resource "aws_s3_bucket" "emr_logs" { bucket = "${var.name_prefix}-emr-logs-${local.aws_account_id}-${local.aws_region}" } resource "aws_s3_bucket_policy" "emr_logs" { bucket = aws_s3_bucket.emr_logs.id policy = data.aws_iam_policy_document.emr_logs.json } data "aws_iam_policy_document" "emr_logs" { statement { principals { type = "*" identifiers = ["*"] } effect = "Deny" actions = [ "s3:*" ] resources = [ aws_s3_bucket.emr_logs.arn, "${aws_s3_bucket.emr_logs.arn}/*", ] condition { test = "Bool" variable = "aws:SecureTransport" values = ["false"] } } } resource "aws_s3_bucket_public_access_block" "emr_logs" { bucket = aws_s3_bucket.emr_logs.id block_public_acls = true ignore_public_acls = true block_public_policy = true restrict_public_buckets = true } resource "aws_s3_bucket_server_side_encryption_configuration" "emr_logs" { bucket = aws_s3_bucket.emr_logs.bucket rule { apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" } } } resource "aws_s3_bucket_notification" "emr_logs" { bucket = aws_s3_bucket.emr_logs.id queue { id = "emr-log-stdout-file-created" queue_arn = aws_sqs_queue.emr_log_files.arn events = ["s3:ObjectCreated:*"] filter_prefix = var.log_bucket_key_prefix filter_suffix = "stdout.gz" } queue { id = "emr-log-stderr-file-created" queue_arn = aws_sqs_queue.emr_log_files.arn events = ["s3:ObjectCreated:*"] filter_prefix = var.log_bucket_key_prefix filter_suffix = "stderr.gz" } } # VPC Endpoint for S3 resource "aws_vpc_endpoint" "s3" { count = length(data.aws_elasticsearch_domain.logs.vpc_options) > 0 ? 1 : 0 vpc_id = data.aws_elasticsearch_domain.logs.vpc_options[0].vpc_id service_name = "com.amazonaws.${local.aws_region}.s3" } data "aws_vpc" "for_s3_endpoint" { count = length(data.aws_elasticsearch_domain.logs.vpc_options) > 0 ? 1 : 0 id = data.aws_elasticsearch_domain.logs.vpc_options[0].vpc_id } resource "aws_vpc_endpoint_route_table_association" "for_s3_endpoint" { count = length(data.aws_vpc.for_s3_endpoint) > 0 ? 1 : 0 vpc_endpoint_id = aws_vpc_endpoint.s3[0].id route_table_id = data.aws_vpc.for_s3_endpoint[0].main_route_table_id }