remove icon s3 bucket, add log retention policy, make logs private explicitly

2026-05-25 20:57:11 -04:00 · 2026-05-25 20:57:11 -04:00 · e308718eb2
commit e308718eb2
parent 8c005c4f6c
1 changed files with 21 additions and 17 deletions
--- a/infra/main.tf
+++ b/infra/main.tf
@ -179,8 +179,6 @@ resource "aws_iam_role_policy" "s3_access" {
        Effect = "Allow"
        Action = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:HeadObject"]
        Resource = [
-          aws_s3_bucket.icons[0].arn,
-          "${aws_s3_bucket.icons[0].arn}/*",
          aws_s3_bucket.site.arn,
          "${aws_s3_bucket.site.arn}/*",
        ]
@ -205,21 +203,6 @@ resource "aws_iam_instance_profile" "ec2" {

 # --- S3 ---

-resource "aws_s3_bucket" "icons" {
-  count         = var.scanning ? 1 : 0
-  bucket        = "everytab-icons"
-  force_destroy = true
-}
-
-resource "aws_s3_bucket_public_access_block" "icons" {
-  count                   = var.scanning ? 1 : 0
-  bucket                  = aws_s3_bucket.icons[0].id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
 resource "aws_s3_bucket" "site" {
  bucket = "everytab-site"
 }
@ -228,6 +211,27 @@ resource "aws_s3_bucket" "logs" {
  bucket = "everytab-logs"
 }

+resource "aws_s3_bucket_lifecycle_configuration" "logs" {
+  bucket = aws_s3_bucket.logs.id
+
+  rule {
+    id     = "expire-old-logs"
+    status = "Enabled"
+
+    expiration {
+      days = 365
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "logs" {
+  bucket                  = aws_s3_bucket.logs.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 resource "aws_s3_bucket_ownership_controls" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {