Created
February 2, 2023 18:43
Deidentified Plan
{ | |
"format_version": "1.1", | |
"prior_state": { | |
"format_version": "1.0", | |
"values": { | |
"root_module": { | |
"resources": [ | |
{ | |
"values": { | |
"id": "99999999999", | |
"arn": "arn:aws:sts::99999999999:assumed-role/AWS-InnovationLabs-RDT-West-Admins/email@address.com", | |
"account_id": "99999999999", | |
"user_id": "XXXXXXXXXXXXXXXXXXXX:email@address.com" | |
}, | |
"address": "data.aws_caller_identity.current", | |
"type": "aws_caller_identity", | |
"sensitive_values": {}, | |
"name": "current", | |
"mode": "data", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws" | |
}, | |
{ | |
"values": { | |
"override_json": null, | |
"source_policy_documents": null, | |
"version": "2012-10-17", | |
"override_policy_documents": null, | |
"id": "2991017537", | |
"source_json": null, | |
"statement": [ | |
{ | |
"not_resources": [], | |
"effect": "Allow", | |
"sid": "Enable IAM Permissions", | |
"condition": [], | |
"not_principals": [], | |
"principals": [ | |
{ | |
"type": "AWS", | |
"identifiers": [ | |
"arn:aws:iam::99999999999:role/AWS-InnovationLabs-RDT-West-Admins" | |
] | |
} | |
], | |
"resources": [ | |
"*" | |
], | |
"actions": [ | |
"kms:*" | |
], | |
"not_actions": [] | |
}, | |
{ | |
"not_resources": [], | |
"effect": "Allow", | |
"sid": "Allow CloudTrail to use the key", | |
"condition": [], | |
"not_principals": [], | |
"principals": [ | |
{ | |
"type": "Service", | |
"identifiers": [ | |
"cloudtrail.amazonaws.com", | |
"s3.amazonaws.com" | |
] | |
} | |
], | |
"resources": [ | |
"*" | |
], | |
"actions": [ | |
"kms:Decrypt", | |
"kms:DescribeKey", | |
"kms:Encrypt", | |
"kms:GenerateDataKey*", | |
"kms:ReEncrypt*" | |
], | |
"not_actions": [] | |
}, | |
{ | |
"not_resources": [], | |
"effect": "Deny", | |
"sid": "DenyNotLocalAccount", | |
"condition": [ | |
{ | |
"values": [ | |
"99999999999" | |
], | |
"variable": "kms:CallerAccount", | |
"test": "StringNotEquals" | |
}, | |
{ | |
"values": [ | |
"cloudtrail.amazonaws.com", | |
"s3.amazonaws.com" | |
], | |
"variable": "kms:ViaService", | |
"test": "StringNotEquals" | |
} | |
], | |
"not_principals": [], | |
"principals": [ | |
{ | |
"type": "AWS", | |
"identifiers": [ | |
"*" | |
] | |
} | |
], | |
"resources": [ | |
"*" | |
], | |
"actions": [ | |
"kms:Decrypt", | |
"kms:DescribeKey", | |
"kms:Encrypt", | |
"kms:GenerateDataKey*", | |
"kms:ReEncrypt*" | |
], | |
"not_actions": [] | |
}, | |
{ | |
"not_resources": [], | |
"effect": "Deny", | |
"sid": "DenyNotPrivateIp", | |
"condition": [ | |
{ | |
"values": [ | |
"false" | |
], | |
"variable": "kms:ViaService", | |
"test": "Bool" | |
}, | |
{ | |
"values": [ | |
"10.0.0.0/8", | |
"172.16.0.0/12", | |
"192.168.0.0/16" | |
], | |
"variable": "aws:SourceIp", | |
"test": "NotIpAddress" | |
} | |
], | |
"not_principals": [], | |
"principals": [ | |
{ | |
"type": "AWS", | |
"identifiers": [ | |
"*" | |
] | |
} | |
], | |
"resources": [ | |
"*" | |
], | |
"actions": [ | |
"kms:Decrypt", | |
"kms:DescribeKey", | |
"kms:Encrypt", | |
"kms:GenerateDataKey*", | |
"kms:ReEncrypt*" | |
], | |
"not_actions": [] | |
} | |
], | |
"policy_id": null, | |
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM Permissions\",\n \"Effect\": \"Allow\",\n \"Action\": \"kms:*\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::99999999999:role/AWS-InnovationLabs-RDT-West-Admins\"\n }\n },\n {\n \"Sid\": \"Allow CloudTrail to use the key\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"*\",\n \"Principal\": {\n \"Service\": [\n \"s3.amazonaws.com\",\n \"cloudtrail.amazonaws.com\"\n ]\n }\n },\n {\n \"Sid\": \"DenyNotLocalAccount\",\n \"Effect\": \"Deny\",\n \"Action\": [\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"StringNotEquals\": {\n \"kms:CallerAccount\": \"99999999999\",\n \"kms:ViaService\": [\n \"cloudtrail.amazonaws.com\",\n \"s3.amazonaws.com\"\n ]\n }\n }\n },\n {\n \"Sid\": \"DenyNotPrivateIp\",\n \"Effect\": \"Deny\",\n \"Action\": [\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": \"*\"\n },\n \"Condition\": {\n \"Bool\": {\n \"kms:ViaService\": \"false\"\n },\n \"NotIpAddress\": {\n \"aws:SourceIp\": [\n \"10.0.0.0/8\",\n \"172.16.0.0/12\",\n \"192.168.0.0/16\"\n ]\n }\n }\n }\n ]\n}" | |
}, | |
"address": "data.aws_iam_policy_document.kms_key_policy", | |
"type": "aws_iam_policy_document", | |
"sensitive_values": { | |
"statement": [ | |
{ | |
"not_resources": [], | |
"condition": [], | |
"not_principals": [], | |
"principals": [ | |
{ | |
"identifiers": [ | |
false | |
] | |
} | |
], | |
"resources": [ | |
false | |
], | |
"actions": [ | |
false | |
], | |
"not_actions": [] | |
}, | |
{ | |
"not_resources": [], | |
"condition": [], | |
"not_principals": [], | |
"principals": [ | |
{ | |
"identifiers": [ | |
false, | |
false | |
] | |
} | |
], | |
"resources": [ | |
false | |
], | |
"actions": [ | |
false, | |
false, | |
false, | |
false, | |
false | |
], | |
"not_actions": [] | |
}, | |
{ | |
"not_resources": [], | |
"condition": [ | |
{ | |
"values": [ | |
false | |
] | |
}, | |
{ | |
"values": [ | |
false, | |
false | |
] | |
} | |
], | |
"not_principals": [], | |
"principals": [ | |
{ | |
"identifiers": [ | |
false | |
] | |
} | |
], | |
"resources": [ | |
false | |
], | |
"actions": [ | |
false, | |
false, | |
false, | |
false, | |
false | |
], | |
"not_actions": [] | |
}, | |
{ | |
"not_resources": [], | |
"condition": [ | |
{ | |
"values": [ | |
false | |
] | |
}, | |
{ | |
"values": [ | |
false, | |
false, | |
false | |
] | |
} | |
], | |
"not_principals": [], | |
"principals": [ | |
{ | |
"identifiers": [ | |
false | |
] | |
} | |
], | |
"resources": [ | |
false | |
], | |
"actions": [ | |
false, | |
false, | |
false, | |
false, | |
false | |
], | |
"not_actions": [] | |
} | |
] | |
}, | |
"name": "kms_key_policy", | |
"mode": "data", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws" | |
} | |
], | |
"child_modules": [ | |
{ | |
"address": "module.kms_module", | |
"resources": [ | |
{ | |
"values": { | |
"id": "alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"arn": "arn:aws:kms:us-west-2:99999999999:alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"target_key_id": "bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"name": "alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"name_prefix": "", | |
"target_key_arn": "arn:aws:kms:us-west-2:99999999999:key/bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b" | |
}, | |
"address": "module.kms_module.aws_kms_alias.key_alias[\"saf_s3_demo_std_bucket_cloudtrail_key\"]", | |
"type": "aws_kms_alias", | |
"depends_on": [ | |
"data.aws_caller_identity.current", | |
"data.aws_iam_policy_document.kms_key_policy", | |
"module.kms_module.aws_kms_key.the_key" | |
], | |
"sensitive_values": {}, | |
"name": "key_alias", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf_s3_demo_std_bucket_cloudtrail_key" | |
}, | |
{ | |
"values": { | |
"id": "alias/saf_s3_demo_std_bucket_s3_key", | |
"arn": "arn:aws:kms:us-west-2:99999999999:alias/saf_s3_demo_std_bucket_s3_key", | |
"target_key_id": "fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"name": "alias/saf_s3_demo_std_bucket_s3_key", | |
"name_prefix": "", | |
"target_key_arn": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592" | |
}, | |
"address": "module.kms_module.aws_kms_alias.key_alias[\"saf_s3_demo_std_bucket_s3_key\"]", | |
"type": "aws_kms_alias", | |
"depends_on": [ | |
"data.aws_caller_identity.current", | |
"data.aws_iam_policy_document.kms_key_policy", | |
"module.kms_module.aws_kms_key.the_key" | |
], | |
"sensitive_values": {}, | |
"name": "key_alias", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf_s3_demo_std_bucket_s3_key" | |
}, | |
{ | |
"values": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"description": "Key for CloudTrail encryption", | |
"key_id": "bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"bypass_policy_lockout_safety_check": false, | |
"id": "bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"enable_key_rotation": true, | |
"arn": "arn:aws:kms:us-west-2:99999999999:key/bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"policy": "{\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::99999999999:role/AWS-InnovationLabs-RDT-West-Admins\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM Permissions\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"s3.amazonaws.com\",\"cloudtrail.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Allow CloudTrail to use the key\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Condition\":{\"Bool\":{\"kms:ViaService\":\"false\"},\"NotIpAddress\":{\"aws:SourceIp\":[\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\"]}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"*\",\"Sid\":\"DenyNotPrivateIp\"}],\"Version\":\"2012-10-17\"}", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"key_usage": "ENCRYPT_DECRYPT", | |
"multi_region": false, | |
"customer_master_key_spec": "SYMMETRIC_DEFAULT", | |
"custom_key_store_id": "", | |
"is_enabled": true, | |
"deletion_window_in_days": null | |
}, | |
"address": "module.kms_module.aws_kms_key.the_key[\"saf_s3_demo_std_bucket_cloudtrail_key\"]", | |
"type": "aws_kms_key", | |
"depends_on": [ | |
"data.aws_caller_identity.current", | |
"data.aws_iam_policy_document.kms_key_policy" | |
], | |
"sensitive_values": { | |
"tags_all": {}, | |
"tags": {} | |
}, | |
"name": "the_key", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf_s3_demo_std_bucket_cloudtrail_key" | |
}, | |
{ | |
"values": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"description": "Key for S3 encryption", | |
"key_id": "fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"bypass_policy_lockout_safety_check": false, | |
"id": "fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"enable_key_rotation": true, | |
"arn": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"policy": "{\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::99999999999:role/AWS-InnovationLabs-RDT-West-Admins\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM Permissions\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"s3.amazonaws.com\",\"cloudtrail.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Allow CloudTrail to use the key\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Condition\":{\"Bool\":{\"kms:ViaService\":\"false\"},\"NotIpAddress\":{\"aws:SourceIp\":[\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\"]}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"*\",\"Sid\":\"DenyNotPrivateIp\"}],\"Version\":\"2012-10-17\"}", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"key_usage": "ENCRYPT_DECRYPT", | |
"multi_region": false, | |
"customer_master_key_spec": "SYMMETRIC_DEFAULT", | |
"custom_key_store_id": "", | |
"is_enabled": true, | |
"deletion_window_in_days": null | |
}, | |
"address": "module.kms_module.aws_kms_key.the_key[\"saf_s3_demo_std_bucket_s3_key\"]", | |
"type": "aws_kms_key", | |
"depends_on": [ | |
"data.aws_caller_identity.current", | |
"data.aws_iam_policy_document.kms_key_policy" | |
], | |
"sensitive_values": { | |
"tags_all": {}, | |
"tags": {} | |
}, | |
"name": "the_key", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf_s3_demo_std_bucket_s3_key" | |
} | |
] | |
}, | |
{ | |
"address": "module.s3_module", | |
"resources": [ | |
{ | |
"values": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"advanced_event_selector": [ | |
{ | |
"field_selector": [ | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"field": "resources.type", | |
"equals": [ | |
"AWS::S3::Object" | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"field": "eventCategory", | |
