diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b71d691..3294764 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -6,9 +6,7 @@ repos:
- id: terraform_fmt
- id: terraform_docs_replace
args: ['table']
- exclude: common/*.tf
- exclude: version.tf
-
+ exclude: common
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.1.0
hooks:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 081e9eb..1309a51 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -42,3 +42,7 @@ Provides standard and t26 S3 bucket construction.
* v2.2.2 -- 20211104
- update documenation to include sample policy and policy document
+
+* v2.3.0 -- 20211117
+ - add submodule kms_key to be able to create a key, and then use it for later bucket
+ - allow kms_key_arn to passed in for standard and title26 buckets
diff --git a/common/README.md b/common/README.md
deleted file mode 100644
index fa95728..0000000
--- a/common/README.md
+++ /dev/null
@@ -1,63 +0,0 @@
-## Requirements
-
-No requirements.
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | n/a |
-| [null](#provider\_null) | n/a |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
-| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_object.this_objects](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource |
-| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
-| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
-| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.bucket_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [access\_log\_bucket](#input\_access\_log\_bucket) | Server Access Logging Bucket ID | `string` | n/a | yes |
-| [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no |
-| [allowed\_cidr](#input\_allowed\_cidr) | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no |
-| [allowed\_endpoints](#input\_allowed\_endpoints) | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no |
-| [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no |
-| [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes |
-| [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additiona policy to be attached to the bucket beyond the default | `string` | `""` | no |
-| [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
-| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no |
-| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no |
-| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
-| [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
-| [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
-| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [kms\_key\_alias](#output\_kms\_key\_alias) | Created KMS Key Alias name |
-| [kms\_key\_arn](#output\_kms\_key\_arn) | Created KMS Key ARN |
-| [kms\_key\_id](#output\_kms\_key\_id) | Created KMS Key ID |
-| [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | Created S3 Bucket ARN |
-| [s3\_bucket\_id](#output\_s3\_bucket\_id) | Created S3 Bucket ID |
diff --git a/common/base_settings.tf b/common/base_settings.tf
new file mode 100644
index 0000000..7d17c3d
--- /dev/null
+++ b/common/base_settings.tf
@@ -0,0 +1,23 @@
+locals {
+ account_id = data.aws_caller_identity.current.account_id
+ current_user_arn = data.aws_caller_identity.current.arn
+ partition = data.aws_arn.current.partition
+ region = data.aws_region.current.name
+}
+
+# enforced tags
+locals {
+ # strip spaces, convert to lowercase, make distinct, sort. Remove those not in the _defaults
+ add_safeguard_tags = local.enable_title26 ? ["title26"] : []
+ _default_safeguard_tags = { for d in local._defaults["data_safeguards"] : d => d }
+ safeguard_tags = sort(distinct(compact(concat([for t in var.data_safeguards : lookup(local._default_safeguard_tags, lower(replace(t, " ", "")), "")], local.add_safeguard_tags))))
+ add_tags = {
+ safeguard = {
+ "exists" = { "boc:safeguard" = join(",", local.safeguard_tags) }
+ "not_exists" = {}
+ }
+ }
+ enforced_tags = merge(
+ local.add_tags["safeguard"][length(local.safeguard_tags) > 0 ? "exists" : "not_exists"]
+ )
+}
diff --git a/common/base_tags.tf b/common/base_tags.tf
new file mode 100644
