cisagov · mcdonnnj · Aug 4, 2025 · Aug 4, 2025 · Aug 4, 2025
@@ -447,6 +447,7 @@ terraform apply -var-file=<your_workspace>.tfvars
 | [aws_route_table_association.mgmt_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
 | [aws_s3_bucket.cyhy_archive](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.moe_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_lifecycle_configuration.cyhy_archive](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_notification.fdi_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
 | [aws_s3_bucket_ownership_controls.cyhy_archive](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_ownership_controls.moe_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
@@ -642,6 +643,7 @@ terraform apply -var-file=<your_workspace>.tfvars
 | create\_bod\_flow\_logs | Whether or not to create flow logs for the BOD 18-01 VPC. | `bool` | `false` | no |
 | create\_cyhy\_flow\_logs | Whether or not to create flow logs for the CyHy VPC. | `bool` | `false` | no |
 | create\_mgmt\_flow\_logs | Whether or not to create flow logs for the Management VPC. | `bool` | `false` | no |
+| cyhy\_archive\_bucket\_lifecycle\_rule\_name | The name of the lifecycle rule for the cyhy-archive S3 bucket. | `string` | `"cyhy-archive-object-storage-class-transitions"` | no |
 | cyhy\_archive\_bucket\_name | S3 bucket for storing compressed archive files created by cyhy-archive. | `string` | `"ncats-cyhy-archive"` | no |
 | cyhy\_elastic\_ip\_cidr\_block | The CIDR block of elastic addresses available for use by CyHy scanner instances. | `string` | `""` | no |
 | cyhy\_portscan\_first\_elastic\_ip\_offset | The offset of the address (from the start of the elastic IP CIDR block) to be assigned to the *first* CyHy portscan instance.  For example, if the CIDR block is 192.168.1.0/24 and the offset is set to 10, the first portscan address used will be 192.168.1.10.  This is only used in production workspaces.  Each additional portscan instance will get the next consecutive address in the block.  NOTE: This will only work as intended when a contiguous CIDR block of EIP addresses is available. | `number` | `0` | no |

@@ -37,6 +37,41 @@ resource "aws_s3_bucket_ownership_controls" "cyhy_archive" {
   }
 }
 
+# Add a lifecycle configuration to the bucket to transition any cyhy-archive objects to
+# progressively slower and/or more expensive to access, but cheaper to store, storage
+# classes. The dates to transition take into account the minimum retention period
+# requirements for the storage class the object is transitioning from.
+resource "aws_s3_bucket_lifecycle_configuration" "cyhy_archive" {
+  bucket = aws_s3_bucket.cyhy_archive.id
+
+  rule {
+    id     = var.cyhy_archive_bucket_lifecycle_rule_name
+    status = "Enabled"
+
+    filter {
+      # This matches the prefix for the archive files produced by the cyhy-archive
+      # script.
+      prefix = "cyhy_archive_"
+    }
+
+    # After 30 days, transition archive objects to the Glacier Instant Retrieval
+    # storage class. This storage class has a 90 day minimum retention period.
+    transition {
+      days          = 30
+      storage_class = "GLACIER_IR"
+    }
+
+    # After 120 days (30 in Standard and 90 in Glacier Instant Retrieval), transition
+    # archive objects to the Glacier Deep Archive storage class. This storage class has
+    # a 180 day minimum retention period. This is the final storage class for these
+    # objects.
+    transition {
+      days          = 120
+      storage_class = "DEEP_ARCHIVE"
+    }
+  }
+}
+
 # IAM policy document that that allows S3 PutObject (write) on our
 # cyhy-archive bucket.  This will be applied to the cyhy-archive role.
 data "aws_iam_policy_document" "s3_cyhy_archive_write_doc" {

@@ -181,6 +181,13 @@ variable "create_mgmt_flow_logs" {
   type        = bool
 }
 
+variable "cyhy_archive_bucket_lifecycle_rule_name" {
+  default     = "cyhy-archive-object-storage-class-transitions"
+  description = "The name of the lifecycle rule for the cyhy-archive S3 bucket."
+  nullable    = false
+  type        = string
+}
+
 variable "cyhy_archive_bucket_name" {
   default     = "ncats-cyhy-archive"
   description = "S3 bucket for storing compressed archive files created by cyhy-archive."