Add bucket acl for tfsec

Signed-off-by: Jim Enright <[email protected]>

modules/terraform-cdp-aws-pre-reqs/.tfsec/config.yml

@@ -0,0 +1,9 @@
+---
+#region TODO: Remove once https://github.com/aquasecurity/tfsec/issues/1799 is fixed
+exclude:
+  - aws-s3-block-public-acls
+  - aws-s3-block-public-policy
+  - aws-s3-ignore-public-acls
+  - aws-s3-no-public-buckets
+  - aws-s3-specify-public-access-block
+#endregion

modules/terraform-cdp-aws-pre-reqs/main.tf

@@ -241,6 +241,19 @@ resource "aws_s3_bucket" "cdp_storage_locations" {
   force_destroy = true
 }
 
+resource "aws_s3_bucket_public_access_block" "cdp_storage_locations" {
+
+  for_each = aws_s3_bucket.cdp_storage_locations
+
+  bucket = each.value.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+
+}
+
 # ------- AWS Buckets directory structures -------
 # # Data Storage Objects
 # NOTE: Removing creation of the data storage object because CDP overrides this