index 0000000..602b87a
--- /dev/null
+++ b/common/base_tags.tf
@@ -0,0 +1,6 @@
+locals {
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
diff --git a/common/kms.tf b/common/kms.tf
new file mode 100644
index 0000000..e8df353
--- /dev/null
+++ b/common/kms.tf
@@ -0,0 +1,64 @@
+# data "aws_kms_key" "incoming_key" {
+# count = var.kms_key_arn != null ? 1 : 0
+# key_id = var.kms_key_arn
+# }
+#
+locals {
+ kms_key_arn = var.kms_key_arn == null ? aws_kms_key.key[0].arn : var.kms_key_arn
+ kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
+
+ kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
+ kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+ kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
+}
+
+#---
+# create a key and alias if not specified
+#---
+resource "aws_kms_key" "key" {
+ count = var.kms_key_arn == null ? 1 : 0
+ description = "KMS CMK for S3 bucket ${local.name}"
+ enable_key_rotation = true
+ policy = data.aws_iam_policy_document.key_policy_combined.json
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ local.enforced_tags,
+ map("Name", local.kms_key_name)
+ )
+}
+
+resource "aws_kms_alias" "key" {
+ count = var.kms_key_arn == null ? 1 : 0
+ name = "alias/${local.kms_key_name}"
+ target_key_id = var.kms_key_arn == null ? aws_kms_key.key[0].key_id : null
+}
+
+# auto includes root
+data "aws_iam_policy_document" "key_admin" {
+ statement {
+ sid = "BuiltinKMSAdminRoles"
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = local.kms_admin_roles
+ }
+ }
+}
+
+data "aws_iam_policy_document" "key_policy_combined" {
+ source_policy_documents = [
+ data.aws_iam_policy_document.key_admin.json,
+ local.kms_policy_document
+ ]
+}
+
+data "aws_iam_policy_document" "empty" {}
+
+data "aws_kms_key" "incoming_key" {
+ count = var.kms_key_arn == null ? 0 : 1
+ key_id = var.kms_key_arn
+}
diff --git a/common/outputs.kms.tf b/common/outputs.kms.tf
new file mode 100644
index 0000000..b84af15
--- /dev/null
+++ b/common/outputs.kms.tf
@@ -0,0 +1,18 @@
+#---
+# key
+#---
+output "kms_key_id" {
+ description = "KMS Key ID. This is the created key id or the key id of kms_key_arn"
+ value = var.kms_key_arn == null ? aws_kms_key.key[0].id : data.aws_kms_key.incoming_key[0].id
+}
+
+output "kms_key_arn" {
+ description = "KMS Key ARN. This is the created key ARN or the key ARN of kms_key_arn"
+ value = var.kms_key_arn == null ? aws_kms_key.key[0].arn : data.aws_kms_key.incoming_key[0].arn
+}
+
+output "kms_key_alias" {
+ description = "KMS Key Alias name. If a kms_key_arn passed in, this will be null."
+ value = var.kms_key_arn == null ? aws_kms_alias.key[0].name : null
+}
+
diff --git a/common/outputs.s3.tf b/common/outputs.s3.tf
new file mode 100644
index 0000000..a29a743
--- /dev/null
+++ b/common/outputs.s3.tf
@@ -0,0 +1,12 @@
+#---
+# bucket
+#---
+output "s3_bucket_arn" {
+ description = "Created S3 Bucket ARN"
+ value = aws_s3_bucket.this.arn
+}
+
+output "s3_bucket_id" {
+ description = "Created S3 Bucket ID"
+ value = aws_s3_bucket.this.id
+}
diff --git a/common/outputs.tf b/common/outputs.tf
deleted file mode 100644
index 254a87e..0000000
--- a/common/outputs.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-#---
-# bucket
-#---
-output "s3_bucket_arn" {
- description = "Created S3 Bucket ARN"
- value = aws_s3_bucket.this.arn
-}
-
-output "s3_bucket_id" {
- description = "Created S3 Bucket ID"
- value = aws_s3_bucket.this.id
-}
-
-#---
-# key
-#---
-output "kms_key_id" {
- description = "Created KMS Key ID"
- value = aws_kms_key.key.id
-}
-
-output "kms_key_arn" {
- description = "Created KMS Key ARN"
- value = aws_kms_key.key.arn
-}
-
-output "kms_key_alias" {
- description = "Created KMS Key Alias name"
- value = aws_kms_alias.key.name
-}
diff --git a/common/resources.tf b/common/resources.tf
index 5a5c541..23caa0c 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -1,24 +1,15 @@
-locals {
-
- account_id = data.aws_caller_identity.current.account_id
- current_user_arn = data.aws_caller_identity.current.arn
- partition = data.aws_arn.current.partition
