A Terraform 0.12 base module for creating a secure S3-Bucket on Amazon Web Services (AWS).
- Module Features
- Getting Started
- Module Argument Reference
- Module Attributes Reference
- Module Versioning
- About Mineiros
- Reporting Issues
- Contributing
- License
In contrast to the plain aws_s3_bucket
resource this module creates secure
buckets by default. While all security features can be disabled as needed best practices
are pre-configured.
In addition to security easy cross-account access can be granted to the objects
of the bucket enforcing bucket-owner-full-control
acl for objects created by other accounts.
-
Default Security Settings: Bucket public access blocking all set to
true
by default, Server-Side-Encryption (SSE) at restenabled
by default (AES256), Bucket ACL defaults to cannedprivate
ACL -
Standard S3 Features: Server-Side-Encryption (SSE) enabled by default, Versioning, Bucket Logging, Lifecycle Rules, Request Payer, Cross-Origin Resource Sharing (CORS), Acceleration Status, Bucket Policy, Tags
-
Extended S3 Features: Bucket Public Access Blocking
-
Additional Features: Cross-Account access policy with forced
bucket-owner-full-control
ACL for direct access -
Features not yet implemented: Replication Configuration, Website Configuration, S3 Object Locking, Bucket Notifications, Bucket Metrics, Bucket Inventory, S3 Access Points (not yet supported by terraform aws provider), Cloudfront Origin Access Identity (OAI) policy, Generate Cross-Account role for OAI enabled buckets if desired, Generate KMS key to encrypt objects at rest if desired
Most basic usage creating a random named secure AWS bucket.
module "bucket" {
source = "mineiros-io/s3-bucket/aws"
version = "0.0.3"
}
See variables.tf and examples/ for details and use-cases.
-
create
: (Optionalbool
) Specifies whether the bucket should be created. Default istrue
. -
bucket
: (Optionalstring
, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. -
bucket_prefix
: (Optionalstring
, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. -
acl
: (Optionalstring
) The canned ACL to apply. Defaults toprivate
. -
policy
: (Optionaljson string
) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. Default isnull
. -
tags
: (Optionalmap(string)
) A mapping of tags to assign to the bucket. Default is{}
. -
force_destroy
: (Optionalbool
) A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. Default isfalse
. -
acceleration_status
: (Optionalstring
) Sets the accelerate configuration of an existing bucket. Can beEnabled
orSuspended
. Default isnull
. -
region
: (Optionalstring
) If specified, the AWS region this bucket should reside in. Default is the region used by the callee. -
request_payer
: (Optionalstring
) Specifies who should bear the cost of Amazon S3 data transfer. Can be eitherBucketOwner
orRequester
. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. -
cors_rule
: (Optionalobject
) specifying settings for Cross-Origin Resource Sharing (CORS) (documented below). Default is{}
. -
versioning
: (Optionalbool
orobject
) When set totrue
versioning will be enabled. Specifies Versioning Configuration when passed as an object (documented below). Default isfalse
. -
logging
: (Optionalobject
) Specifying a configuration for logging access logs (documented below). Default is{}
. -
apply_server_side_encryption_by_default
: (Optionalobject
) Specifying the server side encryption to apply to objects at rest (documented below). Default is to useAES256
encryption. -
lifecycle_rules
: (Optionallist(object)
) Specifying various rules specifying object lifecycle management (documented below). Default is[]
.
-
block_public_acls
: (Optionalbool
) Whether Amazon S3 should block public ACLs for this bucket. Enabling this setting does not affect existing policies or ACLs. Default istrue
causing the following behavior:PUT Bucket acl
andPUT Object acl
calls will fail if the specified ACL allows public access.PUT Object
calls will fail if the request includes an object ACL.
-
block_public_policy
: (Optionalbool
) Whether Amazon S3 should block public bucket policies for this bucket. Enabling this setting does not affect the existing bucket policy. Defaults totrue
causing Amazon S3 to:- Reject calls to
PUT Bucket policy
if the specified bucket policy allows public access.
- Reject calls to
-
ignore_public_acls
: (Optionalbool
) Whether Amazon S3 should ignore public ACLs for this bucket. Enabling this setting does not affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. Defaults totrue
causing Amazon S3 to:- Ignore public ACLs on this bucket and any objects that it contains.
-
restrict_public_buckets
: (Optionalbool
) Whether Amazon S3 should restrict public bucket policies for this bucket. Enabling this setting does not affect the previously stored bucket policy, except that public and cross-account access within the public bucket policy, including non-public delegation to specific accounts, is blocked. Default istrue
causing the following effect:- Only the bucket owner and AWS Services can access this buckets if it has a public policy.
-
cross_account_identifiers
: (Optionallist(sring)
) Specifies identifiers that should be granted cross account access to. If this list is empty Cross Account Access is not configured and all other options in this category are ignored. Default is[]
(disabled). -
cross_account_bucket_actions
: (Optionallist(string)
) Specifies actions on the bucket to grant from cross account. Default is["s3:ListBucket"]
. -
cross_account_object_actions
: (Optionallist(string)
) Specifies actions on bucket objects to grant from cross account. Default is["s3:GetObject"]
. -
cross_account_object_actions_with_forced_acl
: (Optionallist(string)
) Specifies actions on bucket objects to grant only with foreced ACL from cross account. Default is["s3:PutObject", "s3:PutObjectAcl"]
. -
cross_account_forced_acls
: (Optionallist(string)
) Specifies ACLs to force on new objects for cross account access. Default is["bucket-owner-full-control"]
.
