diff --git a/.gitignore b/.gitignore index 1fef4ab9..0bfaeffb 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,11 @@ # .tfvars files *.tfvars + +# IDE files +.idea +*.iml + +# Build harness files +.build-harness +build-harness \ No newline at end of file diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 00000000..b7cf9010 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,16 @@ +addons: + apt: + packages: + - git + - make + - curl + +install: + - make init + +script: + - make terraform/install + - make terraform/get-plugins + - make terraform/get-modules + - make terraform/lint + - make terraform/validate \ No newline at end of file diff --git a/LICENSE b/LICENSE index 261eeb9e..101fd7cd 100644 --- a/LICENSE +++ b/LICENSE @@ -186,7 +186,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright [yyyy] [name of copyright owner] + Copyright 2019 Cloud Posse, LLC Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..655f6303 --- /dev/null +++ b/Makefile @@ -0,0 +1,10 @@ +SHELL := /bin/bash + +# List of targets the `readme` target should call before generating the readme +export README_DEPS ?= docs/targets.md docs/terraform.md + +-include $(shell curl -sSL -o .build-harness "https://git.io/build-harness"; echo .build-harness) + +## Lint terraform code +lint: + $(SELF) terraform/install terraform/get-modules terraform/get-plugins terraform/lint terraform/validate \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 00000000..badbcf3d --- /dev/null +++ b/README.md 
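Review bot: The `-include $(shell curl -sSL -o .build-harness "https://git.io/build-harness"; echo .build-harness)` line in the Makefile hunk fetches an unpinned Makefile through a URL shortener at parse time and includes it on every `make` run, so whoever controls that redirect or the upstream default branch can execute arbitrary commands in Travis and on every developer's machine. Pin the download to a tagged release of the build-harness repository and compare a known checksum before the include, or vendor the file into the repo (`.build-harness` is added to `.gitignore` in the same commit, which suggests it is always fetched fresh). `curl -s` without `-f` also turns an HTTP error into an empty or HTML `.build-harness` that the leading `-` on `include` then ignores silently; at minimum use `curl -fsSL`. The `.travis.yml` hunk inherits the same exposure through `make init`.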
@@ -0,0 +1,301 @@ + +[![README Header][readme_header_img]][readme_header_link] + +[![Cloud Posse][logo]](https://cpco.io/homepage) + +# terraform-aws-s3-bucket [![Build Status](https://travis-ci.org/cloudposse/terraform-aws-s3-bucket.svg?branch=master)](https://travis-ci.org/cloudposse/terraform-aws-s3-bucket) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-s3-bucket.svg)](https://github.com/cloudposse/terraform-aws-s3-bucket/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) + + +This module creates an S3 bucket with support of versioning, encryption, ACL and bucket object policy. +If `user_enabled` variable is set to `true`, the module will provision a basic IAM user with permissions to access the bucket. + +This basic IAM system user is suitable for CI/CD systems (_e.g._ TravisCI, CircleCI) or systems which are *external* to AWS that cannot leverage [AWS IAM Instance Profiles](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html). + +We do not recommend creating IAM users this way for any other purpose. + + +--- + +This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps. +[][share_email] +[][share_googleplus] +[][share_facebook] +[][share_reddit] +[][share_linkedin] +[][share_twitter] + + +[![Terraform Open Source Modules](https://docs.cloudposse.com/images/terraform-open-source-modules.svg)][terraform_modules] + + + +It's 100% Open Source and licensed under the [APACHE2](LICENSE). + + + + + + + +We literally have [*hundreds of terraform modules*][terraform_modules] that are Open Source and well-maintained. Check them out! 
+ + + + + + + +## Usage + +```hcl +module "s3_bucket" { + source = "git::https://github.com/cloudposse/terraform-aws-s3-bucket.git?ref=master" + enabled = "${var.enabled}" + user_enabled = "${var.user_enabled}" + versioning_enabled = "${var.versioning_enabled}" + allowed_bucket_actions = "${var.allowed_bucket_actions}" + name = "${var.name}" + stage = "${var.stage}" + namespace = "${var.namespace}" +} +``` + + + + + + +## Makefile Targets +``` +Available targets: + + help Help screen + help/all Display help for all targets + help/short This help short screen + lint Lint terraform code + +``` + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| acl | The canned ACL to apply. We recommend `private` to avoid exposing sensitive information | string | `private` | no | +| allowed_bucket_actions | List of actions the user is permitted to perform on the S3 bucket | list | `` | no | +| attributes | Additional attributes (e.g. `1`) | list | `` | no | +| delimiter | Delimiter to be used between `namespace`, `stage`, `name` and `attributes` | string | `-` | no | +| enabled | Set to `false` to prevent the module from creating any resources | string | `true` | no | +| force_destroy | A boolean string that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | string | `false` | no | +| kms_master_key_id | The AWS KMS master key ID used for the `SSE-KMS` encryption. This can only be used when you set the value of `sse_algorithm` as `aws:kms`. The default aws/s3 AWS KMS master key is used if this element is absent while the `sse_algorithm` is `aws:kms` | string | `` | no | +| name | Name (e.g. `app` or `db`) | string | - | yes | +| namespace | Namespace (e.g. `eg` or `cp`) | string | - | yes | +| policy | A valid bucket policy JSON document. 
Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. | string | `` | no | +| region | If specified, the AWS region this bucket should reside in. Otherwise, the region used by the callee. | string | `` | no | +| sse_algorithm | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | string | `AES256` | no | +| stage | Stage (e.g. `prod`, `dev`, `staging`) | string | - | yes | +| tags | Additional tags (e.g. `{ BusinessUnit = "XYZ" }` | map | `` | no | +| user_enabled | Set to `true` to create an S3 user with permission to access the bucket | string | `false` | no | +| versioning_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket. | string | `false` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| access_key_id | The access key ID | +| bucket_arn | Bucket ARN | +| bucket_domain_name | FQDN of bucket | +| bucket_id | Bucket Name (aka ID) | +| enabled | Is module enabled | +| s3_bucket_arn | S3 bucket ARN | +| secret_access_key | The secret access key. This will be written to the state file in plain-text | +| user_arn | The ARN assigned by AWS for the user | +| user_enabled | Is user creation enabled | +| user_name | Normalized IAM user name | +| user_unique_id | The user unique ID assigned by AWS | + + + + +## Share the Love + +Like this project? Please give it a ★ on [our GitHub](https://github.com/cloudposse/terraform-aws-s3-bucket)! (it helps us **a lot**) + +Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =) + + +## Related Projects + +Check out these related projects. 
+ +- [terraform-aws-cloudfront-s3-cdn](https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn) - Terraform module to easily provision CloudFront CDN backed by an S3 origin +- [terraform-aws-s3-website](https://github.com/cloudposse/terraform-aws-s3-website) - Terraform Module for Creating S3 backed Websites and Route53 DNS +- [terraform-aws-user-data-s3-backend](https://github.com/cloudposse/terraform-aws-user-data-s3-backend) - Terraform Module to Offload User Data to S3 +- [terraform-aws-s3-logs-athena-query](https://github.com/cloudposse/terraform-aws-s3-logs-athena-query) - A Terraform module that creates an Athena Database and Structure for querying S3 access logs +- [terraform-aws-lb-s3-bucket](https://github.com/cloudposse/terraform-aws-lb-s3-bucket) - Terraform module to provision an S3 bucket with built in IAM policy to allow AWS Load Balancers to ship access logs +- [terraform-aws-s3-log-storage](https://github.com/cloudposse/terraform-aws-s3-log-storage) - Terraform module creates an S3 bucket suitable for receiving logs from other AWS services such as S3, CloudFront, and CloudTrail + + + +## Help + +**Got a question?** + +File a GitHub [issue](https://github.com/cloudposse/terraform-aws-s3-bucket/issues), send us an [email][email] or join our [Slack Community][slack]. + +[![README Commercial Support][readme_commercial_support_img]][readme_commercial_support_link] + +## Commercial Support + +Work directly with our team of DevOps experts via email, slack, and video conferencing. + +We provide [*commercial support*][commercial_support] for all of our [Open Source][github] projects. As a *Dedicated Support* customer, you have access to our team of subject matter experts at a fraction of the cost of a full-time engineer. + +[![E-Mail](https://img.shields.io/badge/email-hello@cloudposse.com-blue.svg)][email] + +- **Questions.** We'll use a Shared Slack channel between your team and ours. 
+- **Troubleshooting.** We'll help you triage why things aren't working. +- **Code Reviews.** We'll review your Pull Requests and provide constructive feedback. +- **Bug Fixes.** We'll rapidly work to fix any bugs in our projects. +- **Build New Terraform Modules.** We'll [develop original modules][module_development] to provision infrastructure. +- **Cloud Architecture.** We'll assist with your cloud strategy and design. +- **Implementation.** We'll provide hands-on support to implement our reference architectures. + + + +## Terraform Module Development + +Are you interested in custom Terraform module development? Submit your inquiry using [our form][module_development] today and we'll get back to you ASAP. + + +## Slack Community + +Join our [Open Source Community][slack] on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure. + +## Newsletter + +Signup for [our newsletter][newsletter] that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover. + +## Contributing + +### Bug Reports & Feature Requests + +Please use the [issue tracker](https://github.com/cloudposse/terraform-aws-s3-bucket/issues) to report any bugs or file feature requests. + +### Developing + +If you are interested in being a contributor and want to get involved in developing this project or [help out](https://cpco.io/help-out) with our other projects, we would love to hear from you! Shoot us an [email][email]. + +In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow. + + 1. **Fork** the repo on GitHub + 2. **Clone** the project to your own machine + 3. **Commit** changes to your own branch + 4. 
**Push** your work back up to your fork + 5. Submit a **Pull Request** so that we can review your changes + +**NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request! + + +## Copyright + +Copyright © 2017-2019 [Cloud Posse, LLC](https://cpco.io/copyright) + + + +## License + +[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) + +See [LICENSE](LICENSE) for full details. + + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + + + + + + + + + +## Trademarks + +All other trademarks referenced herein are the property of their respective owners. + +## About + +This project is maintained and funded by [Cloud Posse, LLC][website]. Like it? Please let us know by [leaving a testimonial][testimonial]! + +[![Cloud Posse][logo]][website] + +We're a [DevOps Professional Services][hire] company based in Los Angeles, CA. We ❤️ [Open Source Software][we_love_open_source]. + +We offer [paid support][commercial_support] on all of our projects. + +Check out [our other projects][github], [follow us on twitter][twitter], [apply for a job][jobs], or [hire us][hire] to help with your cloud strategy and implementation. 
+ + + +### Contributors + +| [![Erik Osterman][osterman_avatar]][osterman_homepage]
[Erik Osterman][osterman_homepage] | [![Andriy Knysh][aknysh_avatar]][aknysh_homepage]
[Andriy Knysh][aknysh_homepage] | [![Maxim Mironenko][maximmi_avatar]][maximmi_homepage]
[Maxim Mironenko][maximmi_homepage] | [![Josh Myers][joshmyers_avatar]][joshmyers_homepage]
[Josh Myers][joshmyers_homepage] | +|---|---|---|---| + + [osterman_homepage]: https://github.com/osterman + [osterman_avatar]: https://github.com/osterman.png?size=150 + [aknysh_homepage]: https://github.com/aknysh + [aknysh_avatar]: https://github.com/aknysh.png?size=150 + [maximmi_homepage]: https://github.com/maximmi + [maximmi_avatar]: https://github.com/maximmi.png?size=150 + [joshmyers_homepage]: https://github.com/joshmyers + [joshmyers_avatar]: https://github.com/joshmyers.png?size=150 + + + +[![README Footer][readme_footer_img]][readme_footer_link] +[![Beacon][beacon]][website] + + [logo]: https://cloudposse.com/logo-300x69.svg + [docs]: https://cpco.io/docs + [website]: https://cpco.io/homepage + [github]: https://cpco.io/github + [jobs]: https://cpco.io/jobs + [hire]: https://cpco.io/hire + [slack]: https://cpco.io/slack + [linkedin]: https://cpco.io/linkedin + [twitter]: https://cpco.io/twitter + [testimonial]: https://cpco.io/leave-testimonial + [newsletter]: https://cpco.io/newsletter + [email]: https://cpco.io/email + [commercial_support]: https://cpco.io/commercial-support + [we_love_open_source]: https://cpco.io/we-love-open-source + [module_development]: https://cpco.io/module-development + [terraform_modules]: https://cpco.io/terraform-modules + [readme_header_img]: https://cloudposse.com/readme/header/img?repo=cloudposse/terraform-aws-s3-bucket + [readme_header_link]: https://cloudposse.com/readme/header/link?repo=cloudposse/terraform-aws-s3-bucket + [readme_footer_img]: https://cloudposse.com/readme/footer/img?repo=cloudposse/terraform-aws-s3-bucket + [readme_footer_link]: https://cloudposse.com/readme/footer/link?repo=cloudposse/terraform-aws-s3-bucket + [readme_commercial_support_img]: https://cloudposse.com/readme/commercial-support/img?repo=cloudposse/terraform-aws-s3-bucket + [readme_commercial_support_link]: https://cloudposse.com/readme/commercial-support/link?repo=cloudposse/terraform-aws-s3-bucket + [share_twitter]: 
https://twitter.com/intent/tweet/?text=terraform-aws-s3-bucket&url=https://github.com/cloudposse/terraform-aws-s3-bucket + [share_linkedin]: https://www.linkedin.com/shareArticle?mini=true&title=terraform-aws-s3-bucket&url=https://github.com/cloudposse/terraform-aws-s3-bucket + [share_reddit]: https://reddit.com/submit/?url=https://github.com/cloudposse/terraform-aws-s3-bucket + [share_facebook]: https://facebook.com/sharer/sharer.php?u=https://github.com/cloudposse/terraform-aws-s3-bucket + [share_googleplus]: https://plus.google.com/share?url=https://github.com/cloudposse/terraform-aws-s3-bucket + [share_email]: mailto:?subject=terraform-aws-s3-bucket&body=https://github.com/cloudposse/terraform-aws-s3-bucket + [beacon]: https://ga-beacon.cloudposse.com/UA-76589703-4/cloudposse/terraform-aws-s3-bucket?pixel&cs=github&cm=readme&an=terraform-aws-s3-bucket diff --git a/README.yaml b/README.yaml new file mode 100644 index 00000000..a3d0d1dd --- /dev/null +++ b/README.yaml 
@@ -0,0 +1,104 @@ +--- +# +# This is the canonical configuration for the `README.md` +# Run `make readme` to rebuild the `README.md` +# + +# Name of this project +name: terraform-aws-s3-bucket + +# Tags of this project +tags: + - aws + - terraform + - terraform-modules + - s3 + - bucket + - glacier + - standard + - versioning + +# Categories of this project +categories: + - terraform-modules/storage + +# Logo for this project +#logo: docs/logo.png + +# License of this project +license: "APACHE2" + +# Canonical GitHub repo +github_repo: cloudposse/terraform-aws-s3-bucket + +# Badges to display +badges: + - name: "Build Status" + image: "https://travis-ci.org/cloudposse/terraform-aws-s3-bucket.svg?branch=master" + url: "https://travis-ci.org/cloudposse/terraform-aws-s3-bucket" + - name: "Latest Release" + image: "https://img.shields.io/github/release/cloudposse/terraform-aws-s3-bucket.svg" + url: "https://github.com/cloudposse/terraform-aws-s3-bucket/releases/latest" + - name: "Slack Community" + image: "https://slack.cloudposse.com/badge.svg" + url: "https://slack.cloudposse.com" + +related: + - name: "terraform-aws-cloudfront-s3-cdn" + description: "Terraform module to easily provision CloudFront CDN backed by an S3 origin" + url: "https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn" + - name: "terraform-aws-s3-website" + description: "Terraform Module for Creating S3 backed Websites and Route53 DNS" + url: "https://github.com/cloudposse/terraform-aws-s3-website" + - name: "terraform-aws-user-data-s3-backend" + description: "Terraform Module to Offload User Data to S3" + url: "https://github.com/cloudposse/terraform-aws-user-data-s3-backend" + - name: "terraform-aws-s3-logs-athena-query" + description: "A Terraform module that creates an Athena Database and Structure for querying S3 access logs" + url: "https://github.com/cloudposse/terraform-aws-s3-logs-athena-query" + - name: "terraform-aws-lb-s3-bucket" + description: "Terraform module to provision an 
S3 bucket with built in IAM policy to allow AWS Load Balancers to ship access logs" + url: "https://github.com/cloudposse/terraform-aws-lb-s3-bucket" + - name: "terraform-aws-s3-log-storage" + description: "Terraform module creates an S3 bucket suitable for receiving logs from other AWS services such as S3, CloudFront, and CloudTrail" + url: "https://github.com/cloudposse/terraform-aws-s3-log-storage" + + +# Short description of this project +description: |- + This module creates an S3 bucket with support of versioning, encryption, ACL and bucket object policy. + If `user_enabled` variable is set to `true`, the module will provision a basic IAM user with permissions to access the bucket. + + This basic IAM system user is suitable for CI/CD systems (_e.g._ TravisCI, CircleCI) or systems which are *external* to AWS that cannot leverage [AWS IAM Instance Profiles](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html). + + We do not recommend creating IAM users this way for any other purpose. + +# How to use this project +usage: |- + ```hcl + module "s3_bucket" { + source = "git::https://github.com/cloudposse/terraform-aws-s3-bucket.git?ref=master" + enabled = "${var.enabled}" + user_enabled = "${var.user_enabled}" + versioning_enabled = "${var.versioning_enabled}" + allowed_bucket_actions = "${var.allowed_bucket_actions}" + name = "${var.name}" + stage = "${var.stage}" + namespace = "${var.namespace}" + } + ``` + +include: + - "docs/targets.md" + - "docs/terraform.md" + +# Contributors to this project +contributors: + - name: "Erik Osterman" + github: "osterman" + - name: "Andriy Knysh" + github: "aknysh" + - name: "Maxim Mironenko" + github: "maximmi" + - name: "Josh Myers" + github: "joshmyers" diff --git a/docs/targets.md b/docs/targets.md new file mode 100644 index 00000000..3d4be2a7 --- /dev/null +++ b/docs/targets.md 
@@ -0,0 +1,10 @@ +## Makefile Targets +``` +Available targets: + + help Help screen + help/all Display help for all targets + help/short This help short screen + lint Lint terraform code + +``` diff --git a/docs/terraform.md b/docs/terraform.md new file mode 100644 index 00000000..d6ffe83a --- /dev/null +++ b/docs/terraform.md 
@@ -0,0 +1,38 @@ + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| acl | The canned ACL to apply. We recommend `private` to avoid exposing sensitive information | string | `private` | no | +| allowed_bucket_actions | List of actions the user is permitted to perform on the S3 bucket | list | `` | no | +| attributes | Additional attributes (e.g. `1`) | list | `` | no | +| delimiter | Delimiter to be used between `namespace`, `stage`, `name` and `attributes` | string | `-` | no | +| enabled | Set to `false` to prevent the module from creating any resources | string | `true` | no | +| force_destroy | A boolean string that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | string | `false` | no | +| kms_master_key_id | The AWS KMS master key ID used for the `SSE-KMS` encryption. This can only be used when you set the value of `sse_algorithm` as `aws:kms`. The default aws/s3 AWS KMS master key is used if this element is absent while the `sse_algorithm` is `aws:kms` | string | `` | no | +| name | Name (e.g. `app` or `db`) | string | - | yes | +| namespace | Namespace (e.g. `eg` or `cp`) | string | - | yes | +| policy | A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. | string | `` | no | +| region | If specified, the AWS region this bucket should reside in. Otherwise, the region used by the callee. | string | `` | no | +| sse_algorithm | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | string | `AES256` | no | +| stage | Stage (e.g. `prod`, `dev`, `staging`) | string | - | yes | +| tags | Additional tags (e.g. 
`{ BusinessUnit = "XYZ" }` | map | `` | no |
+| user_enabled | Set to `true` to create an S3 user with permission to access the bucket | string | `false` | no |
+| versioning_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket. | string | `false` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| access_key_id | The access key ID |
+| bucket_arn | Bucket ARN |
+| bucket_domain_name | FQDN of bucket |
+| bucket_id | Bucket Name (aka ID) |
+| enabled | Is module enabled |
+| s3_bucket_arn | S3 bucket ARN |
+| secret_access_key | The secret access key. This will be written to the state file in plain-text |
+| user_arn | The ARN assigned by AWS for the user |
+| user_enabled | Is user creation enabled |
+| user_name | Normalized IAM user name |
+| user_unique_id | The user unique ID assigned by AWS |
+
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
new file mode 100644
index 00000000..566b987e
--- /dev/null
+++ b/examples/basic/main.tf
@@ -0,0 +1,9 @@
+module "s3_bucket" {
+ source = "../../"
+ enabled = "true"
+ name = "s3-bucket"
+ stage = "test"
+ namespace = "example"
+ versioning_enabled = "true"
+ user_enabled = "true"
+}
diff --git a/examples/basic/outputs.tf b/examples/basic/outputs.tf
new file mode 100644
index 00000000..328235dc
--- /dev/null
+++ b/examples/basic/outputs.tf
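Review bot: `user_enabled = "true"` in the `examples/basic/main.tf` hunk means every CI run of the example mints a long-lived IAM access key, and because the example also sets `versioning_enabled = "true"` while leaving `force_destroy` at its `false` default, a bucket that ever receives an object cannot be torn down by `terraform destroy` without manual cleanup. For a throwaway test fixture add `force_destroy = "true"` and a comment such as `# Example only: creates an IAM user with a static access key; do not reuse in production`.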
@@ -0,0 +1,41 @@
+output "bucket_domain_name" {
+ value = "${module.s3_bucket.bucket_domain_name}"
+ description = "FQDN of bucket"
+}
+
+output "bucket_id" {
+ value = "${module.s3_bucket.bucket_id}"
+ description = "Bucket Name (aka ID)"
+}
+
+output "bucket_arn" {
+ value = "${module.s3_bucket.bucket_arn}"
+ description = "Bucket ARN"
+}
+
+output "user_name" {
+ value = "${module.s3_bucket.user_name}"
+ description = "Normalized IAM user name"
+}
+
+output "user_arn" {
+ value = "${module.s3_bucket.user_arn}"
+ description = "The ARN assigned by AWS for the user"
+}
+
+output "user_unique_id" {
+ value = "${module.s3_bucket.user_unique_id}"
+ description = "The user unique ID assigned by AWS"
+}
+
+output "access_key_id" {
+ value = "${module.s3_bucket.access_key_id}"
+ description = "The access key ID"
+ sensitive = true
+}
+
+output "secret_access_key" {
+ value = "${module.s3_bucket.secret_access_key}"
+ description = "The secret access key. This will be written to the state file in plain-text"
+ sensitive = true
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 00000000..efcee0a2
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,48 @@
+module "default_label" {
+ source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3"
+ enabled = "${var.enabled}"
+ namespace = "${var.namespace}"
+ stage = "${var.stage}"
+ name = "${var.name}"
+ delimiter = "${var.delimiter}"
+ attributes = "${var.attributes}"
+ tags = "${var.tags}"
+}
+
+resource "aws_s3_bucket" "default" {
+ count = "${var.enabled == "true" ? 1 : 0}"
+ bucket = "${module.default_label.id}"
+ acl = "${var.acl}"
+ region = "${var.region}"
+ force_destroy = "${var.force_destroy}"
+ policy = "${var.policy}"
+
+ versioning {
+ enabled = "${var.versioning_enabled}"
+ }
+
+ # https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
+ # https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#enable-default-server-side-encryption
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "${var.sse_algorithm}"
+ kms_master_key_id = "${var.kms_master_key_id}"
+ }
+ }
+ }
+
+ tags = "${module.default_label.tags}"
+}
+
+module "s3_user" {
+ source = "git::https://github.com/cloudposse/terraform-aws-iam-s3-user.git?ref=tags/0.3.1"
+ namespace = "${var.namespace}"
+ stage = "${var.stage}"
+ name = "${var.name}"
+ attributes = "${var.attributes}"
+ tags = "${var.tags}"
+ enabled = "${var.enabled == "true" && var.user_enabled == "true" ? "true" : "false"}"
+ s3_actions = ["${var.allowed_bucket_actions}"]
+ s3_resources = ["${aws_s3_bucket.default.arn}/*", "${aws_s3_bucket.default.arn}"]
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 00000000..3ea27330
--- /dev/null
+++ b/outputs.tf
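Review bot: `s3_resources = ["${aws_s3_bucket.default.arn}/*", "${aws_s3_bucket.default.arn}"]` at the end of the `s3_user` module block references the counted bucket without a splat, so with `enabled = "false"` (count 0) Terraform 0.11 should fail at plan time with a "not found for variable" error instead of creating nothing, even though the user module itself is disabled; outputs.tf already guards the same attribute with `join("", aws_s3_bucket.default.*.arn)`. Change it to `s3_resources = ["${join("", aws_s3_bucket.default.*.arn)}/*", "${join("", aws_s3_bucket.default.*.arn)}"]`. On the bucket itself, `acl = "${var.acl}"` and `policy = "${var.policy}"` are passed through unchecked and there is no `aws_s3_bucket_public_access_block`, so nothing in the module stops a caller from exposing the bucket with `public-read` or a wildcard-principal policy; consider adding a public-access-block resource gated on the same `count`, or state in the README that public exposure is left entirely to the caller.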
@@ -0,0 +1,56 @@
+output "bucket_domain_name" {
+ value = "${var.enabled == "true" ? join("", aws_s3_bucket.default.*.bucket_domain_name) : ""}"
+ description = "FQDN of bucket"
+}
+
+output "bucket_id" {
+ value = "${var.enabled == "true" ? join("", aws_s3_bucket.default.*.id) : ""}"
+ description = "Bucket Name (aka ID)"
+}
+
+output "bucket_arn" {
+ value = "${var.enabled == "true" ? join("", aws_s3_bucket.default.*.arn) : ""}"
+ description = "Bucket ARN"
+}
+
+output "enabled" {
+ value = "${var.enabled}"
+ description = "Is module enabled"
+}
+
+output "user_enabled" {
+ value = "${var.user_enabled}"
+ description = "Is user creation enabled"
+}
+
+output "user_name" {
+ value = "${module.s3_user.user_name}"
+ description = "Normalized IAM user name"
+}
+
+output "user_arn" {
+ value = "${module.s3_user.user_arn}"
+ description = "The ARN assigned by AWS for the user"
+}
+
+output "user_unique_id" {
+ value = "${module.s3_user.user_unique_id}"
+ description = "The user unique ID assigned by AWS"
+}
+
+output "access_key_id" {
+ sensitive = true
+ value = "${module.s3_user.access_key_id}"
+ description = "The access key ID"
+}
+
+output "secret_access_key" {
+ sensitive = true
+ value = "${module.s3_user.secret_access_key}"
+ description = "The secret access key. This will be written to the state file in plain-text"
+}
+
+output "s3_bucket_arn" {
+ value = "${aws_s3_bucket.default.arn}"
+ description = "S3 bucket ARN"
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 00000000..254fff09
--- /dev/null
+++ b/variables.tf
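Review bot: `value = "${aws_s3_bucket.default.arn}"` in the `s3_bucket_arn` output is the only bucket output that bypasses the `var.enabled == "true" ? join("", aws_s3_bucket.default.*.arn) : ""` guard the others use, so it will error when `enabled = "false"`, and it duplicates `bucket_arn` anyway. Either drop it or make it `value = "${var.enabled == "true" ? join("", aws_s3_bucket.default.*.arn) : ""}"`. The `secret_access_key` description correctly warns that the key lands in state in plain text; it would help to also say that `sensitive = true` only redacts CLI output, e.g. `description = "The secret access key. sensitive = true only hides it from CLI output; it is written to the state file in plain-text, so protect the state backend"`.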
@@ -0,0 +1,92 @@
+variable "namespace" {
+ type = "string"
+ description = "Namespace (e.g. `eg` or `cp`)"
+}
+
+variable "stage" {
+ type = "string"
+ description = "Stage (e.g. `prod`, `dev`, `staging`)"
+}
+
+variable "name" {
+ type = "string"
+ description = "Name (e.g. `app` or `db`)"
+}
+
+variable "delimiter" {
+ type = "string"
+ default = "-"
+ description = "Delimiter to be used between `namespace`, `stage`, `name` and `attributes`"
+}
+
+variable "attributes" {
+ type = "list"
+ default = []
+ description = "Additional attributes (e.g. `1`)"
+}
+
+variable "tags" {
+ type = "map"
+ default = {}
+ description = "Additional tags (e.g. `{ BusinessUnit = \"XYZ\" }`"
+}
+
+variable "acl" {
+ type = "string"
+ default = "private"
+ description = "The canned ACL to apply. We recommend `private` to avoid exposing sensitive information"
+}
+
+variable "policy" {
+ type = "string"
+ default = ""
+ description = "A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy."
+}
+
+variable "region" {
+ type = "string"
+ default = ""
+ description = "If specified, the AWS region this bucket should reside in. Otherwise, the region used by the callee."
+}
+
+variable "force_destroy" {
+ type = "string"
+ default = "false"
+ description = "A boolean string that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable."
+}
+
+variable "versioning_enabled" {
+ type = "string"
+ default = "false"
+ description = "A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket."
+}
+
+variable "sse_algorithm" {
+ type = "string"
+ default = "AES256"
+ description = "The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms`"
+}
+
+variable "kms_master_key_id" {
+ type = "string"
+ default = ""
+ description = "The AWS KMS master key ID used for the `SSE-KMS` encryption. This can only be used when you set the value of `sse_algorithm` as `aws:kms`. The default aws/s3 AWS KMS master key is used if this element is absent while the `sse_algorithm` is `aws:kms`"
+}
+
+variable "enabled" {
+ type = "string"
+ description = "Set to `false` to prevent the module from creating any resources"
+ default = "true"
+}
+
+variable "user_enabled" {
+ type = "string"
+ default = "false"
+ description = "Set to `true` to create an S3 user with permission to access the bucket"
+}
+
+variable "allowed_bucket_actions" {
+ type = "list"
+ default = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation", "s3:AbortMultipartUpload"]
+ description = "List of actions the user is permitted to perform on the S3 bucket"
+}
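Review bot: The `allowed_bucket_actions` default at the end of the hunk includes `s3:PutObjectAcl`, which lets the CI user set `public-read` on individual objects regardless of the bucket keeping the recommended `private` ACL, so a leaked CI key can publish bucket contents object by object. Since the README positions this user as a minimal CI identity, either remove `s3:PutObjectAcl` from the default or state the consequence in the description, e.g. `description = "List of actions the user is permitted to perform on the S3 bucket. The default includes s3:PutObjectAcl, which allows the user to make individual objects public; remove it if objects must stay private"`. The `acl` description recommends `private` but nothing validates the value (Terraform 0.11 has no variable validation), so that description should also say the module does not block public ACLs.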