add more docs
badra001 committed May 11, 2021
1 parent 0dff47e commit 3271d5f
Showing 4 changed files with 76 additions and 0 deletions.
23 changes: 23 additions & 0 deletions standard/README.md
@@ -14,11 +14,26 @@ module "mybucket" {
bucket_name = "mynormalbucket"
access_log_bucket = "mylogbucket"
kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
## optional
# kms_policy_document = data.aws_iam_policy_document.mypolicy.json
}
data "aws_iam_policy_document" "mypolicy" {
statement { }
}
```

This automaticaly creates an AWS KMS key used just for this bucket.

It will set a key usage/management policy by default with the `root` account, along with any other
roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key.

If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
such as read access (decrypt) or write access (encrypt, re-encrypt). A later enhancement may be
to provide variables granting read and write access to the key.

## Requirements

No requirements.
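Review bot: the example `data "aws_iam_policy_document" "mypolicy" { statement { } }` and the sentence "needs to be a valid IAM policy as would apply to key usage" should be tightened. `kms_policy_document` is merged into the KMS key policy, which is a resource policy, so every statement in it must carry a `principals` block naming who receives the access; an identity-policy shape with no principal is not a valid key policy. Replace the empty `statement { }` placeholder with a minimal usable statement (for example `actions = ["kms:Decrypt"]`, `resources = ["*"]` and a `principals { type = "AWS" identifiers = [...] }` block) so readers do not copy the placeholder verbatim, and fix "automaticaly" to "automatically". Since the text states that `root` and every role in `kms_admin_roles` receive full access to the key, it is worth saying explicitly that this list should be limited to key administrators and that workload roles belong in `kms_policy_document` instead.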
@@ -45,7 +60,13 @@ No modules.
| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

## Inputs

@@ -60,7 +81,9 @@ No modules.
| <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no |
| <a name="input_enable_title26"></a> [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
| <a name="input_kms_admin_roles"></a> [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no |
| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no |
| <a name="input_kms_policy_document"></a> [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
| <a name="input_metadata_tags"></a> [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
| <a name="input_require_explicit_encryption"></a> [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
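Review bot: the `kms_key_id` row says the value "is currently ignored", so a caller who passes an existing key expecting its policy and rotation settings to apply silently gets a fresh module-managed key instead; either drop the variable until it is honoured or make the description state plainly that a new key is always created. For `kms_policy_document`, "merged with admin policy document" should spell out the merge semantics (whether a statement with the same `sid` in the user document overrides the admin statement or is appended), because that decides whether a supplied document can narrow or widen the default full access given to `root` and `kms_admin_roles`.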
15 changes: 15 additions & 0 deletions standard/main.tf
@@ -15,10 +15,25 @@
*
* bucket_name = "mynormalbucket"
* access_log_bucket = "mylogbucket"
* kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
*
* ## optional
* # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
* }
*
* data "aws_iam_policy_document" "mypolicy" {
* statement { }
* }
* ```
*
* This automaticaly creates an AWS KMS key used just for this bucket.
*
* It will set a key usage/management policy by default with the `root` account, along with any other
* roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key.
*
* If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
* such as read access (decrypt) or write access (encrypt, re-encrypt). A later enhancement may be
* to provide variables granting read and write access to the key.
*/

locals {
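Review bot: "automaticaly" is misspelled in this header comment; the README text added in this commit is identical, so this comment is presumably the terraform-docs source and the typo should be fixed here and the README regenerated rather than patched by hand. The example's `statement { }` is an empty placeholder: a KMS key policy statement needs `principals`, `actions` and `resources` to be valid, so show a minimal decrypt statement for a named role instead of an empty block that users may copy as-is.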
23 changes: 23 additions & 0 deletions title26/README.md
@@ -15,6 +15,14 @@ module "mybucket" {
bucket_name = "myt26bucket"
access_log_bucket = "mylogbucket"
# enable_title26 = true
kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
## optional
# kms_policy_document = data.aws_iam_policy_document.mypolicy.json
}
data "aws_iam_policy_document" "mypolicy" {
statement { }
}
```

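Review bot: the `statement { }` placeholder in this example does not show a usable key policy statement; a KMS key policy is resource-based, so each statement needs a `principals` block plus `actions` and `resources`. Show a minimal decrypt statement for a named role instead. Also, `enable_title26` is shown commented out here while this module's inputs table defaults it to `true`; say so next to the example so readers do not assume the Title 26 settings are off.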
@@ -24,6 +32,13 @@ to make a comma separated list.

This automaticaly creates an AWS KMS key used just for this bucket.

It will set a key usage/management policy by default with the `root` account, along with any other
roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key.

If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
such as read access (decrypt) or write access (encrypt, re-encrypt). A later enhancement may be
to provide variables granting read and write access to the key.

## Requirements

No requirements.
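Review bot: "automaticaly" should be "automatically". The paragraph says `kms_policy_document` "needs to be a valid IAM policy"; be precise that it is merged into the key policy (a resource policy), so its statements must name `principals`, and that `root` plus every `kms_admin_roles` entry already has full key access, so the supplied document is the place for usage grants (decrypt, encrypt, re-encrypt) to workload roles rather than for additional administrators.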
@@ -50,7 +65,13 @@ No modules.
| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

## Inputs

@@ -65,7 +86,9 @@ No modules.
| <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | <pre>[<br> "title26"<br>]</pre> | no |
| <a name="input_enable_title26"></a> [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `true` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
| <a name="input_kms_admin_roles"></a> [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no |
| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no |
| <a name="input_kms_policy_document"></a> [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
| <a name="input_metadata_tags"></a> [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
| <a name="input_require_explicit_encryption"></a> [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
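Review bot: as in the standard module, `kms_key_id` is documented as "currently ignored", which for a Title 26 (FTI) bucket is worth calling out more loudly: a caller supplying an existing, already-audited key gets a new key with the module's default policy instead. Either remove the input until it is honoured or state in the description that a new key is always created. The `kms_policy_document` description should also say how the merge with the admin document behaves (override by `sid` or append), since that determines whether the supplied document can change the full access granted to `root` and `kms_admin_roles`.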
15 changes: 15 additions & 0 deletions title26/main.tf
@@ -16,6 +16,14 @@
* bucket_name = "myt26bucket"
* access_log_bucket = "mylogbucket"
* # enable_title26 = true
* kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
*
* ## optional
* # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
* }
*
* data "aws_iam_policy_document" "mypolicy" {
* statement { }
* }
* ```
*
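Review bot: the `statement { }` block in this example is an empty placeholder; a KMS key policy statement requires `principals`, `actions` and `resources`, so replace it with a minimal decrypt grant for a named role so the header comment (and any README generated from it) shows a statement that actually validates.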
@@ -24,6 +32,13 @@
* to make a comma separated list.
*
* This automaticaly creates an AWS KMS key used just for this bucket.
*
* It will set a key usage/management policy by default with the `root` account, along with any other
* roles in the variable `kms_admin_roles` list. This is **full** access to the KMS key.
*
* If `kms_policy_document` is provided it needs to be a valid IAM policy as would apply to key usage,
* such as read access (decrypt) or write access (encrypt, re-encrypt). A later enhancement may be
* to provide variables granting read and write access to the key.
*/

locals {
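Review bot: "automaticaly" is misspelled here as well. This paragraph is now duplicated verbatim across `standard/main.tf`, `title26/main.tf` and both READMEs; if the READMEs are generated from these header comments, fix the typo in the comment and regenerate, and consider keeping the shared KMS wording in one place so the two modules' descriptions of `root` and `kms_admin_roles` access do not drift apart.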

0 comments on commit 3271d5f