feat: Added object lock configuration to the export bucket. (#8)

Author: jamesiarmes

tofu/modules/system/main.tf

@@ -77,3 +77,17 @@ module "s3" {
 
   tags = var.tags
 }
+
+resource "aws_s3_bucket_object_lock_configuration" "export" {
+  for_each = var.export_lock_mode != "DISABLED" ? toset(["this"]) : toset([])
+
+  bucket = module.s3.bucket
+
+  rule {
+    default_retention {
+      mode  = var.export_lock_mode
+      days  = var.export_lock_period == "days" ? var.export_lock_age : null
+      years = var.export_lock_period == "years" ? var.export_lock_age : null
+    }
+  }
+}

tofu/modules/system/variables.tf

@@ -10,6 +10,34 @@ variable "export_expiration" {
   description = "Number of days before export files expire."
 }
 
+variable "export_lock_age" {
+  type        = number
+  description = "Age (based on the lock period) of an object before the lock is removed."
+  default     = 30
+}
+
+variable "export_lock_mode" {
+  type        = string
+  description = "Object lock mode for the export bucket."
+  default     = "GOVERNANCE"
+
+  validation {
+    condition     = contains(["COMPLIANCE", "GOVERNANCE", "DISABLED"], var.export_lock_mode)
+    error_message = "Valid object lock modes are: COMPLIANCE, GOVERNANCE, or DISABLED."
+  }
+}
+
+variable "export_lock_period" {
+  type        = string
+  description = "Period for which objects are locked. Valid values are days or years."
+  default     = "days"
+
+  validation {
+    condition     = contains(["days", "years"], var.export_lock_period)
+    error_message = "Valid object lock periods are: days, years."
+  }
+}
+
 variable "key_recovery_period" {
   type        = number
   default     = 30