cors_rule
Object Attributes
-
allowed_headers
: (Optionallist(string)
) Specifies which headers are allowed. Default is[]
. -
allowed_methods
: (Requiredlist(string)
) Specifies which methods are allowed. Can beGET
,PUT
,POST
,DELETE
orHEAD
. -
allowed_origins
: (Requiredlist(string)
) Specifies which origins are allowed. -
expose_headers
: (Optionallist(string)
) Specifies expose header in the response. Default is[]
. -
max_age_seconds
: (Optionalnumber
) Specifies time in seconds that browser can cache the response for a preflight request. Default isnull
.
versioning
Object Attributes
-
enabled
: (Optionalbool
) Once you version-enable a bucket, it can never return to an unversioned state. You can, however, suspend versioning on that bucket. Default isnull
. -
mfa_delete
: (Optionalbool
) Enable MFA delete for either Change the versioning state of your bucket or permanently delete an object version. Default isfalse
.
logging
Object Attributes
-
target_bucket
: (Requiredstring
) The name of the bucket that will receive the log objects. -
target_prefix
: (Optionalstring
) To specify a key prefix for log objects. Default isnull
.
apply_server_side_encryption_by_default
Object Attributes
-
sse_algorithm
: (Optionalstring
) The server-side encryption algorithm to use. Valid values areAES256
andaws:kms
. Default isaws:kms
whenkms_master_key_id
is specified elseAES256
-
kms_master_key_id
: (Optionalstring
) The AWS KMS master key ID used for the SSE-KMS encryption. The defaultaws/s3
AWS KMS master key is used if this element is absent while the sse_algorithm isaws:kms
. Default isnull
.
lifecycle_rules
Object Attributes
-
id
: (Optionalstring
) Unique identifier for the rule. -
prefix
: (Optionalstring
) Object key prefix identifying one or more objects to which the rule applies. -
tags
: (Optionalmap
) Specifies object tags key and value. -
enabled
: (Requiredbool
) Specifies lifecycle rule status. -
abort_incomplete_multipart_upload_days
: (Optionalnumber
) Specifies the number of days after initiating a multipart upload when the multipart upload must be completed. -
expiration
: (Optionalobject
) Specifies a period in the object's expire (documented below). -
transition
: (Optionalobject
) Specifies a period in the object's transitions (documented below). -
noncurrent_version_expiration
: (Optionalobject
) Specifies when noncurrent object versions expire (documented below). -
noncurrent_version_transition
: (Optionalobject
) Specifies when noncurrent object versions transitions (documented below).
At least one of expiration
, transition
, noncurrent_version_expiration
, noncurrent_version_transition
must be specified.
expiration
Object Attributes
-
date
: (Optionalstring
) Specifies the date after which you want the corresponding action to take effect. -
days
: (Optionalstring
) Specifies the number of days after object creation when the specific rule action takes effect. -
expired_object_delete_marker
: (Optionalbool
) On a versioned bucket (versioning-enabled or versioning-suspended bucket), you can add this element in the lifecycle configuration to direct Amazon S3 to delete expired object delete markers.
transition
Object Attributes
-
date
: (Optionalstring
) Specifies the date after which you want the corresponding action to take effect. -
days
: (Optionalnumber
) Specifies the number of days after object creation when the specific rule action takes effect. -
storage_class
: (Requiredstring
) Specifies the Amazon S3 storage class to which you want the object to transition. Can beONEZONE_IA
,STANDARD_IA
,INTELLIGENT_TIERING
,GLACIER
, orDEEP_ARCHIVE
.
noncurrent_version_expiration
Object Attributes
days
: (Requirednumber
) Specifies the number of days an object is noncurrent object versions expire.
noncurrent_version_transition
Object Attributes
-
days
: (Requirednumber
) Specifies the number of days an object is noncurrent object versions expire. -
storage_class
: (Requiredstring
) Specifies the Amazon S3 storage class to which you want the noncurrent versions object to transition. Can beONEZONE_IA
,STANDARD_IA
,INTELLIGENT_TIERING
,GLACIER
, orDEEP_ARCHIVE
.
The following attributes are exported by the module:
bucket
: All bucket attributes as returned by theaws_s3_bucket
resource containing all arguments as specified above and the other attributes as specified below.id
: The name of the bucket.arn
: The ARN of the bucket. Will be of formatarn:aws:s3:::bucketname
.bucket_domain_name
: The bucket domain name. Will be of format bucketname.s3.amazonaws.com.bucket_regional_domain_name
: The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL.hosted_zone_id
: The Route 53 Hosted Zone ID for this bucket's region.region
: The AWS region this bucket resides in.create
: Thecreate
argument.
This Module follows the principles of Semantic Versioning (SemVer).
Given a version number MAJOR.MINOR.PATCH
, we increment the:
MAJOR
version when we make incompatible changes,MINOR
version when we add functionality in a backwards compatible manner, andPATCH
version when we make backwards compatible bug fixes.
- Backwards compatibility in versions
0.0.z
is not guaranteed whenz
is increased. (Initial development) - Backwards compatibility in versions
0.y.z
is not guaranteed wheny
is increased. (Pre-release)
Mineiros is a DevOps as a Service Company based in Berlin, Germany. We offer Commercial Support for all of our projects, just send us an email to hello@mineiros.io.
We can also help you with:
- Terraform Modules for all types of infrastructure such as VPC's, Docker clusters, databases, logging and monitoring, CI, etc.
- Complex Cloud- and Multi Cloud environments.
- Consulting & Training on AWS, Terraform and DevOps.
We use GitHub Issues to track community reported issues and missing features.
Contributions are very welcome! We use Pull Requests for accepting changes. Please see our Contribution Guidelines for full details.
This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.
Copyright © 2020 Mineiros