From 5b8369bdead2af36b0c4accb9232ee1cb8e53dde Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 17 Nov 2021 13:06:56 -0500 Subject: [PATCH 01/16] add kms_key submodule, factor out code for passign in kms key --- CHANGELOG.md | 4 ++ common/README.md | 3 +- common/outputs.tf | 30 ------------ common/resources.tf | 66 +++----------------------- common/variables.tf | 86 ---------------------------------- common/version.tf | 2 +- kms_key/README.md | 65 +++++++++++++++++++++++++ kms_key/data.tf | 1 + kms_key/defaults.tf | 1 + kms_key/kms.tf | 1 + kms_key/main.tf | 23 +++++++++ kms_key/outputs.kms.tf | 1 + kms_key/prefixes.tf | 1 + kms_key/safeguard_variables.tf | 14 ++++++ kms_key/variables.common.tf | 1 + kms_key/variables.kms.tf | 1 + kms_key/variables.tf | 5 ++ kms_key/version.tf | 1 + standard/outputs.tf | 1 - standard/variables.tf | 1 - title26/outputs.tf | 1 - title26/variables.tf | 1 - 22 files changed, 129 insertions(+), 181 deletions(-) delete mode 100644 common/outputs.tf delete mode 100644 common/variables.tf create mode 100644 kms_key/README.md create mode 120000 kms_key/data.tf create mode 120000 kms_key/defaults.tf create mode 120000 kms_key/kms.tf create mode 100644 kms_key/main.tf create mode 120000 kms_key/outputs.kms.tf create mode 120000 kms_key/prefixes.tf create mode 100644 kms_key/safeguard_variables.tf create mode 120000 kms_key/variables.common.tf create mode 120000 kms_key/variables.kms.tf create mode 100644 kms_key/variables.tf create mode 120000 kms_key/version.tf delete mode 120000 standard/outputs.tf delete mode 120000 standard/variables.tf delete mode 120000 title26/outputs.tf delete mode 120000 title26/variables.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 081e9eb..3057c0e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -42,3 +42,7 @@ Provides standard and t26 S3 bucket construction.
 * v2.2.2 -- 20211104
 - update documenation to include sample policy and policy document
+
+* v2.3.0 -- 20211117
+ - allow kms_key_arn to be created externally
+ - prep submodule kms_key to be able to handle that
diff --git a/common/README.md b/common/README.md
index fa95728..41623d7 100644
--- a/common/README.md
+++ b/common/README.md
@@ -46,7 +46,8 @@ No modules. | [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additiona policy to be attached to the bucket beyond the default | `string` | `""` | no | | [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | | [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | -| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no | +| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no | +| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no | | [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no | | [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | | [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no | diff --git a/common/outputs.tf b/common/outputs.tf deleted file mode 100644 index 254a87e..0000000 --- a/common/outputs.tf +++ /dev/null 
@@ -1,30 +0,0 @@ -#--- -# bucket -#--- -output "s3_bucket_arn" { - description = "Created S3 Bucket ARN" - value = aws_s3_bucket.this.arn -} - -output "s3_bucket_id" { - description = "Created S3 Bucket ID" - value = aws_s3_bucket.this.id -} - -#--- -# key -#--- -output "kms_key_id" { - description = "Created KMS Key ID" - value = aws_kms_key.key.id -} - -output "kms_key_arn" { - description = "Created KMS Key ARN" - value = aws_kms_key.key.arn -} - -output "kms_key_alias" { - description = "Created KMS Key Alias name" - value = aws_kms_alias.key.name -} diff --git a/common/resources.tf b/common/resources.tf index 5a5c541..6496033 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -1,5 +1,4 @@ locals { - account_id = data.aws_caller_identity.current.account_id current_user_arn = data.aws_caller_identity.current.arn partition = data.aws_arn.current.partition 
@@ -12,13 +11,12 @@ locals {
 bucket_name = format("%s%s", local._prefixes["s3"], local.name)
 bucket_policy_document = length(var.bucket_policy_document) > 0 ? var.bucket_policy_document : data.aws_iam_policy_document.empty.json
- # kms_key_arn_exists = var.kms_key_arn != "" && var.kms_key_arn != null
- kms_key_arn = aws_kms_key.key.arn
- kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
+ # kms_key_arn = aws_kms_key.key.arn
+ # kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
- kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
- kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles))
- kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
+ # kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
+ # kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+ # kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
 condition_allowed_cidr = {
 "test" : "NotIpAddress"
@@ -70,7 +68,8 @@ resource "aws_s3_bucket" "this" {
 server_side_encryption_configuration {
 rule {
 apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.key.arn
+ # kms_master_key_id = aws_kms_key.key.arn
+ kms_master_key_id = local.kms_key_arn
 sse_algorithm = "aws:kms"
 }
 }
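Review bot: `kms_master_key_id = local.kms_key_arn` in the server_side_encryption hunk references a local whose only definition in this commit is the commented-out `# kms_key_arn = aws_kms_key.key.arn` in the locals hunk above; the real definition only arrives with `common/kms.tf` in PATCH 03, so this commit does not plan on its own. The same commit removes `local.account_id` from the locals at the top of the file while the later kms.tf still uses it in `kms_admin_root`, and the deletion hunk at line 218 removes `data.aws_iam_policy_document.empty`, which the `bucket_policy_document` local in this hunk still references — unless those names are re-declared in a file outside this diff (data.tf is not shown). Squashing PATCH 01 with PATCH 03, or moving the kms.tf creation into this commit, would keep every commit in the series applicable and bisectable.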
@@ -218,54 +217,3 @@ resource "aws_s3_bucket_object" "this_objects" { depends_on = [null_resource.policy_delay] } -#--- -# create a key and alias if not specified -# right now, this can't use an external key, it has to create one per bucket -#--- -resource "aws_kms_key" "key" { - description = "KMS CMK for S3 bucket ${local.name}" - enable_key_rotation = true - policy = data.aws_iam_policy_document.key_policy_combined.json - - tags = merge( - local.base_tags, - var.tags, - local.enforced_tags, - map("Name", local.kms_key_name) - ) -} - -resource "aws_kms_alias" "key" { - name = "alias/${local.kms_key_name}" - target_key_id = aws_kms_key.key.key_id -} - -# auto includes root -data "aws_iam_policy_document" "key_admin" { - statement { - sid = "BuiltinKMSAdminRoles" - effect = "Allow" - actions = ["kms:*"] - resources = ["*"] - principals { - type = "AWS" - identifiers = local.kms_admin_roles - } - } -} - -data "aws_iam_policy_document" "key_policy_combined" { - source_policy_documents = [ - data.aws_iam_policy_document.key_admin.json, - local.kms_policy_document - ] -} - -data "aws_iam_policy_document" "bucket_policy_combined" { - source_policy_documents = [ - data.aws_iam_policy_document.this.json, - local.bucket_policy_document - ] -} - -data "aws_iam_policy_document" "empty" {} diff --git a/common/variables.tf b/common/variables.tf deleted file mode 100644 index 689fd00..0000000 --- a/common/variables.tf +++ /dev/null 
@@ -1,86 +0,0 @@ -variable "bucket_name" { - description = "AWS Bucket Name. Standard prefix will be applied here, do not include here." - type = string -} - -variable "bucket_folders" { - description = "List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata_tags and data_safeguard labels." - type = list(string) - default = [] -} - -variable "bucket_policy_document" { - description = "IAM Policy document describing additiona policy to be attached to the bucket beyond the default" - type = string - default = "" -} - -variable "kms_key_id" { - description = "AWS KMS Key ID (one per bucket). This is currently ignored." - type = string - default = "" -} - -variable "kms_policy_document" { - description = "AWS KMS Key Policy Document JSON, merged with admin policy document" - type = string - default = "" -} - -variable "kms_admin_roles" { - description = "AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default." - type = list(string) - default = [] -} - -variable "tags" { - description = "AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data_safeguard field for such things." - type = map(string) - default = {} -} - -variable "metadata_tags" { - description = "AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data_safeguard labels are applied, they will be incorporated on any bucket objects created." - type = map(string) - default = {} -} - -variable "access_log_bucket_prefix" { - description = "Access log bucket prefix, to which the bucket name will be appended to make the target_prefix" - type = string - default = "s3" -} - -variable "access_log_bucket" { - description = "Server Access Logging Bucket ID" - type = string - # default = null -} - -variable "allowed_cidr" { - description = "List of allowed source IPs (NOT from within the VPC). 
If empty, there will be no restrictions on source IP. If provided, you must also use allowed_endpoints for access within a VPC." - type = list(string) - default = [] -} - -variable "allowed_endpoints" { - description = "List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints." - type = list(string) - default = [] -} - -variable "force_destroy" { - description = "Sets force_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource." - type = bool - default = false -} - -variable "require_explicit_encryption" { - description = "When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed." - type = bool - default = false -} - -# TBD -# variable "kms_policy_read_arns" { } -# variable "kms_policy_write_arns" { } diff --git a/common/version.tf b/common/version.tf index 548c682..03d330b 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "2.2.2" + _module_version = "2.3.0" } diff --git a/kms_key/README.md b/kms_key/README.md new file mode 100644 index 0000000..3359374 --- /dev/null +++ b/kms_key/README.md 
@@ -0,0 +1,65 @@ +# About aws-s3 :: kms\_key + +This submodule allows you to create a KMS key for use with S3 buckets. + +# Usage + +```hcl +module "mykey" { + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//kms_key" + key_name = "mykeyname" + + ## optional + # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] + # kms_policy_document = data.aws_iam_policy_document.mypolicy.json +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.bucket_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | 
+|------|-------------|------|---------|:--------:| +| [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no | +| [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no | +| [key\_name](#input\_key\_name) | KMS Key Name (alias). Standard prefix will be added. | `string` | n/a | yes | +| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | +| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no | +| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no | +| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [kms\_key\_alias](#output\_kms\_key\_alias) | Created KMS Key Alias name | +| [kms\_key\_arn](#output\_kms\_key\_arn) | Created KMS Key ARN | +| [kms\_key\_id](#output\_kms\_key\_id) | Created KMS Key ID | diff --git a/kms_key/data.tf b/kms_key/data.tf new file mode 120000 index 0000000..995624d --- /dev/null +++ b/kms_key/data.tf @@ -0,0 +1 @@ +../common/data.tf \ No newline at end of file diff --git a/kms_key/defaults.tf b/kms_key/defaults.tf new file mode 120000 index 0000000..a5556ac --- /dev/null +++ b/kms_key/defaults.tf @@ -0,0 +1 @@ +../common/defaults.tf \ No newline at end of file 
diff --git a/kms_key/kms.tf b/kms_key/kms.tf new file mode 120000 index 0000000..b0b3f29 --- /dev/null +++ b/kms_key/kms.tf @@ -0,0 +1 @@ +../common/kms.tf \ No newline at end of file diff --git a/kms_key/main.tf b/kms_key/main.tf new file mode 100644 index 0000000..6f47c84 --- /dev/null +++ b/kms_key/main.tf @@ -0,0 +1,23 @@ +/* +* # About aws-s3 :: kms_key +* +* This submodule allows you to create a KMS key for use with S3 buckets. +* +* # Usage +* +* ```hcl +* module "mykey" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//kms_key" +* key_name = "mykeyname" +* +* ## optional +* # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] +* # kms_policy_document = data.aws_iam_policy_document.mypolicy.json +* } +* ``` +*/ + + +locals { + name = var.key_name +} diff --git a/kms_key/outputs.kms.tf b/kms_key/outputs.kms.tf new file mode 120000 index 0000000..74a8d7b --- /dev/null +++ b/kms_key/outputs.kms.tf @@ -0,0 +1 @@ +../common/outputs.kms.tf \ No newline at end of file diff --git a/kms_key/prefixes.tf b/kms_key/prefixes.tf new file mode 120000 index 0000000..7e265d5 --- /dev/null +++ b/kms_key/prefixes.tf @@ -0,0 +1 @@ +../common/prefixes.tf \ No newline at end of file diff --git a/kms_key/safeguard_variables.tf b/kms_key/safeguard_variables.tf new file mode 100644 index 0000000..a934cfc --- /dev/null +++ b/kms_key/safeguard_variables.tf @@ -0,0 +1,14 @@ +/* +* Valid values include: title13, title26, title42, pii, title5 +*/ +variable "data_safeguards" { + description = "Selected available safeguards which apply to the data in the bucket" + type = list(string) + default = [] +} + +variable "enable_title26" { + description = "Flag to enable bucket with Title 26 (FTI) settings" + type = bool + default = false +} diff --git a/kms_key/variables.common.tf b/kms_key/variables.common.tf new file mode 120000 index 0000000..7439ed8 --- /dev/null +++ b/kms_key/variables.common.tf @@ -0,0 +1 @@ +../common/variables.common.tf \ No newline at end of file 
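Review bot: The allowed values for `data_safeguards` (`title13, title26, title42, pii, title5`) exist only in the header comment of `kms_key/safeguard_variables.tf`; nothing rejects a misspelled safeguard, so a typo silently yields a key without the intended labels. If the module targets Terraform 0.13 or later, a `validation` block on the variable catches this at plan time (below); `setsubtract` is used rather than `alltrue`, which only arrived in 0.14, and the module's continued use of `map()` suggests an older toolchain. The `enable_title26` description still talks about a bucket although this submodule only creates a key — `"Flag to enable Title 26 (FTI) settings for the key"` would match its context.
```hcl
variable "data_safeguards" {
  # … unchanged: description, type, default …

  validation {
    condition     = length(setsubtract(var.data_safeguards, ["title13", "title26", "title42", "pii", "title5"])) == 0
    error_message = "data_safeguards may only contain: title13, title26, title42, pii, title5."
  }
}
```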
diff --git a/kms_key/variables.kms.tf b/kms_key/variables.kms.tf new file mode 120000 index 0000000..08cab47 --- /dev/null +++ b/kms_key/variables.kms.tf @@ -0,0 +1 @@ +../common/variables.kms.tf \ No newline at end of file diff --git a/kms_key/variables.tf b/kms_key/variables.tf new file mode 100644 index 0000000..a076f54 --- /dev/null +++ b/kms_key/variables.tf @@ -0,0 +1,5 @@ +variable "key_name" { + description = "KMS Key Name (alias). Standard prefix will be added." + type = string +} + diff --git a/kms_key/version.tf b/kms_key/version.tf new file mode 120000 index 0000000..b83c5b7 --- /dev/null +++ b/kms_key/version.tf @@ -0,0 +1 @@ +../common/version.tf \ No newline at end of file diff --git a/standard/outputs.tf b/standard/outputs.tf deleted file mode 120000 index 93b0065..0000000 --- a/standard/outputs.tf +++ /dev/null @@ -1 +0,0 @@ -../common/outputs.tf \ No newline at end of file diff --git a/standard/variables.tf b/standard/variables.tf deleted file mode 120000 index 72202b3..0000000 --- a/standard/variables.tf +++ /dev/null @@ -1 +0,0 @@ -../common/variables.tf \ No newline at end of file diff --git a/title26/outputs.tf b/title26/outputs.tf deleted file mode 120000 index 93b0065..0000000 --- a/title26/outputs.tf +++ /dev/null @@ -1 +0,0 @@ -../common/outputs.tf \ No newline at end of file diff --git a/title26/variables.tf b/title26/variables.tf deleted file mode 120000 index 72202b3..0000000 --- a/title26/variables.tf +++ /dev/null @@ -1 +0,0 @@ -../common/variables.tf \ No newline at end of file From c0518de1e2b881d4d9f83426182b9f79d12a5298 Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 17 Nov 2021 13:07:42 -0500 Subject: [PATCH 02/16] exclude common/ --- .pre-commit-config.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b71d691..3294764 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -6,9 +6,7 @@ repos:
 - id: terraform_fmt
 - id: terraform_docs_replace
 args: ['table']
- exclude: common/*.tf
- exclude: version.tf
-
+ exclude: common
 - repo: https://github.com/pre-commit/pre-commit-hooks
 rev: v3.1.0
 hooks:
From a138cf2930996d900f1d6012186af1520581d80e Mon Sep 17 00:00:00 2001
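Review bot: `exclude: common` is an unanchored regular expression — pre-commit matches `exclude` with `re.search` against the full path — so it also silences terraform_docs_replace for `standard/variables.common.tf`, `title26/variables.common.tf` and `kms_key/variables.common.tf`, not only the `common/` directory. Those files are symlinks into common/ in this series, so the effect may be acceptable, but it is accidental; `exclude: ^common/` states the intent and keeps any future file whose name merely contains "common" in scope. The two `exclude:` keys being replaced were duplicate YAML keys on one hook, so only one of them ever applied — worth a sentence in the commit message, since the commit is fixing that as well.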
From: badra001 Date: Wed, 17 Nov 2021 13:08:11 -0500 Subject: [PATCH 03/16] factor out kms code --- common/README.md | 64 ---------------------------------- common/kms.tf | 66 ++++++++++++++++++++++++++++++++++++ common/outputs.kms.tf | 18 ++++++++++ common/outputs.s3.tf | 12 +++++++ common/variables.common.tf | 6 ++++ common/variables.kms.tf | 23 +++++++++++++ common/variables.s3.tf | 62 +++++++++++++++++++++++++++++++++ examples/policy/README.md | 28 +++++++++++++++ standard/kms.tf | 1 + standard/outputs.kms.tf | 1 + standard/outputs.s3.tf | 1 + standard/variables.common.tf | 1 + standard/variables.kms.tf | 1 + standard/variables.s3.tf | 1 + title26/kms.tf | 1 + title26/outputs.kms.tf | 1 + title26/outputs.s3.tf | 1 + title26/variables.common.tf | 1 + title26/variables.kms.tf | 1 + title26/variables.s3.tf | 1 + 20 files changed, 227 insertions(+), 64 deletions(-) delete mode 100644 common/README.md create mode 100644 common/kms.tf create mode 100644 common/outputs.kms.tf create mode 100644 common/outputs.s3.tf create mode 100644 common/variables.common.tf create mode 100644 common/variables.kms.tf create mode 100644 common/variables.s3.tf create mode 100644 examples/policy/README.md create mode 120000 standard/kms.tf create mode 120000 standard/outputs.kms.tf create mode 120000 standard/outputs.s3.tf create mode 120000 standard/variables.common.tf create mode 120000 standard/variables.kms.tf create mode 120000 standard/variables.s3.tf create mode 120000 title26/kms.tf create mode 120000 title26/outputs.kms.tf create mode 120000 title26/outputs.s3.tf create mode 120000 title26/variables.common.tf create mode 120000 title26/variables.kms.tf create mode 120000 title26/variables.s3.tf diff --git a/common/README.md b/common/README.md deleted file mode 100644 index 41623d7..0000000 --- a/common/README.md +++ /dev/null 
@@ -1,64 +0,0 @@ -## Requirements - -No requirements. - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | n/a | -| [null](#provider\_null) | n/a | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | -| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_object.this_objects](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource | -| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | -| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | -| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | -| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.bucket_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| 
[aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [access\_log\_bucket](#input\_access\_log\_bucket) | Server Access Logging Bucket ID | `string` | n/a | yes | -| [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | -| [allowed\_cidr](#input\_allowed\_cidr) | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no | -| [allowed\_endpoints](#input\_allowed\_endpoints) | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no | -| [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no | -| [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | -| [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additiona policy to be attached to the bucket beyond the default | `string` | `""` | no | -| [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. 
The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | -| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | -| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no | -| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no | -| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no | -| [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | -| [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no | -| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [kms\_key\_alias](#output\_kms\_key\_alias) | Created KMS Key Alias name | -| [kms\_key\_arn](#output\_kms\_key\_arn) | Created KMS Key ARN | -| [kms\_key\_id](#output\_kms\_key\_id) | Created KMS Key ID | -| [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | Created S3 Bucket ARN | -| [s3\_bucket\_id](#output\_s3\_bucket\_id) | Created S3 Bucket ID | diff --git a/common/kms.tf b/common/kms.tf new file mode 100644 index 0000000..b42ca3e --- /dev/null 
+++ b/common/kms.tf
@@ -0,0 +1,66 @@
+# data "aws_kms_key" "incoming_key" {
+# count = var.kms_key_arn != null ? 1 : 0
+# key_id = var.kms_key_arn
+# }
+#
+locals {
+ kms_key_arn = var.kms_key_arn != null ? var.kms_key_arn : aws_kms_key.key.arn
+ kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
+
+ kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
+ kms_admin_roles = compact(concat(local.kms_admin_root, var.kms_admin_roles))
+ kms_policy_document = length(var.kms_policy_document) > 0 ? var.kms_policy_document : data.aws_iam_policy_document.empty.json
+}
+
+#---
+# create a key and alias if not specified
+#---
+resource "aws_kms_key" "key" {
+ count = var.kms_key_arn == null ? 1 : 0
+ description = "KMS CMK for S3 bucket ${local.name}"
+ enable_key_rotation = true
+ policy = data.aws_iam_policy_document.key_policy_combined.json
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ local.enforced_tags,
+ map("Name", local.kms_key_name)
+ )
+}
+
+resource "aws_kms_alias" "key" {
+ count = var.kms_key_arn == null ? 1 : 0
+ name = "alias/${local.kms_key_name}"
+ target_key_id = var.kms_key_arn == null ? aws_kms_key.key[0].key_id : null
+}
+
+# auto includes root
+data "aws_iam_policy_document" "key_admin" {
+ statement {
+ sid = "BuiltinKMSAdminRoles"
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = local.kms_admin_roles
+ }
+ }
+}
+
+data "aws_iam_policy_document" "key_policy_combined" {
+ source_policy_documents = [
+ data.aws_iam_policy_document.key_admin.json,
+ local.kms_policy_document
+ ]
+}
+
+data "aws_iam_policy_document" "bucket_policy_combined" {
+ source_policy_documents = [
+ data.aws_iam_policy_document.this.json,
+ local.bucket_policy_document
+ ]
+}
+
+data "aws_iam_policy_document" "empty" {}
diff --git a/common/outputs.kms.tf b/common/outputs.kms.tf
new file mode 100644
index 0000000..4ad613a
--- /dev/null
+++ b/common/outputs.kms.tf
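Review bot: `kms_key_arn = var.kms_key_arn != null ? var.kms_key_arn : aws_kms_key.key.arn` in the locals block refers to `aws_kms_key.key` without an instance key, but the resource now carries `count`, so Terraform rejects the reference as missing a resource instance key whichever branch is selected; the same unindexed references appear in `common/outputs.kms.tf` further down. A form that is valid for both count values and for the Terraform version this module appears to target (it still uses `map()`) is `kms_key_arn = var.kms_key_arn != null ? var.kms_key_arn : join("", aws_kms_key.key[*].arn)`. The commented-out `data "aws_kms_key" "incoming_key"` block at the top is the check worth keeping rather than dropping: resolving the caller-supplied ARN at plan time confirms the key exists and is reachable from this account before the bucket's SSE configuration is bound to it. Separately, `data "aws_iam_policy_document" "bucket_policy_combined"` and `"empty"` are S3-side definitions; because this file is symlinked into `kms_key/`, the submodule will fail on `data.aws_iam_policy_document.this` and `local.bucket_policy_document`, neither of which it defines (the new `kms_key/README.md` lists `bucket_policy_combined` as a data source but no `aws_iam_policy_document.this`), so they belong in the S3 resources file.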
@@ -0,0 +1,18 @@
+#---
+# key
+#---
+output "kms_key_id" {
+ description = "Created KMS Key ID"
+ value = aws_kms_key.key.id
+}
+
+output "kms_key_arn" {
+ description = "Created KMS Key ARN"
+ value = aws_kms_key.key.arn
+}
+
+output "kms_key_alias" {
+ description = "Created KMS Key Alias name"
+ value = aws_kms_alias.key.name
+}
+
diff --git a/common/outputs.s3.tf b/common/outputs.s3.tf
new file mode 100644
index 0000000..a29a743
--- /dev/null
+++ b/common/outputs.s3.tf
@@ -0,0 +1,12 @@
+#---
+# bucket
+#---
+output "s3_bucket_arn" {
+ description = "Created S3 Bucket ARN"
+ value = aws_s3_bucket.this.arn
+}
+
+output "s3_bucket_id" {
+ description = "Created S3 Bucket ID"
+ value = aws_s3_bucket.this.id
+}
diff --git a/common/variables.common.tf b/common/variables.common.tf
new file mode 100644
index 0000000..010acce
--- /dev/null
+++ b/common/variables.common.tf
@@ -0,0 +1,6 @@
+variable "tags" {
+ description = "AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data_safeguard field for such things."
+ type = map(string)
+ default = {}
+}
+
diff --git a/common/variables.kms.tf b/common/variables.kms.tf
new file mode 100644
index 0000000..3fe6f33
--- /dev/null
+++ b/common/variables.kms.tf
@@ -0,0 +1,23 @@
+variable "kms_key_id" {
+ description = "AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated)."
+ type = string
+ default = null
+}
+
+variable "kms_key_arn" {
+ description = "AWS KMS Key ARN, a key created external to this module call."
+ type = string
+ default = null
+}
+
+variable "kms_policy_document" {
+ description = "AWS KMS Key Policy Document JSON, merged with admin policy document"
+ type = string
+ default = ""
+}
+
+variable "kms_admin_roles" {
+ description = "AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default."
+ type = list(string)
+ default = []
+}
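Review bot: `value = aws_kms_key.key.arn` in `output "kms_key_arn"` only ever describes a module-created key, and now that the resource carries `count` it is not even a valid reference; a caller who passed `kms_key_arn` has no way to read back the key the bucket was actually encrypted with. `value = local.kms_key_arn` returns the effective key in both cases. For `kms_key_id` and `kms_key_alias`, `join("", aws_kms_key.key[*].id)` and `join("", aws_kms_alias.key[*].name)` keep the outputs valid and yield an empty string when an external key is in use; their descriptions should say so, e.g. `"Created KMS Key ID (empty when kms_key_arn was supplied)"`.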
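Review bot: `variable "kms_key_arn"` in `common/variables.kms.tf` accepts any string, yet its value is written straight into the bucket's `kms_master_key_id` and, via the `!= null` test in kms.tf, decides whether the module's own key — with `enable_key_rotation` and the admin policy — is created at all. An empty string or a bare key ID passes the null check, skips key creation, and hands S3 a value whose meaning differs from what the variable name promises. If the module is on Terraform 0.13 or later, the `validation` block below rejects anything that is not a full KMS key ARN at plan time; the ARN form also matters because a key in another account can only be referenced by ARN. `kms_key_id` is documented as ignored but still silently accepted, so a pointer to `kms_key_arn` in its description, e.g. `"Deprecated and ignored; use kms_key_arn."`, would give callers who set it some feedback.
```hcl
variable "kms_key_arn" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.kms_key_arn == null || can(regex("^arn:[^:]+:kms:[^:]*:[0-9]{12}:key/", var.kms_key_arn))
    error_message = "kms_key_arn must be a full KMS key ARN (arn:<partition>:kms:<region>:<account>:key/<id>) or null."
  }
}
```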
diff --git a/common/variables.s3.tf b/common/variables.s3.tf new file mode 100644 index 0000000..6f15cf3 --- /dev/null +++ b/common/variables.s3.tf 
@@ -0,0 +1,62 @@ +variable "bucket_name" { + description = "AWS Bucket Name. Standard prefix will be applied here, do not include here." + type = string +} + +variable "bucket_folders" { + description = "List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata_tags and data_safeguard labels." + type = list(string) + default = [] +} + +variable "bucket_policy_document" { + description = "IAM Policy document describing additiona policy to be attached to the bucket beyond the default" + type = string + default = "" +} + +variable "metadata_tags" { + description = "AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data_safeguard labels are applied, they will be incorporated on any bucket objects created." + type = map(string) + default = {} +} + +variable "access_log_bucket_prefix" { + description = "Access log bucket prefix, to which the bucket name will be appended to make the target_prefix" + type = string + default = "s3" +} + +variable "access_log_bucket" { + description = "Server Access Logging Bucket ID" + type = string + # default = null +} + +variable "allowed_cidr" { + description = "List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed_endpoints for access within a VPC." + type = list(string) + default = [] +} + +variable "allowed_endpoints" { + description = "List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints." + type = list(string) + default = [] +} + +variable "force_destroy" { + description = "Sets force_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource." 
+ type = bool + default = false +} + +variable "require_explicit_encryption" { + description = "When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed." + type = bool + default = false +} + +# TBD +# variable "kms_policy_read_arns" { } +# variable "kms_policy_write_arns" { } diff --git a/examples/policy/README.md b/examples/policy/README.md new file mode 100644 index 0000000..0acfbad --- /dev/null +++ b/examples/policy/README.md @@ -0,0 +1,28 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +No inputs. + +## Outputs + +No outputs. diff --git a/standard/kms.tf b/standard/kms.tf new file mode 120000 index 0000000..b0b3f29 --- /dev/null +++ b/standard/kms.tf @@ -0,0 +1 @@ +../common/kms.tf \ No newline at end of file diff --git a/standard/outputs.kms.tf b/standard/outputs.kms.tf new file mode 120000 index 0000000..74a8d7b --- /dev/null +++ b/standard/outputs.kms.tf @@ -0,0 +1 @@ +../common/outputs.kms.tf \ No newline at end of file diff --git a/standard/outputs.s3.tf b/standard/outputs.s3.tf new file mode 120000 index 0000000..594685a --- /dev/null +++ b/standard/outputs.s3.tf @@ -0,0 +1 @@ +../common/outputs.s3.tf \ No newline at end of file diff --git a/standard/variables.common.tf b/standard/variables.common.tf new file mode 120000 index 0000000..7439ed8 --- /dev/null +++ b/standard/variables.common.tf @@ -0,0 +1 @@ +../common/variables.common.tf \ No newline at end of file 
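Review bot: `access_log_bucket` becomes a required input only because `# default = null` is left commented out, which reads like an unfinished edit rather than a decision; either drop the dead line or make the requirement explicit, e.g. `description = "Server Access Logging Bucket ID (required)."`. `allowed_cidr`'s description says that when it is set `allowed_endpoints` must also be used for in-VPC access, but `allowed_endpoints` does not state the converse, that leaving it empty alongside a non-empty `allowed_cidr` presumably leaves no VPC-endpoint path to the bucket; mirroring that sentence keeps the two descriptions self-contained. The `# TBD` placeholders for `kms_policy_read_arns` and `kms_policy_write_arns` are fine as reminders, but a short comment on what they are meant to grant would stop them drifting.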
diff --git a/standard/variables.kms.tf b/standard/variables.kms.tf new file mode 120000 index 0000000..08cab47 --- /dev/null +++ b/standard/variables.kms.tf @@ -0,0 +1 @@ +../common/variables.kms.tf \ No newline at end of file diff --git a/standard/variables.s3.tf b/standard/variables.s3.tf new file mode 120000 index 0000000..49213df --- /dev/null +++ b/standard/variables.s3.tf @@ -0,0 +1 @@ +../common/variables.s3.tf \ No newline at end of file diff --git a/title26/kms.tf b/title26/kms.tf new file mode 120000 index 0000000..b0b3f29 --- /dev/null +++ b/title26/kms.tf @@ -0,0 +1 @@ +../common/kms.tf \ No newline at end of file diff --git a/title26/outputs.kms.tf b/title26/outputs.kms.tf new file mode 120000 index 0000000..74a8d7b --- /dev/null +++ b/title26/outputs.kms.tf @@ -0,0 +1 @@ +../common/outputs.kms.tf \ No newline at end of file diff --git a/title26/outputs.s3.tf b/title26/outputs.s3.tf new file mode 120000 index 0000000..594685a --- /dev/null +++ b/title26/outputs.s3.tf @@ -0,0 +1 @@ +../common/outputs.s3.tf \ No newline at end of file diff --git a/title26/variables.common.tf b/title26/variables.common.tf new file mode 120000 index 0000000..7439ed8 --- /dev/null +++ b/title26/variables.common.tf @@ -0,0 +1 @@ +../common/variables.common.tf \ No newline at end of file diff --git a/title26/variables.kms.tf b/title26/variables.kms.tf new file mode 120000 index 0000000..08cab47 --- /dev/null +++ b/title26/variables.kms.tf @@ -0,0 +1 @@ +../common/variables.kms.tf \ No newline at end of file diff --git a/title26/variables.s3.tf b/title26/variables.s3.tf new file mode 120000 index 0000000..49213df --- /dev/null +++ b/title26/variables.s3.tf @@ -0,0 +1 @@ +../common/variables.s3.tf \ No newline at end of file From 699559b0051303bd0aeeaad06ceb53b9c0f8e4d5 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Wed, 17 Nov 2021 13:11:02 -0500 Subject: [PATCH 04/16] add docs for examples --- examples/.terraform-docs.yml | 44 ++++++++++++++++++++++++++++++++++++ examples/README.md | 12 ++++++++++ 2 files changed, 56 insertions(+) create mode 100644 examples/.terraform-docs.yml create mode 100644 examples/README.md diff --git a/examples/.terraform-docs.yml b/examples/.terraform-docs.yml new file mode 100644 index 0000000..8391b9d --- /dev/null +++ b/examples/.terraform-docs.yml @@ -0,0 +1,44 @@ +formatter: markdown table + +header-from: main.tf +footer-from: "" + +sections: +## hide: [] + show: + - data-sources + - header + - footer + - inputs + - modules + - outputs + - providers + - requirements + - resources + +output: + file: README.md + mode: inject + template: |- + + {{ .Content }} + + +## output-values: +## enabled: false +## from: "" +## +## sort: +## enabled: true +## by: name +## +## settings: +## anchor: true +## color: true +## default: true +## description: false +## escape: true +## indent: 2 +## required: true +## sensitive: true +## type: true diff --git a/examples/README.md b/examples/README.md new file mode 100644 index 0000000..d14d1fa --- /dev/null +++ b/examples/README.md @@ -0,0 +1,12 @@ +# Examples + +Here we have some examples for use of this module and supporting submodules. + +## policy +## s3 standard +## s3 title26 +## kms_key + + +{{ .Content }} + From 271896d295e53c0f0c5ea7ad101621d5748a5cff Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 17 Nov 2021 13:11:56 -0500 Subject: [PATCH 05/16] update --- examples/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/README.md b/examples/README.md index d14d1fa..8ea2923 100644 --- a/examples/README.md +++ b/examples/README.md @@ -8,5 +8,4 @@ Here we have some examples for use of this module and supporting submodules. ## kms_key -{{ .Content }} From bc94be2b1e929658f5aeb02addf5b7ca7bb91ff2 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Wed, 17 Nov 2021 13:15:13 -0500 Subject: [PATCH 06/16] add exmaple for kms key --- examples/README.md | 6 +++--- examples/kms-key/simple-kms-key.tf | 17 +++++++++++++++++ 2 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 examples/kms-key/simple-kms-key.tf diff --git a/examples/README.md b/examples/README.md index 8ea2923..01962df 100644 --- a/examples/README.md +++ b/examples/README.md @@ -3,9 +3,9 @@ Here we have some examples for use of this module and supporting submodules. ## policy -## s3 standard -## s3 title26 -## kms_key +## s3-standard +## s3-title26 +## kms-key diff --git a/examples/kms-key/simple-kms-key.tf b/examples/kms-key/simple-kms-key.tf new file mode 100644 index 0000000..c68429d --- /dev/null +++ b/examples/kms-key/simple-kms-key.tf @@ -0,0 +1,17 @@ +module "simple-key" { + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//kms_key" + key_name = "my-simple-key" + + ## optional + # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] + # kms_policy_document = data.aws_iam_policy_document.mypolicy.json +} + +output "my-simple-key" { + description = "KMS Key Details" + value = { + arn = module.simple-key.kms_key_arn + id = module.simple-key.kms_key_id + alias = module.simple-key.kms_key_alias + } +} From e65e2f470ff61bee8f4302e568b2080f039912b7 Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 17 Nov 2021 13:18:21 -0500 Subject: [PATCH 07/16] add exmaple for s3-standard --- examples/kms-key/README.md | 27 +++++++++++++++++++++++++++ examples/kms-key/simple-kms-key.tf | 4 ++-- examples/s3-standard/README.md | 27 +++++++++++++++++++++++++++ examples/s3-standard/simple-bucket.tf | 19 +++++++++++++++++++ 4 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 examples/kms-key/README.md create mode 100644 examples/s3-standard/README.md create mode 100644 examples/s3-standard/simple-bucket.tf 
diff --git a/examples/kms-key/README.md b/examples/kms-key/README.md new file mode 100644 index 0000000..d172bd4 --- /dev/null +++ b/examples/kms-key/README.md @@ -0,0 +1,27 @@ +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [simple-key](#module\_simple-key) | git@github.e.it.census.gov:terraform-modules/aws-s3.git//kms_key | n/a | + +## Resources + +No resources. + +## Inputs + +No inputs. + +## Outputs + +| Name | Description | +|------|-------------| +| [simple-key-info](#output\_simple-key-info) | KMS Key Info | diff --git a/examples/kms-key/simple-kms-key.tf b/examples/kms-key/simple-kms-key.tf index c68429d..9e8e9b1 100644 --- a/examples/kms-key/simple-kms-key.tf +++ b/examples/kms-key/simple-kms-key.tf @@ -7,8 +7,8 @@ module "simple-key" { # kms_policy_document = data.aws_iam_policy_document.mypolicy.json } -output "my-simple-key" { - description = "KMS Key Details" +output "simple-key-info" { + description = "KMS Key Info" value = { arn = module.simple-key.kms_key_arn id = module.simple-key.kms_key_id diff --git a/examples/s3-standard/README.md b/examples/s3-standard/README.md new file mode 100644 index 0000000..f842a0e --- /dev/null +++ b/examples/s3-standard/README.md @@ -0,0 +1,27 @@ +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [my-bucket](#module\_my-bucket) | git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard | n/a | + +## Resources + +No resources. + +## Inputs + +No inputs. + +## Outputs + +| Name | Description | +|------|-------------| +| [my-bucket-info](#output\_my-bucket-info) | S3 Standard Bucket Info | diff --git a/examples/s3-standard/simple-bucket.tf b/examples/s3-standard/simple-bucket.tf new file mode 100644 index 0000000..8a62cc6 --- /dev/null +++ b/examples/s3-standard/simple-bucket.tf 
@@ -0,0 +1,19 @@ +module "my-bucket" { + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard" + + bucket_name = "my-normalbucket" + access_log_bucket = "my-logbucket" + # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] + + ## optional + # kms_policy_document = data.aws_iam_policy_document.my-policy.json + # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json +} + +output "my-bucket-info" { + description = "S3 Standard Bucket Info" + value = { + arn = module.my-bucket.s3_bucket_arn + id = module.my-bucket.s3_bucket_id + } +} From 803de86e086dc31e5df1848b4868251f41cfca65 Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 17 Nov 2021 13:26:00 -0500 Subject: [PATCH 08/16] fix policies --- common/kms.tf | 7 ------- common/resources.tf | 7 +++++++ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/common/kms.tf b/common/kms.tf index b42ca3e..cdbb0da 100644 --- a/common/kms.tf +++ b/common/kms.tf @@ -56,11 +56,4 @@ data "aws_iam_policy_document" "key_policy_combined" { ] } -data "aws_iam_policy_document" "bucket_policy_combined" { - source_policy_documents = [ - data.aws_iam_policy_document.this.json, - local.bucket_policy_document - ] -} - data "aws_iam_policy_document" "empty" {} diff --git a/common/resources.tf b/common/resources.tf index 6496033..50378e5 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -217,3 +217,10 @@ resource "aws_s3_bucket_object" "this_objects" { depends_on = [null_resource.policy_delay] } +data "aws_iam_policy_document" "bucket_policy_combined" { + source_policy_documents = [ + data.aws_iam_policy_document.this.json, + local.bucket_policy_document + ] +} + From d330eafd483e14f0c31858bf2018b42e2f15aee4 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Wed, 17 Nov 2021 13:28:19 -0500 Subject: [PATCH 09/16] pull out tags and settings --- common/base_settings.tf | 6 ++++++ common/base_tags.tf | 6 ++++++ common/resources.tf | 11 ----------- kms_key/base_settings.tf | 1 + kms_key/base_tags.tf | 1 + standard/base_settings.tf | 1 + standard/base_tags.tf | 1 + title26/base_settings.tf | 1 + title26/base_tags.tf | 1 + 9 files changed, 18 insertions(+), 11 deletions(-) create mode 100644 common/base_settings.tf create mode 100644 common/base_tags.tf create mode 120000 kms_key/base_settings.tf create mode 120000 kms_key/base_tags.tf create mode 120000 standard/base_settings.tf create mode 120000 standard/base_tags.tf create mode 120000 title26/base_settings.tf create mode 120000 title26/base_tags.tf diff --git a/common/base_settings.tf b/common/base_settings.tf new file mode 100644 index 0000000..4e852ac --- /dev/null +++ b/common/base_settings.tf @@ -0,0 +1,6 @@ +locals { + account_id = data.aws_caller_identity.current.account_id + current_user_arn = data.aws_caller_identity.current.arn + partition = data.aws_arn.current.partition + region = data.aws_region.current.name +} diff --git a/common/base_tags.tf b/common/base_tags.tf new file mode 100644 index 0000000..602b87a --- /dev/null +++ b/common/base_tags.tf @@ -0,0 +1,6 @@ +locals { + base_tags = { + "boc:tf_module_version" = local._module_version + "boc:created_by" = "terraform" + } +} diff --git a/common/resources.tf b/common/resources.tf index 50378e5..d1410ec 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -1,10 +1,3 @@ -locals { - account_id = data.aws_caller_identity.current.account_id - current_user_arn = data.aws_caller_identity.current.arn - partition = data.aws_arn.current.partition - region = data.aws_region.current.name -} - locals { base_name = var.bucket_name name = replace(var.bucket_name, local._prefixes["s3"], "") 
@@ -34,10 +27,6 @@ locals { # enforced_tags = { # "boc:safeguard" = "title26" # } - base_tags = { - "boc:tf_module_version" = local._module_version - "boc:created_by" = "terraform" - } # strip spaces, convert to lowercase, make distinct, sort. Remove those not in the _defaults add_safeguard_tags = local.enable_title26 ? ["title26"] : [] _default_safeguard_tags = { for d in local._defaults["data_safeguards"] : d => d } diff --git a/kms_key/base_settings.tf b/kms_key/base_settings.tf new file mode 120000 index 0000000..396784e --- /dev/null +++ b/kms_key/base_settings.tf @@ -0,0 +1 @@ +../common/base_settings.tf \ No newline at end of file diff --git a/kms_key/base_tags.tf b/kms_key/base_tags.tf new file mode 120000 index 0000000..91c15aa --- /dev/null +++ b/kms_key/base_tags.tf @@ -0,0 +1 @@ +../common/base_tags.tf \ No newline at end of file diff --git a/standard/base_settings.tf b/standard/base_settings.tf new file mode 120000 index 0000000..396784e --- /dev/null +++ b/standard/base_settings.tf @@ -0,0 +1 @@ +../common/base_settings.tf \ No newline at end of file diff --git a/standard/base_tags.tf b/standard/base_tags.tf new file mode 120000 index 0000000..91c15aa --- /dev/null +++ b/standard/base_tags.tf @@ -0,0 +1 @@ +../common/base_tags.tf \ No newline at end of file diff --git a/title26/base_settings.tf b/title26/base_settings.tf new file mode 120000 index 0000000..396784e --- /dev/null +++ b/title26/base_settings.tf @@ -0,0 +1 @@ +../common/base_settings.tf \ No newline at end of file diff --git a/title26/base_tags.tf b/title26/base_tags.tf new file mode 120000 index 0000000..91c15aa --- /dev/null +++ b/title26/base_tags.tf @@ -0,0 +1 @@ +../common/base_tags.tf \ No newline at end of file From 15302161134e5979b7a2d3f6f789c73cf6e27781 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Wed, 17 Nov 2021 13:35:19 -0500 Subject: [PATCH 10/16] add enable_title26 --- common/base_settings.tf | 17 +++++++++++++++++ common/resources.tf | 16 ---------------- kms_key/README.md | 1 - kms_key/main.tf | 3 ++- standard/README.md | 3 ++- standard/main.tf | 3 --- 6 files changed, 21 insertions(+), 22 deletions(-) diff --git a/common/base_settings.tf b/common/base_settings.tf index 4e852ac..7d17c3d 100644 --- a/common/base_settings.tf +++ b/common/base_settings.tf @@ -4,3 +4,20 @@ locals { partition = data.aws_arn.current.partition region = data.aws_region.current.name } + +# enforced tags +locals { + # strip spaces, convert to lowercase, make distinct, sort. Remove those not in the _defaults + add_safeguard_tags = local.enable_title26 ? ["title26"] : [] + _default_safeguard_tags = { for d in local._defaults["data_safeguards"] : d => d } + safeguard_tags = sort(distinct(compact(concat([for t in var.data_safeguards : lookup(local._default_safeguard_tags, lower(replace(t, " ", "")), "")], local.add_safeguard_tags)))) + add_tags = { + safeguard = { + "exists" = { "boc:safeguard" = join(",", local.safeguard_tags) } + "not_exists" = {} + } + } + enforced_tags = merge( + local.add_tags["safeguard"][length(local.safeguard_tags) > 0 ? "exists" : "not_exists"] + ) +} diff --git a/common/resources.tf b/common/resources.tf index d1410ec..23caa0c 100644 --- a/common/resources.tf +++ b/common/resources.tf 
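Review bot: `common/base_settings.tf` now hosts the enforced-tag logic and reads `var.data_safeguards`, `local._defaults["data_safeguards"]` and `local.enable_title26` without any statement that every module symlinking the file must declare them; this very commit has to add `enable_title26` to `kms_key/main.tf` for that reason. A header comment such as `# Expects the including module to define var.data_safeguards, local._defaults["data_safeguards"] and local.enable_title26.` would surface that contract at review time instead of at plan time for the next symlinked module. `enforced_tags = merge(...)` takes a single argument, so the `merge` is presumably a placeholder for further tag sources; a one-line comment saying so would stop it being simplified away.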
@@ -24,22 +24,6 @@ locals { s3_bucket_conditions_list = list(local.condition_allowed_cidr, local.condition_allowed_endpoints) s3_bucket_conditions = [for x in local.s3_bucket_conditions_list : x if length(x.values) > 0] - # enforced_tags = { - # "boc:safeguard" = "title26" - # } - # strip spaces, convert to lowercase, make distinct, sort. Remove those not in the _defaults - add_safeguard_tags = local.enable_title26 ? ["title26"] : [] - _default_safeguard_tags = { for d in local._defaults["data_safeguards"] : d => d } - safeguard_tags = sort(distinct(compact(concat([for t in var.data_safeguards : lookup(local._default_safeguard_tags, lower(replace(t, " ", "")), "")], local.add_safeguard_tags)))) - add_tags = { - safeguard = { - "exists" = { "boc:safeguard" = join(",", local.safeguard_tags) } - "not_exists" = {} - } - } - enforced_tags = merge( - local.add_tags["safeguard"][length(local.safeguard_tags) > 0 ? "exists" : "not_exists"] - ) metadata_tags = merge( var.metadata_tags, { for k, v in local.enforced_tags : format("x-amzn-meta-%v", replace(k, "/\\W/", "_")) => v } diff --git a/kms_key/README.md b/kms_key/README.md index 3359374..6d323d1 100644 --- a/kms_key/README.md +++ b/kms_key/README.md 
@@ -37,7 +37,6 @@ No modules. | [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.bucket_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | diff --git a/kms_key/main.tf b/kms_key/main.tf index 6f47c84..60dd993 100644 --- a/kms_key/main.tf +++ b/kms_key/main.tf @@ -19,5 +19,6 @@ locals { - name = var.key_name + name = var.key_name + enable_title26 = var.enable_title26 ? true : false } diff --git a/standard/README.md b/standard/README.md index c6739b3..0e39c1c 100644 --- a/standard/README.md +++ b/standard/README.md 
@@ -133,7 +133,8 @@ No modules. | [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no | | [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | | [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | -| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no | +| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no | +| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no | | [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no | | [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | | [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no | diff --git a/standard/main.tf b/standard/main.tf index d21c81b..ca24540 100644 --- a/standard/main.tf +++ b/standard/main.tf @@ -89,6 +89,3 @@ locals { enable_title26 = var.enable_title26 ? true : false versioning = false } - - - From 262ac95c33ecc16f39e127fc792b1bbd73530909 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Wed, 17 Nov 2021 13:39:36 -0500 Subject: [PATCH 11/16] fix --- common/kms.tf | 5 +++++ common/outputs.kms.tf | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/common/kms.tf b/common/kms.tf
index cdbb0da..18c4b35 100644
--- a/common/kms.tf
+++ b/common/kms.tf
@@ -57,3 +57,8 @@ data "aws_iam_policy_document" "key_policy_combined" {
 }
 
 data "aws_iam_policy_document" "empty" {}
+
+data "aws_kms_key" "incoming_key" {
+ count = var.kms_key_arn == null ? 0 : 1
+ key_id = var.kms_key_arn
+}
diff --git a/common/outputs.kms.tf b/common/outputs.kms.tf
index 4ad613a..9333784 100644
--- a/common/outputs.kms.tf
+++ b/common/outputs.kms.tf
@@ -3,16 +3,16 @@ #---
 output "kms_key_id" {
 description = "Created KMS Key ID"
- value = aws_kms_key.key.id
+ value = var.kms_key_arn == null ? aws_kms_key.key[0].id : data.aws_kms_key.incoming_key[0].id
 }
 
 output "kms_key_arn" {
 description = "Created KMS Key ARN"
- value = aws_kms_key.key.arn
+ value = var.kms_key_arn == null ? aws_kms_key.key[0].arn : data.aws_kms_key.incoming_key[0].arn
 }
 
 output "kms_key_alias" {
 description = "Created KMS Key Alias name"
- value = aws_kms_alias.key.name
+ value = var.kms_key_arn == null ? aws_kms_key.key[0].name : data.aws_kms_key.incoming_key[0].name
 }
 
From 11c64285a15d95c478425af605295ad8c99708dd Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 17 Nov 2021 13:41:37 -0500 Subject: [PATCH 12/16] fix --- common/kms.tf | 2 +- common/outputs.kms.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/kms.tf b/common/kms.tf
index 18c4b35..e8df353 100644
--- a/common/kms.tf
+++ b/common/kms.tf
@@ -4,7 +4,7 @@ # } # locals {
- kms_key_arn = var.kms_key_arn != null ? var.kms_key_arn : aws_kms_key.key.arn
+ kms_key_arn = var.kms_key_arn == null ? aws_kms_key.key[0].arn : var.kms_key_arn
 kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
 kms_admin_root = [format("arn:%v:iam::%v:root", local.partition, local.account_id)]
 
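Review bot: In the patch-12 hunk of `common/kms.tf`, `local.kms_key_arn` falls back to `var.kms_key_arn` exactly as given, while the outputs in `common/outputs.kms.tf` report `data.aws_kms_key.incoming_key[0].arn`; since the `aws_kms_key` data source's `key_id` argument also accepts a key ID or alias name, a caller passing one of those would see a real ARN in the output but a non-ARN in `local.kms_key_arn` wherever that local is consumed. Using the data source attribute in both places keeps the value canonical and means the key must actually resolve before anything is built on it: `kms_key_arn = var.kms_key_arn == null ? aws_kms_key.key[0].arn : data.aws_kms_key.incoming_key[0].arn`. The new `[0]` indexes on `aws_kms_key.key` and `aws_kms_alias.key` imply those resources now carry a `count`, but no hunk in this series adds it, so I assume that happened outside the series; worth confirming before merge. Because `count` on `incoming_key` is driven by a variable, `kms_key_arn` must be known at plan time, which is what the README's "create the key first" means and belongs in the variable description as well.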
diff --git a/common/outputs.kms.tf b/common/outputs.kms.tf
index 9333784..b972a09 100644
--- a/common/outputs.kms.tf
+++ b/common/outputs.kms.tf
@@ -13,6 +13,6 @@ output "kms_key_arn" {
 
 output "kms_key_alias" {
 description = "Created KMS Key Alias name"
- value = var.kms_key_arn == null ? aws_kms_key.key[0].name : data.aws_kms_key.incoming_key[0].name
+ value = var.kms_key_arn == null ? aws_kms_alias.key[0].name : data.aws_kms_key.incoming_key[0].name
 }
 
From b876d4dfde1665499c9d106b5900a6f1b6f6bc9f Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 17 Nov 2021 13:46:16 -0500 Subject: [PATCH 13/16] fix --- common/outputs.kms.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/common/outputs.kms.tf b/common/outputs.kms.tf
index b972a09..b84af15 100644
--- a/common/outputs.kms.tf
+++ b/common/outputs.kms.tf
@@ -2,17 +2,17 @@ # key
 #---
 output "kms_key_id" {
- description = "Created KMS Key ID"
+ description = "KMS Key ID. This is the created key id or the key id of kms_key_arn"
 value = var.kms_key_arn == null ? aws_kms_key.key[0].id : data.aws_kms_key.incoming_key[0].id
 }
 
 output "kms_key_arn" {
- description = "Created KMS Key ARN"
+ description = "KMS Key ARN. This is the created key ARN or the key ARN of kms_key_arn"
 value = var.kms_key_arn == null ? aws_kms_key.key[0].arn : data.aws_kms_key.incoming_key[0].arn
 }
 
 output "kms_key_alias" {
- description = "Created KMS Key Alias name"
- value = var.kms_key_arn == null ? aws_kms_alias.key[0].name : data.aws_kms_key.incoming_key[0].name
+ description = "KMS Key Alias name. If a kms_key_arn passed in, this will be null."
+ value = var.kms_key_arn == null ? aws_kms_alias.key[0].name : null
 }
 
From 03598122a46cd5c6d2a225210ae3691fea93ab42 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Wed, 17 Nov 2021 13:48:35 -0500 Subject: [PATCH 14/16] rename --- examples/{s3-standard => standard}/README.md | 0 examples/{s3-standard => standard}/simple-bucket.tf | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename examples/{s3-standard => standard}/README.md (100%) rename examples/{s3-standard => standard}/simple-bucket.tf (100%) diff --git a/examples/s3-standard/README.md b/examples/standard/README.md similarity index 100% rename from examples/s3-standard/README.md rename to examples/standard/README.md diff --git a/examples/s3-standard/simple-bucket.tf b/examples/standard/simple-bucket.tf similarity index 100% rename from examples/s3-standard/simple-bucket.tf rename to examples/standard/simple-bucket.tf From 3bd270d0067616369574d2d5c2c70200374e7fbf Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 17 Nov 2021 14:01:35 -0500 Subject: [PATCH 15/16] update readme --- kms_key/README.md | 47 ++++++++++++++++++++++++++++++++++++++-------- kms_key/main.tf | 46 +++++++++++++++++++++++++++++++++++++++------ standard/README.md | 27 +++++++++++++++++--------- standard/main.tf | 26 +++++++++++++++++-------- 4 files changed, 115 insertions(+), 31 deletions(-) diff --git a/kms_key/README.md b/kms_key/README.md index 6d323d1..473bae2 100644 --- a/kms_key/README.md +++ b/kms_key/README.md 
@@ -1,18 +1,48 @@ # About aws-s3 :: kms\_key -This submodule allows you to create a KMS key for use with S3 buckets. +This submodule allows you to create a KMS key for use with S3 buckets. You have to create the key first +before trying to call it in a module. This is useful if you have a lot of buckets you wish to share the +same key. -# Usage +## Usage: Create ```hcl -module "mykey" { - source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//kms_key" - key_name = "mykeyname" +module "simple-key" { + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//kms_key" + key_name = "my-simple-key" ## optional # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] # kms_policy_document = data.aws_iam_policy_document.mypolicy.json } + +output "simple-key-info" { + description = "KMS Key Info" + value = { + arn = module.simple-key.kms_key_arn + id = module.simple-key.kms_key_id + alias = module.simple-key.kms_key_alias + } +} +``` + +## Usage: Reference +```hcl +module "my-bucket" { + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard" + + bucket_name = "my-normalbucket" + access_log_bucket = "my-logbucket" + kms_key_arn = module.simple-key.kms_key_arn +} + +output "my-bucket-info" { + description = "S3 Standard Bucket Info" + value = { + arn = module.my-bucket.s3_bucket_arn + id = module.my-bucket.s3_bucket_id + } +} ``` ## Requirements 
@@ -40,6 +70,7 @@ No modules. | [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs @@ -59,6 +90,6 @@ No modules. | Name | Description | |------|-------------| -| [kms\_key\_alias](#output\_kms\_key\_alias) | Created KMS Key Alias name | -| [kms\_key\_arn](#output\_kms\_key\_arn) | Created KMS Key ARN | -| [kms\_key\_id](#output\_kms\_key\_id) | Created KMS Key ID | +| [kms\_key\_alias](#output\_kms\_key\_alias) | KMS Key Alias name. If a kms\_key\_arn passed in, this will be null. | +| [kms\_key\_arn](#output\_kms\_key\_arn) | KMS Key ARN. This is the created key ARN or the key ARN of kms\_key\_arn | +| [kms\_key\_id](#output\_kms\_key\_id) | KMS Key ID. This is the created key id or the key id of kms\_key\_arn | diff --git a/kms_key/main.tf b/kms_key/main.tf index 60dd993..067e762 100644 --- a/kms_key/main.tf +++ b/kms_key/main.tf 
@@ -1,19 +1,49 @@ /* * # About aws-s3 :: kms_key * -* This submodule allows you to create a KMS key for use with S3 buckets. +* This submodule allows you to create a KMS key for use with S3 buckets. You have to create the key first +* before trying to call it in a module. This is useful if you have a lot of buckets you wish to share the +* same key. * -* # Usage +* ## Usage: Create * * ```hcl -* module "mykey" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//kms_key" -* key_name = "mykeyname" -* +* module "simple-key" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//kms_key" +* key_name = "my-simple-key" +* * ## optional * # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] * # kms_policy_document = data.aws_iam_policy_document.mypolicy.json * } +* +* output "simple-key-info" { +* description = "KMS Key Info" +* value = { +* arn = module.simple-key.kms_key_arn +* id = module.simple-key.kms_key_id +* alias = module.simple-key.kms_key_alias +* } +* } +* ``` +* +* ## Usage: Reference +* ```hcl +* module "my-bucket" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard" +* +* bucket_name = "my-normalbucket" +* access_log_bucket = "my-logbucket" +* kms_key_arn = module.simple-key.kms_key_arn +* } +* +* output "my-bucket-info" { +* description = "S3 Standard Bucket Info" +* value = { +* arn = module.my-bucket.s3_bucket_arn +* id = module.my-bucket.s3_bucket_id +* } +* } * ``` */ @@ -22,3 +52,7 @@ locals { name = var.key_name enable_title26 = var.enable_title26 ? true : false } + + + + diff --git a/standard/README.md b/standard/README.md index 0e39c1c..e6eb0f6 100644 --- a/standard/README.md +++ b/standard/README.md 
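Review bot: The new "Usage: Reference" example in the `kms_key/main.tf` header feeds `module.simple-key.kms_key_arn` straight into the bucket module, which, given the `count` on `data.aws_kms_key.incoming_key` introduced in patch 11, only plans cleanly once the key already exists in state (or with a targeted apply); "You have to create the key first" would be clearer as `* before trying to call it in a module: kms_key_arn drives a resource count, so it must be known at plan time (apply the key module first).` The second hunk appends four empty lines to the end of `kms_key/main.tf`, and the `standard/main.tf` hunk in this same commit appends two that patch 10 had just removed; trailing blank lines are better left out so `terraform fmt` and future diffs stay quiet.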
@@ -9,16 +9,24 @@ Other configurations such as versioning or data safegurad tagging (only on the b
 # Usage
 ```hcl
-module "mybucket" {
+module "my-bucket" {
 source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard"
- bucket_name = "mynormalbucket"
- access_log_bucket = "mylogbucket"
- kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
+ bucket_name = "my-normalbucket"
+ access_log_bucket = "my-logbucket"
+ # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
 ## optional
- # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
- # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
+ # kms_policy_document = data.aws_iam_policy_document.my-policy.json
+ # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
+}
+
+output "my-bucket-info" {
+ description = "S3 Standard Bucket Info"
+ value = {
+ arn = module.my-bucket.s3_bucket_arn
+ id = module.my-bucket.s3_bucket_id
+ }
 }
 ```
@@ -116,6 +124,7 @@ No modules.
 | [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 ## Inputs
@@ -144,8 +153,8 @@ No modules.
 | Name | Description |
 |------|-------------|
-| [kms\_key\_alias](#output\_kms\_key\_alias) | Created KMS Key Alias name |
-| [kms\_key\_arn](#output\_kms\_key\_arn) | Created KMS Key ARN |
-| [kms\_key\_id](#output\_kms\_key\_id) | Created KMS Key ID |
+| [kms\_key\_alias](#output\_kms\_key\_alias) | KMS Key Alias name. If a kms\_key\_arn passed in, this will be null. |
+| [kms\_key\_arn](#output\_kms\_key\_arn) | KMS Key ARN. This is the created key ARN or the key ARN of kms\_key\_arn |
+| [kms\_key\_id](#output\_kms\_key\_id) | KMS Key ID. This is the created key id or the key id of kms\_key\_arn |
 | [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | Created S3 Bucket ARN |
 | [s3\_bucket\_id](#output\_s3\_bucket\_id) | Created S3 Bucket ID |
diff --git a/standard/main.tf b/standard/main.tf
index ca24540..2de9d6c 100644
--- a/standard/main.tf
+++ b/standard/main.tf
@@ -10,16 +10,24 @@
 * # Usage
 *
 * ```hcl
-* module "mybucket" {
+* module "my-bucket" {
 * source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard"
-*
-* bucket_name = "mynormalbucket"
-* access_log_bucket = "mylogbucket"
-* kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
-*
+*
+* bucket_name = "my-normalbucket"
+* access_log_bucket = "my-logbucket"
+* # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
+*
 * ## optional
-* # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
-* # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
+* # kms_policy_document = data.aws_iam_policy_document.my-policy.json
+* # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
+* }
+*
+* output "my-bucket-info" {
+* description = "S3 Standard Bucket Info"
+* value = {
+* arn = module.my-bucket.s3_bucket_arn
+* id = module.my-bucket.s3_bucket_id
+* }
 * }
 * ```
 *
@@ -89,3 +97,5 @@ locals {
 enable_title26 = var.enable_title26 ? true : false
 versioning = false
 }
+
+
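Review bot: Commenting out `kms_admin_roles` in the usage example makes it read as optional, but the header comment does not say which principal administers the key when the list is omitted, so a reader cannot tell whether the created key is left with only the account root as administrator or with no administrator at all; I cannot see the default from this hunk, so state it explicitly next to the commented line, e.g. `* # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]  ## IAM role ARNs granted key administration; default when omitted: <fill in>`. The example also omits the new `kms_key_arn` input this release adds for the standard module (it is shown only in the kms_key submodule header), so add `* # kms_key_arn = module.simple-key.kms_key_arn  ## reuse an existing key; kms_admin_roles / kms_policy_document then do not apply` if that is indeed how the module behaves. The comment block this hunk edits begins at line 1, outside the hunk.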
From 1ce2092b02f87c93914d55d73b7e0a44367c123b Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 17 Nov 2021 14:02:35 -0500 Subject: [PATCH 16/16] update
---
CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3057c0e..1309a51 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -44,5 +44,5 @@ Provides standard and t26 S3 bucket construction.
 - update documenation to include sample policy and policy document
 * v2.3.0 -- 20211117
- - allow kms_key_arn to be created externally
- - prep submodule kms_key to be able to handle that
+ - add submodule kms_key to be able to create a key, and then use it for later bucket
+ - allow kms_key_arn to passed in for standard and title26 buckets