- region = data.aws_region.current.name
-}
-
locals {
base_name = var.bucket_name
name = replace(var.bucket_name, local._prefixes["s3"], "")
bucket_name = format("%s%s", local._prefixes["s3"], local.name)
bucket_policy_document = length(var.bucket_policy_document) > 0 ? var.bucket_policy_document : data.aws_iam_policy_document.empty.json
- # kms_key_arn_exists = var.kms_key_arn != "" && var.kms_key_arn != null
- kms_key_arn = aws_kms_key.key.arn
- kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
+ # kms_key_arn = aws_kms_key.key.arn
+ # kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
- kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
- kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles))
- kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
+ # kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
+ # kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+ # kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
condition_allowed_cidr = {
"test" : "NotIpAddress"
@@ -33,26 +24,6 @@ locals {
s3_bucket_conditions_list = list(local.condition_allowed_cidr, local.condition_allowed_endpoints)
s3_bucket_conditions = [for x in local.s3_bucket_conditions_list : x if length(x.values) > 0]
- # enforced_tags = {
- # "boc:safeguard" = "title26"
- # }
- base_tags = {
- "boc:tf_module_version" = local._module_version
- "boc:created_by" = "terraform"
- }
- # strip spaces, convert to lowercase, make distinct, sort. Remove those not in the _defaults
- add_safeguard_tags = local.enable_title26 ? ["title26"] : []
- _default_safeguard_tags = { for d in local._defaults["data_safeguards"] : d => d }
- safeguard_tags = sort(distinct(compact(concat([for t in var.data_safeguards : lookup(local._default_safeguard_tags, lower(replace(t, " ", "")), "")], local.add_safeguard_tags))))
- add_tags = {
- safeguard = {
- "exists" = { "boc:safeguard" = join(",", local.safeguard_tags) }
- "not_exists" = {}
- }
- }
- enforced_tags = merge(
- local.add_tags["safeguard"][length(local.safeguard_tags) > 0 ? "exists" : "not_exists"]
- )
metadata_tags = merge(
var.metadata_tags,
{ for k, v in local.enforced_tags : format("x-amzn-meta-%v", replace(k, "/\\W/", "_")) => v }
@@ -70,7 +41,8 @@ resource "aws_s3_bucket" "this" {
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.key.arn
+ # kms_master_key_id = aws_kms_key.key.arn
+ kms_master_key_id = local.kms_key_arn
sse_algorithm = "aws:kms"
}
}
@@ -218,49 +190,6 @@ resource "aws_s3_bucket_object" "this_objects" {
depends_on = [null_resource.policy_delay]
}
-#---
-# create a key and alias if not specified
-# right now, this can't use an external key, it has to create one per bucket
-#---
-resource "aws_kms_key" "key" {
- description = "KMS CMK for S3 bucket ${local.name}"
- enable_key_rotation = true
- policy = data.aws_iam_policy_document.key_policy_combined.json
-
- tags = merge(
- local.base_tags,
- var.tags,
- local.enforced_tags,
- map("Name", local.kms_key_name)
- )
-}
-
-resource "aws_kms_alias" "key" {
- name = "alias/${local.kms_key_name}"
- target_key_id = aws_kms_key.key.key_id
-}
-
-# auto includes root
-data "aws_iam_policy_document" "key_admin" {
- statement {
- sid = "BuiltinKMSAdminRoles"
- effect = "Allow"
- actions = ["kms:*"]
- resources = ["*"]
- principals {
- type = "AWS"
- identifiers = local.kms_admin_roles
- }
- }
-}
-
-data "aws_iam_policy_document" "key_policy_combined" {
- source_policy_documents = [
- data.aws_iam_policy_document.key_admin.json,
- local.kms_policy_document
- ]
-}
-
data "aws_iam_policy_document" "bucket_policy_combined" {
source_policy_documents = [
data.aws_iam_policy_document.this.json,
@@ -268,4 +197,3 @@ data "aws_iam_policy_document" "bucket_policy_combined" {
]
}
-data "aws_iam_policy_document" "empty" {}
diff --git a/common/variables.common.tf b/common/variables.common.tf
new file mode 100644
index 0000000..010acce
--- /dev/null
+++ b/common/variables.common.tf
@@ -0,0 +1,6 @@
+variable "tags" {
+ description = "AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data_safeguard field for such things."
