From 40b90ffe6c00027aa5a5d43d2893e18a23ebeff4 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 17 Dec 2020 11:26:51 -0500
Subject: [PATCH] update descriptions, add metadata tags

---
 common/README.md | 15 ++++++++-------
 common/resources.tf | 16 +++++++++++-----
 common/variables.tf | 20 +++++++++++++-------
 3 files changed, 32 insertions(+), 19 deletions(-)

diff --git a/common/README.md b/common/README.md
index f70625e..840487e 100644
--- a/common/README.md
+++ b/common/README.md
@@ -15,13 +15,14 @@ No requirements.
 |------|-------------|------|---------|:--------:|
 | access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes |
 | access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no |
-| allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no |
-| allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no |
-| bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no |
-| bucket\_name | AWS Bucket Name | `string` | n/a | yes |
-| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time | `bool` | `false` | no |
-| kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no |
-| tags | AWS Tags | `map(string)` | `{}` | no |
+| allowed\_cidr | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no |
+| allowed\_endpoints | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no |
+| bucket\_folders | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no |
+| bucket\_name | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes |
+| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no |
+| kms\_key\_id | AWS KMS Key ID (one per bucket). 
This is currently ignored. | `string` | `""` | no |
+| metadata\_tags | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
+| tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 
 ## Outputs
 
diff --git a/common/resources.tf b/common/resources.tf
index 941cea3..613aa98 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -39,6 +39,10 @@ locals {
 enforced_tags = merge(
 local.add_tags["safeguard"][length(local.safeguard_tags) > 0 ? "exists" : "not_exists"]
 )
+ metadata_tags = merge(
+ var.metadata_tags,
+ { for k, v in local.enforced_tags : format("x-amzn-meta-%v", replace(k, "\\W", "_")) => v }
+ )
 }
 
 #---
@@ -178,21 +182,23 @@ resource "null_resource" "policy_delay" {
 }
 
 resource "aws_s3_bucket_object" "this_objects" {
- bucket = aws_s3_bucket.this.id
- count = length(var.bucket_folders)
- key = format("%s/", element(var.bucket_folders, count.index))
- source = "/dev/null"
+ for_each = toset(var.bucket_folders)
+ bucket = aws_s3_bucket.this.id
+ key = format("%s/", each.key)
+ source = "/dev/null"
+ metadata = local.metadata_tags
 
 depends_on = [null_resource.policy_delay]
 }
 
 #---
 # create a key and alias if not specified
+# right now, this can't use an external key, it has to create one per bucket
 #---
 resource "aws_kms_key" "key" {
 description = "KMS CMK for S3 bucket ${local.name}"
 enable_key_rotation = true
- #policy = data.aws_iam_policy_document.key.json
+ # policy = data.aws_iam_policy_document.key.json
 
 tags = merge(
 local.base_tags,
diff --git a/common/variables.tf b/common/variables.tf
index 2dbfe44..687d447 100644
--- a/common/variables.tf
+++ b/common/variables.tf
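Review bot: On the added `metadata_tags` line, `replace(k, "\\W", "_")` replaces the literal two-character string `\W`, not non-word characters, because Terraform's `replace` only treats its pattern as a regular expression when it is wrapped in forward slashes; tag names containing spaces, colons or slashes therefore reach the S3 request unsanitized. The `x-amzn-meta-` prefix is also suspect: the S3 user-metadata prefix is `x-amz-meta-`, and the `aws_s3_bucket_object` `metadata` argument is documented as adding that prefix itself and expecting lowercase keys, so these entries would come out as `x-amz-meta-x-amzn-meta-<key>` while the `var.metadata_tags` entries merged above them get the plain prefix. I would make the line `{ for k, v in local.enforced_tags : lower(replace(k, "/\\W/", "_")) => v }` and add above the block `# metadata keys are prefixed with x-amz-meta- by the provider; only sanitize the enforced tag names here`. The enclosing `locals` block starts above this hunk.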
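Review bot: The `aws_kms_key` in this hunk is still created without a `policy` (the argument stays commented out, only re-spaced), so the CMK gets the AWS default key policy, which grants the account's root principal full access to the key and delegates all further access decisions to IAM; the new comment records that an external key cannot be used, but the module's own key is not scoped either. If `data.aws_iam_policy_document.key` exists elsewhere in the module, re-enabling `policy = data.aws_iam_policy_document.key.json` is the change I would make here; otherwise the comment should state that the key relies on the default key policy so reviewers do not assume the commented line is in effect. Separately, `metadata = local.metadata_tags` only labels the zero-byte `folder/` marker objects this resource creates; objects later uploaded under those prefixes carry none of the safeguard metadata, so it should not be described as applying to "any bucket objects" and cannot be relied on as an access-control signal. Note also that moving from `count` to `for_each` changes the resource addresses, so existing markers will be destroyed and recreated on the next apply unless the state entries are moved first.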
@@ -1,22 +1,28 @@
 variable "bucket_name" {
- description = "AWS Bucket Name"
+ description = "AWS Bucket Name. Standard prefix will be applied here, do not include here."
 type = string
 }
 
 variable "bucket_folders" {
- description = "List of folders (keys) to create after creation of bucket"
+ description = "List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata_tags and data_safeguard labels."
 type = list(string)
 default = []
 }
 
 variable "kms_key_id" {
- description = "AWS KMS Key ID (one per bucket)"
+ description = "AWS KMS Key ID (one per bucket). This is currently ignored."
 type = string
 default = ""
 }
 
 variable "tags" {
- description = "AWS Tags"
+ description = "AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data_safeguard field for such things."
+ type = map(string)
+ default = {}
+}
+
+variable "metadata_tags" {
+ description = "AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data_safeguard labels are applied, they will be incorporated on any bucket objects created."
 type = map(string)
 default = {}
 }
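Review bot: `kms_key_id` is now documented as "currently ignored" but is still accepted silently, so a caller who passes their own CMK ID will believe that key is in use while the module encrypts with the key it creates itself; a silently ignored encryption-key input is the kind of gap that tends to surface only in an audit. If the module targets Terraform 0.13 or later, I would reject a non-empty value with a `validation` block and make the description say that the module always creates its own key, as below. In the same hunk, the `metadata_tags` description names the prefix `x-amzn-meta-`; the S3 user-metadata prefix is `x-amz-meta-`, so the description should read `(prefix x-amz-meta- is added by the provider, do not include it here)`.
```hcl
variable "kms_key_id" {
  description = "AWS KMS Key ID (one per bucket). Not yet supported: the module always creates its own CMK, and a non-empty value is rejected."
  type        = string
  default     = ""

  validation {
    condition     = var.kms_key_id == ""
    error_message = "kms_key_id is not yet supported by this module; leave it empty."
  }
}
```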
@@ -34,19 +40,19 @@ variable "access_log_bucket" {
 }
 
 variable "allowed_cidr" {
- description = "List of allowed source IPs (NOT from within the VPC)"
+ description = "List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed_endpoints for access within a VPC."
 type = list(string)
 default = []
 }
 
 variable "allowed_endpoints" {
- description = "List of allowed VPC endpoint IDs"
+ description = "List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints."
 type = list(string)
 default = []
 }
 
 variable "force_destroy" {
- description = "Sets force_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time"
+ description = "Sets force_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource."
 type = bool
 default = false
 }
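Review bot: The new `allowed_cidr` description says "source IPs" while the variable name says CIDR, leaving the accepted format (CIDR blocks, bare addresses, or both) unstated; these values presumably feed an IP-based condition in the bucket policy, which is outside this hunk, and a reader should not have to open the policy to find out what to pass. I would make the description explicit, e.g. `description = "CIDR blocks (e.g. 203.0.113.0/24) accepted as request source addresses from outside the VPC. An empty list adds no source-IP condition; when set, VPC traffic must be allowed separately via allowed_endpoints."`.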