mirror of
git://git.savannah.gnu.org/guix/maintenance.git
synced 2023-12-14 03:33:04 +01:00
38366d17e8
* cdn/terraform/s3.tf (guix-empty-bucket): Remove it.
48 lines
1.7 KiB
HCL
48 lines
1.7 KiB
HCL
# S3
|
|
|
|
# DO NOT DELETE THIS BUCKET! This bucket contains the Terraform
|
|
# state, shared by all Terraform users in the Guix project. In
|
|
# addition, the s3 backend will not function without it.
|
|
resource "aws_s3_bucket" "guix-terraform-state" {
|
|
bucket = "guix-terraform-state"
|
|
# Access should be granted via IAM policies.
|
|
acl = "private"
|
|
# This allows us to recover state if something ever goes wrong - as
|
|
# long as we do so within the time period specified by our lifecycle
|
|
# policy (see below). For details, see:
|
|
# https://docs.aws.amazon.com/AmazonS3/latest/dev/DeletingObjectVersions.html
|
|
versioning {
|
|
enabled = true
|
|
}
|
|
# When we destroy the bucket, destroy all objects first so that the
|
|
# bucket deletion succeeds. Of course, you should think twice
|
|
# before deleting this bucket!
|
|
force_destroy = true
|
|
# Encrypt data at rest using S3's server side encryption. See:
|
|
# https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
|
|
server_side_encryption_configuration {
|
|
rule {
|
|
apply_server_side_encryption_by_default {
|
|
sse_algorithm = "AES256"
|
|
}
|
|
}
|
|
}
|
|
# The intent of this rule is to retain the current version and zero
|
|
# or more recent non-current versions, while preventing the size of
|
|
# the bucket from growing out of hand.
|
|
lifecycle_rule {
|
|
id = "clean-up"
|
|
enabled = true
|
|
# It seems unlikely that Terraform would use multi-part uploads to
|
|
# upload the state, since the state is small, but just in case,
|
|
# let's automatically abort any stuck multi-part uploads.
|
|
abort_incomplete_multipart_upload_days = 7
|
|
# Clean up old non-current versions.
|
|
noncurrent_version_expiration {
|
|
days = 14
|
|
}
|
|
}
|
|
lifecycle {
|
|
prevent_destroy = true
|
|
}
|
|
}
|