Skip to content

Commit

Permalink
update docs
Browse files Browse the repository at this point in the history
  • Loading branch information
@badra001
badra001 committed Mar 14, 2023
1 parent 3351ff1 commit 15fb3bc
Show file tree
Hide file tree
Showing 4 changed files with 41 additions and 4 deletions.
13 changes: 11 additions & 2 deletions standard/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,14 @@ optionally requires explicit encryption (`require_explicit_encryption` flag, def
and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
# Options
## Options :: bucket\_key\_eanbled
This will set the bucket to use a `bucket_key` (see [docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)). It is
now enabled by default. However, it cannot be changed through the module. If you need to turn it on for an existing bucket (with or without
objects), you will need to set it through the console or API. Likewise, disabling it once set will have to happen through the console or API,
and then you will want to set this flag to `false`. The reasoning behind this behavior is that existing objects will not use a bucket key. You
have to copy each object in order to cause it to use the bucket key. Changing it would lead to the intended behavior (enabled) not actually working
on existing objects.
## Options :: name\_include\_account
Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default
is false.
Expand Down Expand Up @@ -208,7 +216,7 @@ No modules.
| <a name="input_allowed_cidr"></a> [allowed\_cidr](#input\_allowed\_cidr) | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no |
| <a name="input_allowed_endpoints"></a> [allowed\_endpoints](#input\_allowed\_endpoints) | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no |
| <a name="input_bucket_folders"></a> [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no |
| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no |
| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `true` | no |
| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes |
| <a name="input_bucket_owner"></a> [bucket\_owner](#input\_bucket\_owner) | One of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced. See S3 Documentation for more information (default: BucketOwnerPreferred, requires bucket-owner-full-control option when uploading | `string` | `"BucketOwnerPreferred"` | no |
| <a name="input_bucket_policy_disabled"></a> [bucket\_policy\_disabled](#input\_bucket\_policy\_disabled) | Flag to enable or disable the default bucket policy. This is used for where we need to create the bucket policy outside of the module to prevent cyclical setup | `bool` | `false` | no |
Expand All @@ -228,10 +236,11 @@ No modules.
| <a name="input_name_include_region"></a> [name\_include\_region](#input\_name\_include\_region) | Flag to determine if we include the full region name in the resulting bucket name | `bool` | `false` | no |
| <a name="input_name_include_region_compact"></a> [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters. Only usable with name\_include\_region. | `bool` | `true` | no |
| <a name="input_object_lock_enabled"></a> [object\_lock\_enabled](#input\_object\_lock\_enabled) | Flag to enable object lock. This can only be set on bucket creation. See AWS documentation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html | `bool` | `false` | no |
| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Map of strings to override prefixes such as s3 and kms. Recommended ONLY for advanced useage (say, for inf* things) | `map(string)` | `{}` | no |
| <a name="input_require_explicit_encryption"></a> [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
| <a name="input_use_kms_encryption"></a> [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access | `bool` | `true` | no |
| <a name="input_versioning"></a> [versioning](#input\_versioning) | n/a | `bool` | `false` | no |
| <a name="input_versioning"></a> [versioning](#input\_versioning) | Flag to enable ot disable bucket versioning. This may be used for the standard submodule, but it is ignored for title26 (enforced to be enabled) | `bool` | `false` | no |
## Outputs
Expand Down
8 changes: 8 additions & 0 deletions standard/main.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,14 @@
* and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
*
* # Options
* ## Options :: bucket_key_eanbled
* This will set the bucket to use a `bucket_key` (see [docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)). It is
* now enabled by default. However, it cannot be changed through the module. If you need to turn it on for an existing bucket (with or without
* objects), you will need to set it through the console or API. Likewise, disabling it once set will have to happen through the console or API,
* and then you will want to set this flag to `false`. The reasoning behind this behavior is that existing objects will not use a bucket key. You
* have to copy each object in order to cause it to use the bucket key. Changing it would lead to the intended behavior (enabled) not actually working
* on existing objects.
*
* ## Options :: name_include_account
* Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default
* is false.
Expand Down
16 changes: 14 additions & 2 deletions title26/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,14 @@ optionally requires explicit encryption (`require_explicit_encryption` flag, def
and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
# Options
## Options :: bucket\_key\_eanbled
This will set the bucket to use a `bucket_key` (see [docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)). It is
now enabled by default. However, it cannot be changed through the module. If you need to turn it on for an existing bucket (with or without
objects), you will need to set it through the console or API. Likewise, disabling it once set will have to happen through the console or API,
and then you will want to set this flag to `false`. The reasoning behind this behavior is that existing objects will not use a bucket key. You
