From af9daed176f5e30a5dc27b45444d0a45312dec84 Mon Sep 17 00:00:00 2001
From: Alex Jurkiewicz
Date: Mon, 19 Jul 2021 19:51:58 +1000
Subject: [PATCH 1/4] Allow user to enable S3 Transfer Acceleration
---
 main.tf | 11 ++++++-----
 variables.tf | 6 ++++++
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/main.tf b/main.tf
index de580519..2bb03f7f 100644
--- a/main.tf
+++ b/main.tf
@@ -14,11 +14,12 @@ resource "aws_s3_bucket" "default" {
 #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
 #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov
 #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` because variables are not understood
- count = local.enabled ? 1 : 0
- bucket = local.bucket_name
- acl = try(length(var.grants), 0) == 0 ? var.acl : null
- force_destroy = var.force_destroy
- tags = module.this.tags
+ count = local.enabled ? 1 : 0
+ bucket = local.bucket_name
+ acl = try(length(var.grants), 0) == 0 ? var.acl : null
+ force_destroy = var.force_destroy
+ tags = module.this.tags
+ acceleration_status = var.transfer_acceleration_enabled ? "Enabled" : null
 versioning {
 enabled = var.versioning_enabled
diff --git a/variables.tf b/variables.tf
index 3692d76a..631397aa 100644
--- a/variables.tf
+++ b/variables.tf
@@ -272,3 +272,9 @@ variable "privileged_principal_actions" {
 default = []
 description = "List of actions to permit `privileged_principal_arns` to perform on bucket and bucket prefixes (see `privileged_principal_arns`)"
 }
+
+variable "transfer_acceleration_enabled" {
+ type = bool
+ default = false
+ description = "Set this to true to enable S3 Transfer Acceleration for the bucket."
+}
From 93385e63ccbf3c5788243fbc578df235722f43e3 Mon Sep 17 00:00:00 2001
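Review bot: The new `acceleration_status = var.transfer_acceleration_enabled ? "Enabled" : null` line only ever turns acceleration on: with the variable at `false` the attribute is null, and a null optional attribute is left unmanaged by Terraform, so a bucket that was accelerated earlier (or enabled outside Terraform) keeps serving through the accelerate endpoint while the configuration says it is off (confirm against the provider version the module pins, but that is how optional-plus-computed attributes behave). An explicit two-state mapping, `acceleration_status = var.transfer_acceleration_enabled ? "Enabled" : "Suspended"`, would make the variable authoritative; if that is rejected for existing buckets whose names contain dots (Transfer Acceleration does not support such names, as far as I know), the limitation belongs in the description of the new variable in this patch's variables.tf hunk, e.g. `Set this to true to enable S3 Transfer Acceleration for the bucket. Setting it back to false does not suspend acceleration that is already enabled.`. The `aws_s3_bucket.default` resource starts above this hunk and continues below it.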
From: Alex Jurkiewicz
Date: Mon, 19 Jul 2021 19:59:45 +1000
Subject: [PATCH 2/4] Disable a security alert related to bucket encryption
---
 main.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/main.tf b/main.tf
index 2bb03f7f..71f9e994 100644
--- a/main.tf
+++ b/main.tf
@@ -14,6 +14,7 @@ resource "aws_s3_bucket" "default" {
 #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
 #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov
 #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` because variables are not understood
+ #bridgecrew:skip=BC_AWS_GENERAL_56:Skipping `Ensure that S3 buckets are encrypted with KMS by default` because we do not have good defaults
 count = local.enabled ? 1 : 0
 bucket = local.bucket_name
 acl = try(length(var.grants), 0) == 0 ? var.acl : null
From 3f68ed46cee028097e1bfa929a2c56f194eda4fa Mon Sep 17 00:00:00 2001
From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
Date: Mon, 19 Jul 2021 10:01:36 +0000
Subject: [PATCH 3/4] Auto Format
---
 README.md | 1 +
 docs/terraform.md | 1 +
 2 files changed, 2 insertions(+)
diff --git a/README.md b/README.md
index c9d7b25e..673d3e53 100644
--- a/README.md
+++ b/README.md
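Review bot: The justification on the added skip line, `because we do not have good defaults`, records neither what the bucket's encryption default actually is nor why KMS-by-default is not wanted, so the suppression cannot be reassessed by the next person auditing these skips. The README hunk in patch 3 of this series shows `sse_algorithm` defaulting to `AES256` with `aws:kms` as the alternative, so the concrete reason appears to be that the module defaults to SSE-S3 and leaves KMS as an opt-in. Suggest replacing the reason clause with `because the module defaults sse_algorithm to AES256 (SSE-S3) and KMS is opt-in via sse_algorithm = "aws:kms"`, keeping the rest of the line as is. The `aws_s3_bucket.default` resource starts above this hunk and continues below it.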
@@ -289,6 +289,7 @@ Available targets:
 | [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"AES256"` | no |
 | [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+| [transfer\_acceleration\_enabled](#input\_transfer\_acceleration\_enabled) | Set this to true to enable S3 Transfer Acceleration for the bucket. | `bool` | `false` | no |
 | [user\_enabled](#input\_user\_enabled) | Set to `true` to create an IAM user with permission to access the bucket | `bool` | `false` | no |
 | [versioning\_enabled](#input\_versioning\_enabled) | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no |
 | [website\_inputs](#input\_website\_inputs) | Specifies the static website hosting configuration object. |
list(object({
index_document = string
error_document = string
redirect_all_requests_to = string
routing_rules = string
}))
| `null` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 12f25ddd..25933322 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -80,6 +80,7 @@
 | [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"AES256"` | no |
 | [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+| [transfer\_acceleration\_enabled](#input\_transfer\_acceleration\_enabled) | Set this to true to enable S3 Transfer Acceleration for the bucket. | `bool` | `false` | no |
 | [user\_enabled](#input\_user\_enabled) | Set to `true` to create an IAM user with permission to access the bucket | `bool` | `false` | no |
 | [versioning\_enabled](#input\_versioning\_enabled) | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no |
 | [website\_inputs](#input\_website\_inputs) | Specifies the static website hosting configuration object. |
list(object({
index_document = string
error_document = string
redirect_all_requests_to = string
routing_rules = string
}))
| `null` | no |
From 11ea2f40df8ed4585cd4559aafe3cb47521b9161 Mon Sep 17 00:00:00 2001
From: Alex Jurkiewicz
Date: Tue, 20 Jul 2021 11:24:27 +1000
Subject: [PATCH 4/4] Enable transfer acceleration in examples/complete
---
 examples/complete/main.tf | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 31ac8d81..c9109f31 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -5,21 +5,22 @@ provider "aws" {
 module "s3_bucket" {
 source = "../../"
- user_enabled = var.user_enabled
- acl = var.acl
- force_destroy = var.force_destroy
- grants = var.grants
- lifecycle_rules = var.lifecycle_rules
- versioning_enabled = var.versioning_enabled
- allow_encrypted_uploads_only = var.allow_encrypted_uploads_only
- allowed_bucket_actions = var.allowed_bucket_actions
- bucket_name = var.bucket_name
- object_lock_configuration = var.object_lock_configuration
- s3_replication_enabled = local.replication_enabled
- s3_replica_bucket_arn = join("", module.s3_bucket_replication_target.*.bucket_arn)
- s3_replication_rules = local.s3_replication_rules
- privileged_principal_actions = var.privileged_principal_actions
- privileged_principal_arns = local.privileged_principal_arns
+ user_enabled = var.user_enabled
+ acl = var.acl
+ force_destroy = var.force_destroy
+ grants = var.grants
+ lifecycle_rules = var.lifecycle_rules
+ versioning_enabled = var.versioning_enabled
+ allow_encrypted_uploads_only = var.allow_encrypted_uploads_only
+ allowed_bucket_actions = var.allowed_bucket_actions
+ bucket_name = var.bucket_name
+ object_lock_configuration = var.object_lock_configuration
+ s3_replication_enabled = local.replication_enabled
+ s3_replica_bucket_arn = join("", module.s3_bucket_replication_target.*.bucket_arn)
+ s3_replication_rules = local.s3_replication_rules
+ privileged_principal_actions = var.privileged_principal_actions
+ privileged_principal_arns = local.privileged_principal_arns
+ transfer_acceleration_enabled = true
 context = module.this.context
 }
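Review bot: `transfer_acceleration_enabled = true` is the one input in `module "s3_bucket"` that is hard-coded; every other argument in the block is wired to a `var.` or `local.` value so the example's fixtures decide the configuration. Wiring it the same way, `transfer_acceleration_enabled = var.transfer_acceleration_enabled`, with a `bool` variable defaulting to `true` in the example's variables file, lets the fixtures cover the disabled path as well and lets a fixture whose `bucket_name` contains dots turn it off instead of failing at apply time (Transfer Acceleration does not support such names, as far as I know). The example's variables file is not part of this series, so that declaration would be a follow-up outside this hunk.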