Added s3 module

.github/workflows/pre-commit.yaml

@@ -0,0 +1,54 @@
+---
+name: "Run Pre Commit Checks"
+
+on:  # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - '**'
+      - '!main'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  ## run pre-commit
+  pre-commit:
+    name: Run pre-commit checks
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: write
+      pages: write
+      id-token: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.ARC_JOB_TOKEN }}
+
+      - uses: actions/setup-python@v3
+
+      - name: Install terraform-docs
+        run: |
+          cd /tmp
+          curl -sSLo ./terraform-docs.tar.gz \
+            https://terraform-docs.io/dl/v0.16.0/terraform-docs-v0.16.0-$(uname)-amd64.tar.gz
+          tar -xzf terraform-docs.tar.gz
+          rm terraform-docs.tar.gz
+          chmod +x terraform-docs
+          mv terraform-docs /usr/local/bin/terraform-docs
+      - name: Install tflint
+        run: |
+          cd /tmp
+          curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
+      - name: Run pre-commit
+        uses: pre-commit/[email protected]
+        continue-on-error: true  # we want to push the changes pre-commit makes
+
+      - name: Push pre-commit changes to branch
+        uses: stefanzweifel/git-auto-commit-action@v5
+        with:
+          commit_message: Push pre-commit changes

.github/workflows/tag-release.yml

@@ -0,0 +1,29 @@
+---
+name: Bump version
+on:        # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - main
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Bump version and push tag
+        id: tag
+        uses: anothrNick/github-tag-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEFAULT_BUMP: patch
+          REPO_OWNER: sourcefuse
+      - name: Create Release
+        id: create_release
+        uses: actions/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ steps.tag.outputs.tag }}
+          release_name: v${{ steps.tag.outputs.tag }}
+          body: ${{ github.release_notes }}
+          draft: false
+          prerelease: false

.github/workflows/update-docs.yml

@@ -0,0 +1,50 @@
+---
+name: Update-docs
+on:              # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - main
+jobs:
+  transfer-file:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Pushes Readme file
+        uses: dmnemec/copy_file_to_another_repo_action@main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          API_TOKEN_GITHUB: ${{ secrets.ARC_DOCS_API_TOKEN_GITHUB }}
+        with:
+          source_file: 'README.md'
+          destination_repo: 'sourcefuse/arc-docs'
+          destination_folder: 'docs/arc-iac-docs/modules/terraform-aws-arc-s3'
+          user_email: '[email protected]'
+          user_name: ${{ github.actor }}
+          commit_message: ${{ github.event.head_commit.message }}
+      - name: Pushes Module Usage Guide
+        uses: dmnemec/copy_file_to_another_repo_action@main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          API_TOKEN_GITHUB: ${{ secrets.ARC_DOCS_API_TOKEN_GITHUB }}
+        with:
+          source_file: 'docs/module-usage-guide/README.md'
+          destination_repo: 'sourcefuse/arc-docs'
+          destination_folder: 'docs/arc-iac-docs/modules/terraform-aws-arc-s3/docs/module-usage-guide'
+          user_email: '[email protected]'
+          user_name: ${{ github.actor }}
+          commit_message: ${{ github.event.head_commit.message }}
+      - name: Pushes to another repository
+        uses: cpina/github-action-push-to-another-repository@main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          API_TOKEN_GITHUB: ${{ secrets.ARC_DOCS_API_TOKEN_GITHUB }}
+        with:
+          source-directory: 'static'
+          destination-github-username: 'sourcefuse'
+          destination-repository-name: 'arc-docs'
+          target-directory: 'docs/arc-iac-docs/modules/terraform-aws-arc-s3/static'
+          user-email: '[email protected]'
+          user-name: ${{ github.actor }}
+          target-branch: main
+          commit-message: ${{ github.event.head_commit.message }}    

README.md

@@ -1,16 +1,44 @@
-# terraform-aws-module-template
+![Module Structure](./static/s3.png)
+
+# [terraform-aws-arc-s3](https://github.com/sourcefuse/terraform-aws-arc-s3)
+
+<a href="https://github.com/sourcefuse/terraform-aws-arc-s3/releases/latest"><img src="https://img.shields.io/github/release/sourcefuse/terraform-aws-arc-s3.svg?style=for-the-badge" alt="Latest Release"/></a> <a href="https://github.com/sourcefuse/terraform-aws-arc-s3/commits"><img src="https://img.shields.io/github/last-commit/sourcefuse/terraform-aws-arc-s3.svg?style=for-the-badge" alt="Last Updated"/></a> ![Terraform](https://img.shields.io/badge/terraform-%235835CC.svg?style=for-the-badge&logo=terraform&logoColor=white) ![GitHub Actions](https://img.shields.io/badge/github%20actions-%232671E5.svg?style=for-the-badge&logo=githubactions&logoColor=white)
+
+[![Quality gate](https://sonarcloud.io/api/project_badges/quality_gate?project=sourcefuse_terraform-aws-arc-s3&token=3c75a1b94d1b6ab3f1b98785e484d5ede197851e)](https://sonarcloud.io/summary/new_code?id=sourcefuse_terraform-aws-arc-s3)
+
+[![Known Vulnerabilities](https://github.com/sourcefuse/terraform-aws-arc-s3/actions/workflows/snyk.yaml/badge.svg)](https://github.com/sourcefuse/terraform-aws-arc-s3/actions/workflows/snyk.yaml)
 
 ## Overview
 
-SourceFuse AWS Reference Architecture (ARC) Terraform module for managing _________.
+SourceFuse AWS Reference Architecture (ARC) Terraform module for managing the s3 module.
+
+## Features
+ - Manages S3 buckets.
+ - Supports lifecycle rules.
+ - Configurable bucket policies and access controls.
+ - Supports CORS and website configurations.
+
+## Introduction
+
+SourceFuse's AWS Reference Architecture (ARC) Terraform module for managing S3 buckets centralizes and automates the deployment and management of S3 resources. This module helps you create and manage S3 buckets with options for lifecycle policies, access control lists (ACLs), and CORS configurations. It integrates with other AWS services, ensuring secure, scalable, and efficient storage solutions. The module supports various configurations, providing a robust solution for your storage needs across different environments.
 
