Merge branch 'main' into GH-239-enhancement
nitrocode authored Nov 14, 2024
2 parents 1fe36ee + f780005 commit 1e130c9
Showing 5 changed files with 41 additions and 13 deletions.
4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -248,6 +248,7 @@ Available targets:
| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_replication_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_replication_configuration) | resource |
| [aws_s3_bucket_request_payment_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_request_payment_configuration) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
| [aws_s3_bucket_website_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
Expand Down Expand Up @@ -283,7 +284,7 @@ Available targets:
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br/>Map of maps. Keys are names of descriptors. Values are maps of the form<br/>`{<br/> format = string<br/> labels = list(string)<br/>}`<br/>(Type is `any` so the map values can later be enhanced to provide additional options.)<br/>`format` is a Terraform format string to be passed to the `format()` function.<br/>`labels` is a list of labels, in order, to pass to `format()` function.<br/>Label values will be normalized before being passed to `format()` so they will be<br/>identical to how they appear in `id`.<br/>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <a name="input_event_notification_details"></a> [event\_notification\_details](#input\_event\_notification\_details) | (optional) S3 event notification details | <pre>object({<br/> enabled = bool<br/> lambda_list = optional(list(object({<br/> lambda_function_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> filter_prefix = string<br/> filter_suffix = string<br/> })), [])<br/><br/> queue_list = optional(list(object({<br/> queue_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> })), [])<br/><br/> topic_list = optional(list(object({<br/> topic_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> })), [])<br/><br/> })</pre> | <pre>{<br/> "enabled": false<br/>}</pre> | no |
| <a name="input_event_notification_details"></a> [event\_notification\_details](#input\_event\_notification\_details) | S3 event notification details | <pre>object({<br/> enabled = bool<br/> eventbridge = optional(bool, false)<br/> lambda_list = optional(list(object({<br/> lambda_function_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> filter_prefix = string<br/> filter_suffix = string<br/> })), [])<br/><br/> queue_list = optional(list(object({<br/> queue_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> })), [])<br/><br/> topic_list = optional(list(object({<br/> topic_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> })), [])<br/> })</pre> | <pre>{<br/> "enabled": false<br/>}</pre> | no |
| <a name="input_expected_bucket_owner"></a> [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | Account ID of the expected bucket owner. <br/>More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html | `string` | `null` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.<br/>THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier. | `bool` | `false` | no |
| <a name="input_grants"></a> [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.<br/>Conflicts with `acl`. Set `acl` to `null` to use this.<br/>Deprecated by AWS in favor of bucket policies.<br/>Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". | <pre>list(object({<br/> id = string<br/> type = string<br/> permissions = list(string)<br/> uri = string<br/> }))</pre> | `[]` | no |
Expand Down Expand Up @@ -314,6 +315,7 @@ Available targets:
| <a name="input_s3_replication_permissions_boundary_arn"></a> [s3\_replication\_permissions\_boundary\_arn](#input\_s3\_replication\_permissions\_boundary\_arn) | Permissions boundary ARN for the created IAM replication role. | `string` | `null` | no |
| <a name="input_s3_replication_rules"></a> [s3\_replication\_rules](#input\_s3\_replication\_rules) | Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | <pre>list(object({<br/> id = optional(string)<br/> priority = optional(number)<br/> prefix = optional(string)<br/> status = optional(string, "Enabled")<br/> # delete_marker_replication { status } had been flattened for convenience<br/> delete_marker_replication_status = optional(string, "Disabled")<br/> # Add the configuration as it appears in the resource, for consistency<br/> # this nested version takes precedence if both are provided.<br/> delete_marker_replication = optional(object({<br/> status = string<br/> }))<br/><br/> # destination_bucket is specified here rather than inside the destination object because before optional<br/> # attributes, it made it easier to work with the Terraform type system and create a list of consistent type.<br/> # It is preserved for backward compatibility, but the nested version takes priority if both are provided.<br/> destination_bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/><br/> destination = object({<br/> bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/> storage_class = optional(string, "STANDARD")<br/> # replica_kms_key_id at this level is for backward compatibility, and is overridden by the one in `encryption_configuration`<br/> replica_kms_key_id = optional(string, "")<br/> encryption_configuration = optional(object({<br/> replica_kms_key_id = string<br/> }))<br/> access_control_translation = optional(object({<br/> owner = string<br/> }))<br/> # account_id is for backward compatibility, overridden by account<br/> account_id = optional(string)<br/> account = optional(string)<br/> # For convenience, specifying either metrics or replication_time enables both<br/> metrics = optional(object({<br/> event_threshold = 
optional(object({<br/> minutes = optional(number, 15) # Currently 15 is the only valid number<br/> }), { minutes = 15 })<br/> status = optional(string, "Enabled")<br/> }), { status = "Disabled" })<br/> # To preserve backward compatibility, Replication Time Control (RTC) is automatically enabled<br/> # when metrics are enabled. To enable metrics without RTC, you must explicitly configure<br/> # replication_time.status = "Disabled".<br/> replication_time = optional(object({<br/> time = optional(object({<br/> minutes = optional(number, 15) # Currently 15 is the only valid number<br/> }), { minutes = 15 })<br/> status = optional(string)<br/> }))<br/> })<br/><br/> source_selection_criteria = optional(object({<br/> replica_modifications = optional(object({<br/> status = string # Either Enabled or Disabled<br/> }))<br/> sse_kms_encrypted_objects = optional(object({<br/> status = optional(string)<br/> }))<br/> }))<br/> # filter.prefix overrides top level prefix<br/> filter = optional(object({<br/> prefix = optional(string)<br/> tags = optional(map(string), {})<br/> }))<br/> }))</pre> | `null` | no |
| <a name="input_s3_replication_source_roles"></a> [s3\_replication\_source\_roles](#input\_s3\_replication\_source\_roles) | Cross-account IAM Role ARNs that will be allowed to perform S3 replication to this bucket (for replication within the same AWS account, it's not necessary to adjust the bucket policy). | `list(string)` | `[]` | no |
| <a name="input_s3_request_payment_configuration"></a> [s3\_request\_payment\_configuration](#input\_s3\_request\_payment\_configuration) | S3 request payment configuration | <pre>object({<br/> enabled = bool<br/> expected_bucket_owner = optional(string)<br/> payer = string<br/> })</pre> | <pre>{<br/> "enabled": false,<br/> "payer": "BucketOwner"<br/>}</pre> | no |
| <a name="input_source_ip_allow_list"></a> [source\_ip\_allow\_list](#input\_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket | `list(string)` | `[]` | no |
| <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents (in JSON) that are merged together into the exported document.<br/>Statements defined in source\_policy\_documents must have unique SIDs.<br/>Statement having SIDs that match policy SIDs generated by this module will override them. | `list(string)` | `[]` | no |
| <a name="input_sse_algorithm"></a> [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"AES256"` | no |
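Review bot: the new `s3_request_payment_configuration` row documents the object shape but not the accepted values of `payer`; the validation added in variables.tf only accepts `BucketOwner` or `Requester` (case-insensitively), so the description column should say so. It would also help callers to state that `enabled = false` simply means no `aws_s3_bucket_request_payment_configuration` resource is created, so a request-payment setting already applied to the bucket outside the module is left untouched rather than reset.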
2 changes: 1 addition & 1 deletion docs/terraform.md
Expand Up @@ -75,7 +75,7 @@
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br/>Map of maps. Keys are names of descriptors. Values are maps of the form<br/>`{<br/> format = string<br/> labels = list(string)<br/>}`<br/>(Type is `any` so the map values can later be enhanced to provide additional options.)<br/>`format` is a Terraform format string to be passed to the `format()` function.<br/>`labels` is a list of labels, in order, to pass to `format()` function.<br/>Label values will be normalized before being passed to `format()` so they will be<br/>identical to how they appear in `id`.<br/>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <a name="input_event_notification_details"></a> [event\_notification\_details](#input\_event\_notification\_details) | (optional) S3 event notification details | <pre>object({<br/> enabled = bool<br/> lambda_list = optional(list(object({<br/> lambda_function_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> filter_prefix = string<br/> filter_suffix = string<br/> })), [])<br/><br/> queue_list = optional(list(object({<br/> queue_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> })), [])<br/><br/> topic_list = optional(list(object({<br/> topic_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> })), [])<br/><br/> })</pre> | <pre>{<br/> "enabled": false<br/>}</pre> | no |
| <a name="input_event_notification_details"></a> [event\_notification\_details](#input\_event\_notification\_details) | S3 event notification details | <pre>object({<br/> enabled = bool<br/> eventbridge = optional(bool, false)<br/> lambda_list = optional(list(object({<br/> lambda_function_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> filter_prefix = string<br/> filter_suffix = string<br/> })), [])<br/><br/> queue_list = optional(list(object({<br/> queue_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> })), [])<br/><br/> topic_list = optional(list(object({<br/> topic_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> })), [])<br/> })</pre> | <pre>{<br/> "enabled": false<br/>}</pre> | no |
| <a name="input_expected_bucket_owner"></a> [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | Account ID of the expected bucket owner. <br/>More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html | `string` | `null` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.<br/>THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier. | `bool` | `false` | no |
| <a name="input_grants"></a> [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.<br/>Conflicts with `acl`. Set `acl` to `null` to use this.<br/>Deprecated by AWS in favor of bucket policies.<br/>Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". | <pre>list(object({<br/> id = string<br/> type = string<br/> permissions = list(string)<br/> uri = string<br/> }))</pre> | `[]` | no |
17 changes: 14 additions & 3 deletions main.tf
Expand Up @@ -580,11 +580,14 @@ resource "time_sleep" "wait_for_aws_s3_bucket_settings" {
create_duration = "30s"
destroy_duration = "30s"
}
// S3 event Bucket Notifications

# S3 event Bucket Notifications
resource "aws_s3_bucket_notification" "bucket_notification" {
count = var.event_notification_details.enabled ? 1 : 0
bucket = local.bucket_id

eventbridge = var.event_notification_details.eventbridge

dynamic "lambda_function" {
for_each = var.event_notification_details.lambda_list
content {
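Review bot: the `count = var.event_notification_details.enabled ? 1 : 0` line on the notification resource does not include `local.enabled`, unlike the other resources in this file (the new request-payment resource in this same commit uses `local.enabled && ...`), so disabling the module while leaving `event_notification_details.enabled = true` still attempts to create the notification against `local.bucket_id`. Suggest `count = local.enabled && var.event_notification_details.enabled ? 1 : 0`. The `eventbridge = var.event_notification_details.eventbridge` line itself is correct; the `//` to `#` comment swap is cosmetic and would be easier to review in its own commit.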
Expand Down Expand Up @@ -612,8 +615,8 @@ resource "aws_s3_bucket_notification" "bucket_notification" {
}
}

/// Directory Bucket
// https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_directory_bucket
# Directory Bucket
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_directory_bucket
resource "aws_s3_directory_bucket" "default" {
count = local.enabled && var.s3_directory_bucket_enabled ? 1 : 0
bucket = local.directory_bucket_name
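Review bot: style-only change in this hunk; `#` is the idiomatic Terraform single-line comment marker and the stray `///` was inconsistent, so the swap is an improvement, but it is unrelated to the feature and belongs in a separate formatting commit.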
Expand All @@ -623,3 +626,11 @@ resource "aws_s3_directory_bucket" "default" {
name = var.availability_zone_id
}
}

resource "aws_s3_bucket_request_payment_configuration" "default" {
count = local.enabled && var.s3_request_payment_configuration.enabled ? 1 : 0

bucket = local.bucket_id
expected_bucket_owner = var.s3_request_payment_configuration.expected_bucket_owner
payer = lower(var.s3_request_payment_configuration.payer) == "requester" ? "Requester" : "BucketOwner"
}
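Review bot: `expected_bucket_owner` on the new resource is read only from `var.s3_request_payment_configuration.expected_bucket_owner`, not from the module-level `expected_bucket_owner` input that the README already documents, so a caller who set the top-level owner condition gets no ownership check on this resource unless they repeat the account ID inside the object. Suggest falling back to the module-level value when the object's field is null (e.g. `try(coalesce(var.s3_request_payment_configuration.expected_bucket_owner, var.expected_bucket_owner), null)`) and documenting which one wins. The `lower(...) == "requester" ? "Requester" : "BucketOwner"` normalisation is fine given the validation in variables.tf, but it silently maps anything that is not `requester` to `BucketOwner`, so the two must stay in lockstep if more values are ever accepted.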
9 changes: 3 additions & 6 deletions replication.tf
@@ -1,11 +1,7 @@
locals {
replication_role = format("%s-replication", local.bucket_name)
}

resource "aws_iam_role" "replication" {
count = local.replication_enabled ? 1 : 0

name = local.replication_role
name = format("%s-replication", local.bucket_name)
assume_role_policy = data.aws_iam_policy_document.replication_sts[0].json
permissions_boundary = var.s3_replication_permissions_boundary_arn

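Review bot: with the `locals` block removed, `name = format("%s-replication", local.bucket_name)` is now the single definition of the role name, which is fine, but the computed name can exceed the 64-character IAM role name limit: S3 bucket names may be up to 63 characters and the `-replication` suffix adds 12. Suggest `name_prefix` or an explicit truncation so long bucket names do not fail at apply time.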
Expand All @@ -32,7 +28,7 @@ data "aws_iam_policy_document" "replication_sts" {
resource "aws_iam_policy" "replication" {
count = local.replication_enabled ? 1 : 0

name = local.replication_role
name = aws_iam_role.replication[0].name
policy = data.aws_iam_policy_document.replication[0].json

tags = module.this.tags
Expand Down Expand Up @@ -68,6 +64,7 @@ data "aws_iam_policy_document" "replication" {
resources = toset(concat(
try(length(var.s3_replica_bucket_arn), 0) > 0 ? ["${var.s3_replica_bucket_arn}/*"] : [],
[for rule in local.s3_replication_rules : "${rule.destination_bucket}/*" if try(length(rule.destination_bucket), 0) > 0],
[for rule in local.s3_replication_rules : "${rule.destination.bucket}/*" if try(length(rule.destination.bucket), 0) > 0],
))
}
}
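Review bot: the added `rule.destination.bucket` line grants `/*` write access to the nested destination in addition to the legacy `rule.destination_bucket`, but the README states the nested value takes priority when both are set. If a caller sets both to different ARNs, the replication role receives permissions on a bucket the rule never replicates to. Suggest resolving the effective destination once (nested value, falling back to the legacy one, with the same `try(length(...), 0) > 0` guard) and granting only that, which keeps the role at least privilege. `toset` already dedupes the common case where both hold the same ARN.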
22 changes: 20 additions & 2 deletions variables.tf
Expand Up @@ -466,9 +466,11 @@ variable "expected_bucket_owner" {
More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html
EOT
}

variable "event_notification_details" {
type = object({
enabled = bool
enabled = bool
eventbridge = optional(bool, false)
lambda_list = optional(list(object({
lambda_function_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
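Review bot: `eventbridge = optional(bool, false)` is added without any documentation of its effect. The `aws_s3_bucket_notification` `eventbridge` argument turns on EventBridge delivery of the bucket's events, and it works alongside (not instead of) the `lambda_list`, `queue_list` and `topic_list` targets, so the variable `description` should say that; the README and docs/terraform.md tables in this commit are generated from it and currently carry only "S3 event notification details".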
Expand All @@ -485,11 +487,27 @@ variable "event_notification_details" {
topic_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
})), [])
})
description = "S3 event notification details"
default = {
enabled = false
}
}

variable "s3_request_payment_configuration" {
type = object({
enabled = bool
expected_bucket_owner = optional(string)
payer = string
})
description = "(optional) S3 event notification details"
description = "S3 request payment configuration"
default = {
enabled = false
payer = "BucketOwner"
}
validation {
condition = contains(["bucketowner", "requester"], lower(var.s3_request_payment_configuration.payer))
error_message = "The s3 request payment config's payer must be either BucketOwner or Requester"
}
}
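Review bot: `payer = string` in the object type is required, so a caller who writes `s3_request_payment_configuration = { enabled = true }` gets a type error instead of the `BucketOwner` value shown in `default`; suggest `payer = optional(string, "BucketOwner")` so the default applies per attribute. The validation on `lower(var.s3_request_payment_configuration.payer)` correctly restricts the value to the two payers S3 accepts; consider listing those values in the `description` as well.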

