/terraform-aws-s3

Terraform module to create default S3 bucket with logging and encryption type specific features.

Primary LanguageHCLApache License 2.0Apache-2.0

Terraform AWS S3

Terraform module to create default S3 bucket with logging and encryption type specific features.

Terraform Licence tfsec static-checks

We eat, drink, sleep and most importantly love DevOps. We are working towards strategies for standardizing architecture while ensuring security for the infrastructure. We are strong believer of the philosophy Bigger problems are always solved by breaking them into smaller manageable problems. Resonating with microservices architecture, it is considered best-practice to run database, cluster, storage in smaller connected yet manageable pieces within the infrastructure.

This module is basically combination of Terraform open source and includes automatation tests and examples. It also helps to create and improve your infrastructure with minimalistic code instead of maintaining the whole infrastructure code yourself.

We have fifty plus terraform modules. A few of them are comepleted and are available for open source usage while a few others are in progress.

Prerequisites

This module has a few dependencies:

Examples

IMPORTANT: Since the master branch used in source varies based on new modifications, we suggest that you use the release versions here.

Here are some examples of how you can use this module in your inventory structure:

Default Bucket

module "s3_bucket" {
  source              = "clouddrove/s3/aws"
  version             = "1.3.0"
  name                = "clouddrove-secure-bucket"
  environment         = "test"
  label_order         = ["name", "environment"]
  versioning          = true
  acl                 = "private"
  bucket_enabled      = true
}

