # This profile configuration will need to be commented out if using aws-vault.
   profile                 = "advanced-tf-training"
 
   assume_role {

diff --git a/s3_website.tf b/s3_website.tf
@@ -1,7 +1,5 @@
 resource "aws_s3_bucket" "website" {
   bucket = "website-${data.aws_region.current.name}-${data.aws_caller_identity.current.account_id}"
-  acl    = "public-read"
-
 
   website {
     index_document = "index.html"
@@ -12,6 +10,32 @@ resource "aws_s3_bucket" "website" {
   force_destroy = true
 }
 
+resource "aws_s3_bucket_ownership_controls" "website" {
+  bucket = aws_s3_bucket.website.id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "website" {
+  bucket = aws_s3_bucket.website.id
+
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = false
+  restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_acl" "website" {
+  depends_on = [
+    aws_s3_bucket_ownership_controls.website,
+    aws_s3_bucket_public_access_block.website,
+  ]
+  bucket = aws_s3_bucket.website.id
+  acl    = "public-read"
+}
+
 resource "aws_s3_bucket_object" "index" {
   bucket           = aws_s3_bucket.website.bucket
   acl              = "public-read"