From e308718eb2cbe5329da991a91d8b5d646acb7a5a Mon Sep 17 00:00:00 2001
From: Joe Lothan
Date: Mon, 25 May 2026 20:57:11 -0400
Subject: [PATCH] remove icon s3 bucket, add log retention policy, make logs private explicitly

---
 infra/main.tf | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/infra/main.tf b/infra/main.tf
index 1b3d7dd..bb5a110 100644
--- a/infra/main.tf
+++ b/infra/main.tf
@@ -179,8 +179,6 @@ resource "aws_iam_role_policy" "s3_access" {
         Effect = "Allow"
         Action = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:HeadObject"]
         Resource = [
-          aws_s3_bucket.icons[0].arn,
-          "${aws_s3_bucket.icons[0].arn}/*",
           aws_s3_bucket.site.arn,
           "${aws_s3_bucket.site.arn}/*",
         ]
@@ -205,21 +203,6 @@ resource "aws_iam_instance_profile" "ec2" {
 
 # --- S3 ---
 
-resource "aws_s3_bucket" "icons" {
-  count         = var.scanning ? 1 : 0
-  bucket        = "everytab-icons"
-  force_destroy = true
-}
-
-resource "aws_s3_bucket_public_access_block" "icons" {
-  count                   = var.scanning ? 1 : 0
-  bucket                  = aws_s3_bucket.icons[0].id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
 resource "aws_s3_bucket" "site" {
   bucket = "everytab-site"
 }
@@ -228,6 +211,27 @@ resource "aws_s3_bucket" "logs" {
   bucket = "everytab-logs"
 }
 
+resource "aws_s3_bucket_lifecycle_configuration" "logs" {
+  bucket = aws_s3_bucket.logs.id
+
+  rule {
+    id     = "expire-old-logs"
+    status = "Enabled"
+
+    expiration {
+      days = 365
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "logs" {
+  bucket                  = aws_s3_bucket.logs.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 resource "aws_s3_bucket_ownership_controls" "logs" {
   bucket = aws_s3_bucket.logs.id
   rule {
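Review bot: The `rule` block in the new `aws_s3_bucket_lifecycle_configuration.logs` names neither a `filter` nor a `prefix`, so the set of objects it expires is left implicit; the AWS provider expects one of the two and, depending on its version, warns about or rejects a rule that has neither, so an explicit `filter {}` after `status = "Enabled"` makes the whole-bucket scope deliberate. Note also that `expiration { days = 365 }` only removes current object versions — if versioning is ever enabled on `everytab-logs` (not visible in this hunk), a matching `noncurrent_version_expiration { noncurrent_days = 365 }` is needed for the retention policy to actually bound what is kept. A one-line comment on the rule such as `# Retention: objects in the logs bucket expire after 365 days; change here if the retention requirement changes.` would record in the file the intent that only the commit message states.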