Encryption Bucket

module "s3_bucket" {
  source                     = "clouddrove/s3/aws"
  version                    = "1.3.0"
  name                       = "clouddrove-encryption-bucket"
  environment                = "test"
  label_order                = ["name", "environment"]
  versioning                 = true
  acl                        = "private"
  bucket_encryption_enabled  = true
  sse_algorithm              = "aws:kms"
  kms_master_key_id          = module.kms_key.key_arn
}
### Logging-Encryption Bucket
```hcl
module "s3_bucket" {
  source                             = "clouddrove/s3/aws"
  version                            = "1.3.0"
  name                               = "clouddrove-logging-encryption-bucket"
  environment                        = "test"
  label_order                        = ["name", "environment"]
  versioning                         = true
  acl                                = "private"
  bucket_logging_encryption_enabled  = true
  sse_algorithm                      = "AES256"
  target_bucket                      = "bucket-logs12"
  target_prefix                      = "logs"
}

Logging Bucket

module "s3_bucket" {
  source                  = "clouddrove/s3/aws"
  version                 = "1.3.0"
  name                    = "clouddrove-logging-bucket"
  environment             = "test"
  label_order             = ["name", "environment"]
  versioning              = true
  acl                     = "private"
  bucket_logging_enabled  = true
  target_bucket           = "bucket-logs12"
  target_prefix           = "logs"
}

Website Host Bucket

module "s3_bucket" {
  source                              = "clouddrove/s3/aws"
  version                             = "1.3.0"
  name                                = "clouddrove-website-bucket"
  environment                         = "test"
  label_order                         = ["name", "environment"]
  versioning                          = true
  acl                                 = "private"
  website_hosting_bucket              = true
  website_index                       = "index.html"
  website_error                       = "error.html"
  bucket_policy                       = true
  lifecycle_expiration_enabled        = true
  lifecycle_expiration_object_prefix  = "test"
  lifecycle_days_to_expiration        = 10
  aws_iam_policy_document             = data.aws_iam_policy_document.default.json
}
data "aws_iam_policy_document" "default" {
  version = "2012-10-17"
  statement {
       sid = "Stmt1547315805704"
       effect = "Allow"
       principals {
            type = "AWS"
            identifiers = ["*"]
          }
       actions = ["s3:GetObject"]
       resources = ["arn:aws:s3:::clouddrove-website-bucket-test/*"]
   }
}

Cors Bucket

  module "s3_bucket" {
  source = "./../../"

  name        = "clouddrove-secure-bucket"
  environment = "test"
  attributes  = ["private"]
  label_order = ["name", "environment"]

  versioning = true
  acl        = "private"
  cors_rule = [{
  "allowed_headers" : ["*"]
  allowed_methods = ["PUT", "POST"],
  allowed_origins = ["https://s3-website-test.hashicorp.com"],
  expose_headers  = ["ETag"],
  max_age_seconds = 3000 }]
}

Inputs

Name Description Type Default Required
acceleration_status Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended bool false no
acl Canned ACL to apply to the S3 bucket. string null no
acl_grants A list of policy grants for the bucket. Conflicts with acl. Set acl to null to use this. 
list(object({
    id         = string
    type       = string
    permission = string
    uri        = string
  }))
 null no
attach_deny_insecure_transport_policy Controls if S3 bucket should have deny non-SSL transport policy attached bool false no
attach_elb_log_delivery_policy Controls if S3 bucket should have ELB log delivery policy attached bool false no
attach_lb_log_delivery_policy Controls if S3 bucket should have ALB/NLB log delivery policy attached bool false no
attach_policy Controls if S3 bucket should have bucket policy attached (set to true to use value of policy as bucket policy) bool false no
attach_public_policy Controls if a user defined public bucket policy will be attached (set to false to allow upstream to apply defaults to the bucket) bool true no
attach_require_latest_tls_policy Controls if S3 bucket should require the latest version of TLS bool false no
attributes Additional attributes (e.g. 1). list(any) [] no
aws_iam_policy_document Specifies the number of days after object creation when the object expires. string "" no
block_public_acls Whether Amazon S3 should block public ACLs for this bucket. bool false no
block_public_policy Whether Amazon S3 should block public bucket policies for this bucket. bool false no
bucket_policy Conditionally create S3 bucket policy. bool false no
bucket_prefix (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. string null no
control_object_ownership Whether to manage S3 Bucket Ownership Controls on this bucket. bool false no
cors_rule CORS Configuration specification for this bucket 
list(object({
    allowed_headers = list(string)
    allowed_methods = list(string)
    allowed_origins = list(string)
    expose_headers  = list(string)
    max_age_seconds = number
  }))
 null no
create_bucket Conditionally create S3 bucket. bool true no
delimiter Delimiter to be used between organization, environment, name and attributes. string "-" no
enable_kms Enable enable_server_side_encryption bool false no
enable_lifecycle_configuration_rules enable or disable lifecycle_configuration_rules bool false no
enable_server_side_encryption Enable enable_server_side_encryption bool false no
environment Environment (e.g. prod, dev, staging). string "" no
error_document he name of the error document for the website string "error.html" no
force_destroy A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. bool false no
grants ACL Policy grant.conflict with acl.set acl null to use this 
list(object({
    id          = string
    type        = string
    permissions = list(string)
    uri         = string
  }))
 null no
ignore_public_acls Whether Amazon S3 should ignore public ACLs for this bucket. bool false no
index_document The name of the index document for the website string "index.html" no
kms_master_key_id The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms. string "" no
label_order Label order, e.g. name,application. list(any) [] no
lifecycle_configuration_rules A list of lifecycle rules 
list(object({
    id      = string
    prefix  = string
    enabled = bool
    tags    = map(string)

    enable_glacier_transition            = bool
    enable_deeparchive_transition        = bool
    enable_standard_ia_transition        = bool
    enable_current_object_expiration     = bool
    enable_noncurrent_version_expiration = bool

    abort_incomplete_multipart_upload_days         = number
    noncurrent_version_glacier_transition_days     = number
    noncurrent_version_deeparchive_transition_days = number
    noncurrent_version_expiration_days             = number

    standard_transition_days    = number
    glacier_transition_days     = number
    deeparchive_transition_days = number
    expiration_days             = number
  }))
 null no
lifecycle_days_to_deep_archive_transition Specifies the number of days after object creation when it will be moved to DEEP ARCHIVE . number 180 no
lifecycle_days_to_expiration Specifies the number of days after object creation when the object expires. number 365 no
lifecycle_days_to_glacier_transition Specifies the number of days after object creation when it will be moved to Glacier storage. number 180 no
lifecycle_days_to_infrequent_storage_transition Specifies the number of days after object creation when it will be moved to standard infrequent access storage. number 60 no
lifecycle_deep_archive_object_prefix Object key prefix identifying one or more objects to which the lifecycle rule applies. string "" no
lifecycle_deep_archive_transition_enabled Specifies DEEP ARCHIVE transition lifecycle rule status. bool false no
lifecycle_expiration_enabled Specifies expiration lifecycle rule status. bool false no
lifecycle_expiration_object_prefix Object key prefix identifying one or more objects to which the lifecycle rule applies. string "" no
lifecycle_glacier_object_prefix Object key prefix identifying one or more objects to which the lifecycle rule applies. string "" no
lifecycle_glacier_transition_enabled Specifies Glacier transition lifecycle rule status. bool false no
lifecycle_infrequent_storage_object_prefix Object key prefix identifying one or more objects to which the lifecycle rule applies. string "" no
lifecycle_infrequent_storage_transition_enabled Specifies infrequent storage transition lifecycle rule status. bool false no
logging Logging Object to enable and disable logging bool false no
managedby ManagedBy, eg 'CloudDrove'. string "hello@clouddrove.com" no
mfa_delete Enable MFA delete for either Change the versioning state of your bucket or Permanently delete an object version. bool false no
name Name (e.g. app or cluster). string "" no
object_lock_configuration With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. 
object({
    mode  = string #Valid values are GOVERNANCE and COMPLIANCE.
    days  = number
    years = number
  })
 null no
object_ownership Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. string "ObjectWriter" no
owner_id The canonical user ID associated with the AWS account. string "" no
redirect The redirect behavior for every request to this bucket's website endpoint string "documents/" no
replication_configuration Map containing cross-region replication configuration. any {} no
repository Terraform current module repo string "https://github.com/clouddrove/terraform-aws-s3" no
request_payer Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer bool false no
restrict_public_buckets Whether Amazon S3 should restrict public bucket policies for this bucket. bool false no
routing_rule ist of rules that define when a redirect is applied and the redirect behavior string "docs/" no
sse_algorithm The server-side encryption algorithm to use. Valid values are AES256 and aws:kms. string "AES256" no
tags Additional tags (e.g. map(BusinessUnit,XYZ). map(any) {} no
target_bucket The bucket where you want Amazon S3 to store server access logs. string "" no
target_prefix A prefix for all log object keys. string "" no
versioning Enable Versioning of S3. bool true no
website_config_enable enable or disable aws_s3_bucket_website_configuration bool false no

Outputs

Name Description
arn The ARN of the s3 bucket.
bucket_domain_name The Domain of the s3 bucket.
id The ID of the s3 bucket.
tags A mapping of tags to assign to the resource.

Testing

In this module testing is performed with terratest and it creates a small piece of infrastructure, matches the output like ARN, ID and Tags name etc and destroy infrastructure in your AWS account. This testing is written in GO, so you need a GO environment in your system.

You need to run the following command in the testing folder:

  go test -run Test

Feedback

If you come accross a bug or have any feedback, please log it in our issue tracker, or feel free to drop us an email at hello@clouddrove.com.

If you have found it worth your time, go ahead and give us a ★ on our GitHub!

About us

At CloudDrove, we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.

We are The Cloud Experts!

We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.