Merges origin/Allow-blocking-public-access-on-dump-bucket (pull request #85)

Author: hajati

README.md

@@ -1312,6 +1312,32 @@ Type: `string`
 
 Default: `""`
 
+### <a name="input_rds_s3_dump_block_public_access"></a> [rds\_s3\_dump\_block\_public\_access](#input\_rds\_s3\_dump\_block\_public\_access)
+
+Description: Object that defines which public access should be blocked
+
+Type:
+
+```hcl
+object({
+    block_public_acls       = bool
+    block_public_policy     = bool
+    ignore_public_acls      = bool
+    restrict_public_buckets = bool
+  })
+```
+
+Default:
+
+```json
+{
+  "block_public_acls": true,
+  "block_public_policy": true,
+  "ignore_public_acls": true,
+  "restrict_public_buckets": true
+}
+```
+
 ### <a name="input_rds_s3_dump_lifecycle_rules"></a> [rds\_s3\_dump\_lifecycle\_rules](#input\_rds\_s3\_dump\_lifecycle\_rules)
 
 Description: RDS S3 Dump Lifecycle rules

rds-s3-dumps.tf

@@ -158,6 +158,17 @@ resource "aws_s3_bucket_acl" "rds_dumps" {
   acl    = "private"
 }
 
+resource "aws_s3_bucket_public_access_block" "archive" {
+  count = local.rds_dumps_enabled ? 1 : 0
+
+  bucket = aws_s3_bucket.rds_dumps[count.index].id
+
+  block_public_acls       = var.rds_s3_dump_block_public_access.block_public_acls
+  block_public_policy     = var.rds_s3_dump_block_public_access.block_public_policy
+  ignore_public_acls      = var.rds_s3_dump_block_public_access.ignore_public_acls
+  restrict_public_buckets = var.rds_s3_dump_block_public_access.restrict_public_buckets
+}
+
 resource "aws_iam_role_policy" "rds_dumps_role" {
   count = local.rds_dumps_enabled && var.rds_s3_dump_role_arn == "" ? 1 : 0
 

route53.tf

@@ -4,7 +4,7 @@
 locals {
   public_endpoint_enabled  = var.aws_route53_zone_endpoints_enabled && var.aws_route53_zone_public_endpoint_enabled
   private_endpoint_enabled = var.aws_route53_zone_endpoints_enabled && var.aws_route53_zone_private_endpoint_enabled
-  subdomain_name           = length(var.aws_route53_rds_subdomain_override) > 0 ? var.aws_route53_rds_subdomain_override : join(".", [module.rds.db_instance_id, local.rds_dns_subdomains[var.rds_engine]])
+  subdomain_name           = length(var.aws_route53_rds_subdomain_override) > 0 ? var.aws_route53_rds_subdomain_override : join(".", [module.rds.db_instance_identifier, local.rds_dns_subdomains[var.rds_engine]])
 }
 
 data "aws_route53_zone" "public_endpoint" {

variables.tf

@@ -787,6 +787,22 @@ variable "rds_s3_dump_role_arn" {
   default     = ""
 }
 
+variable "rds_s3_dump_block_public_access" {
+  description = "Object that defines which public access should be blocked"
+  type = object({
+    block_public_acls       = bool
+    block_public_policy     = bool
+    ignore_public_acls      = bool
+    restrict_public_buckets = bool
+  })
+  default = {
+    block_public_acls       = true
+    block_public_policy     = true
+    ignore_public_acls      = true
+    restrict_public_buckets = true
+  }
+}
+
 variable "rds_s3_dump_lifecycle_rules" {
   description = "RDS S3 Dump Lifecycle rules"
   default     = []