From 8f4c0338cb080e969a1211abb129b1e9adc9a4d4 Mon Sep 17 00:00:00 2001
From: Jim Enright
Date: Mon, 25 Sep 2023 12:31:44 +0100
Subject: [PATCH] Add bucket acl for tfsec

Signed-off-by: Jim Enright
---
 .../terraform-cdp-aws-pre-reqs/.tfsec/config.yml | 9 +++++++++
 modules/terraform-cdp-aws-pre-reqs/main.tf | 13 +++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 modules/terraform-cdp-aws-pre-reqs/.tfsec/config.yml

diff --git a/modules/terraform-cdp-aws-pre-reqs/.tfsec/config.yml b/modules/terraform-cdp-aws-pre-reqs/.tfsec/config.yml
new file mode 100644
index 0000000..73b638e
--- /dev/null
+++ b/modules/terraform-cdp-aws-pre-reqs/.tfsec/config.yml
@@ -0,0 +1,9 @@
+---
+#region TODO: Remove once https://github.com/aquasecurity/tfsec/issues/1799 is fixed
+exclude:
+ - aws-s3-block-public-acls
+ - aws-s3-block-public-policy
+ - aws-s3-ignore-public-acls
+ - aws-s3-no-public-buckets
+ - aws-s3-specify-public-access-block
+#endregion
\ No newline at end of file
diff --git a/modules/terraform-cdp-aws-pre-reqs/main.tf b/modules/terraform-cdp-aws-pre-reqs/main.tf
index 5568aed..96d318b 100644
--- a/modules/terraform-cdp-aws-pre-reqs/main.tf
+++ b/modules/terraform-cdp-aws-pre-reqs/main.tf
@@ -241,6 +241,19 @@ resource "aws_s3_bucket" "cdp_storage_locations" {
 force_destroy = true
 }
 
+resource "aws_s3_bucket_public_access_block" "cdp_storage_locations" {
+
+ for_each = aws_s3_bucket.cdp_storage_locations
+
+ bucket = each.value.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+
+}
+
 # ------- AWS Buckets directory structures ------- #
 # Data Storage Objects
 # NOTE: Removing creation of the data storage object because CDP overrides this
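Review bot: The `exclude:` list in `.tfsec/config.yml` disables the five S3 public-access checks for the whole module, so any bucket added later without a matching `aws_s3_bucket_public_access_block` would pass tfsec silently; the suppression is far wider than the single false positive the TODO refers to. Scoping it to the affected resource with inline ignores on the `aws_s3_bucket` block, e.g. `#tfsec:ignore:aws-s3-specify-public-access-block` (one per excluded rule), keeps the checks live for everything else, and tfsec's `:exp:YYYY-MM-DD` suffix on such an ignore turns the `TODO: Remove once …` into an expiry that fails the scan rather than being forgotten. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing before merge.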
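Review bot: The new `aws_s3_bucket_public_access_block` resource carries no comment, and nothing in main.tf ties it to the tfsec exclusions added in the same patch, whose TODO can then be closed without a reader knowing this resource is what actually enforces the setting; the commit title also says "bucket acl" although the resource configures a public access block rather than an ACL. A header such as `# Deny public ACLs and policies on every cdp_storage_locations bucket; the matching checks are excluded in .tfsec/config.yml (see its TODO) — presumably because tfsec does not yet evaluate this resource — and the two should be revisited together once tfsec#1799 is fixed.` would let a maintainer remove both in one step. The three blank lines separating `for_each`, `bucket` and the four boolean arguments are stylistic noise in a resource this small; `terraform fmt` will not remove them, so dropping them by hand would help.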