"equals": [ | |
"Data" | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [ | |
"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/" | |
], | |
"field": "resources.ARN", | |
"equals": [], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
} | |
], | |
"name": "" | |
} | |
], | |
"include_global_service_events": false, | |
"id": "saf-s3-demo-std-bucket-bucket_logging", | |
"enable_log_file_validation": true, | |
"kms_key_id": "arn:aws:kms:us-west-2:99999999999:key/bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"is_multi_region_trail": false, | |
"arn": "arn:aws:cloudtrail:us-west-2:99999999999:trail/saf-s3-demo-std-bucket-bucket_logging", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"name": "saf-s3-demo-std-bucket-bucket_logging", | |
"home_region": "us-west-2", | |
"insight_selector": [], | |
"event_selector": [], | |
"is_organization_trail": false, | |
"enable_logging": true, | |
"sns_topic_name": "", | |
"cloud_watch_logs_role_arn": "", | |
"s3_key_prefix": "object_logs", | |
"cloud_watch_logs_group_arn": "", | |
"s3_bucket_name": "saf-s3-logging-bucket-demo-bucket" | |
}, | |
"address": "module.s3_module.aws_cloudtrail.object_logging[\"0\"]", | |
"type": "aws_cloudtrail", | |
"depends_on": [ | |
"data.aws_iam_policy_document.kms_key_policy", | |
"module.kms_module.aws_kms_alias.key_alias", | |
"module.s3_module.aws_s3_bucket.s3_bucket", | |
"module.s3_module.aws_s3_bucket_policy.other_policies" | |
], | |
"sensitive_values": { | |
"tags_all": {}, | |
"advanced_event_selector": [ | |
{ | |
"field_selector": [ | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"equals": [ | |
false | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"equals": [ | |
false | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [ | |
false | |
], | |
"equals": [], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
} | |
] | |
} | |
], | |
"tags": {}, | |
"insight_selector": [], | |
"event_selector": [] | |
}, | |
"name": "object_logging", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "0" | |
}, | |
{ | |
"values": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"description": "", | |
"permissions_boundary": null, | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", | |
"arn": "arn:aws:iam::99999999999:role/saf-s3-demo-std-bucket-bucket", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"force_detach_policies": false, | |
"name": "saf-s3-demo-std-bucket-bucket", | |
"inline_policy": [], | |
"name_prefix": "", | |
"max_session_duration": 3600, | |
"create_date": "2023-01-31T23:48:00Z", | |
"path": "/", | |
"managed_policy_arns": [], | |
"unique_id": "AROAZGGUE3TSSATBCWNIV" | |
}, | |
"address": "module.s3_module.aws_iam_role.bucket_replication_role[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_iam_role", | |
"depends_on": [ | |
"data.aws_caller_identity.current", | |
"data.aws_iam_policy_document.kms_key_policy", | |
"module.kms_module.aws_kms_alias.key_alias", | |
"module.kms_module.aws_kms_key.the_key", | |
"module.s3_module.aws_s3_bucket.s3_bucket", | |
"module.s3_module.data.aws_iam_policy_document.assume_role_policy" | |
], | |
"sensitive_values": { | |
"tags_all": {}, | |
"tags": {}, | |
"inline_policy": [], | |
"managed_policy_arns": [] | |
}, | |
"name": "bucket_replication_role", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Name": "S3 SAF Demo Bucket", | |
"Owner": "Some Guy" | |
}, | |
"server_side_encryption_configuration": [ | |
{ | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{ | |
"kms_master_key_id": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"sse_algorithm": "aws:kms" | |
} | |
], | |
"bucket_key_enabled": true | |
} | |
] | |
} | |
], | |
"hosted_zone_id": "Z3BJ6K6RIION7M", | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"website": [], | |
"website_domain": null, | |
"arn": "arn:aws:s3:::saf-s3-demo-std-bucket-bucket", | |
"policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}},\"Effect\":\"Deny\",\"NotPrincipal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":[\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket\",\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/*\"],\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", | |
"region": "us-west-2", | |
"object_lock_enabled": false, | |
"object_lock_configuration": [], | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Name": "S3 SAF Demo Bucket", | |
"Owner": "Some Guy" | |
}, | |
"logging": [ | |
{ | |
"target_prefix": "s3_logs/", | |
"target_bucket": "saf-s3-logging-bucket-demo-bucket" | |
} | |
], | |
"bucket_prefix": null, | |
"request_payer": "BucketOwner", | |
"cors_rule": [], | |
"bucket_domain_name": "saf-s3-demo-std-bucket-bucket.s3.amazonaws.com", | |
"bucket_regional_domain_name": "saf-s3-demo-std-bucket-bucket.s3.us-west-2.amazonaws.com", | |
"lifecycle_rule": [], | |
"acceleration_status": "", | |
"timeouts": null, | |
"replication_configuration": [], | |
"grant": [ | |
{ | |
"id": "4664f5415d52feb2d1fc6aaca001ac91de2ee758aacb86c8f788d34e66be08a2", | |
"type": "CanonicalUser", | |
"permissions": [ | |
"FULL_CONTROL" | |
], | |
"uri": "" | |
} | |
], | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"versioning": [ | |
{ | |
"mfa_delete": false, | |
"enabled": true | |
} | |
], | |
"acl": null, | |
"force_destroy": true, | |
"website_endpoint": null | |
}, | |
"address": "module.s3_module.aws_s3_bucket.s3_bucket[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket", | |
"depends_on": [ | |
"data.aws_caller_identity.current", | |
"data.aws_iam_policy_document.kms_key_policy", | |
"module.kms_module.aws_kms_alias.key_alias", | |
"module.kms_module.aws_kms_key.the_key" | |
], | |
"sensitive_values": { | |
"tags_all": {}, | |
"server_side_encryption_configuration": [ | |
{ | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{} | |
] | |
} | |
] | |
} | |
], | |
"website": [], | |
"object_lock_configuration": [], | |
"tags": {}, | |
"logging": [ | |
{} | |
], | |
"cors_rule": [], | |
"lifecycle_rule": [], | |
"replication_configuration": [], | |
"grant": [ | |
{ | |
"permissions": [ | |
false | |
] | |
} | |
], | |
"versioning": [ | |
{} | |
] | |
}, | |
"name": "s3_bucket", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"access_control_policy": [ | |
{ | |
"owner": [ | |
{ | |
"id": "4664f5415d52feb2d1fc6aaca001ac91de2ee758aacb86c8f788d34e66be08a2", | |
"display_name": "aws-innovationlabs-rdt-west" | |
} | |
], | |
"grant": [ | |
{ | |
"permission": "FULL_CONTROL", | |
"grantee": [ | |
{ | |
"id": "4664f5415d52feb2d1fc6aaca001ac91de2ee758aacb86c8f788d34e66be08a2", | |
"type": "CanonicalUser", | |
"email_address": "", | |
"uri": "", | |
"display_name": "aws-innovationlabs-rdt-west" | |
} | |
] | |
} | |
] | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"acl": "" | |
}, | |
"address": "module.s3_module.aws_s3_bucket_acl.s3_acl[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_acl", | |
"depends_on": [ | |
"data.aws_caller_identity.current", | |
"data.aws_iam_policy_document.kms_key_policy", | |
"module.kms_module.aws_kms_alias.key_alias", | |
"module.kms_module.aws_kms_key.the_key", | |
"module.s3_module.aws_s3_bucket.s3_bucket", | |
"module.s3_module.data.aws_canonical_user_id.current_user" | |
], | |
"sensitive_values": { | |
"access_control_policy": [ | |
{ | |
"owner": [ | |
{} | |
], | |
"grant": [ | |
{ | |
"grantee": [ | |
{} | |
] | |
} | |
] | |
} | |
] | |
}, | |
"name": "s3_acl", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"target_grant": [], | |
"target_prefix": "s3_logs/", | |
"target_bucket": "saf-s3-logging-bucket-demo-bucket", | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket" | |
}, | |
"address": "module.s3_module.aws_s3_bucket_logging.s3_logging[\"0\"]", | |
"type": "aws_s3_bucket_logging", | |
"depends_on": [ | |
"data.aws_caller_identity.current", | |
"data.aws_iam_policy_document.kms_key_policy", | |
"module.kms_module.aws_kms_alias.key_alias", | |
"module.kms_module.aws_kms_key.the_key", | |
"module.s3_module.aws_s3_bucket.s3_bucket" | |
], | |
"sensitive_values": { | |
"target_grant": [] | |
}, | |
"name": "s3_logging", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "0" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":[\"false\"]}},\"Effect\":\"Deny\",\"NotPrincipal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":[\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket\",\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/*\"],\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", | |
"bucket": "saf-s3-demo-std-bucket-bucket" | |
}, | |
"address": "module.s3_module.aws_s3_bucket_policy.other_policies[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_policy", | |
"depends_on": [ | |
"data.aws_caller_identity.current", | |
"data.aws_iam_policy_document.kms_key_policy", | |
"module.kms_module.aws_kms_alias.key_alias", | |
"module.kms_module.aws_kms_key.the_key", | |
"module.s3_module.aws_s3_bucket.s3_bucket", | |
"module.s3_module.aws_s3_bucket_public_access_block.s3_bucket_access", | |
"module.s3_module.data.aws_iam_policy_document.default_bucket_policy" | |
], | |
"sensitive_values": {}, | |
"name": "other_policies", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"restrict_public_buckets": true, | |
"block_public_policy": true, | |
"block_public_acls": true, | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"ignore_public_acls": true | |
}, | |
"address": "module.s3_module.aws_s3_bucket_public_access_block.s3_bucket_access[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_public_access_block", | |
"depends_on": [ | |
"data.aws_caller_identity.current", | |
"data.aws_iam_policy_document.kms_key_policy", | |
"module.kms_module.aws_kms_alias.key_alias", | |
"module.kms_module.aws_kms_key.the_key", | |
"module.s3_module.aws_s3_bucket.s3_bucket" | |
], | |
"sensitive_values": {}, | |
"name": "s3_bucket_access", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{ | |
"kms_master_key_id": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"sse_algorithm": "aws:kms" | |
} | |
], | |
"bucket_key_enabled": true | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket" | |
}, | |
"address": "module.s3_module.aws_s3_bucket_server_side_encryption_configuration.s3_sse[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_server_side_encryption_configuration", | |
"depends_on": [ | |
"data.aws_caller_identity.current", | |
"data.aws_iam_policy_document.kms_key_policy", | |
"module.kms_module.aws_kms_alias.key_alias", | |
"module.kms_module.aws_kms_key.the_key", | |
"module.s3_module.aws_s3_bucket.s3_bucket" | |
], | |
"sensitive_values": { | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{} | |
] | |
} | |
] | |
}, | |
"name": "s3_sse", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"versioning_configuration": [ | |
{ | |
"mfa_delete": "", | |
"status": "Enabled" | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"mfa": null | |
}, | |
"address": "module.s3_module.aws_s3_bucket_versioning.s3_versioning[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_versioning", | |
"depends_on": [ | |
"data.aws_caller_identity.current", | |
"data.aws_iam_policy_document.kms_key_policy", | |
"module.kms_module.aws_kms_alias.key_alias", | |
"module.kms_module.aws_kms_key.the_key", | |
"module.s3_module.aws_s3_bucket.s3_bucket" | |
], | |
"sensitive_values": { | |
"versioning_configuration": [ | |
{} | |
] | |
}, | |
"name": "s3_versioning", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"versioning_configuration": [ | |
{ | |
"mfa_delete": "", | |
"status": "Enabled" | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"mfa": null | |
}, | |
