From 9a299fd38acb0a8ecafca39a4728c1b32ebfeac8 Mon Sep 17 00:00:00 2001
From: Timo Hajati <20628630+hajati@users.noreply.github.com>
Date: Wed, 6 Nov 2024 11:12:18 +0100
Subject: [PATCH 1/3] Allows blocking public access (by default)
---
README.md | 17 +++++++++++++++++
rds-s3-dumps.tf | 11 +++++++++++
variables.tf | 16 ++++++++++++++++
3 files changed, 44 insertions(+)
diff --git a/README.md b/README.md
index 16afa1a..8bdbf9a 100644
--- a/README.md
+++ b/README.md
@@ -1312,6 +1312,23 @@ Type: `string`
Default: `""`
+### [rds\_s3\_dump\_block\_public\_access](#input\_rds\_s3\_dump\_block\_public\_access)
+
+Description: Object that defines which public access should be blocked
+
+Type: `object({})`
+
+Default:
+
+```json
+{
+ "block_public_acls": true,
+ "block_public_policy": true,
+ "ignore_public_acls": true,
+ "restrict_public_buckets": true
+}
+```
+
### [rds\_s3\_dump\_lifecycle\_rules](#input\_rds\_s3\_dump\_lifecycle\_rules)
Description: RDS S3 Dump Lifecycle rules
diff --git a/rds-s3-dumps.tf b/rds-s3-dumps.tf
index c1377fe..527ae3f 100644
--- a/rds-s3-dumps.tf
+++ b/rds-s3-dumps.tf
@@ -158,6 +158,17 @@ resource "aws_s3_bucket_acl" "rds_dumps" {
acl = "private"
}
+resource "aws_s3_bucket_public_access_block" "archive" {
+ count = local.rds_dumps_enabled ? 1 : 0
+
+ bucket = aws_s3_bucket.rds_dumps[count.index].id
+
+ block_public_acls = var.rds_s3_dump_block_public_access.block_public_acls
+ block_public_policy = var.rds_s3_dump_block_public_access.block_public_policy
+ ignore_public_acls = var.rds_s3_dump_block_public_access.ignore_public_acls
+ restrict_public_buckets = var.rds_s3_dump_block_public_access.restrict_public_buckets
+}
+
resource "aws_iam_role_policy" "rds_dumps_role" {
count = local.rds_dumps_enabled && var.rds_s3_dump_role_arn == "" ? 1 : 0
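Review bot: The new resource is named `archive` while every other resource for this bucket visible in the hunk is named after `rds_dumps` (`aws_s3_bucket.rds_dumps`, `aws_s3_bucket_acl.rds_dumps`, `aws_iam_role_policy.rds_dumps_role`); naming it `aws_s3_bucket_public_access_block.rds_dumps` keeps the address predictable for anyone who later references or imports it. If the file also attaches an `aws_s3_bucket_policy` to this bucket (not visible in this hunk), that policy should carry `depends_on = [aws_s3_bucket_public_access_block.rds_dumps]`, because with `block_public_policy` in force AWS rejects a bucket policy that would grant public access, and without the dependency the two resources can be applied in either order. A one-line comment above the resource would make the intent clear to readers of the file: `# Blocks all public access to the dump bucket unless relaxed via var.rds_s3_dump_block_public_access.`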
diff --git a/variables.tf b/variables.tf
index 167ab98..390d793 100644
--- a/variables.tf
+++ b/variables.tf
@@ -787,6 +787,22 @@ variable "rds_s3_dump_role_arn" {
default = ""
}
+variable "rds_s3_dump_block_public_access" {
+ description = "Object that defines which public access should be blocked"
+ type = object({
+ block_public_acls = bool
+ block_public_policy = bool
+ ignore_public_acls = bool
+ restrict_public_buckets = bool
+ })
+ default = {
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+ }
+}
+
variable "rds_s3_dump_lifecycle_rules" {
description = "RDS S3 Dump Lifecycle rules"
default = []
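Review bot: Every attribute of the object type is required, so a caller who wants to relax a single setting must restate all four, which makes it easy to flip the other three to `false` by accident. If the module's required Terraform version is 1.3 or later (not visible here), declaring each attribute as `block_public_acls = optional(bool, true)` keeps the secure default per attribute while still allowing a partial override; the generated README block from the first patch would then need to be regenerated to match. The description could also state what the default does, e.g. `description = "Which S3 public-access protections to enable on the dump bucket; all four are enabled by default"`.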
From 77f3e965fde9ff393d1db943b3c6aa584c73c4a2 Mon Sep 17 00:00:00 2001
From: Timo Hajati <20628630+hajati@users.noreply.github.com>
Date: Wed, 6 Nov 2024 11:13:35 +0100
Subject: [PATCH 2/3] Fixes automatic subdomain name generation by adjusting
renamed output of rds module
---
route53.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/route53.tf b/route53.tf
index 338175a..b170c29 100644
--- a/route53.tf
+++ b/route53.tf
@@ -4,7 +4,7 @@
locals {
public_endpoint_enabled = var.aws_route53_zone_endpoints_enabled && var.aws_route53_zone_public_endpoint_enabled
private_endpoint_enabled = var.aws_route53_zone_endpoints_enabled && var.aws_route53_zone_private_endpoint_enabled
- subdomain_name = length(var.aws_route53_rds_subdomain_override) > 0 ? var.aws_route53_rds_subdomain_override : join(".", [module.rds.db_instance_id, local.rds_dns_subdomains[var.rds_engine]])
+ subdomain_name = length(var.aws_route53_rds_subdomain_override) > 0 ? var.aws_route53_rds_subdomain_override : join(".", [module.rds.db_instance_identifier, local.rds_dns_subdomains[var.rds_engine]])
}
data "aws_route53_zone" "public_endpoint" {
From d8a4f0bbcc3b897031d9ca2074d80e8c3c223551 Mon Sep 17 00:00:00 2001
From: Timo Hajati <20628630+hajati@users.noreply.github.com>
Date: Wed, 6 Nov 2024 11:29:59 +0100
Subject: [PATCH 3/3] fmt
---
README.md | 11 ++++++++++-
variables.tf | 2 +-
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 8bdbf9a..5697c5d 100644
--- a/README.md
+++ b/README.md
@@ -1316,7 +1316,16 @@ Default: `""`
Description: Object that defines which public access should be blocked
-Type: `object({})`
+Type:
+
+```hcl
+object({
+ block_public_acls = bool
+ block_public_policy = bool
+ ignore_public_acls = bool
+ restrict_public_buckets = bool
+ })
+```
Default:
diff --git a/variables.tf b/variables.tf
index 390d793..7ad8fcd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -789,7 +789,7 @@ variable "rds_s3_dump_role_arn" {
variable "rds_s3_dump_block_public_access" {
description = "Object that defines which public access should be blocked"
- type = object({
+ type = object({
block_public_acls = bool
block_public_policy = bool
ignore_public_acls = bool