+ type = map(string)
+ default = {}
+}
+
diff --git a/common/variables.kms.tf b/common/variables.kms.tf
new file mode 100644
index 0000000..3fe6f33
--- /dev/null
+++ b/common/variables.kms.tf
@@ -0,0 +1,23 @@
+variable "kms_key_id" {
+ description = "AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated)."
+ type = string
+ default = null
+}
+
+variable "kms_key_arn" {
+ description = "AWS KMS Key ARN, a key created external to this module call."
+ type = string
+ default = null
+}
+
+variable "kms_policy_document" {
+ description = "AWS KMS Key Policy Document JSON, merged with admin policy document"
+ type = string
+ default = ""
+}
+
+variable "kms_admin_roles" {
+ description = "AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default."
+ type = list(string)
+ default = []
+}
diff --git a/common/variables.tf b/common/variables.s3.tf
similarity index 75%
rename from common/variables.tf
rename to common/variables.s3.tf
index 689fd00..6f15cf3 100644
--- a/common/variables.tf
+++ b/common/variables.s3.tf
@@ -15,30 +15,6 @@ variable "bucket_policy_document" {
default = ""
}
-variable "kms_key_id" {
- description = "AWS KMS Key ID (one per bucket). This is currently ignored."
- type = string
- default = ""
-}
-
-variable "kms_policy_document" {
- description = "AWS KMS Key Policy Document JSON, merged with admin policy document"
- type = string
- default = ""
-}
-
-variable "kms_admin_roles" {
- description = "AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default."
- type = list(string)
- default = []
-}
-
-variable "tags" {
- description = "AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data_safeguard field for such things."
- type = map(string)
- default = {}
-}
-
variable "metadata_tags" {
description = "AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data_safeguard labels are applied, they will be incorporated on any bucket objects created."
type = map(string)
diff --git a/common/version.tf b/common/version.tf
index 548c682..03d330b 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "2.2.2"
+ _module_version = "2.3.0"
}
diff --git a/examples/.terraform-docs.yml b/examples/.terraform-docs.yml
new file mode 100644
index 0000000..8391b9d
--- /dev/null
+++ b/examples/.terraform-docs.yml
@@ -0,0 +1,44 @@
+formatter: markdown table
+
+header-from: main.tf
+footer-from: ""
+
+sections:
+## hide: []
+ show:
+ - data-sources
+ - header
+ - footer
+ - inputs
+ - modules
+ - outputs
+ - providers
+ - requirements
+ - resources
+
+output:
+ file: README.md
+ mode: inject
+ template: |-
+
+ {{ .Content }}
+
+
+## output-values:
+## enabled: false
+## from: ""
+##
+## sort:
+## enabled: true
+## by: name
+##
+## settings:
+## anchor: true
+## color: true
+## default: true
+## description: false
+## escape: true
+## indent: 2
+## required: true
+## sensitive: true
+## type: true
diff --git a/examples/README.md b/examples/README.md
new file mode 100644
index 0000000..01962df
--- /dev/null
+++ b/examples/README.md
@@ -0,0 +1,11 @@
+# Examples
+
+Here we have some examples for use of this module and supporting submodules.