"address": "module.s3_module.aws_s3_bucket_versioning.source_bucket_versioning[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_versioning", | |
"depends_on": [ | |
"data.aws_caller_identity.current", | |
"data.aws_iam_policy_document.kms_key_policy", | |
"module.kms_module.aws_kms_alias.key_alias", | |
"module.kms_module.aws_kms_key.the_key", | |
"module.s3_module.aws_s3_bucket.s3_bucket" | |
], | |
"sensitive_values": { | |
"versioning_configuration": [ | |
{} | |
] | |
}, | |
"name": "source_bucket_versioning", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"id": "99999999999", | |
"arn": "arn:aws:sts::99999999999:assumed-role/AWS-InnovationLabs-RDT-West-Admins/email@address.com", | |
"account_id": "99999999999", | |
"user_id": "XXXXXXXXXXXXXXXXXXXX:email@address.com" | |
}, | |
"address": "module.s3_module.data.aws_caller_identity.current", | |
"type": "aws_caller_identity", | |
"sensitive_values": {}, | |
"name": "current", | |
"mode": "data", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws" | |
}, | |
{ | |
"values": { | |
"id": "4664f5415d52feb2d1fc6aaca001ac91de2ee758aacb86c8f788d34e66be08a2", | |
"display_name": "aws-innovationlabs-rdt-west" | |
}, | |
"address": "module.s3_module.data.aws_canonical_user_id.current_user", | |
"type": "aws_canonical_user_id", | |
"sensitive_values": {}, | |
"name": "current_user", | |
"mode": "data", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws" | |
}, | |
{ | |
"values": { | |
"override_json": null, | |
"source_policy_documents": null, | |
"version": "2012-10-17", | |
"override_policy_documents": null, | |
"id": "4003806384", | |
"source_json": null, | |
"statement": [ | |
{ | |
"not_resources": [], | |
"effect": "Allow", | |
"sid": "", | |
"condition": [], | |
"not_principals": [], | |
"principals": [ | |
{ | |
"type": "Service", | |
"identifiers": [ | |
"s3.amazonaws.com" | |
] | |
} | |
], | |
"resources": [], | |
"actions": [ | |
"sts:AssumeRole" | |
], | |
"not_actions": [] | |
} | |
], | |
"policy_id": null, | |
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"s3.amazonaws.com\"\n }\n }\n ]\n}" | |
}, | |
"address": "module.s3_module.data.aws_iam_policy_document.assume_role_policy", | |
"type": "aws_iam_policy_document", | |
"sensitive_values": { | |
"statement": [ | |
{ | |
"not_resources": [], | |
"condition": [], | |
"not_principals": [], | |
"principals": [ | |
{ | |
"identifiers": [ | |
false | |
] | |
} | |
], | |
"resources": [], | |
"actions": [ | |
false | |
], | |
"not_actions": [] | |
} | |
] | |
}, | |
"name": "assume_role_policy", | |
"mode": "data", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws" | |
}, | |
{ | |
"values": { | |
"override_json": null, | |
"source_policy_documents": [ | |
"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Deny\",\n \"NotPrincipal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n },\n \"Action\": \"s3:*\",\n \"Resource\": [\n \"arn:aws:s3:::saf-s3-demo-std-bucket-bucket\",\n \"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/*\"\n ],\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n }\n ]\n}\n" | |
], | |
"version": "2012-10-17", | |
"override_policy_documents": null, | |
"id": "2255316457", | |
"source_json": null, | |
"statement": null, | |
"policy_id": null, | |
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Deny\",\n \"Action\": \"s3:*\",\n \"Resource\": [\n \"arn:aws:s3:::saf-s3-demo-std-bucket-bucket\",\n \"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/*\"\n ],\n \"NotPrincipal\": {\n \"Service\": \"delivery.logs.amazonaws.com\"\n },\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": [\n \"false\"\n ]\n }\n }\n }\n ]\n}" | |
}, | |
"address": "module.s3_module.data.aws_iam_policy_document.default_bucket_policy[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_iam_policy_document", | |
"sensitive_values": { | |
"source_policy_documents": [ | |
false | |
] | |
}, | |
"name": "default_bucket_policy", | |
"mode": "data", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"override_json": null, | |
"source_policy_documents": null, | |
"version": "2012-10-17", | |
"override_policy_documents": null, | |
"id": "3819175256", | |
"source_json": null, | |
"statement": [ | |
{ | |
"not_resources": [], | |
"effect": "Allow", | |
"sid": "", | |
"condition": [], | |
"not_principals": [], | |
"principals": [], | |
"resources": [ | |
"arn:aws:s3:::saf-s3-demo-std-bucket-bucket" | |
], | |
"actions": [ | |
"s3:GetReplicationConfiguration", | |
"s3:ListBucket" | |
], | |
"not_actions": [] | |
}, | |
{ | |
"not_resources": [], | |
"effect": "Allow", | |
"sid": "", | |
"condition": [], | |
"not_principals": [], | |
"principals": [], | |
"resources": [ | |
"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/*" | |
], | |
"actions": [ | |
"s3:GetObjectVersionAcl", | |
"s3:GetObjectVersionForReplication", | |
"s3:GetObjectVersionTagging" | |
], | |
"not_actions": [] | |
} | |
], | |
"policy_id": null, | |
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:ListBucket\",\n \"s3:GetReplicationConfiguration\"\n ],\n \"Resource\": \"arn:aws:s3:::saf-s3-demo-std-bucket-bucket\"\n },\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:GetObjectVersionTagging\",\n \"s3:GetObjectVersionForReplication\",\n \"s3:GetObjectVersionAcl\"\n ],\n \"Resource\": \"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/*\"\n }\n ]\n}" | |
}, | |
"address": "module.s3_module.data.aws_iam_policy_document.replication_policy[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_iam_policy_document", | |
"sensitive_values": { | |
"statement": [ | |
{ | |
"not_resources": [], | |
"condition": [], | |
"not_principals": [], | |
"principals": [], | |
"resources": [ | |
false | |
], | |
"actions": [ | |
false, | |
false | |
], | |
"not_actions": [] | |
}, | |
{ | |
"not_resources": [], | |
"condition": [], | |
"not_principals": [], | |
"principals": [], | |
"resources": [ | |
false | |
], | |
"actions": [ | |
false, | |
false, | |
false | |
], | |
"not_actions": [] | |
} | |
] | |
}, | |
"name": "replication_policy", | |
"mode": "data", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"description": "US West (Oregon)", | |
"endpoint": "ec2.us-west-2.amazonaws.com", | |
"id": "us-west-2", | |
"name": "us-west-2" | |
}, | |
"address": "module.s3_module.data.aws_region.current", | |
"type": "aws_region", | |
"sensitive_values": {}, | |
"name": "current", | |
"mode": "data", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws" | |
}, | |
{ | |
"values": { | |
"description": "US East (Ohio)", | |
"endpoint": "ec2.us-east-2.amazonaws.com", | |
"id": "us-east-2", | |
"name": "us-east-2" | |
}, | |
"address": "module.s3_module.data.aws_region.secondary_region", | |
"type": "aws_region", | |
"sensitive_values": {}, | |
"name": "secondary_region", | |
"mode": "data", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws" | |
} | |
] | |
} | |
] | |
} | |
}, | |
"terraform_version": "1.3.7" | |
}, | |
"relevant_attributes": [ | |
{ | |
"resource": "module.s3_module.aws_s3_bucket.s3_bucket", | |
"attribute": [] | |
}, | |
{ | |
"resource": "module.s3_module.aws_s3_bucket_policy.other_policies", | |
"attribute": [] | |
}, | |
{ | |
"resource": "module.s3_module.data.aws_iam_policy_document.default_bucket_policy", | |
"attribute": [] | |
}, | |
{ | |
"resource": "data.aws_iam_policy_document.kms_key_policy", | |
"attribute": [ | |
"json" | |
] | |
}, | |
{ | |
"resource": "module.kms_module.aws_kms_key.the_key", | |
"attribute": [] | |
}, | |
{ | |
"resource": "module.kms_module.aws_kms_alias.key_alias", | |
"attribute": [] | |
} | |
], | |
"resource_changes": [ | |
{ | |
"address": "module.kms_module.aws_kms_alias.key_alias[\"saf_s3_demo_std_bucket_cloudtrail_key\"]", | |
"type": "aws_kms_alias", | |
"name": "key_alias", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": {}, | |
"before_sensitive": {}, | |
"before": { | |
"id": "alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"arn": "arn:aws:kms:us-west-2:99999999999:alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"target_key_id": "bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"name": "alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"name_prefix": "", | |
"target_key_arn": "arn:aws:kms:us-west-2:99999999999:key/bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b" | |
}, | |
"after": { | |
"id": "alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"arn": "arn:aws:kms:us-west-2:99999999999:alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"target_key_id": "bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"name": "alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"name_prefix": "", | |
"target_key_arn": "arn:aws:kms:us-west-2:99999999999:key/bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b" | |
}, | |
"actions": [ | |
"no-op" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf_s3_demo_std_bucket_cloudtrail_key", | |
"module_address": "module.kms_module" | |
}, | |
{ | |
"address": "module.kms_module.aws_kms_alias.key_alias[\"saf_s3_demo_std_bucket_s3_key\"]", | |
"type": "aws_kms_alias", | |
"name": "key_alias", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": {}, | |
"before_sensitive": {}, | |
"before": { | |
"id": "alias/saf_s3_demo_std_bucket_s3_key", | |
"arn": "arn:aws:kms:us-west-2:99999999999:alias/saf_s3_demo_std_bucket_s3_key", | |
"target_key_id": "fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"name": "alias/saf_s3_demo_std_bucket_s3_key", | |
"name_prefix": "", | |
"target_key_arn": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592" | |
}, | |
"after": { | |
"id": "alias/saf_s3_demo_std_bucket_s3_key", | |
"arn": "arn:aws:kms:us-west-2:99999999999:alias/saf_s3_demo_std_bucket_s3_key", | |
"target_key_id": "fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"name": "alias/saf_s3_demo_std_bucket_s3_key", | |
"name_prefix": "", | |
"target_key_arn": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592" | |
}, | |
"actions": [ | |
"no-op" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf_s3_demo_std_bucket_s3_key", | |
"module_address": "module.kms_module" | |
}, | |
{ | |
"address": "module.kms_module.aws_kms_key.the_key[\"saf_s3_demo_std_bucket_cloudtrail_key\"]", | |
"type": "aws_kms_key", | |
"name": "the_key", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": { | |
"tags_all": {}, | |
"tags": {} | |
}, | |
"before_sensitive": { | |
"tags_all": {}, | |
"tags": {} | |
}, | |
"before": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"description": "Key for CloudTrail encryption", | |
"key_id": "bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"bypass_policy_lockout_safety_check": false, | |
"id": "bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"enable_key_rotation": true, | |
"arn": "arn:aws:kms:us-west-2:99999999999:key/bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"policy": "{\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::99999999999:role/AWS-InnovationLabs-RDT-West-Admins\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM Permissions\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"s3.amazonaws.com\",\"cloudtrail.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Allow CloudTrail to use the key\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Condition\":{\"Bool\":{\"kms:ViaService\":\"false\"},\"NotIpAddress\":{\"aws:SourceIp\":[\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\"]}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"*\",\"Sid\":\"DenyNotPrivateIp\"}],\"Version\":\"2012-10-17\"}", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"key_usage": "ENCRYPT_DECRYPT", | |
"multi_region": false, | |
