# Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
// Customer-managed KMS keys (CMKs) are not supported in our Fleet Terraforms at the moment; the
// bucket is encrypted with SSE-KMS using the AWS-managed S3 key instead. We will evaluate the
// possibility of providing this capability in the future.
// No versioning on this bucket is by design: objects are expired by the lifecycle rule below
// rather than retained, so earlier versions would only add storage cost.
// Bucket logging is not supported in our Fleet Terraforms at the moment. Organizations deploying
// Fleet can enable it themselves (for example with an `aws_s3_bucket_logging` resource pointing at
// this bucket), and we will evaluate the possibility of providing this capability in the future.
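// The bucket that holds osquery file carves. The inline tfsec suppressions were accepted with
// expiry dates (2022-06-15 for bucket logging, 2022-07-01 for customer-managed keys) that have
// since passed, so tfsec reports those two findings again until the dates are extended or the
// suppressions are removed; the versioning suppression has no expiry. The rationale for each
// suppression is given in the header comment of this file.
resource "aws_s3_bucket" "main" { #tfsec:ignore:aws-s3-encryption-customer-key:exp:2022-07-01 #tfsec:ignore:aws-s3-enable-versioning #tfsec:ignore:aws-s3-enable-bucket-logging:exp:2022-06-15
  bucket = var.osquery_carve_s3_bucket.name
}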
// Keep the bucket ACL private. Public access is independently blocked by the
// aws_s3_bucket_public_access_block resource below, so this ACL is defence in depth rather than
// the only control.
// NOTE(review): buckets whose S3 Object Ownership is BucketOwnerEnforced reject ACL writes
// (AccessControlListNotSupported). If this module is applied against such a bucket, pair this
// resource with an aws_s3_bucket_ownership_controls resource or drop the ACL entirely — confirm
// against the provider version in use.
resource "aws_s3_bucket_acl" "main" {
  acl    = "private"
  bucket = aws_s3_bucket.main.id
}
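// Expire carve objects after the operator-configured retention window. The IAM policy below grants
// multipart-upload actions, so carves may be uploaded in parts; parts of an upload that never
// completes are not objects and the `expiration` action alone never reclaims them, yet they are
// billed as storage. The abort action below cleans them up on the same schedule.
resource "aws_s3_bucket_lifecycle_configuration" "main" {
  bucket = aws_s3_bucket.main.bucket

  rule {
    id     = "expire"
    status = "Enabled"

    // Completed objects are deleted `expires_days` days after creation.
    expiration {
      days = var.osquery_carve_s3_bucket.expires_days
    }

    // Incomplete multipart uploads are aborted after the same number of days, reusing the
    // operator's retention setting rather than introducing a second knob.
    abort_incomplete_multipart_upload {
      days_after_initiation = var.osquery_carve_s3_bucket.expires_days
    }
  }
}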
// Default server-side encryption for every object written to the bucket. The algorithm is
// SSE-KMS; because no kms_master_key_id is given, S3 uses the AWS-managed key (aws/s3) in the
// deploying account — customer-managed keys are not wired through this module (see the header
// comment of this file).
resource "aws_s3_bucket_server_side_encryption_configuration" "main" {
  bucket = aws_s3_bucket.main.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}
// Block every form of public access at the bucket level: public ACLs and public bucket policies
// are rejected on write, any existing public ACL is ignored, and a bucket that does carry a public
// policy is restricted to AWS service principals and authorized users in the account. This is
// what keeps the broad `s3:PutObject*` grant in the IAM policy below (which includes
// s3:PutObjectAcl) from being able to expose objects publicly.
resource "aws_s3_bucket_public_access_block" "main" {
  bucket                  = aws_s3_bucket.main.bucket
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
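// Permissions Fleet needs on the carve bucket, split by the resource type each action applies to:
// bucket-level actions (listing, location) are evaluated against the bucket ARN only, object-level
// actions against `<bucket>/*` only. The original single statement granted both sets on both ARNs;
// that does not widen what is permitted, but it hides which actions are really in use, so the two
// scopes are separated here. `s3:ListMultipartUploadParts` was listed twice (once with a trailing
// `*` that matches only this one action) and is listed once.
// TODO(review): the `s3:GetObject*`, `s3:PutObject*` and `s3:ListBucket*` wildcards also grant
// e.g. s3:GetObjectAcl, s3:PutObjectAcl and s3:ListBucketVersions; enumerate the exact actions the
// carve code calls to tighten this. `s3:CreateMultipartUpload` does not appear to be an IAM action
// (the CreateMultipartUpload API is authorized by s3:PutObject) — confirm and drop.
data "aws_iam_policy_document" "main" {
  statement {
    sid    = "CarveBucketAccess"
    effect = "Allow"
    actions = [
      "s3:ListBucket*",
      "s3:GetBucketLocation",
    ]
    resources = [aws_s3_bucket.main.arn]
  }

  statement {
    sid    = "CarveObjectAccess"
    effect = "Allow"
    actions = [
      "s3:GetObject*",
      "s3:PutObject*",
      "s3:DeleteObject",
      "s3:CreateMultipartUpload",
      "s3:AbortMultipartUpload",
      "s3:ListMultipartUploadParts",
    ]
    resources = ["${aws_s3_bucket.main.arn}/*"]
  }
}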
// Managed IAM policy carrying the carve-bucket permissions from the policy document above. No
// `name` is set, so the provider assigns a random unique one; attaching the policy to a principal
// is not done in this file.
resource "aws_iam_policy" "main" {
  policy = data.aws_iam_policy_document.main.json
}