make bucket names configurable and cleanup

rudransh-shrivastava · rudransh-shrivastava · commit d59068f78e90 · 2025-11-30T19:39:02.000+05:30
diff --git a/infrastructure/backend/main.tf b/infrastructure/backend/main.tf
@@ -73,13 +73,23 @@ resource "aws_dynamodb_table" "state_lock" {
 
 resource "aws_s3_bucket" "logs" { # NOSONAR
   bucket = "${var.project_name}-terraform-state-logs-${random_id.suffix.hex}"
+
+  lifecycle {
+    prevent_destroy = true
+  }
   tags = {
     Name = "${var.project_name}-terraform-state-logs"
   }
 }
 
 resource "aws_s3_bucket" "state" { # NOSONAR
-  bucket = "${var.project_name}-terraform-state-${random_id.suffix.hex}"
+  bucket              = "${var.project_name}-terraform-state-${random_id.suffix.hex}"
+  object_lock_enabled = true
+
+  lifecycle {
+    prevent_destroy = true
+  }
+
   tags = {
     Name = "${var.project_name}-terraform-state"
   }
@@ -123,6 +133,17 @@ resource "aws_s3_bucket_logging" "state" {
   target_prefix = "s3/"
 }
 
+resource "aws_s3_bucket_object_lock_configuration" "state" {
+  bucket = aws_s3_bucket.state.id
+
+  rule {
+    default_retention {
+      mode = "GOVERNANCE"
+      days = 30
+    }
+  }
+}
+
 resource "aws_s3_bucket_policy" "logs" {
   bucket = aws_s3_bucket.logs.id
   policy = data.aws_iam_policy_document.logs.json
@@ -169,6 +190,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
 
 resource "aws_s3_bucket_versioning" "state" {
   bucket = aws_s3_bucket.state.id
+
   versioning_configuration {
     status = "Enabled"
   }
diff --git a/infrastructure/modules/ecs/main.tf b/infrastructure/modules/ecs/main.tf
@@ -217,7 +217,7 @@ module "load_data_task" {
     set -e
     pip install --target=/tmp/awscli-packages awscli
     export PYTHONPATH="/tmp/awscli-packages:$PYTHONPATH"
-    python /tmp/awscli-packages/bin/aws s3 cp s3://${var.fixtures_s3_bucket}/nest.json.gz /tmp/nest.json.gz
+    python /tmp/awscli-packages/bin/aws s3 cp s3://${var.fixtures_bucket_name}/nest.json.gz /tmp/nest.json.gz
     python manage.py load_data --fixture-path /tmp/nest.json.gz
     EOT
   ]
diff --git a/infrastructure/modules/ecs/variables.tf b/infrastructure/modules/ecs/variables.tf
@@ -30,7 +30,7 @@ variable "fixtures_read_only_policy_arn" {
   type        = string
 }
 
-variable "fixtures_s3_bucket" {
+variable "fixtures_bucket_name" {
   description = "The name of the S3 bucket for fixtures"
   type        = string
 }
diff --git a/infrastructure/modules/storage/main.tf b/infrastructure/modules/storage/main.tf
@@ -5,6 +5,10 @@ terraform {
       source  = "hashicorp/aws"
       version = "6.22.0"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = "3.7.2"
+    }
   }
 }
 
@@ -15,15 +19,19 @@ data "aws_iam_policy_document" "fixtures_read_only" {
     ]
     effect = "Allow"
     resources = [
-      "arn:aws:s3:::${var.fixtures_s3_bucket}/*"
+      "arn:aws:s3:::${var.fixtures_bucket_name}-${random_id.suffix.hex}/*"
     ]
   }
 }
 
+resource "random_id" "suffix" {
+  byte_length = 4
+}
+
 module "fixtures_bucket" {
   source = "./modules/s3-bucket"
 
-  bucket_name   = var.fixtures_s3_bucket
+  bucket_name   = "${var.fixtures_bucket_name}-${random_id.suffix.hex}"
   force_destroy = var.force_destroy_bucket
   tags = merge(var.common_tags, {
     Name = "${var.project_name}-${var.environment}-fixtures"
@@ -33,7 +41,7 @@ module "fixtures_bucket" {
 module "zappa_bucket" {
   source = "./modules/s3-bucket"
 
-  bucket_name   = var.zappa_s3_bucket
+  bucket_name   = "${var.zappa_bucket_name}-${random_id.suffix.hex}"
   force_destroy = var.force_destroy_bucket
   tags = merge(var.common_tags, {
     Name = "${var.project_name}-${var.environment}-zappa-deployments"
diff --git a/infrastructure/modules/storage/modules/s3-bucket/main.tf b/infrastructure/modules/storage/modules/s3-bucket/main.tf
@@ -35,10 +35,14 @@ data "aws_iam_policy_document" "this" {
   }
 }
 