"customer_master_key_spec": "SYMMETRIC_DEFAULT", | |
"custom_key_store_id": "", | |
"is_enabled": true, | |
"deletion_window_in_days": null | |
}, | |
"after": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"description": "Key for CloudTrail encryption", | |
"key_id": "bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"bypass_policy_lockout_safety_check": false, | |
"id": "bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"enable_key_rotation": true, | |
"arn": "arn:aws:kms:us-west-2:99999999999:key/bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"policy": "{\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::99999999999:role/AWS-InnovationLabs-RDT-West-Admins\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM Permissions\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"s3.amazonaws.com\",\"cloudtrail.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Allow CloudTrail to use the key\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Condition\":{\"StringNotEquals\":{\"kms:CallerAccount\":\"99999999999\",\"kms:ViaService\":[\"cloudtrail.amazonaws.com\",\"s3.amazonaws.com\"]}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"*\",\"Sid\":\"DenyNotLocalAccount\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Condition\":{\"Bool\":{\"kms:ViaService\":\"false\"},\"NotIpAddress\":{\"aws:SourceIp\":[\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\"]}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"*\",\"Sid\":\"DenyNotPrivateIp\"}],\"Version\":\"2012-10-17\"}", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"key_usage": "ENCRYPT_DECRYPT", | |
"multi_region": false, | |
"customer_master_key_spec": "SYMMETRIC_DEFAULT", | |
"custom_key_store_id": "", | |
"is_enabled": true, | |
"deletion_window_in_days": null | |
}, | |
"actions": [ | |
"update" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf_s3_demo_std_bucket_cloudtrail_key", | |
"module_address": "module.kms_module" | |
}, | |
{ | |
"address": "module.kms_module.aws_kms_key.the_key[\"saf_s3_demo_std_bucket_s3_key\"]", | |
"type": "aws_kms_key", | |
"name": "the_key", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": { | |
"tags_all": {}, | |
"tags": {} | |
}, | |
"before_sensitive": { | |
"tags_all": {}, | |
"tags": {} | |
}, | |
"before": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"description": "Key for S3 encryption", | |
"key_id": "fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"bypass_policy_lockout_safety_check": false, | |
"id": "fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"enable_key_rotation": true, | |
"arn": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"policy": "{\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::99999999999:role/AWS-InnovationLabs-RDT-West-Admins\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM Permissions\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"s3.amazonaws.com\",\"cloudtrail.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Allow CloudTrail to use the key\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Condition\":{\"Bool\":{\"kms:ViaService\":\"false\"},\"NotIpAddress\":{\"aws:SourceIp\":[\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\"]}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"*\",\"Sid\":\"DenyNotPrivateIp\"}],\"Version\":\"2012-10-17\"}", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"key_usage": "ENCRYPT_DECRYPT", | |
"multi_region": false, | |
"customer_master_key_spec": "SYMMETRIC_DEFAULT", | |
"custom_key_store_id": "", | |
"is_enabled": true, | |
"deletion_window_in_days": null | |
}, | |
"after": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"description": "Key for S3 encryption", | |
"key_id": "fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"bypass_policy_lockout_safety_check": false, | |
"id": "fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"enable_key_rotation": true, | |
"arn": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"policy": "{\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::99999999999:role/AWS-InnovationLabs-RDT-West-Admins\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM Permissions\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"s3.amazonaws.com\",\"cloudtrail.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Allow CloudTrail to use the key\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Condition\":{\"StringNotEquals\":{\"kms:CallerAccount\":\"99999999999\",\"kms:ViaService\":[\"cloudtrail.amazonaws.com\",\"s3.amazonaws.com\"]}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"*\",\"Sid\":\"DenyNotLocalAccount\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Condition\":{\"Bool\":{\"kms:ViaService\":\"false\"},\"NotIpAddress\":{\"aws:SourceIp\":[\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\"]}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"*\",\"Sid\":\"DenyNotPrivateIp\"}],\"Version\":\"2012-10-17\"}", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"key_usage": "ENCRYPT_DECRYPT", | |
"multi_region": false, | |
"customer_master_key_spec": "SYMMETRIC_DEFAULT", | |
"custom_key_store_id": "", | |
"is_enabled": true, | |
"deletion_window_in_days": null | |
}, | |
"actions": [ | |
"update" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf_s3_demo_std_bucket_s3_key", | |
"module_address": "module.kms_module" | |
}, | |
{ | |
"address": "module.s3_module.aws_cloudtrail.object_logging[\"0\"]", | |
"type": "aws_cloudtrail", | |
"name": "object_logging", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": { | |
"tags_all": {}, | |
"advanced_event_selector": [ | |
{ | |
"field_selector": [ | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"equals": [ | |
false | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"equals": [ | |
false | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [ | |
false | |
], | |
"equals": [], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
} | |
] | |
} | |
], | |
"tags": {}, | |
"insight_selector": [], | |
"event_selector": [] | |
}, | |
"before_sensitive": { | |
"tags_all": {}, | |
"advanced_event_selector": [ | |
{ | |
"field_selector": [ | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"equals": [ | |
false | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"equals": [ | |
false | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [ | |
false | |
], | |
"equals": [], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
} | |
] | |
} | |
], | |
"tags": {}, | |
"insight_selector": [], | |
"event_selector": [] | |
}, | |
"before": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"advanced_event_selector": [ | |
{ | |
"field_selector": [ | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"field": "resources.type", | |
"equals": [ | |
"AWS::S3::Object" | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"field": "eventCategory", | |
"equals": [ | |
"Data" | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [ | |
"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/" | |
], | |
"field": "resources.ARN", | |
"equals": [], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
} | |
], | |
"name": "" | |
} | |
], | |
"include_global_service_events": false, | |
"id": "saf-s3-demo-std-bucket-bucket_logging", | |
"enable_log_file_validation": true, | |
"kms_key_id": "arn:aws:kms:us-west-2:99999999999:key/bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"is_multi_region_trail": false, | |
"arn": "arn:aws:cloudtrail:us-west-2:99999999999:trail/saf-s3-demo-std-bucket-bucket_logging", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"name": "saf-s3-demo-std-bucket-bucket_logging", | |
"home_region": "us-west-2", | |
"insight_selector": [], | |
"event_selector": [], | |
"is_organization_trail": false, | |
"enable_logging": true, | |
"sns_topic_name": "", | |
"cloud_watch_logs_role_arn": "", | |
"s3_key_prefix": "object_logs", | |
"cloud_watch_logs_group_arn": "", | |
"s3_bucket_name": "saf-s3-logging-bucket-demo-bucket" | |
}, | |
"after": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"advanced_event_selector": [ | |
{ | |
"field_selector": [ | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"field": "resources.type", | |
"equals": [ | |
"AWS::S3::Object" | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"field": "eventCategory", | |
"equals": [ | |
"Data" | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [ | |
"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/" | |
], | |
"field": "resources.ARN", | |
"equals": [], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
} | |
], | |
"name": "" | |
} | |
], | |
"include_global_service_events": false, | |
"id": "saf-s3-demo-std-bucket-bucket_logging", | |
"enable_log_file_validation": true, | |
"kms_key_id": "arn:aws:kms:us-west-2:99999999999:alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"is_multi_region_trail": false, | |
"arn": "arn:aws:cloudtrail:us-west-2:99999999999:trail/saf-s3-demo-std-bucket-bucket_logging", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"name": "saf-s3-demo-std-bucket-bucket_logging", | |
"home_region": "us-west-2", | |
"insight_selector": [], | |
"event_selector": [], | |
"is_organization_trail": false, | |
"enable_logging": true, | |
"sns_topic_name": "", | |
"cloud_watch_logs_role_arn": "", | |
"s3_key_prefix": "object_logs", | |
"cloud_watch_logs_group_arn": "", | |
"s3_bucket_name": "saf-s3-logging-bucket-demo-bucket" | |
}, | |
"actions": [ | |
"update" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "0", | |
"module_address": "module.s3_module" | |
}, | |
{ | |
"address": "module.s3_module.aws_iam_role.bucket_replication_role[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_iam_role", | |
"name": "bucket_replication_role", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": { | |
"tags_all": {}, | |
"tags": {}, | |
"inline_policy": [], | |
"managed_policy_arns": [] | |
}, | |
"before_sensitive": { | |
"tags_all": {}, | |
"tags": {}, | |
"inline_policy": [], | |
"managed_policy_arns": [] | |
}, | |
"before": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"description": "", | |
"permissions_boundary": null, | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", | |
"arn": "arn:aws:iam::99999999999:role/saf-s3-demo-std-bucket-bucket", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"force_detach_policies": false, | |
"name": "saf-s3-demo-std-bucket-bucket", | |
"inline_policy": [], | |
"name_prefix": "", | |
"max_session_duration": 3600, | |
"create_date": "2023-01-31T23:48:00Z", | |
"path": "/", | |
"managed_policy_arns": [], | |
"unique_id": "AROAZGGUE3TSSATBCWNIV" | |
}, | |
"after": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"description": "", | |
"permissions_boundary": null, | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", | |
"arn": "arn:aws:iam::99999999999:role/saf-s3-demo-std-bucket-bucket", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"force_detach_policies": false, | |
"name": "saf-s3-demo-std-bucket-bucket", | |
"inline_policy": [], | |
"name_prefix": "", | |
"max_session_duration": 3600, | |
"create_date": "2023-01-31T23:48:00Z", | |
"path": "/", | |
"managed_policy_arns": [], | |
"unique_id": "AROAZGGUE3TSSATBCWNIV" | |
}, | |
"actions": [ | |
"no-op" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket", | |
"module_address": "module.s3_module" | |
}, | |
{ | |
"address": "module.s3_module.aws_s3_bucket.s3_bucket[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket", | |
"name": "s3_bucket", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": { | |
"tags_all": {}, | |
"server_side_encryption_configuration": [ | |
{ | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{} | |
