From 2b8f9a1be06895f28b3bf1468e672f2769209f66 Mon Sep 17 00:00:00 2001
From: Sebastian Melchior
Date: Thu, 3 Jan 2019 13:41:49 +0100
Subject: [PATCH] block public access to cloudtrail bucket

---
 changelog.md     | 2 +-
 provider.tf      | 2 +-
 s3_cloudtrail.tf | 9 +++++++++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/changelog.md b/changelog.md
index 249a094..ea2a2e4 100644
--- a/changelog.md
+++ b/changelog.md
@@ -7,7 +7,7 @@ BACKWARDS INCOMPATIBILITIES / NOTES:
 * n.a.
 
 IMPROVEMENTS:
-* n.a.
+* Add Public Access Block for Cloudtrail S3 Bucket
 
 BUG FIXES:
 * n.a.
diff --git a/provider.tf b/provider.tf
index c697353..5708c64 100644
--- a/provider.tf
+++ b/provider.tf
@@ -1,4 +1,4 @@
 provider "aws" {
   region  = "${var.aws_region}"
-  version = "~> 1.6"
+  version = "~> 1.54"
 }
diff --git a/s3_cloudtrail.tf b/s3_cloudtrail.tf
index ec8cb8f..34b58e8 100644
--- a/s3_cloudtrail.tf
+++ b/s3_cloudtrail.tf
@@ -37,3 +37,12 @@ resource "aws_s3_bucket" "cloudtrail_bucket" {
 }
 EOF
 }
+
+resource "aws_s3_bucket_public_access_block" "cloudtrail_bucket" {
+  bucket                  = "${aws_s3_bucket.cloudtrail_bucket.id}"
+  count                   = "${var.trail_bucketname_create}"
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
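Review bot: The new `aws_s3_bucket_public_access_block` is gated by `count = "${var.trail_bucketname_create}"`, but its `bucket` argument references `aws_s3_bucket.cloudtrail_bucket.id` without an index; if the bucket resource (whose definition starts above this hunk, in the `aws_s3_bucket "cloudtrail_bucket"` block) is gated by the same count variable, the two should use the same conditional reference form so the configuration stays valid in both settings, e.g. `bucket = "${element(concat(aws_s3_bucket.cloudtrail_bucket.*.id, list("")), 0)}"`. If the bucket is instead created unconditionally, the `count` on the access block looks like it would silently leave the bucket without the block when the variable is 0, which defeats the purpose of the change; a short comment stating which case is intended would help, such as `# Only created alongside the module-managed bucket; an externally supplied trail bucket must set its own public access block.` The inline bucket `policy = <<EOF` seen in the context lines is the CloudTrail service grant and is not affected by `block_public_policy`, so the four `true` flags are appropriate here.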