-resource "aws_s3_bucket" "this" { #NOSONAR
+resource "aws_s3_bucket" "this" { # NOSONAR
   bucket        = var.bucket_name
   force_destroy = var.force_destroy
   tags          = var.tags
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }
 
 resource "aws_s3_bucket_policy" "this" {
diff --git a/infrastructure/modules/storage/modules/s3-bucket/variables.tf b/infrastructure/modules/storage/modules/s3-bucket/variables.tf
@@ -16,7 +16,7 @@ variable "force_destroy" {
 }
 
 variable "noncurrent_version_expiration_days" {
-  description = "Specifies the number of days an object is noncurrent before it is expired."
+  description = "The number of days an object is noncurrent before it is expired."
   type        = number
   default     = 30
 }
diff --git a/infrastructure/modules/storage/variables.tf b/infrastructure/modules/storage/variables.tf
@@ -9,7 +9,7 @@ variable "environment" {
   type        = string
 }
 
-variable "fixtures_s3_bucket" {
+variable "fixtures_bucket_name" {
   description = "The name of the S3 bucket for fixtures"
   type        = string
 }
@@ -25,7 +25,7 @@ variable "project_name" {
   type        = string
 }
 
-variable "zappa_s3_bucket" {
+variable "zappa_bucket_name" {
   description = "The name of the S3 bucket for Zappa deployments"
   type        = string
 }
diff --git a/infrastructure/staging/main.tf b/infrastructure/staging/main.tf
@@ -60,7 +60,7 @@ module "ecs" {
   ecs_sg_id                     = module.security.ecs_sg_id
   environment                   = var.environment
   fixtures_read_only_policy_arn = module.storage.fixtures_read_only_policy_arn
-  fixtures_s3_bucket            = var.fixtures_s3_bucket
+  fixtures_bucket_name          = var.fixtures_bucket_name
   private_subnet_ids            = module.networking.private_subnet_ids
   project_name                  = var.project_name
 }
@@ -109,8 +109,8 @@ module "storage" {
 
   common_tags          = local.common_tags
   environment          = var.environment
-  fixtures_s3_bucket   = var.fixtures_s3_bucket
+  fixtures_bucket_name = var.fixtures_bucket_name
   force_destroy_bucket = var.force_destroy_bucket
   project_name         = var.project_name
-  zappa_s3_bucket      = var.zappa_s3_bucket
+  zappa_bucket_name    = var.zappa_bucket_name
 }
diff --git a/infrastructure/staging/variables.tf b/infrastructure/staging/variables.tf
@@ -87,10 +87,10 @@ variable "force_destroy_bucket" {
   default     = false
 }
 
-variable "fixtures_s3_bucket" {
+variable "fixtures_bucket_name" {
   description = "The name of the S3 bucket for fixtures"
   type        = string
-  default     = "nest-fixtures"
+  default     = "owasp-nest-fixtures"
 }
 
 variable "private_subnet_cidrs" {
@@ -141,7 +141,7 @@ variable "vpc_cidr" {
   default     = "10.0.0.0/16"
 }
 
-variable "zappa_s3_bucket" {
+variable "zappa_bucket_name" {
   description = "The name of the S3 bucket for Zappa deployments"
   type        = string
   default     = "owasp-nest-zappa-deployments"