] | |
} | |
] | |
} | |
], | |
"website": [], | |
"object_lock_configuration": [], | |
"tags": {}, | |
"logging": [ | |
{} | |
], | |
"cors_rule": [], | |
"lifecycle_rule": [], | |
"replication_configuration": [], | |
"grant": [ | |
{ | |
"permissions": [ | |
false | |
] | |
} | |
], | |
"versioning": [ | |
{} | |
] | |
}, | |
"before_sensitive": { | |
"tags_all": {}, | |
"server_side_encryption_configuration": [ | |
{ | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{} | |
] | |
} | |
] | |
} | |
], | |
"website": [], | |
"object_lock_configuration": [], | |
"tags": {}, | |
"logging": [ | |
{} | |
], | |
"cors_rule": [], | |
"lifecycle_rule": [], | |
"replication_configuration": [], | |
"grant": [ | |
{ | |
"permissions": [ | |
false | |
] | |
} | |
], | |
"versioning": [ | |
{} | |
] | |
}, | |
"before": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Name": "S3 SAF Demo Bucket", | |
"Owner": "Some Guy" | |
}, | |
"server_side_encryption_configuration": [ | |
{ | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{ | |
"kms_master_key_id": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"sse_algorithm": "aws:kms" | |
} | |
], | |
"bucket_key_enabled": true | |
} | |
] | |
} | |
], | |
"hosted_zone_id": "Z3BJ6K6RIION7M", | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"website": [], | |
"website_domain": null, | |
"arn": "arn:aws:s3:::saf-s3-demo-std-bucket-bucket", | |
"policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}},\"Effect\":\"Deny\",\"NotPrincipal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":[\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket\",\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/*\"],\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", | |
"region": "us-west-2", | |
"object_lock_enabled": false, | |
"object_lock_configuration": [], | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Name": "S3 SAF Demo Bucket", | |
"Owner": "Some Guy" | |
}, | |
"logging": [ | |
{ | |
"target_prefix": "s3_logs/", | |
"target_bucket": "saf-s3-logging-bucket-demo-bucket" | |
} | |
], | |
"bucket_prefix": null, | |
"request_payer": "BucketOwner", | |
"cors_rule": [], | |
"bucket_domain_name": "saf-s3-demo-std-bucket-bucket.s3.amazonaws.com", | |
"bucket_regional_domain_name": "saf-s3-demo-std-bucket-bucket.s3.us-west-2.amazonaws.com", | |
"lifecycle_rule": [], | |
"acceleration_status": "", | |
"timeouts": null, | |
"replication_configuration": [], | |
"grant": [ | |
{ | |
"id": "4664f5415d52feb2d1fc6aaca001ac91de2ee758aacb86c8f788d34e66be08a2", | |
"type": "CanonicalUser", | |
"permissions": [ | |
"FULL_CONTROL" | |
], | |
"uri": "" | |
} | |
], | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"versioning": [ | |
{ | |
"mfa_delete": false, | |
"enabled": true | |
} | |
], | |
"acl": null, | |
"force_destroy": true, | |
"website_endpoint": null | |
}, | |
"after": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Name": "S3 SAF Demo Bucket", | |
"Owner": "Some Guy" | |
}, | |
"server_side_encryption_configuration": [ | |
{ | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{ | |
"kms_master_key_id": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"sse_algorithm": "aws:kms" | |
} | |
], | |
"bucket_key_enabled": true | |
} | |
] | |
} | |
], | |
"hosted_zone_id": "Z3BJ6K6RIION7M", | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"website": [], | |
"website_domain": null, | |
"arn": "arn:aws:s3:::saf-s3-demo-std-bucket-bucket", | |
"policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}},\"Effect\":\"Deny\",\"NotPrincipal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":[\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket\",\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/*\"],\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", | |
"region": "us-west-2", | |
"object_lock_enabled": false, | |
"object_lock_configuration": [], | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Name": "S3 SAF Demo Bucket", | |
"Owner": "Some Guy" | |
}, | |
"logging": [ | |
{ | |
"target_prefix": "s3_logs/", | |
"target_bucket": "saf-s3-logging-bucket-demo-bucket" | |
} | |
], | |
"bucket_prefix": null, | |
"request_payer": "BucketOwner", | |
"cors_rule": [], | |
"bucket_domain_name": "saf-s3-demo-std-bucket-bucket.s3.amazonaws.com", | |
"bucket_regional_domain_name": "saf-s3-demo-std-bucket-bucket.s3.us-west-2.amazonaws.com", | |
"lifecycle_rule": [], | |
"acceleration_status": "", | |
"timeouts": null, | |
"replication_configuration": [], | |
"grant": [ | |
{ | |
"id": "4664f5415d52feb2d1fc6aaca001ac91de2ee758aacb86c8f788d34e66be08a2", | |
"type": "CanonicalUser", | |
"permissions": [ | |
"FULL_CONTROL" | |
], | |
"uri": "" | |
} | |
], | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"versioning": [ | |
{ | |
"mfa_delete": false, | |
"enabled": true | |
} | |
], | |
"acl": null, | |
"force_destroy": true, | |
"website_endpoint": null | |
}, | |
"actions": [ | |
"no-op" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket", | |
"module_address": "module.s3_module" | |
}, | |
{ | |
"address": "module.s3_module.aws_s3_bucket_acl.s3_acl[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_acl", | |
"name": "s3_acl", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": { | |
"access_control_policy": [ | |
{ | |
"owner": [ | |
{} | |
], | |
"grant": [ | |
{ | |
"grantee": [ | |
{} | |
] | |
} | |
] | |
} | |
] | |
}, | |
"before_sensitive": { | |
"access_control_policy": [ | |
{ | |
"owner": [ | |
{} | |
], | |
"grant": [ | |
{ | |
"grantee": [ | |
{} | |
] | |
} | |
] | |
} | |
] | |
}, | |
"before": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"access_control_policy": [ | |
{ | |
"owner": [ | |
{ | |
"id": "4664f5415d52feb2d1fc6aaca001ac91de2ee758aacb86c8f788d34e66be08a2", | |
"display_name": "aws-innovationlabs-rdt-west" | |
} | |
], | |
"grant": [ | |
{ | |
"permission": "FULL_CONTROL", | |
"grantee": [ | |
{ | |
"id": "4664f5415d52feb2d1fc6aaca001ac91de2ee758aacb86c8f788d34e66be08a2", | |
"type": "CanonicalUser", | |
"email_address": "", | |
"uri": "", | |
"display_name": "aws-innovationlabs-rdt-west" | |
} | |
] | |
} | |
] | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"acl": "" | |
}, | |
"after": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"access_control_policy": [ | |
{ | |
"owner": [ | |
{ | |
"id": "4664f5415d52feb2d1fc6aaca001ac91de2ee758aacb86c8f788d34e66be08a2", | |
"display_name": "aws-innovationlabs-rdt-west" | |
} | |
], | |
"grant": [ | |
{ | |
"permission": "FULL_CONTROL", | |
"grantee": [ | |
{ | |
"id": "4664f5415d52feb2d1fc6aaca001ac91de2ee758aacb86c8f788d34e66be08a2", | |
"type": "CanonicalUser", | |
"email_address": "", | |
"uri": "", | |
"display_name": "aws-innovationlabs-rdt-west" | |
} | |
] | |
} | |
] | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"acl": "" | |
}, | |
"actions": [ | |
"no-op" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket", | |
"module_address": "module.s3_module" | |
}, | |
{ | |
"address": "module.s3_module.aws_s3_bucket_logging.s3_logging[\"0\"]", | |
"type": "aws_s3_bucket_logging", | |
"name": "s3_logging", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": { | |
"target_grant": [] | |
}, | |
"before_sensitive": { | |
"target_grant": [] | |
}, | |
"before": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"target_grant": [], | |
"target_prefix": "s3_logs/", | |
"target_bucket": "saf-s3-logging-bucket-demo-bucket", | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket" | |
}, | |
"after": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"target_grant": [], | |
"target_prefix": "s3_logs/", | |
"target_bucket": "saf-s3-logging-bucket-demo-bucket", | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket" | |
}, | |
"actions": [ | |
"no-op" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "0", | |
"module_address": "module.s3_module" | |
}, | |
{ | |
"address": "module.s3_module.aws_s3_bucket_policy.other_policies[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_policy", | |
"name": "other_policies", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": {}, | |
"before_sensitive": {}, | |
"before": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":[\"false\"]}},\"Effect\":\"Deny\",\"NotPrincipal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":[\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket\",\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/*\"],\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", | |
"bucket": "saf-s3-demo-std-bucket-bucket" | |
}, | |
"after": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":[\"false\"]}},\"Effect\":\"Deny\",\"NotPrincipal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":[\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket\",\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/*\"],\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", | |
"bucket": "saf-s3-demo-std-bucket-bucket" | |
}, | |
"actions": [ | |
"no-op" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket", | |
"module_address": "module.s3_module" | |
}, | |
{ | |
"address": "module.s3_module.aws_s3_bucket_public_access_block.s3_bucket_access[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_public_access_block", | |
"name": "s3_bucket_access", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": {}, | |
"before_sensitive": {}, | |
"before": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"restrict_public_buckets": true, | |
"block_public_policy": true, | |
"block_public_acls": true, | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"ignore_public_acls": true | |
}, | |
"after": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"restrict_public_buckets": true, | |
"block_public_policy": true, | |
"block_public_acls": true, | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"ignore_public_acls": true | |
}, | |
"actions": [ | |
"no-op" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket", | |
"module_address": "module.s3_module" | |
}, | |
{ | |
"address": "module.s3_module.aws_s3_bucket_server_side_encryption_configuration.s3_sse[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_server_side_encryption_configuration", | |
"name": "s3_sse", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": { | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{} | |
] | |
} | |
] | |
}, | |
"before_sensitive": { | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{} | |
] | |
} | |
] | |
}, | |
"before": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{ | |
"kms_master_key_id": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"sse_algorithm": "aws:kms" | |
} | |
], | |
"bucket_key_enabled": true | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket" | |
}, | |
"after": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{ | |
"kms_master_key_id": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"sse_algorithm": "aws:kms" | |
} | |
], | |
"bucket_key_enabled": true | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket" | |
}, | |
"actions": [ | |
"no-op" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket", | |
"module_address": "module.s3_module" | |
}, | |
{ | |
"address": "module.s3_module.aws_s3_bucket_versioning.s3_versioning[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_versioning", | |
"name": "s3_versioning", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": { | |
"versioning_configuration": [ | |
{} | |
] | |
}, | |
"before_sensitive": { | |
"versioning_configuration": [ | |
{} | |
] | |
}, | |
"before": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"versioning_configuration": [ | |
{ | |
"mfa_delete": "", | |
