remove icon s3 bucket, add log retention policy, make logs private explicitly

infra/main.tf

@@ -179,8 +179,6 @@ resource "aws_iam_role_policy" "s3_access" {
         Effect = "Allow"
         Action = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:HeadObject"]
         Resource = [
-          aws_s3_bucket.icons[0].arn,
-          "${aws_s3_bucket.icons[0].arn}/*",
           aws_s3_bucket.site.arn,
           "${aws_s3_bucket.site.arn}/*",
         ]
@@ -205,21 +203,6 @@ resource "aws_iam_instance_profile" "ec2" {
 
 # --- S3 ---
 
-resource "aws_s3_bucket" "icons" {
-  count         = var.scanning ? 1 : 0
-  bucket        = "everytab-icons"
-  force_destroy = true
-}
-
-resource "aws_s3_bucket_public_access_block" "icons" {
-  count                   = var.scanning ? 1 : 0
-  bucket                  = aws_s3_bucket.icons[0].id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
 resource "aws_s3_bucket" "site" {
   bucket = "everytab-site"
 }
@@ -228,6 +211,27 @@ resource "aws_s3_bucket" "logs" {
   bucket = "everytab-logs"
 }
 
+resource "aws_s3_bucket_lifecycle_configuration" "logs" {
+  bucket = aws_s3_bucket.logs.id
+
+  rule {
+    id     = "expire-old-logs"
+    status = "Enabled"
+
+    expiration {
+      days = 365
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "logs" {
+  bucket                  = aws_s3_bucket.logs.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 resource "aws_s3_bucket_ownership_controls" "logs" {
   bucket = aws_s3_bucket.logs.id
   rule {