+
+## policy
+## s3-standard
+## s3-title26
+## kms-key
+
+
+
diff --git a/examples/kms-key/README.md b/examples/kms-key/README.md
new file mode 100644
index 0000000..d172bd4
--- /dev/null
+++ b/examples/kms-key/README.md
@@ -0,0 +1,27 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [simple-key](#module\_simple-key) | git@github.e.it.census.gov:terraform-modules/aws-s3.git//kms_key | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [simple-key-info](#output\_simple-key-info) | KMS Key Info |
diff --git a/examples/kms-key/simple-kms-key.tf b/examples/kms-key/simple-kms-key.tf
new file mode 100644
index 0000000..9e8e9b1
--- /dev/null
+++ b/examples/kms-key/simple-kms-key.tf
@@ -0,0 +1,17 @@
+module "simple-key" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//kms_key"
+ key_name = "my-simple-key"
+
+ ## optional
+ # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
+ # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+}
+
+output "simple-key-info" {
+ description = "KMS Key Info"
+ value = {
+ arn = module.simple-key.kms_key_arn
+ id = module.simple-key.kms_key_id
+ alias = module.simple-key.kms_key_alias
+ }
+}
diff --git a/examples/policy/README.md b/examples/policy/README.md
new file mode 100644
index 0000000..0acfbad
--- /dev/null
+++ b/examples/policy/README.md
@@ -0,0 +1,28 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
diff --git a/examples/standard/README.md b/examples/standard/README.md
new file mode 100644
index 0000000..f842a0e
--- /dev/null
+++ b/examples/standard/README.md
@@ -0,0 +1,27 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [my-bucket](#module\_my-bucket) | git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [my-bucket-info](#output\_my-bucket-info) | S3 Standard Bucket Info |
diff --git a/examples/standard/simple-bucket.tf b/examples/standard/simple-bucket.tf
new file mode 100644
index 0000000..8a62cc6
--- /dev/null
+++ b/examples/standard/simple-bucket.tf
@@ -0,0 +1,19 @@
+module "my-bucket" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard"
+
+ bucket_name = "my-normalbucket"
+ access_log_bucket = "my-logbucket"
+ # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
+
+ ## optional
+ # kms_policy_document = data.aws_iam_policy_document.my-policy.json
+ # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
+}
+
+output "my-bucket-info" {
+ description = "S3 Standard Bucket Info"
+ value = {
+ arn = module.my-bucket.s3_bucket_arn
+ id = module.my-bucket.s3_bucket_id
+ }
+}
diff --git a/kms_key/README.md b/kms_key/README.md
new file mode 100644
index 0000000..473bae2
--- /dev/null
+++ b/kms_key/README.md
@@ -0,0 +1,95 @@
+# About aws-s3 :: kms\_key
+
+This submodule allows you to create a KMS key for use with S3 buckets. You have to create the key first
+before trying to call it in a module. This is useful if you have a lot of buckets you wish to share the
+same key.
+
+## Usage: Create
+
+```hcl
+module "simple-key" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//kms_key"
+ key_name = "my-simple-key"
+
+ ## optional
+ # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
+ # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+}
+
+output "simple-key-info" {
+ description = "KMS Key Info"
+ value = {
+ arn = module.simple-key.kms_key_arn
+ id = module.simple-key.kms_key_id
+ alias = module.simple-key.kms_key_alias
+ }
+}
+```
+
+## Usage: Reference
+```hcl
+module "my-bucket" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard"
+
+ bucket_name = "my-normalbucket"
+ access_log_bucket = "my-logbucket"
+ kms_key_arn = module.simple-key.kms_key_arn
+}
+
+output "my-bucket-info" {
+ description = "S3 Standard Bucket Info"
+ value = {
+ arn = module.my-bucket.s3_bucket_arn
+ id = module.my-bucket.s3_bucket_id
+ }
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no |
+| [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no |
+| [key\_name](#input\_key\_name) | KMS Key Name (alias). Standard prefix will be added. | `string` | n/a | yes |
+| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no |
+| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no |
+| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no |
+| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [kms\_key\_alias](#output\_kms\_key\_alias) | KMS Key Alias name. If a kms\_key\_arn passed in, this will be null. |
+| [kms\_key\_arn](#output\_kms\_key\_arn) | KMS Key ARN. This is the created key ARN or the key ARN of kms\_key\_arn |
+| [kms\_key\_id](#output\_kms\_key\_id) | KMS Key ID. This is the created key id or the key id of kms\_key\_arn |
diff --git a/kms_key/base_settings.tf b/kms_key/base_settings.tf
new file mode 120000
index 0000000..396784e
--- /dev/null
+++ b/kms_key/base_settings.tf
@@ -0,0 +1 @@
+../common/base_settings.tf
\ No newline at end of file
diff --git a/kms_key/base_tags.tf b/kms_key/base_tags.tf
new file mode 120000
index 0000000..91c15aa
--- /dev/null
+++ b/kms_key/base_tags.tf
@@ -0,0 +1 @@
+../common/base_tags.tf
\ No newline at end of file
diff --git a/kms_key/data.tf b/kms_key/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/kms_key/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/kms_key/defaults.tf b/kms_key/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/kms_key/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/kms_key/kms.tf b/kms_key/kms.tf
new file mode 120000
index 0000000..b0b3f29
--- /dev/null
+++ b/kms_key/kms.tf
@@ -0,0 +1 @@
+../common/kms.tf
\ No newline at end of file
diff --git a/kms_key/main.tf b/kms_key/main.tf
new file mode 100644
index 0000000..067e762
--- /dev/null
+++ b/kms_key/main.tf
@@ -0,0 +1,58 @@
+/*
+* # About aws-s3 :: kms_key
+*
+* This submodule allows you to create a KMS key for use with S3 buckets. You have to create the key first
+* before trying to call it in a module. This is useful if you have a lot of buckets you wish to share the
+* same key.
+*
+* ## Usage: Create
+*
+* ```hcl
+* module "simple-key" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//kms_key"
+* key_name = "my-simple-key"
+*
+* ## optional
+* # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
+* # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
+* }
+*
+* output "simple-key-info" {
+* description = "KMS Key Info"
+* value = {
+* arn = module.simple-key.kms_key_arn
+* id = module.simple-key.kms_key_id
+* alias = module.simple-key.kms_key_alias
+* }
+* }
+* ```
+*
+* ## Usage: Reference
+* ```hcl
+* module "my-bucket" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard"
+*
+* bucket_name = "my-normalbucket"
+* access_log_bucket = "my-logbucket"
+* kms_key_arn = module.simple-key.kms_key_arn
+* }
+*
+* output "my-bucket-info" {
+* description = "S3 Standard Bucket Info"
+* value = {
+* arn = module.my-bucket.s3_bucket_arn
+* id = module.my-bucket.s3_bucket_id
+* }
+* }
+* ```
+*/
+
+
+locals {
+ name = var.key_name
+ enable_title26 = var.enable_title26 ? true : false
+}
+
+
+
+
diff --git a/kms_key/outputs.kms.tf b/kms_key/outputs.kms.tf
new file mode 120000
index 0000000..74a8d7b
--- /dev/null
+++ b/kms_key/outputs.kms.tf
@@ -0,0 +1 @@
+../common/outputs.kms.tf
\ No newline at end of file
diff --git a/kms_key/prefixes.tf b/kms_key/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/kms_key/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/kms_key/safeguard_variables.tf b/kms_key/safeguard_variables.tf
new file mode 100644
index 0000000..a934cfc
--- /dev/null
+++ b/kms_key/safeguard_variables.tf
@@ -0,0 +1,14 @@
+/*
+* Valid values include: title13, title26, title42, pii, title5
+*/
+variable "data_safeguards" {
+ description = "Selected available safeguards which apply to the data in the bucket"
+ type = list(string)
+ default = []
+}
+
+variable "enable_title26" {
+ description = "Flag to enable bucket with Title 26 (FTI) settings"
+ type = bool
+ default = false
+}
diff --git a/kms_key/variables.common.tf b/kms_key/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/kms_key/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/kms_key/variables.kms.tf b/kms_key/variables.kms.tf
new file mode 120000
index 0000000..08cab47
--- /dev/null
+++ b/kms_key/variables.kms.tf
@@ -0,0 +1 @@
+../common/variables.kms.tf
\ No newline at end of file
diff --git a/kms_key/variables.tf b/kms_key/variables.tf
new file mode 100644
index 0000000..a076f54
--- /dev/null
+++ b/kms_key/variables.tf
@@ -0,0 +1,5 @@
+variable "key_name" {
+ description = "KMS Key Name (alias). Standard prefix will be added."
