Terraform module for terraform-aws-s3

Datatamer/terraform-aws-s3

Tamr AWS S3 Terraform Module

This Terraform module creates an encrypted S3 bucket and any associated IAM policies.

Examples

Basic

```hcl
module "tamr-s3-eg" {
  source           = "git::https://github.com/Datatamer/terraform-aws-s3?ref=1.0.0"
  bucket_name      = "mybucket"
  read_only_paths  = ["path/to/ro-folder"]
  read_write_paths = ["path/to/rw-folder", "path/to/another-rw-folder"]
}
```

Note about read_only_paths / read_write_paths:

  • Providing a path to a folder as in the example, ["path/to/folder"], permits the actions specified in read_only_actions / read_write_actions on mybucket/path/to/folder and mybucket/path/to/folder/*. The two resources are listed separately on purpose: a sibling prefix such as path/to/folder-other is not covered.

Minimal

Smallest complete working example. It may require extra resources to run.

S3 Bucket IAM Policy Submodule

Working example of using the bucket-iam-policy submodule on an existing S3 bucket.

Resources Created

This module creates:

  • an S3 bucket
  • an S3 bucket policy to enforce AES256 server-side encryption
  • read-only and/or read-write IAM policies
    • IAM policies created by this module are intended to be attached to service roles downstream. S3-related permissions intended for an instance profile should be configured entirely downstream.
    • If neither read_only_paths nor read_write_paths is provided, the module defaults to creating a read-only IAM policy on the entire bucket.
    • If you set read_write_paths to [""], the module permits read_write_actions on the whole bucket.
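The path rules above (prefix plus prefix/*, the [""] whole-bucket case, and the read-only default when no paths are given) are modelled below so a reviewer can check what a given set of inputs grants before applying. This is an added illustration, not the module's own code; the single-statement policy layout is an assumption about what the module generates, and `allows` only approximates IAM wildcard matching.

```python
"""Models the README's read_only_paths / read_write_paths rules. Added illustration
(not the module's code); the one-statement layout is an assumption about its output."""
import fnmatch

DEFAULT_RO_ACTIONS = ["s3:Get*", "s3:List*"]
DEFAULT_RW_ACTIONS = [
    "s3:GetBucketLocation", "s3:GetBucketCORS", "s3:GetObjectVersionForReplication",
    "s3:GetObject", "s3:GetBucketTagging", "s3:GetObjectVersion", "s3:GetObjectTagging",
    "s3:ListMultipartUploadParts", "s3:ListBucketByTags", "s3:ListBucket",
    "s3:ListObjects", "s3:ListObjectsV2", "s3:ListBucketMultipartUploads",
    "s3:PutObject", "s3:PutObjectTagging", "s3:HeadBucket", "s3:DeleteObject",
]

def path_resources(bucket, path, partition="aws"):
    """One path grants the prefix itself plus everything under it; the README's
    [""] case maps to the bucket ARN and bucket/* (the whole bucket)."""
    base = f"arn:{partition}:s3:::{bucket}"
    path = path.strip("/")
    if not path:
        return [base, f"{base}/*"]
    return [f"{base}/{path}", f"{base}/{path}/*"]

def build_policies(bucket, read_only_paths=(), read_write_paths=(),
                   read_only_actions=DEFAULT_RO_ACTIONS,
                   read_write_actions=DEFAULT_RW_ACTIONS, partition="aws"):
    """Return {"ro": doc-or-None, "rw": doc-or-None}, applying the README
    default: with no paths at all, a read-only policy on the entire bucket."""
    ro_paths, rw_paths = list(read_only_paths), list(read_write_paths)
    if not ro_paths and not rw_paths:
        ro_paths = [""]
    docs = {}
    for name, paths, actions in (("ro", ro_paths, read_only_actions),
                                 ("rw", rw_paths, read_write_actions)):
        if not paths:
            docs[name] = None
            continue
        resources = [r for p in paths for r in path_resources(bucket, p, partition)]
        docs[name] = {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": list(actions), "Resource": resources}]}
    return docs

def allows(doc, action, resource_arn):
    """Pre-apply review check: does `doc` grant `action` on `resource_arn`?
    Approximates IAM's case-insensitive '*'/'?' matching with fnmatch."""
    if doc is None:
        return False
    return any(any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in s["Action"])
               and any(fnmatch.fnmatchcase(resource_arn, r) for r in s["Resource"])
               for s in doc["Statement"])
```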

Requirements

| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | >= 3.36, !=4.0.0, !=4.1.0, !=4.2.0, !=4.3.0, !=4.4.0, !=4.5.0, !=4.6.0, !=4.7.0, !=4.8.0 |

Providers

No provider.

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| bucket_name | Name of S3 bucket to create. | string | n/a | yes |
| additional_tags | [DEPRECATED: Use tags instead] Additional tags to be attached to the S3 bucket and associated resources. | map(string) | {} | no |
| arn_partition | The partition in which the resource is located. A partition is a group of AWS Regions; each AWS account is scoped to one partition. Supported partitions: aws (AWS Regions), aws-cn (China Regions), aws-us-gov (AWS GovCloud (US) Regions). | string | "aws" | no |
| force_destroy | A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool | true | no |
| read_only_actions | List of actions that should be permitted by a read-only policy. | list(string) | ["s3:Get*", "s3:List*"] | no |
| read_only_paths | List of paths/prefixes that should be attached to a read-only policy. Listed path(s) should omit the head bucket. | list(string) | [] | no |
| read_write_actions | List of actions that should be permitted by a read-write policy. | list(string) | ["s3:GetBucketLocation", "s3:GetBucketCORS", "s3:GetObjectVersionForReplication", "s3:GetObject", "s3:GetBucketTagging", "s3:GetObjectVersion", "s3:GetObjectTagging", "s3:ListMultipartUploadParts", "s3:ListBucketByTags", "s3:ListBucket", "s3:ListObjects", "s3:ListObjectsV2", "s3:ListBucketMultipartUploads", "s3:PutObject", "s3:PutObjectTagging", "s3:HeadBucket", "s3:DeleteObject"] | no |
| read_write_paths | List of paths/prefixes that should be attached to a read-write policy. Listed path(s) should omit the head bucket. | list(string) | [] | no |
| s3_bucket_logging | The name of the S3 bucket in which to store server access logs. | string | "" | no |
| tags | A map of tags to add to all resources. Replaces additional_tags. | map(string) | {} | no |

Outputs

| Name | Description |
|---|---|
| bucket_name | Name of S3 bucket created by the encrypted-bucket module. |
| ro_policy_arn | ARN assigned to the read-only IAM policy created by the iam-policy module. |
| rw_policy_arn | ARN assigned to the read-write IAM policy created by the iam-policy module. |

References

This repo is based on:

Development

Generating Docs

Run make terraform/docs to generate the sections of the docs covering Terraform inputs, outputs and requirements.

Checkstyles

Run make lint; this runs terraform fmt in addition to a few other checks that detect whitespace issues. NOTE: this requires a working Docker installation on the machine running the checks.

Releasing new versions

  • Update the version contained in VERSION
  • Document changes in CHANGELOG.md
  • Create a tag in GitHub for the commit associated with the version

License

Apache 2 Licensed. See LICENSE for full details.