Commit
fix
badra001 committed Sep 12, 2023
1 parent f2766d2 commit 3728d78
Showing 3 changed files with 12 additions and 14 deletions.
13 changes: 6 additions & 7 deletions public/README.md
@@ -1,7 +1,8 @@
# About aws-s3 :: public

This submodule allows you to create a public S3 bucket using the standard prefixes and settings under the
rare condition that a public bucket is approved for use.
rare condition that a public bucket is approved for use. It sets `bucket_public_policy` to false, and forces the use of
SS3-S3 encryption.

# Usage
To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off.
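Review bot: the added sentence names `bucket_public_policy`, but the input this commit actually introduces (see the inputs table below and public/variables.s3_public_block.tf) is `block_public_policy`; use the real name so readers can find it. On the same line, `SS3-S3 encryption` should read `SSE-S3`, matching the `use_kms_encryption` row ("SSE-S3 (AES256)"). It would also help to state here that the other three public-block settings stay `true` by default, so the only thing being opened is the bucket policy.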
@@ -14,10 +15,8 @@ module "my-bucket" {
bucket_name = "my-public-bucket"
access_log_bucket = "my-logbucket"
# kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
## optional
# kms_policy_document = data.aws_iam_policy_document.my-policy.json
# bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
# bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json
# name_include_account = true
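Review bot: with `block_public_policy` as the only public-block setting opened up, the bucket becomes public solely through a bucket policy, yet the usage example keeps `bucket_policy_document` and `bucket_policy_document_template` commented out under `## optional`; consider showing one of them as part of the main example so a reader of the public submodule sees the step that actually grants public access. The `# kms_admin_roles` and `# kms_policy_document` lines in this hunk are also at odds with the new "forces the use of SSE-S3" statement, so they should not survive in the example.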
@@ -148,8 +147,8 @@ No modules.
| <a name="input_access_log_bucket_prefix"></a> [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no |
| <a name="input_allowed_cidr"></a> [allowed\_cidr](#input\_allowed\_cidr) | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no |
| <a name="input_allowed_endpoints"></a> [allowed\_endpoints](#input\_allowed\_endpoints) | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no |
| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | S3 Public block setting to block public ACLs | `bool` | n/a | yes |
| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | S3 Public block setting to block public policy | `bool` | n/a | yes |
| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | S3 Public block setting to block public ACLs | `bool` | `true` | no |
| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | S3 Public block setting to block public policy | `bool` | `false` | no |
| <a name="input_bucket_folders"></a> [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no |
| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `true` | no |
| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes |
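Review bot: `block_public_policy` now defaults to `false` while `block_public_acls` defaults to `true`, which is the right shape for a policy-based public bucket, but the description ("S3 Public block setting to block public policy") gives no hint that this submodule deliberately inverts the usual default; add a sentence such as "Defaults to false in the public submodule so an approved public bucket policy can take effect" so the regenerated table explains itself. Nit in the unchanged context: "documenation" in the `bucket_key_enabled` row.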
@@ -160,7 +159,7 @@ No modules.
| <a name="input_data_safeguards"></a> [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no |
| <a name="input_enable_title26"></a> [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
| <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | S3 Public block setting to ignore public ACLs | `bool` | n/a | yes |
| <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | S3 Public block setting to ignore public ACLs | `bool` | `true` | no |
| <a name="input_kms_admin_roles"></a> [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no |
| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no |
| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no |
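Review bot: `ignore_public_acls` defaulting to `true` is fine, but the `kms_admin_roles` and `kms_key_arn` rows directly below it still read as live options even though this commit states that SSE-S3 is forced for public buckets; the `use_kms_encryption` row already carries "Enforced to FALSE for public buckets", so either add the same qualifier to these two rows or drop the KMS inputs from this submodule's table.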
@@ -174,7 +173,7 @@ No modules.
| <a name="input_object_lock_enabled"></a> [object\_lock\_enabled](#input\_object\_lock\_enabled) | Flag to enable object lock. This can only be set on bucket creation. See AWS documentation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html | `bool` | `false` | no |
| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Map of strings to override prefixes such as s3 and kms. Recommended ONLY for advanced useage (say, for inf* things) | `map(string)` | `{}` | no |
| <a name="input_require_explicit_encryption"></a> [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
| <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | S3 Public block setting to restrict public buckets | `bool` | n/a | yes |
| <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | S3 Public block setting to restrict public buckets | `bool` | `true` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
| <a name="input_use_kms_encryption"></a> [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access. Enforced to FALSE for public buckets | `bool` | `false` | no |
| <a name="input_versioning"></a> [versioning](#input\_versioning) | Flag to enable ot disable bucket versioning. This may be used for the standard submodule, but it is ignored for title26 (enforced to be enabled) | `bool` | `false` | no |
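Review bot: `restrict_public_buckets` defaulting to `true` conflicts with the stated purpose of this submodule: with RestrictPublicBuckets enabled, S3 limits access to a bucket that has a public policy to AWS service principals and authorized users in the bucket owner's account, so anonymous reads stay blocked even though `block_public_policy` is `false`. Either default it to `false` here, with the same justification text suggested for `block_public_policy`, or document that callers must override it, and say so in the About section. Nits in the unchanged rows: "useage" and "enable ot disable".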
5 changes: 2 additions & 3 deletions public/main.tf
@@ -2,7 +2,8 @@
* # About aws-s3 :: public
*
* This submodule allows you to create a public S3 bucket using the standard prefixes and settings under the
* rare condition that a public bucket is approved for use.
* rare condition that a public bucket is approved for use. It sets `bucket_public_policy` to false, and forces the use of
* SS3-S3 encryption.
*
* # Usage
* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off.
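Review bot: same two errors as in public/README.md: `bucket_public_policy` should be `block_public_policy` and `SS3-S3` should be `SSE-S3`. Since the README text appears to be generated from this header comment, fix it here first so the next docs run does not reintroduce them into the README.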
@@ -15,10 +16,8 @@
*
* bucket_name = "my-public-bucket"
* access_log_bucket = "my-logbucket"
* # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ]
*
* ## optional
* # kms_policy_document = data.aws_iam_policy_document.my-policy.json
* # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
* # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json
* # name_include_account = true
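Review bot: keep this example in step with the README hunk: the `# kms_admin_roles` and `# kms_policy_document` lines should not remain in a usage example for a submodule that forces SSE-S3, and `bucket_policy_document` deserves to be shown as the main example rather than under `## optional`, since a bucket policy is what actually makes this bucket public.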
8 changes: 4 additions & 4 deletions public/variables.s3_public_block.tf
@@ -1,24 +1,24 @@
variable "block_public_acls" {
description = "S3 Public block setting to block public ACLs"
type = bool
defualt = true
default = true
}

variable "block_public_policy" {
description = "S3 Public block setting to block public policy"
type = bool
defualt = false
default = false
}

variable "ignore_public_acls" {
description = "S3 Public block setting to ignore public ACLs"
type = bool
defualt = true
default = true
}

variable "restrict_public_buckets" {
description = "S3 Public block setting to restrict public buckets"
type = bool
defualt = true
default = true
}
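Review bot: the old `defualt` lines were more than a spelling slip: a misspelt `default` is an unsupported argument inside a `variable` block, so `terraform validate` would have rejected this file and the four inputs were effectively required (the old README rows showing `n/a` / `yes` reflected exactly that). Worth adding `terraform validate` (or `tflint`) to CI so a misspelt argument cannot merge again. Also, `restrict_public_buckets = true` together with `block_public_policy = false` still prevents anonymous access to a bucket with a public policy; if that combination is intentional, say so in the variable description.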
