diff --git a/CHANGELOG.md b/CHANGELOG.md
index d7b164c..a0213bd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -184,3 +184,7 @@ This works with the Terraform AWS provider 4.x, released 2022-02.
 * 3.3.11 -- 2023-06-29
 - remove comma in boc:safeguard tag, use space instead
+
+* 3.4.0 -- 2023-09-12
+ - public submodule
+ - new module to allow the use of public buckets (block_public_policy=false)
diff --git a/common/base_tags.tf b/common/base_tags.tf
index 602b87a..fc95412 100644
--- a/common/base_tags.tf
+++ b/common/base_tags.tf
@@ -1,5 +1,6 @@
 locals {
 base_tags = {
+ "boc:tf_module_name" = local._module_name
 "boc:tf_module_version" = local._module_version
 "boc:created_by" = "terraform"
 }
diff --git a/common/kms.tf b/common/kms.tf
index fd8f3ce..aeafc40 100644
--- a/common/kms.tf
+++ b/common/kms.tf
@@ -16,7 +16,7 @@ locals {
 # create a key and alias if not specified
 #---
 resource "aws_kms_key" "key" {
- count = var.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
+ count = local.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
 description = "KMS CMK for S3 bucket ${local.name}"
 enable_key_rotation = true
 policy = data.aws_iam_policy_document.key_policy_combined.json
@@ -31,7 +31,7 @@ resource "aws_kms_key" "key" {
 }
 resource "aws_kms_alias" "key" {
- count = var.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
+ count = local.use_kms_encryption && var.kms_key_arn == null ? 1 : 0
 name = "alias/${local.kms_key_name}"
 target_key_id = var.kms_key_arn == null ? aws_kms_key.key[0].key_id : null
 }
@@ -60,6 +60,6 @@ data "aws_iam_policy_document" "key_policy_combined" {
 data "aws_iam_policy_document" "empty" {}
 data "aws_kms_key" "incoming_key" {
- count = var.kms_key_arn == null ? 0 : (var.use_kms_encryption ? 1 : 0)
- key_id = var.use_kms_encryption ? var.kms_key_arn : null
+ count = var.kms_key_arn == null ? 0 : (local.use_kms_encryption ? 1 : 0)
+ key_id = local.use_kms_encryption ? var.kms_key_arn : null
 }
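Review bot: The `count` expressions in `common/kms.tf` now read `local.use_kms_encryption`, but nothing in this file declares that local; `kms.tf` is symlinked into every submodule, so each submodule's `main.tf` must define it or `terraform validate` fails with an undeclared-local reference. In this diff `standard/main.tf` and `public/main.tf` add the local, while the `title26/main.tf` hunk is cut off at the end of the page, so that one should be confirmed. The same dependency is introduced by `local._module_name` in `common/base_tags.tf`, which relies on a per-submodule `module_name.tf`; only the `kms_key`, `public` and `standard` copies are visible here. A comment at the top of `kms.tf` would make the contract explicit: `# local.use_kms_encryption must be declared in each submodule's main.tf`.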
diff --git a/common/outputs.kms.tf b/common/outputs.kms.tf
index c79d59d..65a51d4 100644
--- a/common/outputs.kms.tf
+++ b/common/outputs.kms.tf
@@ -3,16 +3,16 @@
 #---
 output "kms_key_id" {
 description = "KMS Key ID. This is the created key id or the key id of kms_key_arn"
- value = var.use_kms_encryption ? (var.kms_key_arn == null ? aws_kms_key.key[0].id : data.aws_kms_key.incoming_key[0].id) : null
+ value = local.use_kms_encryption ? (var.kms_key_arn == null ? aws_kms_key.key[0].id : data.aws_kms_key.incoming_key[0].id) : null
 }
 output "kms_key_arn" {
 description = "KMS Key ARN. This is the created key ARN or the key ARN of kms_key_arn"
- value = var.use_kms_encryption ? (var.kms_key_arn == null ? aws_kms_key.key[0].arn : data.aws_kms_key.incoming_key[0].arn) : null
+ value = local.use_kms_encryption ? (var.kms_key_arn == null ? aws_kms_key.key[0].arn : data.aws_kms_key.incoming_key[0].arn) : null
 }
 output "kms_key_alias" {
 description = "KMS Key Alias name. If a kms_key_arn passed in, this will be null."
- value = var.use_kms_encryption ? (var.kms_key_arn == null ? aws_kms_alias.key[0].name : null) : null
+ value = local.use_kms_encryption ? (var.kms_key_arn == null ? aws_kms_alias.key[0].name : null) : null
 }
diff --git a/common/resources.tf b/common/resources.tf
index 03f86ba..2359699 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -183,14 +183,15 @@ resource "aws_s3_bucket_policy" "policy" {
 depends_on = [time_sleep.policy_delay]
 }
-resource "aws_s3_bucket_public_access_block" "this" {
- bucket = aws_s3_bucket.this.id
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
- depends_on = [aws_s3_bucket_policy.policy]
-}
+## this is in its own file to be able to offer a public submodule
+## resource "aws_s3_bucket_public_access_block" "this" {
+## bucket = aws_s3_bucket.this.id
+## block_public_acls = true
+## block_public_policy = true
+## ignore_public_acls = true
+## restrict_public_buckets = true
+## depends_on = [aws_s3_bucket_policy.policy]
+## }
 resource "time_sleep" "policy_delay" {
 triggers = {
@@ -326,8 +327,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 rule {
 apply_server_side_encryption_by_default {
 # kms_master_key_id = aws_kms_key.key.arn
- kms_master_key_id = var.use_kms_encryption ? local.kms_key_arn : null
- sse_algorithm = var.use_kms_encryption ? "aws:kms" : "AES256"
+ kms_master_key_id = local.use_kms_encryption ? local.kms_key_arn : null
+ sse_algorithm = local.use_kms_encryption ? "aws:kms" : "AES256"
 }
 bucket_key_enabled = var.bucket_key_enabled
 }
diff --git a/common/s3_public_block.tf b/common/s3_public_block.tf
new file mode 100644
index 0000000..262acde
--- /dev/null
+++ b/common/s3_public_block.tf
@@ -0,0 +1,8 @@
+resource "aws_s3_bucket_public_access_block" "this" {
+ bucket = aws_s3_bucket.this.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+ depends_on = [aws_s3_bucket_policy.policy]
+}
diff --git a/common/version.tf b/common/version.tf
index a8f6e3f..174f530 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "3.3.11"
+ _module_version = "3.4.0"
 }
diff --git a/kms_key/module_name.tf b/kms_key/module_name.tf
new file mode 100644
index 0000000..0e51b48
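Review bot: The removed `aws_s3_bucket_public_access_block` is kept as nine `##` comment lines instead of being deleted, which is dead code: the live definition now lives in `common/s3_public_block.tf` (and the variant in `public/s3_public_block.tf`), so this commented copy will silently drift the next time either of those is edited. Keep a single pointer comment and drop the rest, e.g. `## aws_s3_bucket_public_access_block is defined in s3_public_block.tf so the public submodule can supply its own`. The enclosing `aws_s3_bucket_policy` resource begins before this hunk, and the `time_sleep` resource it ends on continues after it.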
--- /dev/null
+++ b/kms_key/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-s3/kms_key"
+}
diff --git a/public/README.md b/public/README.md
new file mode 100644
index 0000000..dc99fb7
--- /dev/null
+++ b/public/README.md
@@ -0,0 +1,192 @@ +# About aws-s3 :: public + +This submodule allows you to create a public S3 bucket using the standard prefixes and settings under the +rare condition that a public bucket is approved for use. + +# Usage +To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off. +If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow +the [updating directions](updating-buckets.md). + +```hcl +module "my-bucket" { + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//public?ref=3" + + bucket_name = "my-public-bucket" + access_log_bucket = "my-logbucket" + # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] + + ## optional + # kms_policy_document = data.aws_iam_policy_document.my-policy.json + # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json + # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json + # name_include_account = true + # name_include_region = true + # name_include_region_compact = true + # name_enforce_region_compact = false +} + +output "my-bucket-info" { + description = "S3 Standard Bucket Info" + value = { + arn = module.my-bucket.s3_bucket_arn + id = module.my-bucket.s3_bucket_id + } +} +``` + +# Options +## Options :: bucket\_key\_enabled +This will set the bucket to use a `bucket_key` (see [docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)). It is +now enabled by default. However, it cannot be changed through the module. If you need to turn it on for an existing bucket (with or without +objects), you will need to set it through the console or API. Likewise, disabling it once set will have to happen through the console or API, +and then you will want to set this flag to `false`. The reasoning behind this behavior is that existing objects will not use a bucket key. 
You +have to copy each object in order to cause it to use the bucket key. Changing it would lead to the intended behavior (enabled) not actually working +on existing objects. + +## Options :: name\_include\_account +Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default +is false. + +## Options :: name\_include\_region +Use of this flag as true will include current region after the bucket name (name-REGION). Default +is false. If used in conjunction with `name_include_account`, the region will be at the end. + +## Options :: name\_include\_region\_compact +This flag determines if we compact the region to a shorter name, and use it if the name with the full +region is longer than the maximum of 63 characters. It takes the first character of the full region +name and uses that. For example, `us-gov-west-1` becomes `ugw1`. The default value is true. +It is still possible to construct a name that is longer than 63 characters and get a failure, even with +this shorter region value. + +## Options :: name\_enforce\_region\_compact +This flag always compacts the region, no mater whehter the name is longer than 63 characters or not. + +## Options :: object\_lock\_enable +This is usable on bucket creation, and it will allow you to add external to this module an object lock +configuration (aws\_s3\_object\_lock\_configuration). See the [Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html) +and the [Terraform AWS Provider](https://registry.terraform.io/providers/hashicorp%20%20/aws/4.7.0/docs/resources/s3_bucket_object_lock_configuration) docs for +more details. Setting this after bucket creation is possible but requires a support tickets, so you're better off doing it up front. + +# Outputs +One output of note is the `s3_module_settings`. With this, you can get the settings used when calling the +module, the original bucket name before prefix and suffixes, and other things. It is a map. 
+ +```hcl +output "s3_module_settings" { + description = "S3 module settings and values" + value = { + bucket_name = var.bucket_name + resulting_bucket_name = local.bucket_name + resulting_bucket_arn = aws_s3_bucket.this.arn + name_include_region = var.name_include_region + name_include_account = var.name_include_account + name_include_region_compact = var.name_include_region_compact + name_enforce_region_compact = var.name_enforce_region_compact + account_id = local.account_id + region = local.region + region_short = local.region_short + } +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [aws](#requirement\_aws) | >= 4.0 | +| [null](#requirement\_null) | >= 3.1.0 | +| [time](#requirement\_time) | >= 0.9.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0 | +| [null](#provider\_null) | >= 3.1.0 | +| [template](#provider\_template) | n/a | +| [time](#provider\_time) | >= 0.9.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | +| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| 
[aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_s3_object.this_objects](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | +| [null_resource.name_too_long](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [time_sleep.acl_delay](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [time_sleep.policy_delay](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.bucket_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [template_file.policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_log\_bucket](#input\_access\_log\_bucket) | Server Access Logging Bucket ID | `string` | n/a | yes | +| [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | +| [allowed\_cidr](#input\_allowed\_cidr) | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no | +| [allowed\_endpoints](#input\_allowed\_endpoints) | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no | +| [block\_public\_acls](#input\_block\_public\_acls) | S3 Public block setting to block public ACLs | `bool` | n/a | yes | +| [block\_public\_policy](#input\_block\_public\_policy) | S3 Public block setting to block public policy | `bool` | n/a | yes | +| [bucket\_folders](#input\_bucket\_folders) | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. 
| `list(string)` | `[]` | no | +| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `true` | no | +| [bucket\_name](#input\_bucket\_name) | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | +| [bucket\_owner](#input\_bucket\_owner) | One of BucketOwnerPreferred, ObjectWriter, or BucketOwnerEnforced. See S3 Documentation for more information (default: BucketOwnerPreferred, requires bucket-owner-full-control option when uploading | `string` | `"BucketOwnerPreferred"` | no | +| [bucket\_policy\_disabled](#input\_bucket\_policy\_disabled) | Flag to enable or disable the default bucket policy. This is used for where we need to create the bucket policy outside of the module to prevent cyclical setup | `bool` | `false` | no | +| [bucket\_policy\_document](#input\_bucket\_policy\_document) | IAM Policy document describing additional policy to be attached to the bucket beyond the default | `string` | `""` | no | +| [bucket\_policy\_document\_template](#input\_bucket\_policy\_document\_template) | IAM Policy document template describing additional policy to be attached to the bucket beyond the default. This is so we can inject the S3 Bucket ARN into a policy without a loop. Construct the policy with ${s3\_bucket\_arn} where you need it to be in a resource. This also supports ${s3\_bucket\_id} and ${kms\_key\_arn} | `string` | `null` | no | +| [data\_safeguards](#input\_data\_safeguards) | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no | +| [enable\_title26](#input\_enable\_title26) | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no | +| [force\_destroy](#input\_force\_destroy) | Sets force\_destroy to allow the bucket and contents to be deleted. 
The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | +| [ignore\_public\_acls](#input\_ignore\_public\_acls) | S3 Public block setting to ignore public ACLs | `bool` | n/a | yes | +| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | +| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS Key ARN, a key created external to this module call. | `string` | `null` | no | +| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no | +| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no | +| [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | +| [multi\_region](#input\_multi\_region) | Flag to enable or disable the use of a multi-region KMS key (default=false) | `bool` | `false` | no | +| [name\_enforce\_region\_compact](#input\_name\_enforce\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name no matter the lenth of the string. Only usable with name\_include\_region. 
| `bool` | `false` | no | +| [name\_include\_account](#input\_name\_include\_account) | Flag to determine if we include the AWS Account id in the resulting bucket name | `bool` | `false` | no | +| [name\_include\_region](#input\_name\_include\_region) | Flag to determine if we include the full region name in the resulting bucket name | `bool` | `false` | no | +| [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters. Only usable with name\_include\_region. | `bool` | `true` | no | +| [object\_lock\_enabled](#input\_object\_lock\_enabled) | Flag to enable object lock. This can only be set on bucket creation. See AWS documentation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html | `bool` | `false` | no | +| [override\_prefixes](#input\_override\_prefixes) | Map of strings to override prefixes such as s3 and kms. Recommended ONLY for advanced useage (say, for inf* things) | `map(string)` | `{}` | no | +| [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no | +| [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | S3 Public block setting to restrict public buckets | `bool` | n/a | yes | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access. Enforced to FALSE for public buckets | `bool` | `false` | no | +| [versioning](#input\_versioning) | Flag to enable ot disable bucket versioning. 
This may be used for the standard submodule, but it is ignored for title26 (enforced to be enabled) | `bool` | `false` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [kms\_key\_alias](#output\_kms\_key\_alias) | KMS Key Alias name. If a kms\_key\_arn passed in, this will be null. | +| [kms\_key\_arn](#output\_kms\_key\_arn) | KMS Key ARN. This is the created key ARN or the key ARN of kms\_key\_arn | +| [kms\_key\_id](#output\_kms\_key\_id) | KMS Key ID. This is the created key id or the key id of kms\_key\_arn | +| [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | Created S3 Bucket ARN | +| [s3\_bucket\_id](#output\_s3\_bucket\_id) | Created S3 Bucket ID | +| [s3\_module\_settings](#output\_s3\_module\_settings) | S3 module settings and values | +| [s3\_requested\_bucket\_name](#output\_s3\_requested\_bucket\_name) | Requested S3 Bucket Name before prefix and other settings | diff --git a/public/base_settings.tf b/public/base_settings.tf new file mode 120000 index 0000000..396784e --- /dev/null +++ b/public/base_settings.tf @@ -0,0 +1 @@ +../common/base_settings.tf \ No newline at end of file diff --git a/public/base_tags.tf b/public/base_tags.tf new file mode 120000 index 0000000..91c15aa --- /dev/null +++ b/public/base_tags.tf @@ -0,0 +1 @@ +../common/base_tags.tf \ No newline at end of file diff --git a/public/data.tf b/public/data.tf new file mode 120000 index 0000000..995624d --- /dev/null +++ b/public/data.tf @@ -0,0 +1 @@ +../common/data.tf \ No newline at end of file diff --git a/public/defaults.tf b/public/defaults.tf new file mode 120000 index 0000000..a5556ac --- /dev/null +++ b/public/defaults.tf @@ -0,0 +1 @@ +../common/defaults.tf \ No newline at end of file diff --git a/public/kms.tf b/public/kms.tf new file mode 120000 index 0000000..b0b3f29 --- /dev/null +++ b/public/kms.tf @@ -0,0 +1 @@ +../common/kms.tf \ No newline at end of file diff --git a/public/main.tf b/public/main.tf new file mode 100644 index 0000000..dfb2b8e 
--- /dev/null
+++ b/public/main.tf
@@ -0,0 +1,99 @@ +/* +* # About aws-s3 :: public +* +* This submodule allows you to create a public S3 bucket using the standard prefixes and settings under the +* rare condition that a public bucket is approved for use. +* +* # Usage +* To use the new refactored module with the AWS provider v4.x, use `?ref=tf-upgrade` (formerly `?ref=3`), otherwise leave this part off. +* If you are converting an older version of the module to the new AWS provider with `?ref=tf-upgrade`, please follow +* the [updating directions](updating-buckets.md). +* +* ```hcl +* module "my-bucket" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//public?ref=3" +* +* bucket_name = "my-public-bucket" +* access_log_bucket = "my-logbucket" +* # kms_admin_roles = [ aws_iam_role.cloud-admin.arn ] +* +* ## optional +* # kms_policy_document = data.aws_iam_policy_document.my-policy.json +* # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json +* # bucket_policy_document_template = data.aws_iam_policy_document.my-bucketpolicy-template.json +* # name_include_account = true +* # name_include_region = true +* # name_include_region_compact = true +* # name_enforce_region_compact = false +* } +* +* output "my-bucket-info" { +* description = "S3 Standard Bucket Info" +* value = { +* arn = module.my-bucket.s3_bucket_arn +* id = module.my-bucket.s3_bucket_id +* } +* } +* ``` +* +* # Options +* ## Options :: bucket_key_enabled +* This will set the bucket to use a `bucket_key` (see [docs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)). It is +* now enabled by default. However, it cannot be changed through the module. If you need to turn it on for an existing bucket (with or without +* objects), you will need to set it through the console or API. Likewise, disabling it once set will have to happen through the console or API, +* and then you will want to set this flag to `false`. 
The reasoning behind this behavior is that existing objects will not use a bucket key. You +* have to copy each object in order to cause it to use the bucket key. Changing it would lead to the intended behavior (enabled) not actually working +* on existing objects. +* +* ## Options :: name_include_account +* Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default +* is false. +* +* ## Options :: name_include_region +* Use of this flag as true will include current region after the bucket name (name-REGION). Default +* is false. If used in conjunction with `name_include_account`, the region will be at the end. +* +* ## Options :: name_include_region_compact +* This flag determines if we compact the region to a shorter name, and use it if the name with the full +* region is longer than the maximum of 63 characters. It takes the first character of the full region +* name and uses that. For example, `us-gov-west-1` becomes `ugw1`. The default value is true. +* It is still possible to construct a name that is longer than 63 characters and get a failure, even with +* this shorter region value. +* +* ## Options :: name_enforce_region_compact +* This flag always compacts the region, no mater whehter the name is longer than 63 characters or not. +* +* ## Options :: object_lock_enable +* This is usable on bucket creation, and it will allow you to add external to this module an object lock +* configuration (aws_s3_object_lock_configuration). See the [Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html) +* and the [Terraform AWS Provider](https://registry.terraform.io/providers/hashicorp%20%20/aws/4.7.0/docs/resources/s3_bucket_object_lock_configuration) docs for +* more details. Setting this after bucket creation is possible but requires a support tickets, so you're better off doing it up front. +* +* # Outputs +* One output of note is the `s3_module_settings`. 
With this, you can get the settings used when calling the
+* module, the original bucket name before prefix and suffixes, and other things. It is a map.
+*
+* ```hcl
+* output "s3_module_settings" {
+* description = "S3 module settings and values"
+* value = {
+* bucket_name = var.bucket_name
+* resulting_bucket_name = local.bucket_name
+* resulting_bucket_arn = aws_s3_bucket.this.arn
+* name_include_region = var.name_include_region
+* name_include_account = var.name_include_account
+* name_include_region_compact = var.name_include_region_compact
+* name_enforce_region_compact = var.name_enforce_region_compact
+* account_id = local.account_id
+* region = local.region
+* region_short = local.region_short
+* }
+* }
+* ```
+*/
+
+locals {
+ enable_title26 = false
+ versioning = var.versioning
+ use_kms_encryption = false
+}
diff --git a/public/module_name.tf b/public/module_name.tf
new file mode 100644
index 0000000..3a8f498
--- /dev/null
+++ b/public/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-s3/public"
+}
diff --git a/public/outputs.kms.tf b/public/outputs.kms.tf
new file mode 120000
index 0000000..74a8d7b
--- /dev/null
+++ b/public/outputs.kms.tf
@@ -0,0 +1 @@
+../common/outputs.kms.tf
\ No newline at end of file
diff --git a/public/outputs.s3.tf b/public/outputs.s3.tf
new file mode 120000
index 0000000..594685a
--- /dev/null
+++ b/public/outputs.s3.tf
@@ -0,0 +1 @@
+../common/outputs.s3.tf
\ No newline at end of file
diff --git a/public/prefixes.tf b/public/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/public/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/public/resources.tf b/public/resources.tf
new file mode 120000
index 0000000..6dd8c84
--- /dev/null
+++ b/public/resources.tf
@@ -0,0 +1 @@
+../common/resources.tf
\ No newline at end of file
diff --git a/public/s3_public_block.tf b/public/s3_public_block.tf
new file mode 100644
index 0000000..74b354f
--- /dev/null
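Review bot: The header comment of `public/main.tf` never states what makes this submodule different from `standard`: the `locals` block at the bottom hard-codes `enable_title26 = false` and `use_kms_encryption = false`, so the bucket is SSE-S3 only and Title 26 settings are unavailable, yet the usage example still shows `kms_admin_roles` and `kms_policy_document`, which are no-ops here because `common/kms.tf` creates no key when `local.use_kms_encryption` is false. The example also pins `source` to `?ref=3` two lines after the text says to use `?ref=tf-upgrade`, which is inconsistent. Suggest one paragraph under "# About" stating that the public submodule forces SSE-S3 (presumably because anonymous readers cannot call `kms:Decrypt`), forces Title 26 off, and ignores the `kms_*` inputs, plus a why-comment on the local: `use_kms_encryption = false # public readers cannot decrypt SSE-KMS objects; SSE-S3 only`. This block starts in the previous part of the hunk, above this page.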
+++ b/public/s3_public_block.tf
@@ -0,0 +1,8 @@
+resource "aws_s3_bucket_public_access_block" "this" {
+ bucket = aws_s3_bucket.this.id
+ block_public_acls = var.block_public_acls
+ block_public_policy = var.block_public_policy
+ ignore_public_acls = var.ignore_public_acls
+ restrict_public_buckets = var.restrict_public_buckets
+ depends_on = [aws_s3_bucket_policy.policy]
+}
diff --git a/public/safeguard_variables.tf b/public/safeguard_variables.tf
new file mode 100644
index 0000000..a934cfc
--- /dev/null
+++ b/public/safeguard_variables.tf
@@ -0,0 +1,14 @@
+/*
+* Valid values include: title13, title26, title42, pii, title5
+*/
+variable "data_safeguards" {
+ description = "Selected available safeguards which apply to the data in the bucket"
+ type = list(string)
+ default = []
+}
+
+variable "enable_title26" {
+ description = "Flag to enable bucket with Title 26 (FTI) settings"
+ type = bool
+ default = false
+}
diff --git a/public/updating-buckets.md b/public/updating-buckets.md
new file mode 120000
index 0000000..65e8981
--- /dev/null
+++ b/public/updating-buckets.md
@@ -0,0 +1 @@
+../bin/README.md
\ No newline at end of file
diff --git a/public/variables.common.tf b/public/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/public/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/public/variables.kms.tf b/public/variables.kms.tf
new file mode 100644
index 0000000..602fee3
--- /dev/null
+++ b/public/variables.kms.tf
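Review bot: All four public-access-block flags are caller-controlled in `public/s3_public_block.tf`, while the changelog and README scope this submodule to `block_public_policy=false`; as written a caller can also pass `block_public_acls = false` and `ignore_public_acls = false` and re-enable public ACLs, and with the README's default `bucket_owner = BucketOwnerPreferred` ACLs are still honoured on the bucket. If public ACLs are not an approved use, hard-code `block_public_acls = true` and `ignore_public_acls = true` here and expose only `block_public_policy` and `restrict_public_buckets` as inputs, so the only way to open the bucket is an explicit, reviewable bucket policy. A one-line comment above the resource naming which flags are intentionally relaxed would help the next reader, e.g. `# public submodule: only block_public_policy/restrict_public_buckets are meant to be relaxed`.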
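Review bot: `variable "enable_title26"` in `public/safeguard_variables.tf` is accepted but `public/main.tf` pins `local.enable_title26 = false`, so a caller who sets it to `true` gets a public bucket with none of the Title 26 settings and no error. Either drop the variable from this submodule or reject the value at plan time with a `validation` block as below; the same consideration applies to `data_safeguards`, whose documented values include `title26` and which this submodule does not restrict.
```hcl
variable "enable_title26" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.enable_title26 == false
    error_message = "Title 26 (FTI) data cannot be placed in a public bucket; use the title26 submodule."
  }
}
```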
@@ -0,0 +1,35 @@
+variable "kms_key_id" {
+ description = "AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated)."
+ type = string
+ default = null
+}
+
+variable "kms_key_arn" {
+ description = "AWS KMS Key ARN, a key created external to this module call."
+ type = string
+ default = null
+}
+
+variable "kms_policy_document" {
+ description = "AWS KMS Key Policy Document JSON, merged with admin policy document"
+ type = string
+ default = ""
+}
+
+variable "kms_admin_roles" {
+ description = "AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default."
+ type = list(string)
+ default = []
+}
+
+variable "use_kms_encryption" {
+ description = "Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access. Enforced to FALSE for public buckets"
+ type = bool
+ default = false
+}
+
+variable "multi_region" {
+ description = "Flag to enable or disable the use of a multi-region KMS key (default=false)"
+ type = bool
+ default = false
+}
diff --git a/public/variables.override_prefixes.tf b/public/variables.override_prefixes.tf
new file mode 120000
index 0000000..3cf8ceb
--- /dev/null
+++ b/public/variables.override_prefixes.tf
@@ -0,0 +1 @@
+../common//variables.override_prefixes.tf
\ No newline at end of file
diff --git a/public/variables.s3.tf b/public/variables.s3.tf
new file mode 120000
index 0000000..49213df
--- /dev/null
+++ b/public/variables.s3.tf
@@ -0,0 +1 @@
+../common/variables.s3.tf
\ No newline at end of file
diff --git a/public/variables.s3_public_block.tf b/public/variables.s3_public_block.tf
new file mode 100644
index 0000000..373ede1
--- /dev/null
+++ b/public/variables.s3_public_block.tf
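Review bot: `variable "use_kms_encryption"` says it is "Enforced to FALSE for public buckets" but still accepts `true`, and `public/main.tf` overrides it with `local.use_kms_encryption = false`, so a caller who asks for KMS gets an SSE-S3 bucket silently; `kms_key_arn`, `kms_admin_roles`, `kms_policy_document` and `multi_region` are likewise accepted and ignored because no key is created when the local is false. Rejecting the value at plan time makes the contract visible, and the other `kms_*` descriptions should say "ignored by the public submodule" so the generated README stops advertising them. The symlink target `../common//variables.override_prefixes.tf` in the same section has a doubled slash that resolves but looks like a typo.
```hcl
variable "use_kms_encryption" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.use_kms_encryption == false
    error_message = "The public submodule always uses SSE-S3 (AES256); use_kms_encryption must be false."
  }
}
```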
@@ -0,0 +1,24 @@
+variable "block_public_acls" {
+ description = "S3 Public block setting to block public ACLs"
+ type = bool
+ defualt = true
+}
+
+variable "block_public_policy" {
+ description = "S3 Public block setting to block public policy"
+ type = bool
+ defualt = false
+}
+
+variable "ignore_public_acls" {
+ description = "S3 Public block setting to ignore public ACLs"
+ type = bool
+ defualt = true
+}
+
+variable "restrict_public_buckets" {
+ description = "S3 Public block setting to restrict public buckets"
+ type = bool
+ defualt = true
+}
+
diff --git a/public/version.tf b/public/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/public/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/public/versions.tf b/public/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/public/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
diff --git a/standard/README.md b/standard/README.md
index fa4c1aa..76c0f43 100644
--- a/standard/README.md
+++ b/standard/README.md
@@ -166,6 +166,7 @@ output "s3_module_settings" {
 |------|---------|
 | [aws](#requirement\_aws) | >= 4.0 |
 | [null](#requirement\_null) | >= 3.1.0 |
+| [time](#requirement\_time) | >= 0.9.0 |
 ## Providers
@@ -174,6 +175,7 @@ output "s3_module_settings" {
 | [aws](#provider\_aws) | >= 4.0 |
 | [null](#provider\_null) | >= 3.1.0 |
 | [template](#provider\_template) | n/a |
+| [time](#provider\_time) | >= 0.9.0 |
 ## Modules
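Review bot: All four `variable` blocks in `public/variables.s3_public_block.tf` spell the argument `defualt`, which Terraform rejects as an unsupported argument inside a `variable` block, so the public submodule fails `terraform validate` before any of the new logic runs; it also explains why the generated README lists these four inputs as required with no default. Change each to `default = true` (and `default = false` for `block_public_policy`). Once fixed, the submodule's defaults leave only `block_public_policy` relaxed, which matches the changelog; consider saying so in the descriptions, e.g. `description = "Block public bucket policies. The public submodule defaults this to false so an approved public bucket policy can be attached."`.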
@@ -195,7 +197,8 @@ No modules.
 | [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_object.this_objects](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
 | [null_resource.name_too_long](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [time_sleep.acl_delay](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.policy_delay](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.bucket_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/standard/main.tf b/standard/main.tf
index 3bcb382..e60e744 100644
--- a/standard/main.tf
+++ b/standard/main.tf
@@ -163,6 +163,7 @@
 
 */
 locals {
- enable_title26 = var.enable_title26 ? true : false
- versioning = var.versioning
+ enable_title26 = var.enable_title26 ? true : false
+ versioning = var.versioning
+ use_kms_encryption = var.use_kms_encryption
 }
diff --git a/standard/module_name.tf b/standard/module_name.tf
new file mode 100644
index 0000000..2d8c4c3
--- /dev/null
+++ b/standard/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-s3/standard"
+}
diff --git a/standard/s3_public_block.tf b/standard/s3_public_block.tf
new file mode 120000
index 0000000..c1d489b
--- /dev/null
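Review bot: The new `use_kms_encryption = var.use_kms_encryption` local in `standard/main.tf` (and the identical one in `title26/main.tf` further down) is a plain alias of the variable with nothing explaining why the indirection exists, which reads as redundant to anyone who has not seen the `common/` changes that switched `kms.tf` and `outputs.kms.tf` to `local.use_kms_encryption`. Presumably the local is the hook that lets a submodule force the value regardless of caller input, as the variable description's "Enforced to FALSE for public buckets" suggests; a one-line comment such as `# common/ reads local.use_kms_encryption so each submodule can pin this value` on the new line would record that. The `locals` block is fully visible in the hunk, but the surrounding file is not.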
+++ b/standard/s3_public_block.tf
@@ -0,0 +1 @@
+../common/s3_public_block.tf
\ No newline at end of file
diff --git a/title26/README.md b/title26/README.md
index 04f3083..32446ee 100644
--- a/title26/README.md
+++ b/title26/README.md
@@ -163,6 +163,7 @@ output "s3_module_settings" {
 |------|---------|
 | [aws](#requirement\_aws) | >= 4.0 |
 | [null](#requirement\_null) | >= 3.1.0 |
+| [time](#requirement\_time) | >= 0.9.0 |
 
 ## Providers
 
@@ -171,6 +172,7 @@ output "s3_module_settings" {
 | [aws](#provider\_aws) | >= 4.0 |
 | [null](#provider\_null) | >= 3.1.0 |
 | [template](#provider\_template) | n/a |
+| [time](#provider\_time) | >= 0.9.0 |
 
 ## Modules
 
@@ -192,7 +194,8 @@ No modules.
 | [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_object.this_objects](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
 | [null_resource.name_too_long](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
-| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [time_sleep.acl_delay](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [time_sleep.policy_delay](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.bucket_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/title26/main.tf b/title26/main.tf
index f1415af..2426f47 100644
--- a/title26/main.tf
+++ b/title26/main.tf
@@ -160,6 +160,7 @@
 
 */
 locals {
- enable_title26 = true
- versioning = true
+ enable_title26 = true
+ versioning = true
+ use_kms_encryption = var.use_kms_encryption
 }
diff --git a/title26/module_name.tf b/title26/module_name.tf
new file mode 100644
index 0000000..ee83d63
--- /dev/null
+++ b/title26/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-s3/title26"
+}
diff --git a/title26/s3_public_block.tf b/title26/s3_public_block.tf
new file mode 120000
index 0000000..c1d489b
--- /dev/null
+++ b/title26/s3_public_block.tf
@@ -0,0 +1 @@
+../common/s3_public_block.tf
\ No newline at end of file