Aws t26 s3

README.md

@@ -1,9 +1,14 @@
-= Usage =  
-module "mybucket" {  
+# About aws-t26-s3
+
+# Usage
+
+```hcl
+module "mybucket" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-t26-s3.git"
 
-  bucket\_name = "myt26bucket"
+  bucket_name = "myt26bucket"
 }
+```
 
 ## Requirements
 
@@ -20,6 +25,7 @@ No requirements.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes |
 | access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no |
 | bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no |
 | bucket\_name | AWS Bucket Name | `string` | n/a | yes |

main.tf

@@ -1,17 +1,36 @@
-/* = About =
- * = Usage =
- * module "mybucket" {
- *   source = "git@github.e.it.census.gov:terraform-modules/aws-t26-s3.git"
- *
- *   bucket_name = "myt26bucket"
- * }
- * 
- */
+/* 
+* # About aws-t26-s3
+* 
+* # Usage 
+*
+* ```hcl
+* module "mybucket" {
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-t26-s3.git"
+*
+*   bucket_name = "myt26bucket"
+* }
+* ```
+* 
+*/
 
 locals {
   enforced_tags = {
     "boc:safeguard" = "title26"
   }
+  #account_id = data.aws_caller_identity.current.account_id
+  #aws_region = data.aws_region.current.name
+  #partition  = data.aws_arn.current.partition
+  #name       = (var.name != "" && var.name != null) ? var.name : format("k-kms-%v-%v", var.bucket_name, local.aws_region)
+  name = var.bucket_name
+
+  # kms_key_arn_exists = var.kms_key_arn != "" && var.kms_key_arn != null
+  kms_key_arn  = aws_kms_key.key.arn
+  kms_key_name = format("%s%s", local._prefixes["kms"], var.bucket_name)
+
+  base_tags = {
+    # "boc:tf_module_version" = var._module_version
+    "boc:created_by" = "terraform"
+  }
 }
 
 #---
@@ -24,8 +43,10 @@ resource "aws_s3_bucket" "this" {
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
-        kms_master_key_id = var.kms_key_id
-        sse_algorithm     = "aws:kms"
+        kms_master_key_id = aws_kms_key.key.key_id
+        #kms_master_key_id = var.kms_key_id
+        #kms_master_key_id = "k-kms-", var.bucket_name
+        sse_algorithm = "aws:kms"
       }
     }
   }
@@ -36,11 +57,11 @@ resource "aws_s3_bucket" "this" {
 
   logging {
     target_bucket = var.access_log_bucket
-    target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.access_log_bucket)
+    target_prefix = format("%s/%s/", var.access_log_bucket_prefix, var.bucket_name)
   }
 
   lifecycle {
-    prevent_destroy = true
+    prevent_destroy = false
   }
 
   tags = merge(
@@ -81,9 +102,42 @@ data "aws_iam_policy_document" "this" {
       values   = ["true"]
     }
   }
+  statement {
+    sid     = "enforceSSL"
+    effect  = "Deny"
+    actions = ["s3:*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
 }
 
-resource "null_resource" "s3_create_wait" {
+#---
+# apply policy to bucket and public access block policy to bucket
+#---
+resource "aws_s3_bucket_policy" "policy" {
+  bucket     = aws_s3_bucket.this.bucket
+  policy     = data.aws_iam_policy_document.this.json
+  depends_on = [null_resource.policy_delay]
+}
+
+resource "aws_s3_bucket_public_access_block" "this" {
+  bucket                  = aws_s3_bucket.this.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+  depends_on              = [aws_s3_bucket_policy.policy]
+}
+
+resource "null_resource" "policy_delay" {
   triggers = {
     bucket = aws_s3_bucket.this.id
   }
@@ -99,5 +153,25 @@ resource "aws_s3_bucket_object" "this_objects" {
   key    = format("%s/", element(var.bucket_folders, count.index))
   source = "/dev/null"
 
-  depends_on = [null_resource.s3_create_wait]
+  depends_on = [null_resource.policy_delay]
+}
+
+#---
+# create a key and alias if not specified
+#---
+resource "aws_kms_key" "key" {
+  description         = "KMS CMK for S3 bucket ${local.name}"
+  enable_key_rotation = true
+  #policy              = data.aws_iam_policy_document.key.json
+
+  tags = merge(
+    local.base_tags,
+    { "Name" = local.kms_key_name },
+    var.tags
+  )
+}
+
+resource "aws_kms_alias" "key" {
+  name          = "alias/${local.kms_key_name}"
+  target_key_id = aws_kms_key.key.key_id
 }

prefixes.tf

@@ -0,0 +1,12 @@
+locals {
+  _prefixes = {
+    "efs"            = "v-efs-"
+    "s3"             = "v-s3-"
+    "ebs"            = "v-ebs-"
+    "kms"            = "k-kms-"
+    "role"           = "r-"
+    "policy"         = "p-"
+    "security-group" = ""
+    #    "security-group" = "sg-"
+  }
+}

variables.tf

@@ -26,3 +26,9 @@ variable "access_log_bucket_prefix" {
   type        = string
   default     = "s3"
 }
+
+variable "access_log_bucket" {
+  description = "Server Access Logging Bucket ID"
+  type        = string
+  #  default     = null
+}