have to copy each object in order to cause it to use the bucket key. Changing it would lead to the intended behavior (enabled) not actually working
on existing objects.
## Options :: name\_include\_account
Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default
is false.
Expand Down Expand Up @@ -177,12 +185,12 @@ No modules.
| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
| [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
| [aws_s3_bucket_object.this_objects](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource |
| [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
| [aws_s3_object.this_objects](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
| [null_resource.name_too_long](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
Expand All @@ -205,9 +213,10 @@ No modules.
| <a name="input_allowed_cidr"></a> [allowed\_cidr](#input\_allowed\_cidr) | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no |
| <a name="input_allowed_endpoints"></a> [allowed\_endpoints](#input\_allowed\_endpoints) | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no |
| <a name="input_bucket_folders"></a> [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no |
| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no |
| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `true` | no |
| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes |
| <a name="input_bucket_owner"></a> [bucket\_owner](#input\_bucket\_owner) | One of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced. See S3 Documentation for more information (default: BucketOwnerPreferred, requires bucket-owner-full-control option when uploading | `string` | `"BucketOwnerPreferred"` | no |
| <a name="input_bucket_policy_disabled"></a> [bucket\_policy\_disabled](#input\_bucket\_policy\_disabled) | Flag to enable or disable the default bucket policy. This is used for where we need to create the bucket policy outside of the module to prevent cyclical setup | `bool` | `false` | no |
| <a name="input_bucket_policy_document"></a> [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additional policy to be attached to the bucket beyond the default | `string` | `""` | no |
| <a name="input_bucket_policy_document_template"></a> [bucket\_policy\_document\_template](#input\_bucket\_policy\_document\_template) | IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with ${s3\_bucket\_arn} where you need it to be in a resource. This also supports ${s3\_bucket\_id} and ${kms\_key\_arn} | `string` | `null` | no |
| <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | <pre>[<br> "title26"<br>]</pre> | no |
Expand All @@ -218,14 +227,17 @@ No modules.
| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no |
| <a name="input_kms_policy_document"></a> [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
| <a name="input_metadata_tags"></a> [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
| <a name="input_multi_region"></a> [multi\_region](#input\_multi\_region) | Flag to enable or disable the use of a multi-region KMS key (default=false) | `bool` | `false` | no |
| <a name="input_name_enforce_region_compact"></a> [name\_enforce\_region\_compact](#input\_name\_enforce\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name no matter the lenth of the string. Only usable with name\_include\_region. | `bool` | `false` | no |
| <a name="input_name_include_account"></a> [name\_include\_account](#input\_name\_include\_account) | Flag to determine if we include the AWS Account id in the resulting bucket name | `bool` | `false` | no |
| <a name="input_name_include_region"></a> [name\_include\_region](#input\_name\_include\_region) | Flag to determine if we include the full region name in the resulting bucket name | `bool` | `false` | no |
| <a name="input_name_include_region_compact"></a> [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters. Only usable with name\_include\_region. | `bool` | `true` | no |
| <a name="input_object_lock_enabled"></a> [object\_lock\_enabled](#input\_object\_lock\_enabled) | Flag to enable object lock. This can only be set on bucket creation. See AWS documentation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html | `bool` | `false` | no |
| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Map of strings to override prefixes such as s3 and kms. Recommended ONLY for advanced useage (say, for inf* things) | `map(string)` | `{}` | no |
| <a name="input_require_explicit_encryption"></a> [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
| <a name="input_use_kms_encryption"></a> [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access | `bool` | `true` | no |
| <a name="input_versioning"></a> [versioning](#input\_versioning) | Flag to enable ot disable bucket versioning. This may be used for the standard submodule, but it is ignored for title26 (enforced to be enabled) | `bool` | `false` | no |
## Outputs
Expand Down
8 changes: 8 additions & 0 deletions title26/main.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,14 @@
* and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
*
* # Options
* ## Options :: bucket_key_eanbled
* This will set the bucket to use a `bucket_key` (see [docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)). It is
* now enabled by default. However, it cannot be changed through the module. If you need to turn it on for an existing bucket (with or without
* objects), you will need to set it through the console or API. Likewise, disabling it once set will have to happen through the console or API,
* and then you will want to set this flag to `false`. The reasoning behind this behavior is that existing objects will not use a bucket key. You
* have to copy each object in order to cause it to use the bucket key. Changing it would lead to the intended behavior (enabled) not actually working
* on existing objects.
*
* ## Options :: name_include_account
* Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default
* is false.
Expand Down

0 comments on commit 15fb3bc

Please sign in to comment.