Block public access for S3 bucket

Enhanced logging on API Gateway and Lambda
Bubo-AI · Mar 1, 2022 · bb750e2 · bb750e2
1 parent 29bb6c7
commit bb750e2
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 5 deletions.
diff --git a/apigateway.tf b/apigateway.tf
@@ -57,8 +57,30 @@ resource "aws_api_gateway_deployment" "deployment" {
 }
 
 resource "aws_api_gateway_stage" "stage" {
-  stage_name    = "${local.prefix_kebab}${var.stage}"
-  rest_api_id   = aws_api_gateway_rest_api.sftp-idp-secrets.id
-  deployment_id = aws_api_gateway_deployment.deployment.id
+  stage_name           = "${local.prefix_kebab}${var.stage}"
+  rest_api_id          = aws_api_gateway_rest_api.sftp-idp-secrets.id
+  deployment_id        = aws_api_gateway_deployment.deployment.id
+  xray_tracing_enabled = true
+  access_log_settings {
+    destination_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/api_gateway/${local.prefix_kebab}${var.stage}"
+
+    format = jsonencode({
+      request = {
+        requestId         = "$context.requestId"
+        requestTime       = "$context.requestTime"
+        extendedRequestId = "$context.extendedRequestId"
+      }
+    })
+  }
 }
 
+resource "aws_api_gateway_method_settings" "this" {
+  rest_api_id = aws_api_gateway_rest_api.sftp-idp-secrets.id
+  stage_name  = aws_api_gateway_stage.stage.stage_name
+  method_path = "/servers/{serverId}/users/{username}/config/GET"
+  settings {
+    metrics_enabled      = true
+    logging_level        = "INFO"
+    cache_data_encrypted = true
+  }
+}
diff --git a/examples/public-secrets/bucket.tf b/examples/public-secrets/bucket.tf
@@ -12,3 +12,13 @@ resource "aws_s3_bucket" "sftp" {
     }
   }
 }
+
+
+resource "aws_s3_bucket_public_access_block" "sftp" {
+  bucket                  = aws_s3_bucket.sftp.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
diff --git a/examples/public-secrets/secret.tf b/examples/public-secrets/secret.tf
@@ -6,8 +6,6 @@ resource "aws_secretsmanager_secret" "user" {
     User     = var.username
     Prefix   = var.prefix
   }
-
-
 }
 
 resource "aws_secretsmanager_secret_version" "user" {

diff --git a/lambda.tf b/lambda.tf
@@ -19,6 +19,9 @@ resource "aws_lambda_function" "sftp-idp" {
       "prefix"                    = local.prefix_kebab
     }
   }
+  tracing_config {
+    mode = "Active"
+  }
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,8 +6,6 @@ resource "aws_secretsmanager_secret" "user" { @@
         User     = var.username
         Prefix   = var.prefix
       }
     }
     resource "aws_secretsmanager_secret_version" "user" {
@@ Expand Down @@