From 15fb3bcb6d53831d2b52cc2989c8efe461f12315 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 14 Mar 2023 15:34:30 -0400 Subject: [PATCH] update docs --- standard/README.md | 13 +++++++++++-- standard/main.tf | 8 ++++++++ title26/README.md | 16 ++++++++++++++-- title26/main.tf | 8 ++++++++ 4 files changed, 41 insertions(+), 4 deletions(-) diff --git a/standard/README.md b/standard/README.md index a258002..bcd99fb 100644 --- a/standard/README.md +++ b/standard/README.md @@ -106,6 +106,14 @@ optionally requires explicit encryption (`require_explicit_encryption` flag, def and address restrictions (lists `allowed_cidr` and `allowed_endpoints`). # Options +## Options :: bucket\_key\_eanbled +This will set the bucket to use a `bucket_key` (see [docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)). It is +now enabled by default. However, it cannot be changed through the module. If you need to turn it on for an existing bucket (with or without +objects), you will need to set it through the console or API. Likewise, disabling it once set will have to happen through the console or API, +and then you will want to set this flag to `false`. The reasoning behind this behavior is that existing objects will not use a bucket key. You +have to copy each object in order to cause it to use the bucket key. Changing it would lead to the intended behavior (enabled) not actually working +on existing objects. + ## Options :: name\_include\_account Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default is false. 
@@ -208,7 +216,7 @@ No modules. | [allowed\_cidr](#input\_allowed\_cidr) | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no | | [allowed\_endpoints](#input\_allowed\_endpoints) | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no | | [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no | -| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no | +| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `true` | no | | [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | | [bucket\_owner](#input\_bucket\_owner) | One of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced. See S3 Documentation for more information (default: BucketOwnerPreferred, requires bucket-owner-full-control option when uploading | `string` | `"BucketOwnerPreferred"` | no | | [bucket\_policy\_disabled](#input\_bucket\_policy\_disabled) | Flag to enable or disable the default bucket policy. This is used for where we need to create the bucket policy outside of the module to prevent cyclical setup | `bool` | `false` | no | 
@@ -228,10 +236,11 @@ No modules. | [name\_include\_region](#input\_name\_include\_region) | Flag to determine if we include the full region name in the resulting bucket name | `bool` | `false` | no | | [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters. Only usable with name\_include\_region. | `bool` | `true` | no | | [object\_lock\_enabled](#input\_object\_lock\_enabled) | Flag to enable object lock. This can only be set on bucket creation. See AWS documentation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html | `bool` | `false` | no | +| [override\_prefixes](#input\_override\_prefixes) | Map of strings to override prefixes such as s3 and kms. Recommended ONLY for advanced useage (say, for inf* things) | `map(string)` | `{}` | no | | [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | | [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access | `bool` | `true` | no | -| [versioning](#input\_versioning) | n/a | `bool` | `false` | no | +| [versioning](#input\_versioning) | Flag to enable ot disable bucket versioning. This may be used for the standard submodule, but it is ignored for title26 (enforced to be enabled) | `bool` | `false` | no | ## Outputs diff --git a/standard/main.tf b/standard/main.tf index 3463e6e..2445c2c 100644 --- a/standard/main.tf +++ b/standard/main.tf 
@@ -107,6 +107,14 @@ * and address restrictions (lists `allowed_cidr` and `allowed_endpoints`). * * # Options +* ## Options :: bucket_key_eanbled +* This will set the bucket to use a `bucket_key` (see [docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)). It is +* now enabled by default. However, it cannot be changed through the module. If you need to turn it on for an existing bucket (with or without +* objects), you will need to set it through the console or API. Likewise, disabling it once set will have to happen through the console or API, +* and then you will want to set this flag to `false`. The reasoning behind this behavior is that existing objects will not use a bucket key. You +* have to copy each object in order to cause it to use the bucket key. Changing it would lead to the intended behavior (enabled) not actually working +* on existing objects. +* * ## Options :: name_include_account * Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default * is false. diff --git a/title26/README.md b/title26/README.md index a7d0b15..5fb48d4 100644 --- a/title26/README.md +++ b/title26/README.md 
@@ -103,6 +103,14 @@ optionally requires explicit encryption (`require_explicit_encryption` flag, def and address restrictions (lists `allowed_cidr` and `allowed_endpoints`). # Options +## Options :: bucket\_key\_eanbled +This will set the bucket to use a `bucket_key` (see [docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)). It is +now enabled by default. However, it cannot be changed through the module. If you need to turn it on for an existing bucket (with or without +objects), you will need to set it through the console or API. Likewise, disabling it once set will have to happen through the console or API, +and then you will want to set this flag to `false`. The reasoning behind this behavior is that existing objects will not use a bucket key. You +have to copy each object in order to cause it to use the bucket key. Changing it would lead to the intended behavior (enabled) not actually working +on existing objects. + ## Options :: name\_include\_account Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default is false. 
@@ -177,12 +185,12 @@ No modules. | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | | [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | | [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | -| [aws_s3_bucket_object.this_objects](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource | | [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_s3_object.this_objects](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | | [null_resource.name_too_long](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | 
@@ -205,9 +213,10 @@ No modules. | [allowed\_cidr](#input\_allowed\_cidr) | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no | | [allowed\_endpoints](#input\_allowed\_endpoints) | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no | | [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no | -| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no | +| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `true` | no | | [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | | [bucket\_owner](#input\_bucket\_owner) | One of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced. See S3 Documentation for more information (default: BucketOwnerPreferred, requires bucket-owner-full-control option when uploading | `string` | `"BucketOwnerPreferred"` | no | +| [bucket\_policy\_disabled](#input\_bucket\_policy\_disabled) | Flag to enable or disable the default bucket policy. 
This is used for where we need to create the bucket policy outside of the module to prevent cyclical setup | `bool` | `false` | no | | [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additional policy to be attached to the bucket beyond the default | `string` | `""` | no | | [bucket\_policy\_document\_template](#input\_bucket\_policy\_document\_template) | IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with ${s3\_bucket\_arn} where you need it to be in a resource. This also supports ${s3\_bucket\_id} and ${kms\_key\_arn} | `string` | `null` | no | | [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` |
[
"title26"
]
| no | 
@@ -218,14 +227,17 @@ No modules. | [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no | | [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no | | [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | +| [multi\_region](#input\_multi\_region) | Flag to enable or disable the use of a multi-region KMS key (default=false) | `bool` | `false` | no | | [name\_enforce\_region\_compact](#input\_name\_enforce\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name no matter the lenth of the string. Only usable with name\_include\_region. | `bool` | `false` | no | | [name\_include\_account](#input\_name\_include\_account) | Flag to determine if we include the AWS Account id in the resulting bucket name | `bool` | `false` | no | | [name\_include\_region](#input\_name\_include\_region) | Flag to determine if we include the full region name in the resulting bucket name | `bool` | `false` | no | | [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters. Only usable with name\_include\_region. | `bool` | `true` | no | | [object\_lock\_enabled](#input\_object\_lock\_enabled) | Flag to enable object lock. This can only be set on bucket creation. See AWS documentation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html | `bool` | `false` | no | +| [override\_prefixes](#input\_override\_prefixes) | Map of strings to override prefixes such as s3 and kms. 
Recommended ONLY for advanced useage (say, for inf* things) | `map(string)` | `{}` | no | | [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | | [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access | `bool` | `true` | no | +| [versioning](#input\_versioning) | Flag to enable ot disable bucket versioning. This may be used for the standard submodule, but it is ignored for title26 (enforced to be enabled) | `bool` | `false` | no | ## Outputs diff --git a/title26/main.tf b/title26/main.tf index 9ec8c15..f7c2840 100644 --- a/title26/main.tf +++ b/title26/main.tf 
@@ -104,6 +104,14 @@ * and address restrictions (lists `allowed_cidr` and `allowed_endpoints`). * * # Options +* ## Options :: bucket_key_eanbled +* This will set the bucket to use a `bucket_key` (see [docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)). It is +* now enabled by default. However, it cannot be changed through the module. If you need to turn it on for an existing bucket (with or without +* objects), you will need to set it through the console or API. Likewise, disabling it once set will have to happen through the console or API, +* and then you will want to set this flag to `false`. The reasoning behind this behavior is that existing objects will not use a bucket key. You +* have to copy each object in order to cause it to use the bucket key. Changing it would lead to the intended behavior (enabled) not actually working +* on existing objects. +* * ## Options :: name_include_account * Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default * is false.
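Review bot: in the standard/README.md hunk `@@ -106,6 +106,14 @@`, the new heading `## Options :: bucket\_key\_eanbled` misspells the input; it should be `bucket\_key\_enabled` so it matches the `bucket_key_enabled` row in the Inputs table and can be found by search. The paragraph also contradicts itself: it says the setting "cannot be changed through the module" and then tells the reader to set the flag to `false` after disabling it via the console or API. State the actual contract (for example: the flag is applied when the bucket is created and the module will not toggle it on an existing bucket) and give the steps for an existing bucket as a short sequence: change it via console/API, then set the variable to the same value so the module's configuration agrees with the bucket. "It is now enabled by default" reads as a release note; say what the default is and refer to the Inputs table.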
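Review bot: in the standard/README.md hunk `@@ -208,7 +216,7 @@`, flipping the default of `bucket_key_enabled` from `false` to `true` is a behaviour change for every caller that does not set the variable, not a documentation fix, yet the commit is titled "update docs" and the patch touches only README and header text. Call the change out in the commit message and changelog, and reconcile it with the new Options section, which says the setting cannot be changed through the module: if a plan against an existing bucket would now propose `bucket_key_enabled = true`, say so and describe the expected outcome. The description still carries the typo "documenation" (should be "documentation"). The AWS page the row links to also notes that with Bucket Keys enabled, S3 uses the bucket ARN rather than the object ARN as the KMS encryption context, so KMS key policies or IAM conditions written against object ARNs stop matching; that caveat belongs next to the default change so operators can review their key policies before applying.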
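Review bot: in the standard/README.md hunk `@@ -228,10 +236,11 @@`, the two added rows carry typos: "useage" should be "usage" in `override_prefixes`, and "enable ot disable" should be "enable or disable" in `versioning`. The `override_prefixes` description "(say, for inf* things)" does not tell the reader which keys the map accepts or what the defaults are; list the accepted keys (the text names `s3` and `kms`) and their default prefixes, since these prefixes feed into the resulting bucket and key names. The `versioning` row describes title26 behaviour ("ignored for title26 (enforced to be enabled)") inside the standard module's README; keep only the standard module's behaviour here and put the enforcement note in title26/README.md, where the same row is added in this patch.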
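Review bot: in the standard/main.tf hunk `@@ -107,6 +107,14 @@`, the header comment repeats the `bucket_key_eanbled` heading typo and the self-contradicting paragraph from the README. If the README is generated from this header comment (the two texts are identical apart from Markdown escaping), this is the copy to fix; if it is maintained by hand, consider keeping the prose in one place so the two copies do not drift.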
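Review bot: in the title26/README.md hunk `@@ -103,6 +103,14 @@`, the same `bucket\_key\_eanbled` heading typo and the same "cannot be changed through the module ... then set this flag to `false`" contradiction appear as in standard/README.md; apply the same wording fix here so the two modules document one consistent contract for existing buckets.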
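Review bot: in the title26/README.md hunk `@@ -177,12 +185,12 @@`, the Resources table replaces `aws_s3_bucket_object.this_objects` with `aws_s3_object.this_objects`, but no `.tf` resource change is part of this patch (the stat lists only the two READMEs and the two header comments). Either the resource type change landed in a separate commit, in which case reference it in the commit message, or the table is ahead of the code. If the type was changed, document the migration path for existing folder marker objects (import into the new address or accept the destroy-and-recreate), since changing a resource type otherwise plans a replacement. The standard/README.md Resources table is not touched in this patch, so check whether the standard module still uses the deprecated `aws_s3_bucket_object` type or whether its table is now stale.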
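Review bot: in the title26/README.md hunk `@@ -205,9 +213,10 @@`, the `bucket_key_enabled` default flip has the same implications as in the standard module (behaviour change under a "docs" commit, "documenation" typo, KMS encryption-context caveat from the linked AWS page) and should get the same treatment. The new `bucket_policy_disabled` row appears here with its description broken across two lines after "default bucket policy."; Markdown tables need each row on a single line, so confirm the row is on one line in the source file. The same applies to the `override_prefixes` row in the next hunk.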
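Review bot: in the title26/README.md hunk `@@ -218,14 +227,17 @@`, the `multi_region` description ends with "(default=false)", which duplicates the Default column; drop it from the description. A multi-region KMS key can have replicas created in other regions, which widens where the key material can be used, so the description should say what the module does with the flag (which regions, whether replicas are created) rather than only that it exists. The `override_prefixes` and `versioning` rows carry the same "useage" and "enable ot disable" typos as the standard module. For `versioning`, the row says the value is ignored for title26 and versioning is enforced; if so, consider either removing the variable from this module or adding a `validation` block that rejects `false`, so a caller who sets `versioning = false` is told rather than silently ignored.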
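Review bot: in the title26/main.tf hunk `@@ -104,6 +104,14 @@`, the header comment carries the `bucket_key_eanbled` heading typo and the contradictory paragraph a third and fourth time across this patch; fix it here as well, and if this header is the source for the generated README, fixing it here is what keeps title26/README.md correct on the next regeneration.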