"status": "Enabled" | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"mfa": null | |
}, | |
"after": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"versioning_configuration": [ | |
{ | |
"mfa_delete": "", | |
"status": "Enabled" | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"mfa": null | |
}, | |
"actions": [ | |
"no-op" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket", | |
"module_address": "module.s3_module" | |
}, | |
{ | |
"address": "module.s3_module.aws_s3_bucket_versioning.source_bucket_versioning[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_versioning", | |
"name": "source_bucket_versioning", | |
"mode": "managed", | |
"change": { | |
"after_unknown": {}, | |
"after_sensitive": { | |
"versioning_configuration": [ | |
{} | |
] | |
}, | |
"before_sensitive": { | |
"versioning_configuration": [ | |
{} | |
] | |
}, | |
"before": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"versioning_configuration": [ | |
{ | |
"mfa_delete": "", | |
"status": "Enabled" | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"mfa": null | |
}, | |
"after": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"versioning_configuration": [ | |
{ | |
"mfa_delete": "", | |
"status": "Enabled" | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"mfa": null | |
}, | |
"actions": [ | |
"no-op" | |
] | |
}, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket", | |
"module_address": "module.s3_module" | |
} | |
], | |
"configuration": { | |
"provider_config": { | |
"aws.us-east-2": { | |
"expressions": { | |
"region": { | |
"constant_value": "us-east-2" | |
} | |
}, | |
"alias": "us-east-2", | |
"name": "aws", | |
"full_name": "registry.terraform.io/hashicorp/aws" | |
}, | |
"aws": { | |
"expressions": { | |
"region": { | |
"references": [ | |
"var.default_region" | |
] | |
} | |
}, | |
"name": "aws", | |
"full_name": "registry.terraform.io/hashicorp/aws" | |
}, | |
"aws.us-west-2": { | |
"expressions": { | |
"region": { | |
"constant_value": "us-west-2" | |
} | |
}, | |
"alias": "us-west-2", | |
"name": "aws", | |
"full_name": "registry.terraform.io/hashicorp/aws" | |
} | |
}, | |
"root_module": { | |
"resources": [ | |
{ | |
"address": "data.aws_caller_identity.current", | |
"type": "aws_caller_identity", | |
"name": "current", | |
"mode": "data", | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"statement": [ | |
{ | |
"effect": { | |
"constant_value": "Allow" | |
}, | |
"sid": { | |
"constant_value": "Enable IAM Permissions" | |
}, | |
"principals": [ | |
{ | |
"type": { | |
"constant_value": "AWS" | |
}, | |
"identifiers": { | |
"references": [ | |
"local.kms_key_admin_arn" | |
] | |
} | |
} | |
], | |
"resources": { | |
"constant_value": [ | |
"*" | |
] | |
}, | |
"actions": { | |
"constant_value": [ | |
"kms:*" | |
] | |
} | |
}, | |
{ | |
"effect": { | |
"constant_value": "Allow" | |
}, | |
"sid": { | |
"constant_value": "Allow CloudTrail to use the key" | |
}, | |
"principals": [ | |
{ | |
"type": { | |
"constant_value": "Service" | |
}, | |
"identifiers": { | |
"constant_value": [ | |
"cloudtrail.amazonaws.com", | |
"s3.amazonaws.com" | |
] | |
} | |
} | |
], | |
"resources": { | |
"constant_value": [ | |
"*" | |
] | |
}, | |
"actions": { | |
"constant_value": [ | |
"kms:Encrypt", | |
"kms:Decrypt", | |
"kms:ReEncrypt*", | |
"kms:GenerateDataKey*", | |
"kms:DescribeKey" | |
] | |
} | |
}, | |
{ | |
"effect": { | |
"constant_value": "Deny" | |
}, | |
"sid": { | |
"constant_value": "DenyNotLocalAccount" | |
}, | |
"condition": [ | |
{ | |
"values": { | |
"references": [ | |
"local.current_account_number" | |
] | |
}, | |
"variable": { | |
"constant_value": "kms:CallerAccount" | |
}, | |
"test": { | |
"constant_value": "StringNotEquals" | |
} | |
}, | |
{ | |
"values": { | |
"constant_value": [ | |
"cloudtrail.amazonaws.com", | |
"s3.amazonaws.com" | |
] | |
}, | |
"variable": { | |
"constant_value": "kms:ViaService" | |
}, | |
"test": { | |
"constant_value": "StringNotEquals" | |
} | |
} | |
], | |
"principals": [ | |
{ | |
"type": { | |
"constant_value": "AWS" | |
}, | |
"identifiers": { | |
"constant_value": [ | |
"*" | |
] | |
} | |
} | |
], | |
"resources": { | |
"constant_value": [ | |
"*" | |
] | |
}, | |
"actions": { | |
"constant_value": [ | |
"kms:Encrypt", | |
"kms:Decrypt", | |
"kms:ReEncrypt*", | |
"kms:GenerateDataKey*", | |
"kms:DescribeKey" | |
] | |
} | |
}, | |
{ | |
"effect": { | |
"constant_value": "Deny" | |
}, | |
"sid": { | |
"constant_value": "DenyNotPrivateIp" | |
}, | |
"condition": [ | |
{ | |
"values": { | |
"constant_value": [ | |
"10.0.0.0/8", | |
"172.16.0.0/12", | |
"192.168.0.0/16" | |
] | |
}, | |
"variable": { | |
"constant_value": "aws:SourceIp" | |
}, | |
"test": { | |
"constant_value": "NotIpAddress" | |
} | |
}, | |
{ | |
"values": { | |
"constant_value": [ | |
"false" | |
] | |
}, | |
"variable": { | |
"constant_value": "kms:ViaService" | |
}, | |
"test": { | |
"constant_value": "Bool" | |
} | |
} | |
], | |
"principals": [ | |
{ | |
"type": { | |
"constant_value": "AWS" | |
}, | |
"identifiers": { | |
"constant_value": [ | |
"*" | |
] | |
} | |
} | |
], | |
"resources": { | |
"constant_value": [ | |
"*" | |
] | |
}, | |
"actions": { | |
"constant_value": [ | |
"kms:Encrypt", | |
"kms:Decrypt", | |
"kms:ReEncrypt*", | |
"kms:GenerateDataKey*", | |
"kms:DescribeKey" | |
] | |
} | |
} | |
] | |
}, | |
"address": "data.aws_iam_policy_document.kms_key_policy", | |
"type": "aws_iam_policy_document", | |
"name": "kms_key_policy", | |
"mode": "data", | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
} | |
], | |
"module_calls": { | |
"kms_module": { | |
"expressions": { | |
"key_data": { | |
"references": [ | |
"local.kms_key_data" | |
] | |
}, | |
"tags": { | |
"references": [ | |
"local.global_tags" | |
] | |
} | |
}, | |
"module": { | |
"outputs": { | |
"kms_key_aliases": { | |
"expression": { | |
"references": [ | |
"aws_kms_alias.key_alias" | |
] | |
} | |
}, | |
"kms_keys": { | |
"expression": { | |
"references": [ | |
"aws_kms_key.the_key" | |
] | |
} | |
} | |
}, | |
"resources": [ | |
{ | |
"expressions": { | |
"target_key_id": { | |
"references": [ | |
"aws_kms_key.the_key", | |
"each.key" | |
] | |
}, | |
"name": { | |
"references": [ | |
"each.key" | |
] | |
} | |
}, | |
"address": "aws_kms_alias.key_alias", | |
"type": "aws_kms_alias", | |
"name": "key_alias", | |
"mode": "managed", | |
"for_each_expression": { | |
"references": [ | |
"var.key_data" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"description": { | |
"references": [ | |
"each.value.description", | |
"each.value" | |
] | |
}, | |
"enable_key_rotation": { | |
"constant_value": true | |
}, | |
"policy": { | |
"references": [ | |
"each.value.policy", | |
"each.value" | |
] | |
}, | |
"tags": { | |
"references": [ | |
"var.tags" | |
] | |
}, | |
"multi_region": { | |
"constant_value": false | |
} | |
}, | |
"address": "aws_kms_key.the_key", | |
"type": "aws_kms_key", | |
"name": "the_key", | |
"mode": "managed", | |
"for_each_expression": { | |
"references": [ | |
"var.key_data" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
} | |
], | |
"variables": { | |
"key_data": { | |
"description": "The configuration of the KMS key(s) to be created. Please see the example." | |
}, | |
"tags": { | |
"description": "A list of common tags to be applied to all objects that support tags." | |
} | |
} | |
}, | |
"source": "../../../modules/kms" | |
}, | |
"s3_module": { | |
"expressions": { | |
"s3_bucket": { | |
"references": [ | |
"local.s3_bucket_info" | |
] | |
}, | |
"tags": { | |
"references": [ | |
"local.global_tags" | |
] | |
}, | |
"kms_keys": { | |
"references": [ | |
"module.kms_module.kms_key_aliases", | |
"module.kms_module" | |
] | |
} | |
}, | |
"module": { | |
"outputs": { | |
"s3_bucket_info": { | |
"expression": { | |
"references": [ | |
"aws_s3_bucket.s3_bucket" | |
] | |
} | |
}, | |
"s3_other_policy_attached": { | |
"expression": { | |
"references": [ | |
"aws_s3_bucket_policy.other_policies" | |
] | |
} | |
} | |
}, | |
"resources": [ | |
{ | |
"expressions": { | |
"advanced_event_selector": [ | |
{ | |
"field_selector": [ | |
{ | |
"field": { | |
"constant_value": "eventCategory" | |
}, | |
"equals": { | |
"constant_value": [ | |
"Data" | |
] | |
} | |
}, | |
{ | |
"starts_with": { | |
"references": [ | |
"each.value.bucket", | |
"each.value" | |
] | |
}, | |
"field": { | |
"constant_value": "resources.ARN" | |
} | |
}, | |
{ | |
"field": { | |
"constant_value": "resources.type" | |
}, | |
"equals": { | |
"constant_value": [ | |
"AWS::S3::Object" | |
] | |
} | |
} | |
] | |
} | |
], | |
"include_global_service_events": { | |
"constant_value": false | |
}, | |
"enable_log_file_validation": { | |
"constant_value": true | |
}, | |
"kms_key_id": { | |
"references": [ | |
"each.value.kms_key", | |
"each.value" | |
] | |
}, | |
"tags": { | |
"references": [ | |
"var.tags" | |
] | |
}, | |
"name": { | |
"references": [ | |
"each.value.bucket", | |
"each.value" | |
] | |
}, | |
"s3_key_prefix": { | |
"references": [ | |
"each.value.prefix", | |
"each.value" | |
] | |
}, | |
"s3_bucket_name": { | |
"references": [ | |
"each.value.target_bucket", | |
"each.value" | |
] | |
} | |
}, | |
"address": "aws_cloudtrail.object_logging", | |
"type": "aws_cloudtrail", | |
"depends_on": [ | |
"aws_s3_bucket.s3_bucket", | |
"aws_s3_bucket_policy.other_policies" | |
], | |
"name": "object_logging", | |
"mode": "managed", | |
"for_each_expression": { | |
"references": [ | |
"local.object_logging_destinations" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"assume_role_policy": { | |
"references": [ | |
"data.aws_iam_policy_document.assume_role_policy.json", | |
"data.aws_iam_policy_document.assume_role_policy" | |
] | |
}, | |
"tags": { | |
"references": [ | |
"var.tags" | |
] | |
}, | |
"name": { | |
"references": [ | |
"each.key" | |
] | |
} | |
}, | |
"address": "aws_iam_role.bucket_replication_role", | |
"type": "aws_iam_role", | |
"depends_on": [ | |
"aws_s3_bucket.s3_bucket" | |
], | |
"name": "bucket_replication_role", | |
"mode": "managed", | |
"for_each_expression": { | |
"references": [ | |
"var.s3_bucket" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"tags": { | |
"references": [ | |
"var.tags", | |
"var.s3_bucket", | |
"each.key" | |
] | |
}, | |
"bucket": { | |
"references": [ | |
"each.key" | |
] | |
}, | |
"force_destroy": { | |
"constant_value": true | |
} | |
}, | |
"address": "aws_s3_bucket.s3_bucket", | |
"type": "aws_s3_bucket", | |
"name": "s3_bucket", | |
"mode": "managed", | |
"for_each_expression": { | |
"references": [ | |
"var.s3_bucket" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"bucket": { | |
"references": [ | |
"each.key" | |
] | |
} | |
}, | |
"address": "aws_s3_bucket_acl.s3_acl", | |
"type": "aws_s3_bucket_acl", | |
"depends_on": [ | |
"aws_s3_bucket.s3_bucket" | |
], | |
"name": "s3_acl", | |
"mode": "managed", | |
"for_each_expression": { | |
"references": [ | |
"var.s3_bucket" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"target_prefix": { | |
"references": [ | |
"each.value.prefix", | |
"each.value" | |
] | |
}, | |
"target_bucket": { | |
"references": [ | |
"each.value.target_bucket", | |
"each.value" | |
] | |
}, | |
"bucket": { | |
"references": [ | |
"each.value.bucket", | |
"each.value" | |
] | |
} | |
}, | |
"address": "aws_s3_bucket_logging.s3_logging", | |
"type": "aws_s3_bucket_logging", | |
"depends_on": [ | |
"aws_s3_bucket.s3_bucket" | |
], | |
"name": "s3_logging", | |
"mode": "managed", | |
"for_each_expression": { | |
"references": [ | |
"local.logging_destinations" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"policy": { | |
