From acf6a52593ce9f34b173bb5dd05ec2666c2e98e6 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 14 Sep 2020 08:44:57 -0400 Subject: [PATCH 01/46] update variables --- variables.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/variables.tf b/variables.tf index eadf97f..7ea57bb 100644 --- a/variables.tf +++ b/variables.tf @@ -26,3 +26,9 @@ variable "access_log_bucket_prefix" { type = string default = "s3" } + +variable "access_log_bucket" { + description = "Server Access Logging Bucket ID" + type = string + # default = null +} From 4029f0c43a5bc588de47d4e0cf12c1696b926b77 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 14 Sep 2020 08:52:11 -0400 Subject: [PATCH 02/46] add-main-to-branch --- main.tf.bak | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 main.tf.bak diff --git a/main.tf.bak b/main.tf.bak new file mode 100644 index 0000000..9d2fa45 --- /dev/null +++ b/main.tf.bak 
@@ -0,0 +1,103 @@
+/* = About =
+ * = Usage =
+ * module "mybucket" {
+ * source = "git@github.e.it.census.gov:terraform-modules/aws-t26-s3.git"
+ *
+ * bucket_name = "myt26bucket"
+ * }
+ *
+ */
+
+locals {
+ enforced_tags = {
+ "boc:safeguard" = "title26"
+ }
+}
+
+#---
+# s3 bucket
+#---
+resource "aws_s3_bucket" "this" {
+ bucket = var.bucket_name
+ acl = "private"
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = var.kms_key_id
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+
+ versioning {
+ enabled = true
+ }
+
+ logging {
+ target_bucket = var.access_log_bucket
+ target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket)
+ }
+
+ lifecycle {
+ prevent_destroy = true
+ }
+
+ tags = merge(
+ var.tags,
+ local.enforced_tags,
+ map("Name", var.bucket_name)
+ )
+}
+
+data "aws_iam_policy_document" "this" {
+ statement {
+ sid = "DenyIncorrectEncryptionHeader"
+ effect = "Deny"
+ actions = ["s3:PutObject"]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ resources = ["${aws_s3_bucket.this.arn}/*"]
+ condition {
+ test = "StringNotEquals"
+ variable = "s3:x-amz-server-side-encryption"
+ values = ["aws:kms"]
+ }
+ }
+ statement {
+ sid = "DenyUnEncryptedObjectUploads"
+ effect = "Deny"
+ actions = ["s3:PutObject"]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ resources = ["${aws_s3_bucket.this.arn}/*"]
+ condition {
+ test = "Null"
+ variable = "s3:x-amz-server-side-encryption"
+ values = ["true"]
+ }
+ }
+}
+
+resource "null_resource" "s3_create_wait" {
+ triggers = {
+ bucket = aws_s3_bucket.this.id
+ }
+ provisioner "local-exec" {
+ when = create
+ command = "sleep 120"
+ }
+}
+
+resource "aws_s3_bucket_object" "this_objects" {
+ bucket = aws_s3_bucket.this.id
+ count = length(var.bucket_folders)
+ key = format("%s/", element(var.bucket_folders, count.index))
+ source = "/dev/null"
+
+ depends_on = [null_resource.s3_create_wait]
+}
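Review bot: `data.aws_iam_policy_document.this` is built but nothing in this file attaches it — there is no `aws_s3_bucket_policy` resource — so the two Deny statements enforce nothing and the bucket is protected only by `acl = "private"` and default encryption. Add `resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id; policy = data.aws_iam_policy_document.this.json }` and, for a bucket the module tags `boc:safeguard = title26`, an `aws_s3_bucket_public_access_block` with all four flags set to true. `DenyIncorrectEncryptionHeader` only requires the header value `aws:kms`; it does not pin the key, so an upload naming any other CMK is accepted — a second condition on `s3:x-amz-server-side-encryption-aws-kms-key-id` against the bucket's key ARN would close that. The `logging.target_prefix` is built from `var.access_log_bucket` rather than the source bucket's name, so every bucket that logs to the same target writes under one shared prefix.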
From 92da7861fb34a3ab50b4cfa5583486c88708e8a1 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 14 Sep 2020 09:15:22 -0400 Subject: [PATCH 03/46] prevent_destroy=false --- main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 9d2fa45..6d47206 100644 --- a/main.tf +++ b/main.tf @@ -40,7 +40,8 @@ resource "aws_s3_bucket" "this" { } lifecycle { - prevent_destroy = true + #prevent_destroy = true + prevent_destroy = false } tags = merge( From 5c7b7fa89ffeaf3c4580156cb3a9b0f67b78ab95 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 14 Sep 2020 09:20:21 -0400 Subject: [PATCH 04/46] disable versioning --- main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 6d47206..167cc59 100644 --- a/main.tf +++ b/main.tf @@ -31,7 +31,8 @@ resource "aws_s3_bucket" "this" { } versioning { - enabled = true + #enabled = true + enabled = false } logging { From eefc2cea2e6f687093506c8449f1ee8877eff16a Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 14 Sep 2020 10:00:00 -0400 Subject: [PATCH 05/46] force_destroy=true --- main.tf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 167cc59..88709e7 100644 --- a/main.tf +++ b/main.tf @@ -21,6 +21,8 @@ resource "aws_s3_bucket" "this" { bucket = var.bucket_name acl = "private" + force_destroy = true + server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { @@ -31,8 +33,8 @@ resource "aws_s3_bucket" "this" { } versioning { - #enabled = true - enabled = false + enabled = true + #enabled = false } logging { From 7ad2accb7d474d45e168db2f521179a1220471c7 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 14 Sep 2020 10:05:23 -0400 Subject: [PATCH 06/46] remove-Prevent_destroy --- main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/main.tf b/main.tf index 88709e7..1ffc52b 100644 --- a/main.tf +++ b/main.tf 
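Review bot: Setting `prevent_destroy = false` removes the only guard against `terraform destroy` or a forced replacement deleting a title26-tagged bucket, and the commit gives no reason beyond its subject line. Because `lifecycle` meta-arguments must be literals and cannot be driven by a variable, the safe pattern is to keep `prevent_destroy = true` in the module and exercise destroy paths against a throwaway copy rather than the shared module source. If the flip has to land, leave a marker beside it: `# TODO(review): re-enable prevent_destroy before merge; disabled only for destroy testing`. The enclosing `aws_s3_bucket` block begins and ends outside the hunk.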
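Review bot: `force_destroy = true` is hard-coded into the module, so every consumer's bucket — including all object versions — is purged without confirmation whenever the resource is destroyed or replaced, and with `prevent_destroy` now false there is no remaining safeguard. Expose it instead: `force_destroy = var.force_destroy` with `default = false` in variables.tf, so only a caller that explicitly opts in gets destructive behaviour. Re-enabling versioning in the same hunk is right, but the `#enabled = false` line left beside it only records the back-and-forth and should go. The enclosing `aws_s3_bucket` block extends beyond the hunk.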
@@ -44,7 +44,6 @@ resource "aws_s3_bucket" "this" { lifecycle { #prevent_destroy = true - prevent_destroy = false } tags = merge( From 60bc56cf831af6e648a0b5fa98910c999985c73a Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 14 Sep 2020 10:12:21 -0400 Subject: [PATCH 07/46] disable-main --- main.tf.bak | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/main.tf.bak b/main.tf.bak index 9d2fa45..1ffc52b 100644 --- a/main.tf.bak +++ b/main.tf.bak @@ -21,6 +21,8 @@ resource "aws_s3_bucket" "this" { bucket = var.bucket_name acl = "private" + force_destroy = true + server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { @@ -32,6 +34,7 @@ resource "aws_s3_bucket" "this" { versioning { enabled = true + #enabled = false } logging { @@ -40,7 +43,7 @@ resource "aws_s3_bucket" "this" { } lifecycle { - prevent_destroy = true + #prevent_destroy = true } tags = merge( From 6100615c8146b7af97bd1a1eaf260a3b37d35cec Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 14 Sep 2020 10:17:40 -0400 Subject: [PATCH 08/46] new_main --- main.tf | 107 +------------------------------------------------------- 1 file changed, 1 insertion(+), 106 deletions(-) diff --git a/main.tf b/main.tf index 1ffc52b..4c3cbda 100644 --- a/main.tf +++ b/main.tf 
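Review bot: Hand-copying `force_destroy = true` and the commented-out `prevent_destroy` into `main.tf.bak` makes the `.bak` a second, manually synchronised copy of the module that Terraform never loads and that will drift from `main.tf`. Either delete it — git history already preserves the original — or, if it is meant as a reference, say so at the top: `# reference copy only; not loaded by terraform — see main.tf`. A `lifecycle {}` block whose only content is a comment is valid but misleading to a reader scanning for the destroy guard.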
@@ -1,106 +1 @@ -/* = About = - * = Usage = - * module "mybucket" { - * source = "git@github.e.it.census.gov:terraform-modules/aws-t26-s3.git" - * - * bucket_name = "myt26bucket" - * } - * - */ - -locals { - enforced_tags = { - "boc:safeguard" = "title26" - } -} - -#--- -# s3 bucket -#--- -resource "aws_s3_bucket" "this" { - bucket = var.bucket_name - acl = "private" - - force_destroy = true - - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - kms_master_key_id = var.kms_key_id - sse_algorithm = "aws:kms" - } - } - } - - versioning { - enabled = true - #enabled = false - } - - logging { - target_bucket = var.access_log_bucket - target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket) - } - - lifecycle { - #prevent_destroy = true - } - - tags = merge( - var.tags, - local.enforced_tags, - map("Name", var.bucket_name) - ) -} - -data "aws_iam_policy_document" "this" { - statement { - sid = "DenyIncorrectEncryptionHeader" - effect = "Deny" - actions = ["s3:PutObject"] - principals { - type = "AWS" - identifiers = ["*"] - } - resources = ["${aws_s3_bucket.this.arn}/*"] - condition { - test = "StringNotEquals" - variable = "s3:x-amz-server-side-encryption" - values = ["aws:kms"] - } - } - statement { - sid = "DenyUnEncryptedObjectUploads" - effect = "Deny" - actions = ["s3:PutObject"] - principals { - type = "AWS" - identifiers = ["*"] - } - resources = ["${aws_s3_bucket.this.arn}/*"] - condition { - test = "Null" - variable = "s3:x-amz-server-side-encryption" - values = ["true"] - } - } -} - -resource "null_resource" "s3_create_wait" { - triggers = { - bucket = aws_s3_bucket.this.id - } - provisioner "local-exec" { - when = create - command = "sleep 120" - } -} - -resource "aws_s3_bucket_object" "this_objects" { - bucket = aws_s3_bucket.this.id - count = length(var.bucket_folders) - key = format("%s/", element(var.bucket_folders, count.index)) - source = "/dev/null" - - depends_on = 
[null_resource.s3_create_wait] -} +# temporary main.tf to test tf-destroy From 74a119b82c108443aac76c83f2c2e9771feedc6d Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 14 Sep 2020 10:23:22 -0400 Subject: [PATCH 09/46] add tag --- main.tf | 108 +++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 107 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 4c3cbda..d4a8b60 100644 --- a/main.tf +++ b/main.tf 
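Review bot: Replacing all of `main.tf` with a one-line comment is committed to a branch that the module's own usage comment tells consumers to source by bare git URL with no `ref`, so anyone who runs `terraform init -upgrade` against this branch at this commit gets an empty module and a plan that destroys their bucket and its objects. Destroy testing belongs in a throwaway workspace or a scratch branch, not in the module's history. If a stub must be committed, protect consumers by documenting a pinned source (`?ref=<tag>`) in the README so the branch head is never what production stacks resolve.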
@@ -1 +1,107 @@ -# temporary main.tf to test tf-destroy +/* = About = + * = Usage = + * module "mybucket" { + * source = "git@github.e.it.census.gov:terraform-modules/aws-t26-s3.git" + * + * bucket_name = "myt26bucket" + * } + * + */ + +locals { + enforced_tags = { + "boc:safeguard" = "title26" + "test:tag" = "code" + } +} + +#--- +# s3 bucket +#--- +resource "aws_s3_bucket" "this" { + bucket = var.bucket_name + acl = "private" + + force_destroy = true + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = var.kms_key_id + sse_algorithm = "aws:kms" + } + } + } + + versioning { + enabled = true + #enabled = false + } + + logging { + target_bucket = var.access_log_bucket + target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket) + } + + lifecycle { + #prevent_destroy = true + } + + tags = merge( + var.tags, + local.enforced_tags, + map("Name", var.bucket_name) + ) +} + +data "aws_iam_policy_document" "this" { + statement { + sid = "DenyIncorrectEncryptionHeader" + effect = "Deny" + actions = ["s3:PutObject"] + principals { + type = "AWS" + identifiers = ["*"] + } + resources = ["${aws_s3_bucket.this.arn}/*"] + condition { + test = "StringNotEquals" + variable = "s3:x-amz-server-side-encryption" + values = ["aws:kms"] + } + } + statement { + sid = "DenyUnEncryptedObjectUploads" + effect = "Deny" + actions = ["s3:PutObject"] + principals { + type = "AWS" + identifiers = ["*"] + } + resources = ["${aws_s3_bucket.this.arn}/*"] + condition { + test = "Null" + variable = "s3:x-amz-server-side-encryption" + values = ["true"] + } + } +} + +resource "null_resource" "s3_create_wait" { + triggers = { + bucket = aws_s3_bucket.this.id + } + provisioner "local-exec" { + when = create + command = "sleep 120" + } +} + +resource "aws_s3_bucket_object" "this_objects" { + bucket = aws_s3_bucket.this.id + count = length(var.bucket_folders) + key = format("%s/", element(var.bucket_folders, 
count.index)) + source = "/dev/null" + + depends_on = [null_resource.s3_create_wait] +} From bae2f55e2f3a41ca9676aa357a84c67776be4608 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Mon, 14 Sep 2020 11:57:39 -0400 Subject: [PATCH 10/46] update logging prefix --- main.tf | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index d4a8b60..7acef01 100644 --- a/main.tf +++ b/main.tf @@ -38,10 +38,15 @@ resource "aws_s3_bucket" "this" { #enabled = false } + #logging { + # target_bucket = var.access_log_bucket + # target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket) + #} + logging { target_bucket = var.access_log_bucket - target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket) - } + target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.bucket_name) + } lifecycle { #prevent_destroy = true From 4c4d67c8decfd146e6d7a0c845d11f84638e1353 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 15 Sep 2020 08:05:13 -0400 Subject: [PATCH 11/46] fix access_log prefix --- main.tf | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/main.tf b/main.tf index 7acef01..208cf7e 100644 --- a/main.tf +++ b/main.tf @@ -11,7 +11,6 @@ locals { enforced_tags = { "boc:safeguard" = "title26" - "test:tag" = "code" } } @@ -38,18 +37,13 @@ resource "aws_s3_bucket" "this" { #enabled = false } - #logging { - # target_bucket = var.access_log_bucket - # target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket) - #} - logging { target_bucket = var.access_log_bucket target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.bucket_name) } lifecycle { - #prevent_destroy = true + prevent_destroy = true } tags = merge( @@ -98,7 +92,7 @@ resource "null_resource" "s3_create_wait" { } provisioner "local-exec" { when = create - command = "sleep 120" + command = "sleep 180" } } 
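Review bot: Raising the `null_resource.s3_create_wait` sleep from 120 to 180 seconds suggests the dependency it papers over is a real ordering problem rather than one more waiting fixes; `aws_s3_bucket_object.this_objects` already depends on `aws_s3_bucket.this.id`, so the delay adds three minutes to every apply that creates a bucket and still guarantees nothing. If the failure being worked around is an eventual-consistency error on a freshly created bucket, name it so a later maintainer can remove the hack: `# workaround: object PUT right after bucket creation failed with <error> — TODO confirm still needed`. Restoring `prevent_destroy = true` and dropping `test:tag` from `enforced_tags` in this commit are both correct.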
From f8ea902efc06273924323e949fd80e19f260ded1 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 15 Sep 2020 08:25:12 -0400 Subject: [PATCH 12/46] attach bucket policy --- main.tf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/main.tf b/main.tf index 208cf7e..8e53c57 100644 --- a/main.tf +++ b/main.tf @@ -86,6 +86,14 @@ data "aws_iam_policy_document" "this" { } } +########## +# attach bucket policy +########## +resource "aws_s3_bucket_policy" "this" { + bucket = aws_s3_bucket.this.bucket + policy = data.aws_iam_policy_document.this.json +} + resource "null_resource" "s3_create_wait" { triggers = { bucket = aws_s3_bucket.this.id From 350db34082884afc5a9322b2a7435763b9e4efde Mon Sep 17 00:00:00 2001 From: Fabian Omenankiti Date: Mon, 21 Sep 2020 13:07:41 -0400 Subject: [PATCH 13/46] Added KMS CMK key --- main.tf | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 9d2fa45..be80ec7 100644 --- a/main.tf +++ b/main.tf @@ -93,7 +93,7 @@ resource "null_resource" "s3_create_wait" { } } -resource "aws_s3_bucket_object" "this_objects" { +riesource "aws_s3_bucket_object" "this_objects" { bucket = aws_s3_bucket.this.id count = length(var.bucket_folders) key = format("%s/", element(var.bucket_folders, count.index)) @@ -101,3 +101,24 @@ resource "aws_s3_bucket_object" "this_objects" { depends_on = [null_resource.s3_create_wait] } + +#------------------------------------------------------------------------- +# EFS KMS KEY +#------------------------------------------------------------------------- +resource "aws_kms_key" "key" { + count = local.kms_key_arn_exists ? 0 : 1 + description = "KMS CMK for title26_s3 ${local.name}" + enable_key_rotation = true + + tags = merge( + local.base_tags, + { "Name" = local.kms_key_name }, + var.tags + ) +} + +resource "aws_kms_alias" "key" { + count = local.kms_key_arn_exists ? 0 : 1 + name = "alias/${local.kms_key_name}" + target_key_id = (aws_kms_key.key.*)[0].key_id +} 
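Review bot: Attaching the policy makes `DenyUnEncryptedObjectUploads` live, which rejects any `PutObject` that omits the `x-amz-server-side-encryption` header even though the bucket's default SSE-KMS rule would have encrypted it anyway — clients that rely on bucket-default encryption (console uploads, `aws s3 cp` without `--sse`) are expected to fail with AccessDenied. That is a defensible choice for a title26 bucket, but it should be stated in the README, and the policy should also pin the key: add a Deny with `StringNotEquals` on `s3:x-amz-server-side-encryption-aws-kms-key-id` against the bucket's CMK ARN so callers cannot encrypt with an arbitrary key. `bucket = aws_s3_bucket.this.bucket` works, but the other resources in this file use `.id`; pick one.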
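Review bot: `riesource "aws_s3_bucket_object"` is a typo that makes the file unparsable, and the new KMS block references `local.kms_key_arn_exists`, `local.name`, `local.base_tags` and `local.kms_key_name`, none of which is defined in this hunk or anywhere visible in the series, so `terraform validate` would still fail once the typo is fixed. The header comment says `EFS KMS KEY` in an S3 module — copy-paste from elsewhere; change it to `# KMS CMK for the S3 bucket`. The key is created without a `policy`, which leaves it on the AWS default key policy (full access for the account root only); that can be fine, but say so with a comment so the next reader knows key use is governed by IAM. The diff base is the original `main.tf` blob (`index 9d2fa45`), not the branch head, so this commit also discards the intervening changes — confirm that was intended.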
From a96c00dc2f41ee00dcbbe90898cda897c6be96f4 Mon Sep 17 00:00:00 2001 From: Fabian Omenankiti Date: Tue, 22 Sep 2020 11:51:38 -0400 Subject: [PATCH 14/46] Modified KMS CMK key and local file --- locals.tf | 7 +++++++ main.tf | 8 +++----- 2 files changed, 10 insertions(+), 5 deletions(-) create mode 100644 locals.tf diff --git a/locals.tf b/locals.tf new file mode 100644 index 0000000..b7a5353 --- /dev/null +++ b/locals.tf @@ -0,0 +1,7 @@ +locals { + region = var.region + + s3_bucket_names = formatlist("v-s3-%v", var.s3_bucket_names) + key_name = format("k-kms-%v", local.app_name) +} + diff --git a/main.tf b/main.tf index be80ec7..a789d99 100644 --- a/main.tf +++ b/main.tf @@ -93,7 +93,7 @@ resource "null_resource" "s3_create_wait" { } } -riesource "aws_s3_bucket_object" "this_objects" { +resource "aws_s3_bucket_object" "this_objects" { bucket = aws_s3_bucket.this.id count = length(var.bucket_folders) key = format("%s/", element(var.bucket_folders, count.index)) @@ -103,10 +103,9 @@ riesource "aws_s3_bucket_object" "this_objects" { } #------------------------------------------------------------------------- -# EFS KMS KEY +# EFS KMS KEY AND ALIAS #------------------------------------------------------------------------- resource "aws_kms_key" "key" { - count = local.kms_key_arn_exists ? 0 : 1 description = "KMS CMK for title26_s3 ${local.name}" enable_key_rotation = true @@ -118,7 +117,6 @@ resource "aws_kms_key" "key" { } resource "aws_kms_alias" "key" { - count = local.kms_key_arn_exists ? 0 : 1 name = "alias/${local.kms_key_name}" - target_key_id = (aws_kms_key.key.*)[0].key_id + target_key_id = aws_kms_key.key.key_id } From 17bc30dcbb3d6db016102ff614386ae862e0a3c9 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 22 Sep 2020 13:43:15 -0400 Subject: [PATCH 15/46] add create kms key --- main.tf | 52 +++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 37 insertions(+), 15 deletions(-) diff --git a/main.tf b/main.tf index 1bfd1f6..82cb4cf 100644 
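Review bot: The new `locals.tf` reads `var.region`, `var.s3_bucket_names` and `local.app_name`, none of which appears in `variables.tf` or the README input table anywhere in this series, so the file cannot evaluate as committed, and the locals it defines (`region`, `s3_bucket_names`, `key_name`) are not consumed by anything visible. Either declare the variables or drop the file rather than leaving unresolvable locals behind. Removing `count` from the key and alias also means the module now always mints a CMK even when a caller supplies `var.kms_key_id`; the `local.kms_key_arn_exists` conditional that was removed is the right idea once that local is actually defined.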
--- a/main.tf +++ b/main.tf @@ -12,6 +12,19 @@ locals { enforced_tags = { "boc:safeguard" = "title26" } + account_id = data.aws_caller_identity.current.account_id + aws_region = data.aws_region.current.name + partition = data.aws_arn.current.partition + name = (var.name != "" && var.name != null) ? var.name : format("inf-objectlogging-%v-%v", local.account_id, local.aws_region) + + # kms_key_arn_exists = var.kms_key_arn != "" && var.kms_key_arn != null + kms_key_arn = aws_kms_key.key.arn + kms_key_name = format("%s%s", local._prefixes["kms"], local.name) + + base_tags = { + "boc:tf_module_version" = var._module_version + "boc:created_by" = "terraform" + } } #--- @@ -21,8 +34,6 @@ resource "aws_s3_bucket" "this" { bucket = var.bucket_name acl = "private" - force_destroy = true - server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { @@ -34,13 +45,12 @@ resource "aws_s3_bucket" "this" { versioning { enabled = true - #enabled = false } logging { target_bucket = var.access_log_bucket - target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.bucket_name) - } + target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket) + } lifecycle { prevent_destroy = true @@ -86,21 +96,13 @@ data "aws_iam_policy_document" "this" { } } -########## -# attach bucket policy -########## -resource "aws_s3_bucket_policy" "this" { - bucket = aws_s3_bucket.this.bucket - policy = data.aws_iam_policy_document.this.json -} - resource "null_resource" "s3_create_wait" { triggers = { bucket = aws_s3_bucket.this.id } provisioner "local-exec" { when = create - command = "sleep 180" + command = "sleep 120" } } 
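Review bot: This hunk silently deletes the `aws_s3_bucket_policy.this` attachment added in the previous commit, reverts `target_prefix` to `var.access_log_bucket` (undoing the fix that keyed access logs by source bucket), and drops the sleep back to 120, none of which the subject `add create kms key` mentions — it reads like a merge resolved in favour of the older side. Without the attachment the SSE-KMS Deny statements are inert again, so re-instate `resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id; policy = data.aws_iam_policy_document.this.json }` and `target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.bucket_name)`. Removing `force_destroy = true` is the right call. The `locals` block in the first hunk references `data.aws_caller_identity.current`, `data.aws_region.current` and `data.aws_arn.current`, none of which is declared in any file visible here.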
@@ -116,9 +118,24 @@ resource "aws_s3_bucket_object" "this_objects" { #------------------------------------------------------------------------- # EFS KMS KEY AND ALIAS #------------------------------------------------------------------------- +#resource "aws_kms_key" "key" { +# description = "KMS CMK for title26_s3 ${local.name}" +# enable_key_rotation = true + +# tags = merge( +# local.base_tags, +# { "Name" = local.kms_key_name }, +# var.tags +# ) +#} + +#--- +# create a key and alias if not specified +#--- resource "aws_kms_key" "key" { - description = "KMS CMK for title26_s3 ${local.name}" + description = "KMS CMK for Cloudtrail and S3 bucket ${local.name}" enable_key_rotation = true + policy = data.aws_iam_policy_document.key.json tags = merge( local.base_tags, @@ -131,3 +148,8 @@ resource "aws_kms_alias" "key" { name = "alias/${local.kms_key_name}" target_key_id = aws_kms_key.key.key_id } + +resource "aws_kms_alias" "key" { + name = "alias/${local.kms_key_name}" + target_key_id = aws_kms_key.key.key_id +} From 0f68a2c6d438530b563f72a64abfbbbb797dd26e Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 22 Sep 2020 13:52:24 -0400 Subject: [PATCH 16/46] remove deuplicate key alias --- main.tf | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/main.tf b/main.tf index 82cb4cf..d078cb4 100644 --- a/main.tf +++ b/main.tf @@ -15,7 +15,7 @@ locals { account_id = data.aws_caller_identity.current.account_id aws_region = data.aws_region.current.name partition = data.aws_arn.current.partition - name = (var.name != "" && var.name != null) ? var.name : format("inf-objectlogging-%v-%v", local.account_id, local.aws_region) + #name = (var.name != "" && var.name != null) ? var.name : format("inf-objectlogging-%v-%v", local.account_id, local.aws_region) # kms_key_arn_exists = var.kms_key_arn != "" && var.kms_key_arn != null kms_key_arn = aws_kms_key.key.arn 
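Review bot: The new `aws_kms_key.key` block sets `policy = data.aws_iam_policy_document.key.json`, but no `data "aws_iam_policy_document" "key"` exists in this hunk or elsewhere in the series, and the previous key block is left above as a commented-out copy instead of being replaced. If a custom key policy is intended it needs at least an administrator statement for the account root — otherwise the key becomes unmanageable — plus a use statement for the bucket's principals, ideally conditioned on `kms:ViaService` for S3 in this region; if not, drop the line and state the choice: `# key policy: AWS default (account root); key use is granted to consumers via IAM`. The comment `# create a key and alias if not specified` no longer matches the code, which creates the key unconditionally.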
@@ -149,7 +149,3 @@ resource "aws_kms_alias" "key" { target_key_id = aws_kms_key.key.key_id } -resource "aws_kms_alias" "key" { - name = "alias/${local.kms_key_name}" - target_key_id = aws_kms_key.key.key_id -} From fd25974a614a5e15462a6343e52b15a2bf7dc47c Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 22 Sep 2020 13:58:19 -0400 Subject: [PATCH 17/46] fix key name --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index d078cb4..ed44733 100644 --- a/main.tf +++ b/main.tf @@ -15,7 +15,7 @@ locals { account_id = data.aws_caller_identity.current.account_id aws_region = data.aws_region.current.name partition = data.aws_arn.current.partition - #name = (var.name != "" && var.name != null) ? var.name : format("inf-objectlogging-%v-%v", local.account_id, local.aws_region) + name = (var.name != "" && var.name != null) ? var.name : format("k-kms-%v-%v", var.bucket_name, local.aws_region) # kms_key_arn_exists = var.kms_key_arn != "" && var.kms_key_arn != null kms_key_arn = aws_kms_key.key.arn From ff8bb314abeb6423e0d74f49920ce48623fb9278 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 22 Sep 2020 14:32:18 -0400 Subject: [PATCH 18/46] bucket_name --- main.tf | 5 +++-- prefixes.tf | 12 ++++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 prefixes.tf diff --git a/main.tf b/main.tf index ed44733..a8e0b4a 100644 --- a/main.tf +++ b/main.tf 
@@ -15,11 +15,12 @@ locals { account_id = data.aws_caller_identity.current.account_id aws_region = data.aws_region.current.name partition = data.aws_arn.current.partition - name = (var.name != "" && var.name != null) ? var.name : format("k-kms-%v-%v", var.bucket_name, local.aws_region) + #name = (var.name != "" && var.name != null) ? var.name : format("k-kms-%v-%v", var.bucket_name, local.aws_region) + name = var.bucket_name # kms_key_arn_exists = var.kms_key_arn != "" && var.kms_key_arn != null kms_key_arn = aws_kms_key.key.arn - kms_key_name = format("%s%s", local._prefixes["kms"], local.name) + kms_key_name = format("%s%s", local._prefixes["kms"], var.bucket_name) base_tags = { "boc:tf_module_version" = var._module_version diff --git a/prefixes.tf b/prefixes.tf new file mode 100644 index 0000000..fafcbde --- /dev/null +++ b/prefixes.tf @@ -0,0 +1,12 @@ +locals { + _prefixes = { + "efs" = "v-efs-" + "s3" = "v-s3-" + "ebs" = "v-ebs-" + "kms" = "k-kms-" + "role" = "r-" + "policy" = "p-" + "security-group" = "" + # "security-group" = "sg-" + } +} From 10824aa9318d135aeda49ceeeef94ff3e75264f5 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 22 Sep 2020 14:38:36 -0400 Subject: [PATCH 19/46] prefixes --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index a8e0b4a..68ef5f9 100644 --- a/main.tf +++ b/main.tf @@ -14,7 +14,7 @@ locals { } account_id = data.aws_caller_identity.current.account_id aws_region = data.aws_region.current.name - partition = data.aws_arn.current.partition + #partition = data.aws_arn.current.partition #name = (var.name != "" && var.name != null) ? var.name : format("k-kms-%v-%v", var.bucket_name, local.aws_region) name = var.bucket_name @@ -23,7 +23,7 @@ locals { kms_key_name = format("%s%s", local._prefixes["kms"], var.bucket_name) base_tags = { - "boc:tf_module_version" = var._module_version + # "boc:tf_module_version" = var._module_version "boc:created_by" = "terraform" } } 
From 094fbeec71f4d84d378240c7e3087cfc5b7e8c69 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 22 Sep 2020 14:41:39 -0400 Subject: [PATCH 20/46] key policy --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 68ef5f9..ddb60b3 100644 --- a/main.tf +++ b/main.tf @@ -13,7 +13,7 @@ locals { "boc:safeguard" = "title26" } account_id = data.aws_caller_identity.current.account_id - aws_region = data.aws_region.current.name + #aws_region = data.aws_region.current.name #partition = data.aws_arn.current.partition #name = (var.name != "" && var.name != null) ? var.name : format("k-kms-%v-%v", var.bucket_name, local.aws_region) name = var.bucket_name @@ -136,7 +136,7 @@ resource "aws_s3_bucket_object" "this_objects" { resource "aws_kms_key" "key" { description = "KMS CMK for Cloudtrail and S3 bucket ${local.name}" enable_key_rotation = true - policy = data.aws_iam_policy_document.key.json + #policy = data.aws_iam_policy_document.key.json tags = merge( local.base_tags, From ab1b7ced3c998a7e55555f01a2b1961332692d1d Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 22 Sep 2020 14:46:15 -0400 Subject: [PATCH 21/46] locals --- locals.tf | 2 +- main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/locals.tf b/locals.tf index b7a5353..0206eca 100644 --- a/locals.tf +++ b/locals.tf @@ -2,6 +2,6 @@ locals { region = var.region s3_bucket_names = formatlist("v-s3-%v", var.s3_bucket_names) - key_name = format("k-kms-%v", local.app_name) + #key_name = format("k-kms-%v", local.app_name) } diff --git a/main.tf b/main.tf index ddb60b3..7dfb283 100644 --- a/main.tf +++ b/main.tf 
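Review bot: Commenting out `policy = data.aws_iam_policy_document.key.json` fixes the reference to an undefined document, but it leaves the CMK on the AWS default key policy with nothing saying so, while the subject `key policy` suggests a policy was intended. The default policy grants `kms:*` to the account root only, so every principal that reads or writes objects in this bucket must receive `kms:Decrypt` and `kms:GenerateDataKey` on the key through IAM — record that contract beside the resource: `# Key policy intentionally default (account root); grant key use to consumers via IAM, not here`. Commenting out `aws_region` as well leaves the already-commented `name` fallback with nothing to reference, so those lines are now dead and could simply be removed.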
@@ -12,7 +12,7 @@ locals { enforced_tags = { "boc:safeguard" = "title26" } - account_id = data.aws_caller_identity.current.account_id + #account_id = data.aws_caller_identity.current.account_id #aws_region = data.aws_region.current.name #partition = data.aws_arn.current.partition #name = (var.name != "" && var.name != null) ? var.name : format("k-kms-%v-%v", var.bucket_name, local.aws_region) From 2b549839a111fa11be8a51bb861b327c247caa1d Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 22 Sep 2020 14:48:17 -0400 Subject: [PATCH 22/46] locals2 --- locals.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/locals.tf b/locals.tf index 0206eca..fe89b5b 100644 --- a/locals.tf +++ b/locals.tf @@ -1,7 +1,7 @@ locals { - region = var.region + #region = var.region - s3_bucket_names = formatlist("v-s3-%v", var.s3_bucket_names) + #s3_bucket_names = formatlist("v-s3-%v", var.s3_bucket_names) #key_name = format("k-kms-%v", local.app_name) } From 7b618ad111f681785f8421da4334601733c6f5bc Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 22 Sep 2020 15:06:06 -0400 Subject: [PATCH 23/46] key-id --- main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 7dfb283..fd2203c 100644 --- a/main.tf +++ b/main.tf @@ -38,7 +38,9 @@ resource "aws_s3_bucket" "this" { server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { - kms_master_key_id = var.kms_key_id + kms_master_key_id = aws_kms_key.key.key_id + #kms_master_key_id = var.kms_key_id + #kms_master_key_id = "k-kms-", var.bucket_name sse_algorithm = "aws:kms" } } From d68bb704ad716939c2ae6f844b1e4e006d837909 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 22 Sep 2020 15:08:12 -0400 Subject: [PATCH 24/46] key-id2 --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index fd2203c..052091d 100644 --- a/main.tf +++ b/main.tf 
@@ -38,8 +38,8 @@ resource "aws_s3_bucket" "this" { server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { - kms_master_key_id = aws_kms_key.key.key_id - #kms_master_key_id = var.kms_key_id + #kms_master_key_id = aws_kms_key.key.key_id + kms_master_key_id = var.kms_key_id #kms_master_key_id = "k-kms-", var.bucket_name sse_algorithm = "aws:kms" } From 6c2f0699a28502909568c386d27481c9fa4d802e Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 22 Sep 2020 15:13:03 -0400 Subject: [PATCH 25/46] key-id3 --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 052091d..fd2203c 100644 --- a/main.tf +++ b/main.tf @@ -38,8 +38,8 @@ resource "aws_s3_bucket" "this" { server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { - #kms_master_key_id = aws_kms_key.key.key_id - kms_master_key_id = var.kms_key_id + kms_master_key_id = aws_kms_key.key.key_id + #kms_master_key_id = var.kms_key_id #kms_master_key_id = "k-kms-", var.bucket_name sse_algorithm = "aws:kms" } From b84d6395497185e88996127d910ec9e8598ee3a6 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Tue, 22 Sep 2020 15:14:51 -0400 Subject: [PATCH 26/46] destroy true --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index fd2203c..1a1d833 100644 --- a/main.tf +++ b/main.tf @@ -56,7 +56,7 @@ resource "aws_s3_bucket" "this" { } lifecycle { - prevent_destroy = true + prevent_destroy = false } tags = merge( From de678d7a7fdcd7cd1e4153d0f97ac621b603b0f6 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 24 Sep 2020 08:48:27 -0400 Subject: [PATCH 27/46] add bucket policy --- main.tf | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/main.tf b/main.tf index 1a1d833..485daaa 100644 --- a/main.tf +++ b/main.tf 
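Review bot: Pointing `kms_master_key_id` at `aws_kms_key.key.key_id` means `var.kms_key_id` is now declared but ignored, so a caller that passes an existing CMK silently gets a module-minted key instead of the one they specified. Make the intent explicit: `kms_master_key_id = coalesce(var.kms_key_id, aws_kms_key.key.arn)` with `default = null` on the variable, and drop the two `#kms_master_key_id` comment lines that only record the back-and-forth. This is the third flip of the same line in three consecutive commits; squashing before merge would keep the history honest. The enclosing `aws_s3_bucket` block begins and ends outside the hunk.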
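Review bot: `prevent_destroy` is flipped back to `false` for the second time in this series (`destroy true`) with no explanation; for a bucket the module tags `boc:safeguard = title26` the safe default is `true`, and any test that needs to destroy should run against a throwaway copy of the module. If the flip has to stay for now, add `# TODO(review): restore prevent_destroy = true before release` beside it so it cannot merge unnoticed. The enclosing `aws_s3_bucket` block begins and ends outside the hunk.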
@@ -99,6 +99,23 @@ data "aws_iam_policy_document" "this" { } } +#--- +# apply policy to bucket and public access block policy to bucket +#--- +resource "aws_s3_bucket_policy" "policy" { + bucket = aws_s3_bucket.this.bucket + policy = data.aws_iam_policy_document.this.json + depends_on = [null_resource.policy_delay] +} + +resource "aws_s3_bucket_public_access_block" "this" { + bucket = aws_s3_bucket.this.id + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} + resource "null_resource" "s3_create_wait" { triggers = { bucket = aws_s3_bucket.this.id From 873e16cb5f9cd7460a371a435f9ca417261836b0 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 24 Sep 2020 08:52:48 -0400 Subject: [PATCH 28/46] remove delay --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 485daaa..b0aa5fb 100644 --- a/main.tf +++ b/main.tf @@ -105,7 +105,7 @@ data "aws_iam_policy_document" "this" { resource "aws_s3_bucket_policy" "policy" { bucket = aws_s3_bucket.this.bucket policy = data.aws_iam_policy_document.this.json - depends_on = [null_resource.policy_delay] +# depends_on = [null_resource.policy_delay] } resource "aws_s3_bucket_public_access_block" "this" { From 61bc94d5641581e62bfe7cc78ce1f5ab69168470 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 24 Sep 2020 09:31:23 -0400 Subject: [PATCH 29/46] add ssl enforcement policy --- main.tf | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/main.tf b/main.tf index b0aa5fb..7ed8c87 100644 --- a/main.tf +++ b/main.tf @@ -97,6 +97,18 @@ data "aws_iam_policy_document" "this" { values = ["true"] } } + statement { + sid = "enforceSSL" + effe = "Deny" + principals = "*", + actions = "s3:*", + resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"] + condition { + test = "Bool" + variable = "aws:SecureTransport" + values = ["false"] + } + } } #--- 
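Review bot: `depends_on = [null_resource.policy_delay]` references a resource that does not exist anywhere in the series, so this commit cannot plan as written. Separately, `aws_s3_bucket_public_access_block.this` and `aws_s3_bucket_policy.policy` are written to the same bucket with no ordering between them, and S3 can reject concurrent configuration writes with `OperationAborted`; `depends_on = [aws_s3_bucket_public_access_block.this]` on the policy resource is the usual fix and also supplies the delay this hunk was reaching for. The four `true` flags are the right setting for this bucket. The policy resource uses `aws_s3_bucket.this.bucket` while the block uses `.id`; both resolve to the bucket name, but pick one for consistency.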
From 70aa3c62fbff6f1a5fe0ff7fd5dffef42bdb64fe Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 24 Sep 2020 09:32:42 -0400 Subject: [PATCH 30/46] add ssl enforcement policy2 --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 7ed8c87..161d7ce 100644 --- a/main.tf +++ b/main.tf @@ -100,8 +100,8 @@ data "aws_iam_policy_document" "this" { statement { sid = "enforceSSL" effe = "Deny" - principals = "*", - actions = "s3:*", + principals = "*" + actions = "s3:*" resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"] condition { test = "Bool" From 712b61d35c47afc2240e61aec6ad3883d12d78f1 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 24 Sep 2020 11:07:51 -0400 Subject: [PATCH 31/46] fix logging prefix --- main.tf | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/main.tf b/main.tf index 161d7ce..bca66e1 100644 --- a/main.tf +++ b/main.tf @@ -52,7 +52,8 @@ resource "aws_s3_bucket" "this" { logging { target_bucket = var.access_log_bucket - target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket) + target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.bucket_name) + #target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket) } lifecycle { @@ -99,9 +100,11 @@ data "aws_iam_policy_document" "this" { } statement { sid = "enforceSSL" - effe = "Deny" - principals = "*" - actions = "s3:*" + effect = "Deny" + actions = ["s3:*"] + principals { + type = "AWS" + identifiers = ["*"] resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"] condition { test = "Bool" @@ -180,4 +183,4 @@ resource "aws_kms_alias" "key" { name = "alias/${local.kms_key_name}" target_key_id = aws_kms_key.key.key_id } - +} From 5ab18c20364e22260a5ec8c68970b61cdd1e3e78 Mon Sep 17 00:00:00 2001 
From: ashle001 Date: Thu, 24 Sep 2020 11:31:53 -0400 Subject: [PATCH 32/46] fix statement --- main.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index bca66e1..4381c3d 100644 --- a/main.tf +++ b/main.tf @@ -105,6 +105,7 @@ data "aws_iam_policy_document" "this" { principals { type = "AWS" identifiers = ["*"] + } resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"] condition { test = "Bool" @@ -112,7 +113,7 @@ data "aws_iam_policy_document" "this" { values = ["false"] } } -} + #--- # apply policy to bucket and public access block policy to bucket From 8aba073ef83b84bd112f2c5483be186b1451eccc Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 24 Sep 2020 11:36:45 -0400 Subject: [PATCH 33/46] fix kms key description --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 4381c3d..4c5ba29 100644 --- a/main.tf +++ b/main.tf @@ -169,7 +169,7 @@ resource "aws_s3_bucket_object" "this_objects" { # create a key and alias if not specified #--- resource "aws_kms_key" "key" { - description = "KMS CMK for Cloudtrail and S3 bucket ${local.name}" + description = "KMS CMK for S3 bucket ${local.name}" enable_key_rotation = true #policy = data.aws_iam_policy_document.key.json From 394d221bac4535f396d3bad39f0eee219b161923 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 24 Sep 2020 14:48:39 -0400 Subject: [PATCH 34/46] fix brackets --- README.md | 1 + main.tf | 37 ++++++++++++++++++------------------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 44b1485..9f78a83 100644 --- a/README.md +++ b/README.md 
@@ -20,6 +20,7 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | | access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | | bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | | bucket\_name | AWS Bucket Name | `string` | n/a | yes | diff --git a/main.tf b/main.tf index 4c5ba29..b932d39 100644 --- a/main.tf +++ b/main.tf @@ -16,15 +16,15 @@ locals { #aws_region = data.aws_region.current.name #partition = data.aws_arn.current.partition #name = (var.name != "" && var.name != null) ? var.name : format("k-kms-%v-%v", var.bucket_name, local.aws_region) - name = var.bucket_name + name = var.bucket_name # kms_key_arn_exists = var.kms_key_arn != "" && var.kms_key_arn != null kms_key_arn = aws_kms_key.key.arn kms_key_name = format("%s%s", local._prefixes["kms"], var.bucket_name) base_tags = { - # "boc:tf_module_version" = var._module_version - "boc:created_by" = "terraform" + # "boc:tf_module_version" = var._module_version + "boc:created_by" = "terraform" } } @@ -41,7 +41,7 @@ resource "aws_s3_bucket" "this" { kms_master_key_id = aws_kms_key.key.key_id #kms_master_key_id = var.kms_key_id #kms_master_key_id = "k-kms-", var.bucket_name - sse_algorithm = "aws:kms" + sse_algorithm = "aws:kms" } } } 
@@ -98,30 +98,30 @@ data "aws_iam_policy_document" "this" { values = ["true"] } } - statement { - sid = "enforceSSL" - effect = "Deny" - actions = ["s3:*"] + statement { + sid = "enforceSSL" + effect = "Deny" + actions = ["s3:*"] principals { - type = "AWS" - identifiers = ["*"] + type = "AWS" + identifiers = ["*"] } - resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"] + resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"] condition { - test = "Bool" - variable = "aws:SecureTransport" - values = ["false"] + test = "Bool" + variable = "aws:SecureTransport" + values = ["false"] } } - +} #--- # apply policy to bucket and public access block policy to bucket #--- resource "aws_s3_bucket_policy" "policy" { - bucket = aws_s3_bucket.this.bucket - policy = data.aws_iam_policy_document.this.json -# depends_on = [null_resource.policy_delay] + bucket = aws_s3_bucket.this.bucket + policy = data.aws_iam_policy_document.this.json + # depends_on = [null_resource.policy_delay] } resource "aws_s3_bucket_public_access_block" "this" { @@ -184,4 +184,3 @@ resource "aws_kms_alias" "key" { name = "alias/${local.kms_key_name}" target_key_id = aws_kms_key.key.key_id } -} From 64c0fc3d9d987a14e0e633e5a85ee6ceacbbcff5 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 24 Sep 2020 14:49:59 -0400 Subject: [PATCH 35/46] update doc --- README.md | 11 ++++++++--- main.tf | 23 ++++++++++++++--------- 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 9f78a83..cb0b720 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,14 @@ -= Usage = -module "mybucket" { +# About aws-t26-s3 + +# Usage + +```hcl +module "mybucket" { source = "git@github.e.it.census.gov:terraform-modules/aws-t26-s3.git" - bucket\_name = "myt26bucket" + bucket_name = "myt26bucket" } +``` ## Requirements diff --git a/main.tf b/main.tf index b932d39..a879817 100644 --- a/main.tf +++ b/main.tf 
@@ -1,12 +1,17 @@ -/* = About = - * = Usage = - * module "mybucket" { - * source = "git@github.e.it.census.gov:terraform-modules/aws-t26-s3.git" - * - * bucket_name = "myt26bucket" - * } - * - */ +/* +* # About aws-t26-s3 +* +* # Usage +* +* ```hcl +* module "mybucket" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-t26-s3.git" +* +* bucket_name = "myt26bucket" +* } +* ``` +* +*/ locals { enforced_tags = { From e3009dc63f9f9d4dc09fa4ccdbfb3f0375189664 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 24 Sep 2020 15:05:56 -0400 Subject: [PATCH 36/46] add policy delay --- main.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/main.tf b/main.tf index a879817..24b9d11 100644 --- a/main.tf +++ b/main.tf @@ -58,7 +58,6 @@ resource "aws_s3_bucket" "this" { logging { target_bucket = var.access_log_bucket target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.bucket_name) - #target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket) } lifecycle { @@ -126,7 +125,7 @@ data "aws_iam_policy_document" "this" { resource "aws_s3_bucket_policy" "policy" { bucket = aws_s3_bucket.this.bucket policy = data.aws_iam_policy_document.this.json - # depends_on = [null_resource.policy_delay] + depends_on = [null_resource.policy_delay] } resource "aws_s3_bucket_public_access_block" "this" { From 49f36d77b0ab1ebd1cf6f93a05eafb9ae2122351 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 24 Sep 2020 15:08:58 -0400 Subject: [PATCH 37/46] fix policy --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 24b9d11..e88e25f 100644 --- a/main.tf +++ b/main.tf 
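Review bot: In the PATCH 36 hunk at `@@ -126,7 +125,7`, `depends_on = [null_resource.policy_delay]` refers to a resource that is not declared at this point in the series; the only null_resource in main.tf is still `s3_create_wait` (the PATCH 39 hunk renames it to `policy_delay` three commits later), so this commit fails at plan time on an undeclared resource. Beyond the name, gating the bucket policy behind that resource means the Deny statements (unencrypted uploads, non-TLS access) are not attached until it completes; if `policy_delay` is the same `local-exec` `sleep 120` as in the deleted main.tf.bak, a new bucket exists for roughly two minutes with only its bucket-level SSE default and no policy. If the delay is a workaround for S3 rejecting PutBucketPolicy immediately after CreateBucket, a comment above the `depends_on` saying so, e.g. `# wait for the new bucket to settle before PutBucketPolicy; see null_resource.policy_delay`, would keep the next person from removing it, as PATCH 37-38 briefly did. The enclosing resource block continues outside the hunk.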
@@ -122,7 +122,7 @@ data "aws_iam_policy_document" "this" { #--- # apply policy to bucket and public access block policy to bucket #--- -resource "aws_s3_bucket_policy" "policy" { +resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.bucket policy = data.aws_iam_policy_document.this.json depends_on = [null_resource.policy_delay] From ad4058ea899f46da4b14ed95fd98249d9be467d8 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 24 Sep 2020 15:18:38 -0400 Subject: [PATCH 38/46] remove delay --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index e88e25f..c07f7ee 100644 --- a/main.tf +++ b/main.tf @@ -122,10 +122,10 @@ data "aws_iam_policy_document" "this" { #--- # apply policy to bucket and public access block policy to bucket #--- -resource "aws_s3_bucket_policy" "this" { +resource "aws_s3_bucket_policy" "policy" { bucket = aws_s3_bucket.this.bucket policy = data.aws_iam_policy_document.this.json - depends_on = [null_resource.policy_delay] + #depends_on = [null_resource.policy_delay] } resource "aws_s3_bucket_public_access_block" "this" { From 9fea093cb19395faf7e81675119fdd7b1fecf02c Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 24 Sep 2020 15:25:22 -0400 Subject: [PATCH 39/46] fix delay --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index c07f7ee..1d72a8e 100644 --- a/main.tf +++ b/main.tf @@ -125,7 +125,7 @@ data "aws_iam_policy_document" "this" { resource "aws_s3_bucket_policy" "policy" { bucket = aws_s3_bucket.this.bucket policy = data.aws_iam_policy_document.this.json - #depends_on = [null_resource.policy_delay] + depends_on = [null_resource.policy_delay] } resource "aws_s3_bucket_public_access_block" "this" { 
@@ -136,7 +136,7 @@ resource "aws_s3_bucket_public_access_block" "this" { restrict_public_buckets = true } -resource "null_resource" "s3_create_wait" { +resource "null_resource" "policy_delay" { triggers = { bucket = aws_s3_bucket.this.id } From c606874f8045e8a5b02a57bb6f5ddc5461d936fb Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 24 Sep 2020 15:27:29 -0400 Subject: [PATCH 40/46] fix delay2 --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 1d72a8e..1c9505e 100644 --- a/main.tf +++ b/main.tf @@ -152,7 +152,7 @@ resource "aws_s3_bucket_object" "this_objects" { key = format("%s/", element(var.bucket_folders, count.index)) source = "/dev/null" - depends_on = [null_resource.s3_create_wait] + depends_on = [null_resource.policy_delay] } #------------------------------------------------------------------------- From cd0a1232190af65376e888ef6809abb7d5041ee3 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Fri, 25 Sep 2020 11:49:06 -0400 Subject: [PATCH 41/46] add delay on block access --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 1c9505e..8ec6cc1 100644 --- a/main.tf +++ b/main.tf @@ -134,6 +134,7 @@ resource "aws_s3_bucket_public_access_block" "this" { block_public_policy = true ignore_public_acls = true restrict_public_buckets = true + depends = [aws_s3_bucket_policy.policy ] } resource "null_resource" "policy_delay" { From 454e4979108415d8e58da1efa7da0cacd936bb0d Mon Sep 17 00:00:00 2001 From: ashle001 Date: Fri, 25 Sep 2020 11:51:09 -0400 Subject: [PATCH 42/46] add delay on block access --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 8ec6cc1..8acf12a 100644 --- a/main.tf +++ b/main.tf 
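Review bot: In the PATCH 41 hunk, `depends = [aws_s3_bucket_policy.policy ]` is not a Terraform meta-argument and aws_s3_bucket_public_access_block has no `depends` attribute, so this commit fails validation (the following commit changes it to `depends_on`). The ordering it introduces deserves a comment either way: the public access block is now attached only after the bucket policy, which itself waits on `policy_delay`, so the four `block_public_*` / `restrict_public_buckets` guards become the last thing applied to a new bucket even though nothing in them depends on the policy content. As far as the statements visible in this series go the policy is Deny-only, so `block_public_policy = true` would not reject it, and the dependency could run the other way — block first, policy second — putting the baseline guard in place before anything else; if the order is a deliberate workaround for concurrent PutBucketPolicy / PutPublicAccessBlock calls conflicting, say so inline, e.g. `# serialized after the policy: concurrent S3 PUT calls conflicted on fresh buckets`. The enclosing resource block starts outside the hunk.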
@@ -134,7 +134,7 @@ resource "aws_s3_bucket_public_access_block" "this" { block_public_policy = true ignore_public_acls = true restrict_public_buckets = true - depends = [aws_s3_bucket_policy.policy ] + depends_on = [aws_s3_bucket_policy.policy ] } resource "null_resource" "policy_delay" { From bd146f90f66a7ab9fe7575eedd50758913576808 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 1 Oct 2020 14:46:33 -0400 Subject: [PATCH 43/46] remove old kms block --- main.tf | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/main.tf b/main.tf index 8acf12a..174fc1a 100644 --- a/main.tf +++ b/main.tf @@ -156,20 +156,6 @@ resource "aws_s3_bucket_object" "this_objects" { depends_on = [null_resource.policy_delay] } -#------------------------------------------------------------------------- -# EFS KMS KEY AND ALIAS -#------------------------------------------------------------------------- -#resource "aws_kms_key" "key" { -# description = "KMS CMK for title26_s3 ${local.name}" -# enable_key_rotation = true - -# tags = merge( -# local.base_tags, -# { "Name" = local.kms_key_name }, -# var.tags -# ) -#} - #--- # create a key and alias if not specified #--- From 93bd3e8cc351f1beb80b4fd2860121a790455c16 Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 1 Oct 2020 15:00:00 -0400 Subject: [PATCH 44/46] remove main.tf.bak --- main.tf.bak | 106 ---------------------------------------------------- 1 file changed, 106 deletions(-) delete mode 100644 main.tf.bak diff --git a/main.tf.bak b/main.tf.bak deleted file mode 100644 index 1ffc52b..0000000 --- a/main.tf.bak +++ /dev/null 
@@ -1,106 +0,0 @@
-/* = About =
- * = Usage =
- * module "mybucket" {
- * source = "git@github.e.it.census.gov:terraform-modules/aws-t26-s3.git"
- *
- * bucket_name = "myt26bucket"
- * }
- *
- */
-
-locals {
- enforced_tags = {
- "boc:safeguard" = "title26"
- }
-}
-
-#---
-# s3 bucket
-#---
-resource "aws_s3_bucket" "this" {
- bucket = var.bucket_name
- acl = "private"
-
- force_destroy = true
-
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = var.kms_key_id
- sse_algorithm = "aws:kms"
- }
- }
- }
-
- versioning {
- enabled = true
- #enabled = false
- }
-
- logging {
- target_bucket = var.access_log_bucket
- target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket)
- }
-
- lifecycle {
- #prevent_destroy = true
- }
-
- tags = merge(
- var.tags,
- local.enforced_tags,
- map("Name", var.bucket_name)
- )
-}
-
-data "aws_iam_policy_document" "this" {
- statement {
- sid = "DenyIncorrectEncryptionHeader"
- effect = "Deny"
- actions = ["s3:PutObject"]
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- resources = ["${aws_s3_bucket.this.arn}/*"]
- condition {
- test = "StringNotEquals"
- variable = "s3:x-amz-server-side-encryption"
- values = ["aws:kms"]
- }
- }
- statement {
- sid = "DenyUnEncryptedObjectUploads"
- effect = "Deny"
- actions = ["s3:PutObject"]
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- resources = ["${aws_s3_bucket.this.arn}/*"]
- condition {
- test = "Null"
- variable = "s3:x-amz-server-side-encryption"
- values = ["true"]
- }
- }
-}
-
-resource "null_resource" "s3_create_wait" {
- triggers = {
- bucket = aws_s3_bucket.this.id
- }
- provisioner "local-exec" {
- when = create
- command = "sleep 120"
- }
-}
-
-resource "aws_s3_bucket_object" "this_objects" {
- bucket = aws_s3_bucket.this.id
- count = length(var.bucket_folders)
- key = format("%s/", element(var.bucket_folders, count.index))
- source = "/dev/null"
-
- depends_on =
[null_resource.s3_create_wait] -} From 7ce53221c8ef35f8b489da24dd02ddc2ac1a136c Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 1 Oct 2020 15:12:46 -0400 Subject: [PATCH 45/46] run pre-commit --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 174fc1a..3d50a9b 100644 --- a/main.tf +++ b/main.tf @@ -123,8 +123,8 @@ data "aws_iam_policy_document" "this" { # apply policy to bucket and public access block policy to bucket #--- resource "aws_s3_bucket_policy" "policy" { - bucket = aws_s3_bucket.this.bucket - policy = data.aws_iam_policy_document.this.json + bucket = aws_s3_bucket.this.bucket + policy = data.aws_iam_policy_document.this.json depends_on = [null_resource.policy_delay] } @@ -134,7 +134,7 @@ resource "aws_s3_bucket_public_access_block" "this" { block_public_policy = true ignore_public_acls = true restrict_public_buckets = true - depends_on = [aws_s3_bucket_policy.policy ] + depends_on = [aws_s3_bucket_policy.policy] } resource "null_resource" "policy_delay" { From a356b49cc94565f43f56491b1e38a1238d938bfb Mon Sep 17 00:00:00 2001 From: ashle001 Date: Thu, 1 Oct 2020 15:13:12 -0400 Subject: [PATCH 46/46] remove locals.tf --- locals.tf | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 locals.tf diff --git a/locals.tf b/locals.tf deleted file mode 100644 index fe89b5b..0000000 --- a/locals.tf +++ /dev/null @@ -1,7 +0,0 @@ -locals { - #region = var.region - - #s3_bucket_names = formatlist("v-s3-%v", var.s3_bucket_names) - #key_name = format("k-kms-%v", local.app_name) -} -