From af6c5564f0b6beb59ebdd54325f537caf7ce7eb7 Mon Sep 17 00:00:00 2001 From: Anna Shcherbak Date: Tue, 19 Sep 2023 10:42:36 +0300 Subject: [PATCH] upd: updated policy 043 --- policies/ecc-aws-043-s3_bucket_lifecycle.yml | 8 +++ .../red2/provider.tf | 20 +++++++ .../red2/s3.tf | 53 +++++++++++++++++++ .../red2/terraform.tfvars | 2 + .../red2/variables.tf | 9 ++++ 5 files changed, 92 insertions(+) create mode 100644 terraform/ecc-aws-043-s3_bucket_lifecycle/red2/provider.tf create mode 100644 terraform/ecc-aws-043-s3_bucket_lifecycle/red2/s3.tf create mode 100644 terraform/ecc-aws-043-s3_bucket_lifecycle/red2/terraform.tfvars create mode 100644 terraform/ecc-aws-043-s3_bucket_lifecycle/red2/variables.tf diff --git a/policies/ecc-aws-043-s3_bucket_lifecycle.yml b/policies/ecc-aws-043-s3_bucket_lifecycle.yml index ca3fb7fa0..18df2d4a3 100644 --- a/policies/ecc-aws-043-s3_bucket_lifecycle.yml +++ b/policies/ecc-aws-043-s3_bucket_lifecycle.yml @@ -12,6 +12,14 @@ policies: S3 Bucket life cycle is not configured resource: s3 filters: + - or: - type: value key: Lifecycle value: null + - and: + - type: value + key: Lifecycle + value: present + - type: value + key: length(Lifecycle.Rules[?Status == 'Enabled']) == `0` + value: true \ No newline at end of file diff --git a/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/provider.tf b/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/provider.tf new file mode 100644 index 000000000..8c7105bd1 --- /dev/null +++ b/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws"{ + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-043-s3_bucket_lifecycle" + ComplianceStatus = "Red2" + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/s3.tf b/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/s3.tf new file mode 100644 index 000000000..ee958ee0f --- /dev/null +++ b/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/s3.tf @@ -0,0 +1,53 @@ +resource "aws_s3_bucket" "this" { + bucket = "043-bucket-${random_integer.this.result}-red2" + force_destroy = "true" +} + +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + +resource "aws_s3_bucket_ownership_controls" "this" { + bucket = aws_s3_bucket.this.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "aws_s3_bucket_acl" "this" { + depends_on = [aws_s3_bucket_ownership_controls.this] + + bucket = aws_s3_bucket.this.id + acl = "private" +} + +resource "aws_s3_bucket_lifecycle_configuration" "this" { + bucket = aws_s3_bucket.this.bucket + + rule { + id = "log" + + expiration { + days = 90 + } + + filter { + and { + prefix = "log/" + + tags = { + CustodianRule = "ecc-aws-043-s3_bucket_lifecycle" + ComplianceStatus = "Red2" + } + } + } + + status = "Disabled" + + transition { + days = 60 + storage_class = "GLACIER" + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/terraform.tfvars b/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/terraform.tfvars new file mode 100644 index 000000000..368bc468f --- /dev/null +++ b/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" \ No newline at end of file diff --git a/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/variables.tf b/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/variables.tf new file mode 100644 index 000000000..948c49afd --- /dev/null +++ b/terraform/ecc-aws-043-s3_bucket_lifecycle/red2/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} \ No newline at end of file