"references": [ | |
"data.aws_iam_policy_document.default_bucket_policy", | |
"each.key" | |
] | |
}, | |
"bucket": { | |
"references": [ | |
"each.key" | |
] | |
} | |
}, | |
"address": "aws_s3_bucket_policy.other_policies", | |
"type": "aws_s3_bucket_policy", | |
"depends_on": [ | |
"aws_s3_bucket.s3_bucket", | |
"aws_s3_bucket_public_access_block.s3_bucket_access" | |
], | |
"name": "other_policies", | |
"mode": "managed", | |
"for_each_expression": { | |
"references": [ | |
"var.s3_bucket" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"restrict_public_buckets": { | |
"constant_value": true | |
}, | |
"block_public_policy": { | |
"constant_value": true | |
}, | |
"block_public_acls": { | |
"constant_value": true | |
}, | |
"bucket": { | |
"references": [ | |
"aws_s3_bucket.s3_bucket", | |
"each.key" | |
] | |
}, | |
"ignore_public_acls": { | |
"constant_value": true | |
} | |
}, | |
"address": "aws_s3_bucket_public_access_block.s3_bucket_access", | |
"type": "aws_s3_bucket_public_access_block", | |
"depends_on": [ | |
"aws_s3_bucket.s3_bucket" | |
], | |
"name": "s3_bucket_access", | |
"mode": "managed", | |
"for_each_expression": { | |
"references": [ | |
"aws_s3_bucket.s3_bucket" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"bucket": { | |
"references": [ | |
"each.key" | |
] | |
}, | |
"role": { | |
"references": [ | |
"aws_iam_role.bucket_replication_role", | |
"each.key" | |
] | |
} | |
}, | |
"address": "aws_s3_bucket_replication_configuration.bucket_replication", | |
"type": "aws_s3_bucket_replication_configuration", | |
"depends_on": [ | |
"aws_s3_bucket.s3_bucket" | |
], | |
"name": "bucket_replication", | |
"mode": "managed", | |
"for_each_expression": { | |
"references": [ | |
"var.s3_bucket" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{ | |
"kms_master_key_id": { | |
"references": [ | |
"local.kms_key_lookup", | |
"each.value.kms_key_name", | |
"each.value", | |
"local.kms_key_lookup", | |
"each.value.kms_key_name", | |
"each.value" | |
] | |
}, | |
"sse_algorithm": { | |
"references": [ | |
"local.kms_key_lookup", | |
"each.value.kms_key_name", | |
"each.value" | |
] | |
} | |
} | |
], | |
"bucket_key_enabled": { | |
"constant_value": true | |
} | |
} | |
], | |
"bucket": { | |
"references": [ | |
"each.key" | |
] | |
} | |
}, | |
"address": "aws_s3_bucket_server_side_encryption_configuration.s3_sse", | |
"type": "aws_s3_bucket_server_side_encryption_configuration", | |
"depends_on": [ | |
"aws_s3_bucket.s3_bucket" | |
], | |
"name": "s3_sse", | |
"mode": "managed", | |
"for_each_expression": { | |
"references": [ | |
"var.s3_bucket" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"versioning_configuration": [ | |
{ | |
"status": { | |
"references": [ | |
"each.value.versioning_enabled", | |
"each.value", | |
"each.value.versioning_enabled", | |
"each.value" | |
] | |
} | |
} | |
], | |
"bucket": { | |
"references": [ | |
"each.key" | |
] | |
} | |
}, | |
"address": "aws_s3_bucket_versioning.s3_versioning", | |
"type": "aws_s3_bucket_versioning", | |
"depends_on": [ | |
"aws_s3_bucket.s3_bucket" | |
], | |
"name": "s3_versioning", | |
"mode": "managed", | |
"for_each_expression": { | |
"references": [ | |
"var.s3_bucket" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"versioning_configuration": [ | |
{ | |
"status": { | |
"references": [ | |
"each.value.versioning_enabled", | |
"each.value", | |
"each.value.versioning_enabled", | |
"each.value" | |
] | |
} | |
} | |
], | |
"bucket": { | |
"references": [ | |
"aws_s3_bucket.s3_bucket", | |
"each.key" | |
] | |
} | |
}, | |
"address": "aws_s3_bucket_versioning.source_bucket_versioning", | |
"type": "aws_s3_bucket_versioning", | |
"depends_on": [ | |
"aws_s3_bucket.s3_bucket" | |
], | |
"name": "source_bucket_versioning", | |
"mode": "managed", | |
"for_each_expression": { | |
"references": [ | |
"var.s3_bucket" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"address": "data.aws_caller_identity.current", | |
"type": "aws_caller_identity", | |
"name": "current", | |
"mode": "data", | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"address": "data.aws_canonical_user_id.current_user", | |
"type": "aws_canonical_user_id", | |
"name": "current_user", | |
"mode": "data", | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"statement": [ | |
{ | |
"effect": { | |
"constant_value": "Allow" | |
}, | |
"principals": [ | |
{ | |
"type": { | |
"constant_value": "Service" | |
}, | |
"identifiers": { | |
"constant_value": [ | |
"s3.amazonaws.com" | |
] | |
} | |
} | |
], | |
"actions": { | |
"constant_value": [ | |
"sts:AssumeRole" | |
] | |
} | |
} | |
] | |
}, | |
"address": "data.aws_iam_policy_document.assume_role_policy", | |
"type": "aws_iam_policy_document", | |
"name": "assume_role_policy", | |
"mode": "data", | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"source_policy_documents": { | |
"references": [ | |
"each.value.original_statement", | |
"each.value", | |
"each.value.saf_statement", | |
"each.value" | |
] | |
} | |
}, | |
"address": "data.aws_iam_policy_document.default_bucket_policy", | |
"type": "aws_iam_policy_document", | |
"name": "default_bucket_policy", | |
"mode": "data", | |
"for_each_expression": { | |
"references": [ | |
"local.enhanced_bucket_policy" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"expressions": { | |
"statement": [ | |
{ | |
"effect": { | |
"constant_value": "Allow" | |
}, | |
"resources": { | |
"references": [ | |
"aws_s3_bucket.s3_bucket", | |
"each.key" | |
] | |
}, | |
"actions": { | |
"constant_value": [ | |
"s3:GetReplicationConfiguration", | |
"s3:ListBucket" | |
] | |
} | |
}, | |
{ | |
"effect": { | |
"constant_value": "Allow" | |
}, | |
"resources": { | |
"references": [ | |
"aws_s3_bucket.s3_bucket", | |
"each.key" | |
] | |
}, | |
"actions": { | |
"constant_value": [ | |
"s3:GetObjectVersionForReplication", | |
"s3:GetObjectVersionAcl", | |
"s3:GetObjectVersionTagging" | |
] | |
} | |
} | |
] | |
}, | |
"address": "data.aws_iam_policy_document.replication_policy", | |
"type": "aws_iam_policy_document", | |
"depends_on": [ | |
"aws_s3_bucket.s3_bucket" | |
], | |
"name": "replication_policy", | |
"mode": "data", | |
"for_each_expression": { | |
"references": [ | |
"var.s3_bucket" | |
] | |
}, | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"address": "data.aws_region.current", | |
"type": "aws_region", | |
"name": "current", | |
"mode": "data", | |
"provider_config_key": "aws", | |
"schema_version": 0 | |
}, | |
{ | |
"address": "data.aws_region.secondary_region", | |
"type": "aws_region", | |
"name": "secondary_region", | |
"mode": "data", | |
"provider_config_key": "aws.us-east-2", | |
"schema_version": 0 | |
} | |
], | |
"variables": { | |
"s3_bucket": {}, | |
"tags": {}, | |
"kms_keys": {} | |
} | |
}, | |
"source": "../../../modules/s3" | |
} | |
}, | |
"variables": { | |
"dst_region": { | |
"default": "us-east-2" | |
}, | |
"profile": { | |
"default": "rdt" | |
}, | |
"src_region": { | |
"default": "us-west-2" | |
}, | |
"default_region": { | |
"default": "us-west-2" | |
} | |
} | |
} | |
}, | |
"terraform_version": "1.3.7", | |
"variables": { | |
"dst_region": { | |
"value": "us-east-2" | |
}, | |
"profile": { | |
"value": "rdt" | |
}, | |
"src_region": { | |
"value": "us-west-2" | |
}, | |
"default_region": { | |
"value": "us-west-2" | |
} | |
}, | |
"planned_values": { | |
"root_module": { | |
"child_modules": [ | |
{ | |
"address": "module.kms_module", | |
"resources": [ | |
{ | |
"values": { | |
"id": "alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"arn": "arn:aws:kms:us-west-2:99999999999:alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"target_key_id": "bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"name": "alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"name_prefix": "", | |
"target_key_arn": "arn:aws:kms:us-west-2:99999999999:key/bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b" | |
}, | |
"address": "module.kms_module.aws_kms_alias.key_alias[\"saf_s3_demo_std_bucket_cloudtrail_key\"]", | |
"type": "aws_kms_alias", | |
"sensitive_values": {}, | |
"name": "key_alias", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf_s3_demo_std_bucket_cloudtrail_key" | |
}, | |
{ | |
"values": { | |
"id": "alias/saf_s3_demo_std_bucket_s3_key", | |
"arn": "arn:aws:kms:us-west-2:99999999999:alias/saf_s3_demo_std_bucket_s3_key", | |
"target_key_id": "fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"name": "alias/saf_s3_demo_std_bucket_s3_key", | |
"name_prefix": "", | |
"target_key_arn": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592" | |
}, | |
"address": "module.kms_module.aws_kms_alias.key_alias[\"saf_s3_demo_std_bucket_s3_key\"]", | |
"type": "aws_kms_alias", | |
"sensitive_values": {}, | |
"name": "key_alias", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf_s3_demo_std_bucket_s3_key" | |
}, | |
{ | |
"values": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"description": "Key for CloudTrail encryption", | |
"key_id": "bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"bypass_policy_lockout_safety_check": false, | |
"id": "bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"enable_key_rotation": true, | |
"arn": "arn:aws:kms:us-west-2:99999999999:key/bb8bb8bb-8bb8-bb8b-b8bb-8bb8bb8bb8b", | |
"policy": "{\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::99999999999:role/AWS-InnovationLabs-RDT-West-Admins\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM Permissions\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"s3.amazonaws.com\",\"cloudtrail.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Allow CloudTrail to use the key\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Condition\":{\"StringNotEquals\":{\"kms:CallerAccount\":\"99999999999\",\"kms:ViaService\":[\"cloudtrail.amazonaws.com\",\"s3.amazonaws.com\"]}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"*\",\"Sid\":\"DenyNotLocalAccount\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Condition\":{\"Bool\":{\"kms:ViaService\":\"false\"},\"NotIpAddress\":{\"aws:SourceIp\":[\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\"]}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"*\",\"Sid\":\"DenyNotPrivateIp\"}],\"Version\":\"2012-10-17\"}", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"key_usage": "ENCRYPT_DECRYPT", | |
"multi_region": false, | |
"customer_master_key_spec": "SYMMETRIC_DEFAULT", | |
"custom_key_store_id": "", | |
"is_enabled": true, | |
"deletion_window_in_days": null | |
}, | |
"address": "module.kms_module.aws_kms_key.the_key[\"saf_s3_demo_std_bucket_cloudtrail_key\"]", | |
"type": "aws_kms_key", | |
"sensitive_values": { | |
"tags_all": {}, | |
"tags": {} | |
}, | |
"name": "the_key", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf_s3_demo_std_bucket_cloudtrail_key" | |
}, | |
{ | |
"values": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"description": "Key for S3 encryption", | |
"key_id": "fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"bypass_policy_lockout_safety_check": false, | |
"id": "fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"enable_key_rotation": true, | |