+ type = string
+}
+
diff --git a/kms_key/version.tf b/kms_key/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/kms_key/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/standard/README.md b/standard/README.md
index c6739b3..e6eb0f6 100644
--- a/standard/README.md
+++ b/standard/README.md
@@ -9,16 +9,24 @@ Other configurations such as versioning or data safegurad tagging (only on the b
# Usage
```hcl
-module "mybucket" {
+module "my-bucket" {
source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard"
- bucket_name = "mynormalbucket"
- access_log_bucket = "mylogbucket"
- kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
+ bucket_name = "my-normalbucket"
+ access_log_bucket = "my-logbucket"
+ # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
## optional
- # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
- # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
+ # kms_policy_document = data.aws_iam_policy_document.my-policy.json
+ # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
+}
+
+output "my-bucket-info" {
+ description = "S3 Standard Bucket Info"
+ value = {
+ arn = module.my-bucket.s3_bucket_arn
+ id = module.my-bucket.s3_bucket_id
+ }
}
```
@@ -116,6 +124,7 @@ No modules.
| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
@@ -133,7 +142,8 @@ No modules.
| [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no |
| [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no |
-| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no |
+| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no |
+| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no |
| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
| [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
| [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
@@ -143,8 +153,8 @@ No modules.
| Name | Description |
|------|-------------|
-| [kms\_key\_alias](#output\_kms\_key\_alias) | Created KMS Key Alias name |
-| [kms\_key\_arn](#output\_kms\_key\_arn) | Created KMS Key ARN |
-| [kms\_key\_id](#output\_kms\_key\_id) | Created KMS Key ID |
+| [kms\_key\_alias](#output\_kms\_key\_alias) | KMS Key Alias name. If a kms\_key\_arn passed in, this will be null. |
+| [kms\_key\_arn](#output\_kms\_key\_arn) | KMS Key ARN. This is the created key ARN or the key ARN of kms\_key\_arn |
+| [kms\_key\_id](#output\_kms\_key\_id) | KMS Key ID. This is the created key id or the key id of kms\_key\_arn |
| [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | Created S3 Bucket ARN |
| [s3\_bucket\_id](#output\_s3\_bucket\_id) | Created S3 Bucket ID |
diff --git a/standard/base_settings.tf b/standard/base_settings.tf
new file mode 120000
index 0000000..396784e
--- /dev/null
+++ b/standard/base_settings.tf
@@ -0,0 +1 @@
+../common/base_settings.tf
\ No newline at end of file
diff --git a/standard/base_tags.tf b/standard/base_tags.tf
new file mode 120000
index 0000000..91c15aa
--- /dev/null
+++ b/standard/base_tags.tf
@@ -0,0 +1 @@
+../common/base_tags.tf
\ No newline at end of file
diff --git a/standard/kms.tf b/standard/kms.tf
new file mode 120000
index 0000000..b0b3f29
--- /dev/null
+++ b/standard/kms.tf
@@ -0,0 +1 @@
+../common/kms.tf
\ No newline at end of file
diff --git a/standard/main.tf b/standard/main.tf
index d21c81b..2de9d6c 100644
--- a/standard/main.tf
+++ b/standard/main.tf
@@ -10,16 +10,24 @@
* # Usage
*
* ```hcl
-* module "mybucket" {
+* module "my-bucket" {
* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard"
-*
-* bucket_name = "mynormalbucket"
-* access_log_bucket = "mylogbucket"
-* kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
-*
+*
+* bucket_name = "my-normalbucket"
+* access_log_bucket = "my-logbucket"
+* # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
+*
* ## optional
-* # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
-* # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
