Merge pull request #1 from terraform-modules/initial

Initial
terraform-modules · Jun 19, 2020 · 28022fa · 28022fa
2 parents 805c71b + 448c08a
commit 28022fa
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -4,20 +4,20 @@ Module for creating Title 26 Compliant S3 Buckets
 
 # Requirements
 
-1. Encryption enforcement on the Bucket Policy 
 1. Only Cloud Administrators have bucket delete permissions
 1. Permissions tightly controlled with Bucket Policy and IAM role/policy for users, instances, and other services
-1. Dedicated KMS CMK key 
+1. Encryption enforcement on the Bucket Policy 
+1. Dedicated KMS Customer Master Key (CMK) created per S3 bucket
 1. MFA enforced API calls – required for all data migrations (Cloud and Data Admins)
 1. Object Level Logging enabled with 7 year retention on CloudWatch Log Group
-1. Backup logs to BCC (How often?)
+  * Backup logs to BCC (How often?)
 1. Server Access Logging enabled with 7 year retention on CloudWatch Log Group
-1. Backup logs to BCC (How often?)
+   * Backup logs to BCC (How often?)
 1. Versioning enabled
 1. Monthly Security Audit reviews
    * By customer?
    * By CSvD Security?
 1. IP Address Restriction policy enforced
 1. Not publically accessible
 1. Customer signature for key deletion(s) during decommissioning(s) and maximum wait period
-1. Delete CMK key for Data Sanitization.
+1. Delete CMK for Data Sanitization
diff --git a/main.tf b/main.tf
@@ -0,0 +1,44 @@
+#---
+# s3 bucket
+#---
+resource "aws_s3_bucket" "this" {
+  bucket = var.bucket_name
+  acl    = "private"
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = var.kms_key_id
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+
+  versioning {
+    enabled = true
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+
+  tags = merge(
+    var.tags,
+    local.enforced_tags,
+    map( "Name", var.bucket_name)
+  )
+
+  provisioner "local-exec" {
+    when = create
+    command = "sleep 120"
+  }
+}
+
+resource "aws_s3_bucket_object" "this_objects" {
+  bucket = aws_s3_bucket.this.id
+  count  = length(var.bucket_folders)
+  key    = format("%s/",element(var.bucket_folders,count.index))
+  source = "/dev/null"
+
+  depends_on [aws_s3_bucket.this]
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,16 @@
+variable "bucket_name" {
+  description = "AWS Bucket Name"
+  type = string
+}
+
+variable "bucket_folders" {
+  description = "List of folders (keys) to create after creation of bucket"
+  type = list(string)
+  default = [ ]
+}
+
+variable "kms_key_id" {
+  description = "AWS KMS Key ID (one per bucket)"
+  type = string
+  default = ""
+}