Added account settings for ENS encryption and S3 public access. (#18)

codeforamerica · Nov 7, 2022 · 15bf25c · 15bf25c
1 parent f7577ce
commit 15bf25c
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 15 deletions.
diff --git a/environments/development/main.tf b/environments/development/main.tf
@@ -101,12 +101,13 @@ module "data_lake" {
 module "data_warehouse" {
   source = "../../modules/data_warehouse"
 
-  project        = local.project
-  environment    = local.environment
-  vpc_id         = module.networking.vpc_id
-  encryption_key = module.data_lake.encryption_key.arn
-  logging_bucket = module.hosting.logging_bucket.id
-  url_domain     = "nprd.classifyr.org"
+  project          = local.project
+  environment      = local.environment
+  vpc_id           = module.networking.vpc_id
+  encryption_key   = module.data_lake.encryption_key.arn
+  logging_bucket   = module.hosting.logging_bucket.id
+  url_domain       = "nprd.classifyr.org"
+  data_lake_bucket = module.data_lake.bucket.bucket
 }
 
 module "etl" {

diff --git a/environments/production/main.tf b/environments/production/main.tf
@@ -87,12 +87,13 @@ module "data_lake" {
 module "data_warehouse" {
   source = "../../modules/data_warehouse"
 
-  project        = local.project
-  environment    = local.environment
-  vpc_id         = module.networking.vpc_id
-  encryption_key = module.data_lake.encryption_key.arn
-  logging_bucket = module.hosting.logging_bucket.id
-  url_domain     = "classifyr.org"
+  project          = local.project
+  environment      = local.environment
+  vpc_id           = module.networking.vpc_id
+  encryption_key   = module.data_lake.encryption_key.arn
+  logging_bucket   = module.hosting.logging_bucket.id
+  url_domain       = "classifyr.org"
+  data_lake_bucket = module.data_lake.bucket.bucket
 }
 
 module "etl" {

diff --git a/modules/data_warehouse/iam.tf b/modules/data_warehouse/iam.tf
@@ -21,6 +21,6 @@ resource "aws_iam_policy" "warehouse_s3_read" {
   name = "${local.prefix}-warehouse-s3-read"
 
   policy = templatefile("${path.module}/templates/warehouse-s3-read-policy.json.tftpl", {
-#    log_group : aws_cloudwatch_log_group.logs["/aws/cloudtrail"].arn,
+    data_lake_bucket : var.data_lake_bucket,
   })
 }
diff --git a/modules/data_warehouse/templates/warehouse-s3-read-policy.json.tftpl b/modules/data_warehouse/templates/warehouse-s3-read-policy.json.tftpl
@@ -9,8 +9,8 @@
         "s3:*"
       ],
       "Resource": [
-        "arn:aws:s3:::r911-production-lake",
-        "arn:aws:s3:::r911-production-lake/*"
+        "arn:aws:s3:::${data_lake_bucket}",
+        "arn:aws:s3:::${data_lake_bucket}/*"
       ]
     }
   ]

diff --git a/modules/data_warehouse/variables.tf b/modules/data_warehouse/variables.tf
@@ -1,3 +1,8 @@
+variable "data_lake_bucket" {
+  type        = string
+  description = "Name of the bucket to be used as a data lake."
+}
+
 variable "encryption_key" {
   type        = string
   description = "ARN of the KMS key to use for encryption."

diff --git a/modules/security-scanning/main.tf b/modules/security-scanning/main.tf
@@ -47,3 +47,7 @@ resource "aws_cloudtrail" "trail" {
   kms_key_id                 = aws_kms_key.security.arn
   enable_log_file_validation = true
 }
+
+resource "aws_ebs_encryption_by_default" "ebs" {
+  enabled = true
+}
diff --git a/modules/security-scanning/s3.tf b/modules/security-scanning/s3.tf
@@ -1,3 +1,10 @@
+resource "aws_s3_account_public_access_block" "s3" {
+  block_public_acls = true
+  block_public_policy = true
+  ignore_public_acls = true
+  restrict_public_buckets = true
+}
+
 resource "aws_s3_bucket" "config" {
   bucket = "${local.prefix}-config"