enforce kms encryption off for public

terraform-modules · Sep 12, 2023 · f2766d2 · f2766d2
1 parent ea74986
commit f2766d2
Show file tree

Hide file tree

Showing 38 changed files with 447 additions and 24 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -184,3 +184,7 @@ This works with the Terraform AWS provider 4.x, released 2022-02.
 
 * 3.3.11 -- 2023-06-29
   - remove comma in boc:safeguard tag, use space instead
+
+* 3.4.0 -- 2023-09-12
+  - public submodule
+    - new module to allow the use of public buckets (block_public_policy=false)
diff --git a/common/base_tags.tf b/common/base_tags.tf
@@ -1,5 +1,6 @@
 locals {
   base_tags = {
+    "boc:tf_module_name"    = local._module_name
     "boc:tf_module_version" = local._module_version
     "boc:created_by"        = "terraform"
   }

diff --git a/common/kms.tf b/common/kms.tf
@@ -16,7 +16,7 @@ locals {
 # create a key and alias if not specified
 #---
 resource "aws_kms_key" "key" {
-  count               = var.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
+  count               = local.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
   description         = "KMS CMK for S3 bucket ${local.name}"
   enable_key_rotation = true
   policy              = data.aws_iam_policy_document.key_policy_combined.json
@@ -31,7 +31,7 @@ resource "aws_kms_key" "key" {
 }
 
 resource "aws_kms_alias" "key" {
-  count         = var.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
+  count         = local.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
   name          = "alias/${local.kms_key_name}"
   target_key_id = var.kms_key_arn == null ? aws_kms_key.key[0].key_id : null
 }
@@ -60,6 +60,6 @@ data "aws_iam_policy_document" "key_policy_combined" {
 data "aws_iam_policy_document" "empty" {}
 
 data "aws_kms_key" "incoming_key" {
-  count  = var.kms_key_arn == null ? 0 : (var.use_kms_encryption ? 1 : 0)
-  key_id = var.use_kms_encryption ? var.kms_key_arn : null
+  count  = var.kms_key_arn == null ? 0 : (local.use_kms_encryption ? 1 : 0)
+  key_id = local.use_kms_encryption ? var.kms_key_arn : null
 }
diff --git a/common/outputs.kms.tf b/common/outputs.kms.tf
@@ -3,16 +3,16 @@
 #---
 output "kms_key_id" {
   description = "KMS Key ID. This is the created key id or the key id of kms_key_arn"
-  value       = var.use_kms_encryption ? (var.kms_key_arn == null ? aws_kms_key.key[0].id : data.aws_kms_key.incoming_key[0].id) : null
+  value       = local.use_kms_encryption ? (var.kms_key_arn == null ? aws_kms_key.key[0].id : data.aws_kms_key.incoming_key[0].id) : null
 }
 
 output "kms_key_arn" {
   description = "KMS Key ARN. This is the created key ARN or the key ARN of kms_key_arn"
-  value       = var.use_kms_encryption ? (var.kms_key_arn == null ? aws_kms_key.key[0].arn : data.aws_kms_key.incoming_key[0].arn) : null
+  value       = local.use_kms_encryption ? (var.kms_key_arn == null ? aws_kms_key.key[0].arn : data.aws_kms_key.incoming_key[0].arn) : null
 }
 
 output "kms_key_alias" {
   description = "KMS Key Alias name.  If a kms_key_arn passed in, this will be null."
-  value       = var.use_kms_encryption ? (var.kms_key_arn == null ? aws_kms_alias.key[0].name : null) : null
+  value       = local.use_kms_encryption ? (var.kms_key_arn == null ? aws_kms_alias.key[0].name : null) : null
 }
 
diff --git a/common/resources.tf b/common/resources.tf
@@ -183,14 +183,15 @@ resource "aws_s3_bucket_policy" "policy" {
   depends_on = [time_sleep.policy_delay]
 }
 
-resource "aws_s3_bucket_public_access_block" "this" {
-  bucket                  = aws_s3_bucket.this.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-  depends_on              = [aws_s3_bucket_policy.policy]
-}
+## this is in its own file to be able to offer a public submodule
+## resource "aws_s3_bucket_public_access_block" "this" {
+##   bucket                  = aws_s3_bucket.this.id
+##   block_public_acls       = true
+##   block_public_policy     = true
+##   ignore_public_acls      = true
+##   restrict_public_buckets = true
+##   depends_on              = [aws_s3_bucket_policy.policy]
+## }
 
 resource "time_sleep" "policy_delay" {
   triggers = {
@@ -326,8 +327,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
   rule {
     apply_server_side_encryption_by_default {
       #        kms_master_key_id = aws_kms_key.key.arn
-      kms_master_key_id = var.use_kms_encryption ? local.kms_key_arn : null
-      sse_algorithm     = var.use_kms_encryption ? "aws:kms" : "AES256"
+      kms_master_key_id = local.use_kms_encryption ? local.kms_key_arn : null
+      sse_algorithm     = local.use_kms_encryption ? "aws:kms" : "AES256"
     }
     bucket_key_enabled = var.bucket_key_enabled
   }

diff --git a/common/s3_public_block.tf b/common/s3_public_block.tf
@@ -0,0 +1,8 @@
+resource "aws_s3_bucket_public_access_block" "this" {
+  bucket                  = aws_s3_bucket.this.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+  depends_on              = [aws_s3_bucket_policy.policy]
+}
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "3.3.11"
+  _module_version = "3.4.0"
 }
diff --git a/kms_key/module_name.tf b/kms_key/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+  _module_name = "aws-s3/kms_key"
+}