arkag · December 9, 2022 19:52
diff --git a/state.tf b/state.tf
 data "aws_iam_policy_document" "state" {

  statement {
    sid = "DenyIncorrectEncryptionHeader"

    effect = "Deny"

    principals {
      identifiers = ["*"]
      type        = "AWS"
    }

    actions = [
      "s3:PutObject"
    ]

    resources = [
      "arn:aws:s3:::${local.remote_state_bucket_name}/*",
    ]

    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"

      values = [
        "aws:kms"
      ]
    }
  }

  statement {
    sid = "DenyUnEncryptedObjectUploads"

    effect = "Deny"

    principals {
      identifiers = ["*"]
      type        = "AWS"
    }

    actions = [
      "s3:PutObject"
    ]

    resources = [
      "arn:aws:s3:::${local.remote_state_bucket_name}/*",
    ]

    condition {
      test     = "Null"
      variable = "s3:x-amz-server-side-encryption"

      values = [
        "true"
      ]
    }
  }

  statement {
    sid = "EnforceTlsRequestsOnly"

    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = ["s3:*"]

    resources = [
      "arn:aws:s3:::${local.remote_state_bucket_name}",
      "arn:aws:s3:::${local.remote_state_bucket_name}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
 }

 resource "aws_kms_key" "state" {
  description             = "for remote state encryption"
  deletion_window_in_days = 10
 }


 resource "aws_dynamodb_table" "state" {
  name           = local.remote_state_bucket_name
  billing_mode   = "PROVISIONED"
  read_capacity  = 5
  write_capacity = 5

  hash_key = "LockID"

  server_side_encryption {
    enabled = true
  }

  attribute {
    name = "LockID"
    type = "S"
  }

  tags = local.common_tags
 }

 resource "aws_s3_bucket_policy" "state" {
  bucket = aws_s3_bucket.state.id
  policy = data.aws_iam_policy_document.state.json
 }

 resource "aws_s3_bucket_acl" "state" {
  bucket = aws_s3_bucket.state.id
  acl = "private"
 }

 resource "aws_s3_bucket_versioning" "state" {
  bucket = aws_s3_bucket.state.id
  versioning_configuration {
    status = "Enabled"
    mfa_delete = "Enabled"
  }
 }

 resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id
  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.state.arn
      sse_algorithm     = "aws:kms"
    }
  }
 }

 resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
 }

 resource "aws_s3_bucket" "state" {
  bucket        = local.remote_state_bucket_name
  tags = local.common_tags
 }
	data "aws_iam_policy_document" "state" {

	statement {
	sid = "DenyIncorrectEncryptionHeader"

	effect = "Deny"

	principals {
	identifiers = ["*"]
	type = "AWS"
	}

	actions = [
	"s3:PutObject"
	]

	resources = [
	"arn:aws:s3:::${local.remote_state_bucket_name}/*",
	]

	condition {
	test = "StringNotEquals"
	variable = "s3:x-amz-server-side-encryption"

	values = [
	"aws:kms"
	]
	}
	}

	statement {
	sid = "DenyUnEncryptedObjectUploads"

	effect = "Deny"

	principals {
	identifiers = ["*"]
	type = "AWS"
	}

	actions = [
	"s3:PutObject"
	]

	resources = [
	"arn:aws:s3:::${local.remote_state_bucket_name}/*",
	]

	condition {
	test = "Null"
	variable = "s3:x-amz-server-side-encryption"

	values = [
	"true"
	]
	}
	}

	statement {
	sid = "EnforceTlsRequestsOnly"

	effect = "Deny"

	principals {
	type = "AWS"
	identifiers = ["*"]
	}

	actions = ["s3:*"]

	resources = [
	"arn:aws:s3:::${local.remote_state_bucket_name}",
	"arn:aws:s3:::${local.remote_state_bucket_name}/*",
	]

	condition {
	test = "Bool"
	variable = "aws:SecureTransport"
	values = ["false"]
	}
	}
	}

	resource "aws_kms_key" "state" {
	description = "for remote state encryption"
	deletion_window_in_days = 10
	}


	resource "aws_dynamodb_table" "state" {
	name = local.remote_state_bucket_name
	billing_mode = "PROVISIONED"
	read_capacity = 5
	write_capacity = 5

	hash_key = "LockID"

	server_side_encryption {
	enabled = true
	}

	attribute {
	name = "LockID"
	type = "S"
	}

	tags = local.common_tags
	}

	resource "aws_s3_bucket_policy" "state" {
	bucket = aws_s3_bucket.state.id
	policy = data.aws_iam_policy_document.state.json
	}

	resource "aws_s3_bucket_acl" "state" {
	bucket = aws_s3_bucket.state.id
	acl = "private"
	}

	resource "aws_s3_bucket_versioning" "state" {
	bucket = aws_s3_bucket.state.id
	versioning_configuration {
	status = "Enabled"
	mfa_delete = "Enabled"
	}
	}

	resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
	bucket = aws_s3_bucket.state.id
	rule {
	apply_server_side_encryption_by_default {
	kms_master_key_id = aws_kms_key.state.arn
	sse_algorithm = "aws:kms"
	}
	}
	}

	resource "aws_s3_bucket_public_access_block" "state" {
	bucket = aws_s3_bucket.state.id
	block_public_acls = true
	ignore_public_acls = true
	block_public_policy = true
	restrict_public_buckets = true
	}

	resource "aws_s3_bucket" "state" {
	bucket = local.remote_state_bucket_name
	tags = local.common_tags
	}