skip: Merge pull request #29 from epam/feature/ecc-aws-043-s3_bucket_…

…lifecycle upd: updated policy 043
epam · Sep 19, 2023 · 096991a · 096991a
2 parents eaa9194 + af6c556
commit 096991a
Show file tree

Hide file tree

Showing 5 changed files with 92 additions and 0 deletions.
diff --git a/policies/ecc-aws-043-s3_bucket_lifecycle.yml b/policies/ecc-aws-043-s3_bucket_lifecycle.yml
@@ -12,6 +12,14 @@ policies:
       S3 Bucket life cycle is not configured
     resource: s3
     filters:
+    - or:
       - type: value
         key: Lifecycle
         value: null
+      - and:
+        - type: value
+          key: Lifecycle
+          value: present
+        - type: value
+          key: length(Lifecycle.Rules[?Status == 'Enabled']) == `0`
+          value: true
diff --git a/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/provider.tf b/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4"
+    }
+  }
+}
+
+provider "aws"{
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-043-s3_bucket_lifecycle"
+      ComplianceStatus = "Red2"
+    }
+  }
+}
diff --git a/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/s3.tf b/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/s3.tf
@@ -0,0 +1,53 @@
+resource "aws_s3_bucket" "this" {
+  bucket        = "043-bucket-${random_integer.this.result}-red2"
+  force_destroy = "true"
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+  bucket = aws_s3_bucket.this.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "this" {
+  depends_on = [aws_s3_bucket_ownership_controls.this]
+
+  bucket = aws_s3_bucket.this.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "this" {
+  bucket = aws_s3_bucket.this.bucket
+
+  rule {
+    id = "log"
+
+    expiration {
+      days = 90
+    }
+
+    filter {
+      and {
+        prefix = "log/"
+
+		tags = {
+          CustodianRule    = "ecc-aws-043-s3_bucket_lifecycle"
+          ComplianceStatus = "Red2"
+        }
+      }
+    }
+
+    status = "Disabled"
+
+    transition {
+      days          = 60
+      storage_class = "GLACIER"
+    }
+  }
+}
diff --git a/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/terraform.tfvars b/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/terraform.tfvars
@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/variables.tf b/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}