Original file line number	Diff line number	Diff line change
`@@ -217,7 +217,7 @@ module "load_data_task" {`
`217`	`217`	`set -e`
`218`	`218`	`pip install --target=/tmp/awscli-packages awscli`
`219`	`219`	`export PYTHONPATH="/tmp/awscli-packages:$PYTHONPATH"`
`220`		`- python /tmp/awscli-packages/bin/aws s3 cp s3://${var.fixtures_s3_bucket}/nest.json.gz /tmp/nest.json.gz`
	`220`	`+ python /tmp/awscli-packages/bin/aws s3 cp s3://${var.fixtures_bucket_name}/nest.json.gz /tmp/nest.json.gz`
`221`	`221`	`python manage.py load_data --fixture-path /tmp/nest.json.gz`
`222`	`222`	`EOT`
`223`	`223`	`]`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ variable "fixtures_read_only_policy_arn" {`
`30`	`30`	`type = string`
`31`	`31`	`}`
`32`	`32`
`33`		`-variable "fixtures_s3_bucket" {`
	`33`	`+variable "fixtures_bucket_name" {`
`34`	`34`	`description = "The name of the S3 bucket for fixtures"`
`35`	`35`	`type = string`
`36`	`36`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,10 @@ terraform {`
`5`	`5`	`source = "hashicorp/aws"`
`6`	`6`	`version = "6.22.0"`
`7`	`7`	`}`
	`8`	`+ random = {`
	`9`	`+ source = "hashicorp/random"`
	`10`	`+ version = "3.7.2"`
	`11`	`+ }`
`8`	`12`	`}`
`9`	`13`	`}`
`10`	`14`
`@@ -15,15 +19,19 @@ data "aws_iam_policy_document" "fixtures_read_only" {`
`15`	`19`	`]`
`16`	`20`	`effect = "Allow"`
`17`	`21`	`resources = [`
`18`		`- "arn:aws:s3:::${var.fixtures_s3_bucket}/*"`
	`22`	`+ "arn:aws:s3:::${var.fixtures_bucket_name}-${random_id.suffix.hex}/*"`
`19`	`23`	`]`
`20`	`24`	`}`
`21`	`25`	`}`
`22`	`26`
	`27`	`+resource "random_id" "suffix" {`
	`28`	`+ byte_length = 4`
	`29`	`+}`
	`30`	`+`
`23`	`31`	`module "fixtures_bucket" {`
`24`	`32`	`source = "./modules/s3-bucket"`
`25`	`33`
`26`		`- bucket_name = var.fixtures_s3_bucket`
	`34`	`+ bucket_name = "${var.fixtures_bucket_name}-${random_id.suffix.hex}"`
`27`	`35`	`force_destroy = var.force_destroy_bucket`
`28`	`36`	`tags = merge(var.common_tags, {`
`29`	`37`	`Name = "${var.project_name}-${var.environment}-fixtures"`
`@@ -33,7 +41,7 @@ module "fixtures_bucket" {`
`33`	`41`	`module "zappa_bucket" {`
`34`	`42`	`source = "./modules/s3-bucket"`
`35`	`43`
`36`		`- bucket_name = var.zappa_s3_bucket`
	`44`	`+ bucket_name = "${var.zappa_bucket_name}-${random_id.suffix.hex}"`
`37`	`45`	`force_destroy = var.force_destroy_bucket`
`38`	`46`	`tags = merge(var.common_tags, {`
`39`	`47`	`Name = "${var.project_name}-${var.environment}-zappa-deployments"`
Original file line number	Diff line number	Diff line change
`@@ -35,10 +35,14 @@ data "aws_iam_policy_document" "this" {`
`35`	`35`	`}`
`36`	`36`	`}`
`37`	`37`
`38`		`-resource "aws_s3_bucket" "this" { #NOSONAR`
	`38`	`+resource "aws_s3_bucket" "this" { # NOSONAR`
`39`	`39`	`bucket = var.bucket_name`
`40`	`40`	`force_destroy = var.force_destroy`
`41`	`41`	`tags = var.tags`
	`42`	`+`
	`43`	`+ lifecycle {`
	`44`	`+ prevent_destroy = true`
	`45`	`+ }`
`42`	`46`	`}`
`43`	`47`
`44`	`48`	`resource "aws_s3_bucket_policy" "this" {`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ variable "force_destroy" {`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`variable "noncurrent_version_expiration_days" {`
`19`		`- description = "Specifies the number of days an object is noncurrent before it is expired."`
	`19`	`+ description = "The number of days an object is noncurrent before it is expired."`
`20`	`20`	`type = number`
`21`	`21`	`default = 30`
`22`	`22`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@ variable "environment" {`
`9`	`9`	`type = string`
`10`	`10`	`}`
`11`	`11`
`12`		`-variable "fixtures_s3_bucket" {`
	`12`	`+variable "fixtures_bucket_name" {`
`13`	`13`	`description = "The name of the S3 bucket for fixtures"`
`14`	`14`	`type = string`
`15`	`15`	`}`
`@@ -25,7 +25,7 @@ variable "project_name" {`
`25`	`25`	`type = string`
`26`	`26`	`}`
`27`	`27`
`28`		`-variable "zappa_s3_bucket" {`
	`28`	`+variable "zappa_bucket_name" {`
`29`	`29`	`description = "The name of the S3 bucket for Zappa deployments"`
`30`	`30`	`type = string`
`31`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -87,10 +87,10 @@ variable "force_destroy_bucket" {`
`87`	`87`	`default = false`
`88`	`88`	`}`
`89`	`89`
`90`		`-variable "fixtures_s3_bucket" {`
	`90`	`+variable "fixtures_bucket_name" {`
`91`	`91`	`description = "The name of the S3 bucket for fixtures"`
`92`	`92`	`type = string`
`93`		`- default = "nest-fixtures"`
	`93`	`+ default = "owasp-nest-fixtures"`
`94`	`94`	`}`
`95`	`95`
`96`	`96`	`variable "private_subnet_cidrs" {`
`@@ -141,7 +141,7 @@ variable "vpc_cidr" {`
`141`	`141`	`default = "10.0.0.0/16"`
`142`	`142`	`}`
`143`	`143`
`144`		`-variable "zappa_s3_bucket" {`
	`144`	`+variable "zappa_bucket_name" {`
`145`	`145`	`description = "The name of the S3 bucket for Zappa deployments"`
`146`	`146`	`type = string`
`147`	`147`	`default = "owasp-nest-zappa-deployments"`