+* # kms_policy_document = data.aws_iam_policy_document.my-policy.json
+* # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
+* }
+*
+* output "my-bucket-info" {
+* description = "S3 Standard Bucket Info"
+* value = {
+* arn = module.my-bucket.s3_bucket_arn
+* id = module.my-bucket.s3_bucket_id
+* }
* }
* ```
*
@@ -91,4 +99,3 @@ locals {
}
-
diff --git a/standard/outputs.kms.tf b/standard/outputs.kms.tf
new file mode 120000
index 0000000..74a8d7b
--- /dev/null
+++ b/standard/outputs.kms.tf
@@ -0,0 +1 @@
+../common/outputs.kms.tf
\ No newline at end of file
diff --git a/standard/outputs.s3.tf b/standard/outputs.s3.tf
new file mode 120000
index 0000000..594685a
--- /dev/null
+++ b/standard/outputs.s3.tf
@@ -0,0 +1 @@
+../common/outputs.s3.tf
\ No newline at end of file
diff --git a/standard/outputs.tf b/standard/outputs.tf
deleted file mode 120000
index 93b0065..0000000
--- a/standard/outputs.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/outputs.tf
\ No newline at end of file
diff --git a/standard/variables.common.tf b/standard/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/standard/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/standard/variables.kms.tf b/standard/variables.kms.tf
new file mode 120000
index 0000000..08cab47
--- /dev/null
+++ b/standard/variables.kms.tf
@@ -0,0 +1 @@
+../common/variables.kms.tf
\ No newline at end of file
diff --git a/standard/variables.s3.tf b/standard/variables.s3.tf
new file mode 120000
index 0000000..49213df
--- /dev/null
+++ b/standard/variables.s3.tf
@@ -0,0 +1 @@
+../common/variables.s3.tf
\ No newline at end of file
diff --git a/standard/variables.tf b/standard/variables.tf
deleted file mode 120000
index 72202b3..0000000
--- a/standard/variables.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/variables.tf
\ No newline at end of file
diff --git a/title26/base_settings.tf b/title26/base_settings.tf
new file mode 120000
index 0000000..396784e
--- /dev/null
+++ b/title26/base_settings.tf
@@ -0,0 +1 @@
+../common/base_settings.tf
\ No newline at end of file
diff --git a/title26/base_tags.tf b/title26/base_tags.tf
new file mode 120000
index 0000000..91c15aa
--- /dev/null
+++ b/title26/base_tags.tf
@@ -0,0 +1 @@
+../common/base_tags.tf
\ No newline at end of file
diff --git a/title26/kms.tf b/title26/kms.tf
new file mode 120000
index 0000000..b0b3f29
--- /dev/null
+++ b/title26/kms.tf
@@ -0,0 +1 @@
+../common/kms.tf
\ No newline at end of file
diff --git a/title26/outputs.kms.tf b/title26/outputs.kms.tf
new file mode 120000
index 0000000..74a8d7b
--- /dev/null
+++ b/title26/outputs.kms.tf
@@ -0,0 +1 @@
+../common/outputs.kms.tf
\ No newline at end of file
diff --git a/title26/outputs.s3.tf b/title26/outputs.s3.tf
new file mode 120000
index 0000000..594685a
--- /dev/null
+++ b/title26/outputs.s3.tf
@@ -0,0 +1 @@
+../common/outputs.s3.tf
\ No newline at end of file
diff --git a/title26/outputs.tf b/title26/outputs.tf
deleted file mode 120000
index 93b0065..0000000
--- a/title26/outputs.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/outputs.tf
\ No newline at end of file
diff --git a/title26/variables.common.tf b/title26/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/title26/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/title26/variables.kms.tf b/title26/variables.kms.tf
new file mode 120000
index 0000000..08cab47
--- /dev/null
+++ b/title26/variables.kms.tf
@@ -0,0 +1 @@
+../common/variables.kms.tf
\ No newline at end of file
diff --git a/title26/variables.s3.tf b/title26/variables.s3.tf
new file mode 120000
index 0000000..49213df
--- /dev/null
+++ b/title26/variables.s3.tf
@@ -0,0 +1 @@
+../common/variables.s3.tf
\ No newline at end of file
diff --git a/title26/variables.tf b/title26/variables.tf
deleted file mode 120000
index 72202b3..0000000
--- a/title26/variables.tf
+++ /dev/null
@@ -1 +0,0 @@
-../common/variables.tf
\ No newline at end of file