Allow user to enable S3 Transfer Acceleration (#98)

* Allow user to enable S3 Transfer Acceleration * Disable a security alert related to bucket encryption * Auto Format * Enable transfer acceleration in examples/complete Co-authored-by: cloudpossebot <[email protected]>
cloudposse · Jul 20, 2021 · 3c2cde9 · 3c2cde9
1 parent 8aed497
commit 3c2cde9
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -289,6 +289,7 @@ Available targets:
 | <a name="input_sse_algorithm"></a> [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"AES256"` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+| <a name="input_transfer_acceleration_enabled"></a> [transfer\_acceleration\_enabled](#input\_transfer\_acceleration\_enabled) | Set this to true to enable S3 Transfer Acceleration for the bucket. | `bool` | `false` | no |
 | <a name="input_user_enabled"></a> [user\_enabled](#input\_user\_enabled) | Set to `true` to create an IAM user with permission to access the bucket | `bool` | `false` | no |
 | <a name="input_versioning_enabled"></a> [versioning\_enabled](#input\_versioning\_enabled) | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no |
 | <a name="input_website_inputs"></a> [website\_inputs](#input\_website\_inputs) | Specifies the static website hosting configuration object. | <pre>list(object({<br>    index_document           = string<br>    error_document           = string<br>    redirect_all_requests_to = string<br>    routing_rules            = string<br>  }))</pre> | `null` | no |

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -80,6 +80,7 @@
 | <a name="input_sse_algorithm"></a> [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"AES256"` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+| <a name="input_transfer_acceleration_enabled"></a> [transfer\_acceleration\_enabled](#input\_transfer\_acceleration\_enabled) | Set this to true to enable S3 Transfer Acceleration for the bucket. | `bool` | `false` | no |
 | <a name="input_user_enabled"></a> [user\_enabled](#input\_user\_enabled) | Set to `true` to create an IAM user with permission to access the bucket | `bool` | `false` | no |
 | <a name="input_versioning_enabled"></a> [versioning\_enabled](#input\_versioning\_enabled) | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no |
 | <a name="input_website_inputs"></a> [website\_inputs](#input\_website\_inputs) | Specifies the static website hosting configuration object. | <pre>list(object({<br>    index_document           = string<br>    error_document           = string<br>    redirect_all_requests_to = string<br>    routing_rules            = string<br>  }))</pre> | `null` | no |

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -5,21 +5,22 @@ provider "aws" {
 module "s3_bucket" {
   source = "../../"
 
-  user_enabled                 = var.user_enabled
-  acl                          = var.acl
-  force_destroy                = var.force_destroy
-  grants                       = var.grants
-  lifecycle_rules              = var.lifecycle_rules
-  versioning_enabled           = var.versioning_enabled
-  allow_encrypted_uploads_only = var.allow_encrypted_uploads_only
-  allowed_bucket_actions       = var.allowed_bucket_actions
-  bucket_name                  = var.bucket_name
-  object_lock_configuration    = var.object_lock_configuration
-  s3_replication_enabled       = local.replication_enabled
-  s3_replica_bucket_arn        = join("", module.s3_bucket_replication_target.*.bucket_arn)
-  s3_replication_rules         = local.s3_replication_rules
-  privileged_principal_actions = var.privileged_principal_actions
-  privileged_principal_arns    = local.privileged_principal_arns
+  user_enabled                  = var.user_enabled
+  acl                           = var.acl
+  force_destroy                 = var.force_destroy
+  grants                        = var.grants
+  lifecycle_rules               = var.lifecycle_rules
+  versioning_enabled            = var.versioning_enabled
+  allow_encrypted_uploads_only  = var.allow_encrypted_uploads_only
+  allowed_bucket_actions        = var.allowed_bucket_actions
+  bucket_name                   = var.bucket_name
+  object_lock_configuration     = var.object_lock_configuration
+  s3_replication_enabled        = local.replication_enabled
+  s3_replica_bucket_arn         = join("", module.s3_bucket_replication_target.*.bucket_arn)
+  s3_replication_rules          = local.s3_replication_rules
+  privileged_principal_actions  = var.privileged_principal_actions
+  privileged_principal_arns     = local.privileged_principal_arns
+  transfer_acceleration_enabled = true
 
   context = module.this.context
 }
diff --git a/main.tf b/main.tf
@@ -14,11 +14,13 @@ resource "aws_s3_bucket" "default" {
   #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
   #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov
   #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` because variables are not understood
-  count         = local.enabled ? 1 : 0
-  bucket        = local.bucket_name
-  acl           = try(length(var.grants), 0) == 0 ? var.acl : null
-  force_destroy = var.force_destroy
-  tags          = module.this.tags
+  #bridgecrew:skip=BC_AWS_GENERAL_56:Skipping `Ensure that S3 buckets are encrypted with KMS by default` because we do not have good defaults
+  count               = local.enabled ? 1 : 0
+  bucket              = local.bucket_name
+  acl                 = try(length(var.grants), 0) == 0 ? var.acl : null
+  force_destroy       = var.force_destroy
+  tags                = module.this.tags
+  acceleration_status = var.transfer_acceleration_enabled ? "Enabled" : null
 
   versioning {
     enabled = var.versioning_enabled

diff --git a/variables.tf b/variables.tf
@@ -272,3 +272,9 @@ variable "privileged_principal_actions" {
   default     = []
   description = "List of actions to permit `privileged_principal_arns` to perform on bucket and bucket prefixes (see `privileged_principal_arns`)"
 }
+
+variable "transfer_acceleration_enabled" {
+  type        = bool
+  default     = false
+  description = "Set this to true to enable S3 Transfer Acceleration for the bucket."
+}