"arn": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"policy": "{\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::99999999999:role/AWS-InnovationLabs-RDT-West-Admins\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM Permissions\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"s3.amazonaws.com\",\"cloudtrail.amazonaws.com\"]},\"Resource\":\"*\",\"Sid\":\"Allow CloudTrail to use the key\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Condition\":{\"StringNotEquals\":{\"kms:CallerAccount\":\"99999999999\",\"kms:ViaService\":[\"cloudtrail.amazonaws.com\",\"s3.amazonaws.com\"]}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"*\",\"Sid\":\"DenyNotLocalAccount\"},{\"Action\":[\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:Encrypt\",\"kms:DescribeKey\",\"kms:Decrypt\"],\"Condition\":{\"Bool\":{\"kms:ViaService\":\"false\"},\"NotIpAddress\":{\"aws:SourceIp\":[\"10.0.0.0/8\",\"172.16.0.0/12\",\"192.168.0.0/16\"]}},\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Resource\":\"*\",\"Sid\":\"DenyNotPrivateIp\"}],\"Version\":\"2012-10-17\"}", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"key_usage": "ENCRYPT_DECRYPT", | |
"multi_region": false, | |
"customer_master_key_spec": "SYMMETRIC_DEFAULT", | |
"custom_key_store_id": "", | |
"is_enabled": true, | |
"deletion_window_in_days": null | |
}, | |
"address": "module.kms_module.aws_kms_key.the_key[\"saf_s3_demo_std_bucket_s3_key\"]", | |
"type": "aws_kms_key", | |
"sensitive_values": { | |
"tags_all": {}, | |
"tags": {} | |
}, | |
"name": "the_key", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf_s3_demo_std_bucket_s3_key" | |
} | |
] | |
}, | |
{ | |
"address": "module.s3_module", | |
"resources": [ | |
{ | |
"values": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"advanced_event_selector": [ | |
{ | |
"field_selector": [ | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"field": "resources.type", | |
"equals": [ | |
"AWS::S3::Object" | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"field": "eventCategory", | |
"equals": [ | |
"Data" | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [ | |
"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/" | |
], | |
"field": "resources.ARN", | |
"equals": [], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
} | |
], | |
"name": "" | |
} | |
], | |
"include_global_service_events": false, | |
"id": "saf-s3-demo-std-bucket-bucket_logging", | |
"enable_log_file_validation": true, | |
"kms_key_id": "arn:aws:kms:us-west-2:99999999999:alias/saf_s3_demo_std_bucket_cloudtrail_key", | |
"is_multi_region_trail": false, | |
"arn": "arn:aws:cloudtrail:us-west-2:99999999999:trail/saf-s3-demo-std-bucket-bucket_logging", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"name": "saf-s3-demo-std-bucket-bucket_logging", | |
"home_region": "us-west-2", | |
"insight_selector": [], | |
"event_selector": [], | |
"is_organization_trail": false, | |
"enable_logging": true, | |
"sns_topic_name": "", | |
"cloud_watch_logs_role_arn": "", | |
"s3_key_prefix": "object_logs", | |
"cloud_watch_logs_group_arn": "", | |
"s3_bucket_name": "saf-s3-logging-bucket-demo-bucket" | |
}, | |
"address": "module.s3_module.aws_cloudtrail.object_logging[\"0\"]", | |
"type": "aws_cloudtrail", | |
"sensitive_values": { | |
"tags_all": {}, | |
"advanced_event_selector": [ | |
{ | |
"field_selector": [ | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"equals": [ | |
false | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [], | |
"equals": [ | |
false | |
], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
}, | |
{ | |
"ends_with": [], | |
"starts_with": [ | |
false | |
], | |
"equals": [], | |
"not_ends_with": [], | |
"not_equals": [], | |
"not_starts_with": [] | |
} | |
] | |
} | |
], | |
"tags": {}, | |
"insight_selector": [], | |
"event_selector": [] | |
}, | |
"name": "object_logging", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "0" | |
}, | |
{ | |
"values": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"description": "", | |
"permissions_boundary": null, | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", | |
"arn": "arn:aws:iam::99999999999:role/saf-s3-demo-std-bucket-bucket", | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Owner": "Some Guy" | |
}, | |
"force_detach_policies": false, | |
"name": "saf-s3-demo-std-bucket-bucket", | |
"inline_policy": [], | |
"name_prefix": "", | |
"max_session_duration": 3600, | |
"create_date": "2023-01-31T23:48:00Z", | |
"path": "/", | |
"managed_policy_arns": [], | |
"unique_id": "AROAZGGUE3TSSATBCWNIV" | |
}, | |
"address": "module.s3_module.aws_iam_role.bucket_replication_role[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_iam_role", | |
"sensitive_values": { | |
"tags_all": {}, | |
"tags": {}, | |
"inline_policy": [], | |
"managed_policy_arns": [] | |
}, | |
"name": "bucket_replication_role", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"tags_all": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Name": "S3 SAF Demo Bucket", | |
"Owner": "Some Guy" | |
}, | |
"server_side_encryption_configuration": [ | |
{ | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{ | |
"kms_master_key_id": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"sse_algorithm": "aws:kms" | |
} | |
], | |
"bucket_key_enabled": true | |
} | |
] | |
} | |
], | |
"hosted_zone_id": "Z3BJ6K6RIION7M", | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"website": [], | |
"website_domain": null, | |
"arn": "arn:aws:s3:::saf-s3-demo-std-bucket-bucket", | |
"policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}},\"Effect\":\"Deny\",\"NotPrincipal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":[\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket\",\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/*\"],\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", | |
"region": "us-west-2", | |
"object_lock_enabled": false, | |
"object_lock_configuration": [], | |
"tags": { | |
"Expire": "31 March 2023", | |
"CreatorId": "XXXXXXXXXXXXXXXXXXXX", | |
"CreatorName": "email@address.com", | |
"Project": "Demo", | |
"Name": "S3 SAF Demo Bucket", | |
"Owner": "Some Guy" | |
}, | |
"logging": [ | |
{ | |
"target_prefix": "s3_logs/", | |
"target_bucket": "saf-s3-logging-bucket-demo-bucket" | |
} | |
], | |
"bucket_prefix": null, | |
"request_payer": "BucketOwner", | |
"cors_rule": [], | |
"bucket_domain_name": "saf-s3-demo-std-bucket-bucket.s3.amazonaws.com", | |
"bucket_regional_domain_name": "saf-s3-demo-std-bucket-bucket.s3.us-west-2.amazonaws.com", | |
"lifecycle_rule": [], | |
"acceleration_status": "", | |
"timeouts": null, | |
"replication_configuration": [], | |
"grant": [ | |
{ | |
"id": "4664f5415d52feb2d1fc6aaca001ac91de2ee758aacb86c8f788d34e66be08a2", | |
"type": "CanonicalUser", | |
"permissions": [ | |
"FULL_CONTROL" | |
], | |
"uri": "" | |
} | |
], | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"versioning": [ | |
{ | |
"mfa_delete": false, | |
"enabled": true | |
} | |
], | |
"acl": null, | |
"force_destroy": true, | |
"website_endpoint": null | |
}, | |
"address": "module.s3_module.aws_s3_bucket.s3_bucket[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket", | |
"sensitive_values": { | |
"tags_all": {}, | |
"server_side_encryption_configuration": [ | |
{ | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{} | |
] | |
} | |
] | |
} | |
], | |
"website": [], | |
"object_lock_configuration": [], | |
"tags": {}, | |
"logging": [ | |
{} | |
], | |
"cors_rule": [], | |
"lifecycle_rule": [], | |
"replication_configuration": [], | |
"grant": [ | |
{ | |
"permissions": [ | |
false | |
] | |
} | |
], | |
"versioning": [ | |
{} | |
] | |
}, | |
"name": "s3_bucket", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"access_control_policy": [ | |
{ | |
"owner": [ | |
{ | |
"id": "4664f5415d52feb2d1fc6aaca001ac91de2ee758aacb86c8f788d34e66be08a2", | |
"display_name": "aws-innovationlabs-rdt-west" | |
} | |
], | |
"grant": [ | |
{ | |
"permission": "FULL_CONTROL", | |
"grantee": [ | |
{ | |
"id": "4664f5415d52feb2d1fc6aaca001ac91de2ee758aacb86c8f788d34e66be08a2", | |
"type": "CanonicalUser", | |
"email_address": "", | |
"uri": "", | |
"display_name": "aws-innovationlabs-rdt-west" | |
} | |
] | |
} | |
] | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"acl": "" | |
}, | |
"address": "module.s3_module.aws_s3_bucket_acl.s3_acl[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_acl", | |
"sensitive_values": { | |
"access_control_policy": [ | |
{ | |
"owner": [ | |
{} | |
], | |
"grant": [ | |
{ | |
"grantee": [ | |
{} | |
] | |
} | |
] | |
} | |
] | |
}, | |
"name": "s3_acl", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"target_grant": [], | |
"target_prefix": "s3_logs/", | |
"target_bucket": "saf-s3-logging-bucket-demo-bucket", | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket" | |
}, | |
"address": "module.s3_module.aws_s3_bucket_logging.s3_logging[\"0\"]", | |
"type": "aws_s3_bucket_logging", | |
"sensitive_values": { | |
"target_grant": [] | |
}, | |
"name": "s3_logging", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "0" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"policy": "{\"Statement\":[{\"Action\":\"s3:*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":[\"false\"]}},\"Effect\":\"Deny\",\"NotPrincipal\":{\"Service\":\"delivery.logs.amazonaws.com\"},\"Resource\":[\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket\",\"arn:aws:s3:::saf-s3-demo-std-bucket-bucket/*\"],\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}", | |
"bucket": "saf-s3-demo-std-bucket-bucket" | |
}, | |
"address": "module.s3_module.aws_s3_bucket_policy.other_policies[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_policy", | |
"sensitive_values": {}, | |
"name": "other_policies", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"restrict_public_buckets": true, | |
"block_public_policy": true, | |
"block_public_acls": true, | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"ignore_public_acls": true | |
}, | |
"address": "module.s3_module.aws_s3_bucket_public_access_block.s3_bucket_access[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_public_access_block", | |
"sensitive_values": {}, | |
"name": "s3_bucket_access", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{ | |
"kms_master_key_id": "arn:aws:kms:us-west-2:99999999999:key/fab4808a-c8b3-45b9-bcfe-87e138fe7592", | |
"sse_algorithm": "aws:kms" | |
} | |
], | |
"bucket_key_enabled": true | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket" | |
}, | |
"address": "module.s3_module.aws_s3_bucket_server_side_encryption_configuration.s3_sse[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_server_side_encryption_configuration", | |
"sensitive_values": { | |
"rule": [ | |
{ | |
"apply_server_side_encryption_by_default": [ | |
{} | |
] | |
} | |
] | |
}, | |
"name": "s3_sse", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"versioning_configuration": [ | |
{ | |
"mfa_delete": "", | |
"status": "Enabled" | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"mfa": null | |
}, | |
"address": "module.s3_module.aws_s3_bucket_versioning.s3_versioning[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_versioning", | |
"sensitive_values": { | |
"versioning_configuration": [ | |
{} | |
] | |
}, | |
"name": "s3_versioning", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
}, | |
{ | |
"values": { | |
"id": "saf-s3-demo-std-bucket-bucket", | |
"versioning_configuration": [ | |
{ | |
"mfa_delete": "", | |
"status": "Enabled" | |
} | |
], | |
"expected_bucket_owner": "", | |
"bucket": "saf-s3-demo-std-bucket-bucket", | |
"mfa": null | |
}, | |
"address": "module.s3_module.aws_s3_bucket_versioning.source_bucket_versioning[\"saf-s3-demo-std-bucket-bucket\"]", | |
"type": "aws_s3_bucket_versioning", | |
"sensitive_values": { | |
"versioning_configuration": [ | |
{} | |
] | |
}, | |
"name": "source_bucket_versioning", | |
"mode": "managed", | |
"schema_version": 0, | |
"provider_name": "registry.terraform.io/hashicorp/aws", | |
"index": "saf-s3-demo-std-bucket-bucket" | |
} | |
] | |
} | |
] | |
} | |
} | |
} |