 ## Usage
 
 To see a full example, check out the [main.tf](./example/main.tf) file in the example folder.  
 
 ```hcl
-module "this" {
-  source = "git::https://github.com/sourcefuse/terraform-aws-refarch-<module_name>"
+module "arc-s3" {
+  source = "../"
+  bucket_name = var.bucket_name
+  enable_notifications = var.enable_notifications
+  enabled = var.enabled
+  bucket_key_enabled = var.bucket_key_enabled
+  acl = var.acl
+  lifecycle_rule = local.lifecycle_rule
+  website_configuration = var.website_configuration
+  cors_configuration = var.cors_configuration
+  allowed_bucket_actions = var.allowed_bucket_actions
+  tags = module.tags.tags
 }
 ```
 
@@ -42,13 +70,7 @@ No inputs.
 
 No outputs.
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
-## Versioning  
-This project uses a `.version` file at the root of the repo which the pipeline reads from and does a git tag.  
-
-When you intend to commit to `main`, you will need to increment this version. Once the project is merged,
-the pipeline will kick off and tag the latest git commit.  
-
+
 ## Development
 
 ### Prerequisites

data.tf

@@ -0,0 +1,150 @@
+data "aws_partition" "current" {}
+data "aws_canonical_user_id" "default" {}
+data "aws_iam_policy_document" "bucket_policy" {
+
+  dynamic "statement" {
+    for_each = var.allow_encrypted_uploads_only ? [1] : []
+
+    content {
+      sid       = "DenyIncorrectEncryptionHeader"
+      effect    = "Deny"
+      actions   = ["s3:PutObject"]
+      resources = ["${local.bucket_arn}/*"]
+
+      principals {
+        identifiers = ["*"]
+        type        = "*"
+      }
+
+      condition {
+        test     = "StringNotEquals"
+        values   = [var.sse_algorithm]
+        variable = "s3:x-amz-server-side-encryption"
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.allow_encrypted_uploads_only ? [1] : []
+
+    content {
+      sid       = "DenyUnEncryptedObjectUploads"
+      effect    = "Deny"
+      actions   = ["s3:PutObject"]
+      resources = ["${local.bucket_arn}/*"]
+
+      principals {
+        identifiers = ["*"]
+        type        = "*"
+      }
+
+      condition {
+        test     = "Null"
+        values   = ["true"]
+        variable = "s3:x-amz-server-side-encryption"
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.allow_ssl_requests_only ? [1] : []
+
+    content {
+      sid       = "ForceSSLOnlyAccess"
+      effect    = "Deny"
+      actions   = ["s3:*"]
+      resources = [local.bucket_arn, "${local.bucket_arn}/*"]
+
+      principals {
+        identifiers = ["*"]
+        type        = "*"
+      }
+
+      condition {
+        test     = "Bool"
+        values   = ["false"]
+        variable = "aws:SecureTransport"
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = length(var.s3_replication_source_roles) > 0 ? [1] : []
+
+    content {
+      sid = "CrossAccountReplicationObjects"
+      actions = [
+        "s3:ReplicateObject",
+        "s3:ReplicateDelete",
+        "s3:ReplicateTags",
+        "s3:GetObjectVersionTagging",
+        "s3:ObjectOwnerOverrideToBucketOwner"
+      ]
+      resources = ["${local.bucket_arn}/*"]
+      principals {
+        type        = "AWS"
+        identifiers = var.s3_replication_source_roles
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = length(var.s3_replication_source_roles) > 0 ? [1] : []
+
+    content {
+      sid       = "CrossAccountReplicationBucket"
+      actions   = ["s3:List*", "s3:GetBucketVersioning", "s3:PutBucketVersioning"]
+      resources = [local.bucket_arn]
+      principals {
+        type        = "AWS"
+        identifiers = var.s3_replication_source_roles
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = var.privileged_principal_arns
+
+    content {
+      sid     = "AllowPrivilegedPrincipal[${statement.key}]" # add indices to Sid
+      actions = var.privileged_principal_actions
+      resources = distinct(flatten([
+        "arn:${local.partition}:s3:::${local.bucket_id}",
+        formatlist("arn:${local.partition}:s3:::${local.bucket_id}/%s*", values(statement.value)[0]),
+      ]))
+      principals {
+        type        = "AWS"
+        identifiers = [keys(statement.value)[0]]
+      }
+    }
+  }
+
+  dynamic "statement" {
+    for_each = length(var.source_ip_allow_list) > 0 ? [1] : []
+
+    content {
+      sid       = "AllowIPPrincipals"
+      effect    = "Deny"
+      actions   = ["s3:*"]
+      resources = [local.bucket_arn, "${local.bucket_arn}/*"]
+      principals {
+        identifiers = ["*"]
+        type        = "*"
+      }
+      condition {
+        test     = "NotIpAddress"
+        variable = "aws:SourceIp"
+        values   = var.source_ip_allow_list
+      }
+    }
+
+  }
+
+}
+
+data "aws_iam_policy_document" "aggregated_policy" {
+  count = var.enabled ? 1 : 0
+
+  source_policy_documents   = [one(data.aws_iam_policy_document.bucket_policy[*].json)]
+  override_policy_documents = var.source_policy_documents
+}