From 07fd6d7acda60d7dd2249c80b345619708d5bece Mon Sep 17 00:00:00 2001 From: Chris Mackubin Date: Thu, 6 Feb 2020 23:56:22 -0500 Subject: [PATCH 1/3] Adding public access block --- .pre-commit-config.yaml | 4 +- README.md | 62 ++++++++++++++++++++----------- examples/complete/README.md | 11 ++++++ examples/s3-replication/README.md | 12 ++++++ main.tf | 10 +++++ repo-setup.md | 21 +++++++++++ variables.tf | 24 ++++++++++++ 7 files changed, 120 insertions(+), 24 deletions(-) create mode 100644 repo-setup.md diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9729b21e..d658b898 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,10 +1,10 @@ repos: - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.21.0 + rev: v1.25.0 hooks: - id: terraform_fmt - id: terraform_docs - repo: git://github.com/pre-commit/pre-commit-hooks - rev: v2.4.0 + rev: v2.5.0 hooks: - id: check-merge-conflict diff --git a/README.md b/README.md index 0c94e019..83f7602f 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,7 @@ # AWS S3 bucket Terraform module +[![GitHub Release](https://img.shields.io/github/v/release/bluesentry/tf-module.s3?style=plastic)](https://github.com/bluesentry/tf-module.s3/releases/latest) +![Terraform Compatibility](https://img.shields.io/badge/terraform-%3E%3D%200.12-blue?style=plastic) + Terraform module which creates S3 bucket on AWS with all (or almost all) features provided by Terraform AWS provider. @@ -6,6 +9,7 @@ This type of resources are supported: * [S3 Bucket](https://www.terraform.io/docs/providers/aws/r/s3_bucket.html) * [S3 Bucket Policy](https://www.terraform.io/docs/providers/aws/r/s3_bucket_policy.html) +* [S3 Bucket Public Access Block](https://www.terraform.io/docs/providers/aws/r/s3_bucket_public_access_block.html) These features of S3 bucket configurations are supported: 
@@ -23,6 +27,10 @@ These features of S3 bucket configurations are supported: Only Terraform 0.12 is supported. +## Module Development + +Please review the [repo-setup](repo-setup.md) documentation related to local environment setup before modifying this repo. + ## Usage ### Private bucket with versioning enabled 
@@ -77,30 +85,40 @@ module "s3_bucket" { * [Cross-Region Replication](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/s3-replication) - S3 bucket with Cross-Region Replication (CRR) enabled +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | + ## Inputs | Name | Description | Type | Default | Required | -|------|-------------|:----:|:-----:|:-----:| -| acceleration\_status | (Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. | string | `"null"` | no | -| acl | (Optional) The canned ACL to apply. Defaults to 'private'. | string | `"private"` | no | -| attach\_elb\_log\_delivery\_policy | Controls if S3 bucket should have ELB log delivery policy attached | bool | `"false"` | no | -| attach\_policy | Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy) | bool | `"false"` | no | -| bucket | (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. | string | `"null"` | no | -| bucket\_prefix | (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. | string | `"null"` | no | -| cors\_rule | Map containing a rule of Cross-Origin Resource Sharing. | any | `{}` | no | -| create\_bucket | Controls if S3 bucket should be created | bool | `"true"` | no | -| force\_destroy | (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool | `"false"` | no | -| lifecycle\_rule | List of maps containing configuration of object lifecycle management. | any | `[]` | no | -| logging | Map containing access bucket logging configuration. | map(string) | `{}` | no | -| object\_lock\_configuration | Map containing S3 object locking configuration. 
| any | `{}` | no | -| policy | (Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. | string | `"null"` | no | -| region | (Optional) If specified, the AWS region this bucket should reside in. Otherwise, the region used by the callee. | string | `"null"` | no | -| replication\_configuration | Map containing cross-region replication configuration. | any | `{}` | no | -| request\_payer | (Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. | string | `"null"` | no | -| server\_side\_encryption\_configuration | Map containing server-side encryption configuration. | any | `{}` | no | -| tags | (Optional) A mapping of tags to assign to the bucket. | map(string) | `{}` | no | -| versioning | Map containing versioning configuration. | map(string) | `{}` | no | -| website | Map containing static web-site hosting or redirect configuration. | map(string) | `{}` | no | +|------|-------------|------|---------|:-----:| +| acceleration\_status | (Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. | `string` | n/a | yes | +| acl | (Optional) The canned ACL to apply. Defaults to 'private'. 
| `string` | `"private"` | no | +| attach\_elb\_log\_delivery\_policy | Controls if S3 bucket should have ELB log delivery policy attached | `bool` | `false` | no | +| attach\_policy | Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy) | `bool` | `false` | no | +| block\_public\_acls | (Optional) Whether Amazon S3 should block public ACLs for this bucket. | `bool` | `false` | no | +| block\_public\_policy | (Optional) Whether Amazon S3 should block public bucket policies for this bucket. | `bool` | `false` | no | +| bucket | (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. | `string` | n/a | yes | +| bucket\_prefix | (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. | `string` | n/a | yes | +| cors\_rule | Map containing a rule of Cross-Origin Resource Sharing. | `any` | `{}` | no | +| create\_bucket | Controls if S3 bucket should be created | `bool` | `true` | no | +| force\_destroy | (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no | +| ignore\_public\_acls | (Optional) Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | `false` | no | +| lifecycle\_rule | List of maps containing configuration of object lifecycle management. | `any` | `[]` | no | +| logging | Map containing access bucket logging configuration. | `map(string)` | `{}` | no | +| object\_lock\_configuration | Map containing S3 object locking configuration. | `any` | `{}` | no | +| policy | (Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. 
In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. | `string` | n/a | yes | +| region | (Optional) If specified, the AWS region this bucket should reside in. Otherwise, the region used by the callee. | `string` | n/a | yes | +| replication\_configuration | Map containing cross-region replication configuration. | `any` | `{}` | no | +| request\_payer | (Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. | `string` | n/a | yes | +| restrict\_public\_buckets | (Optional) Whether Amazon S3 should restrict public bucket policies for this bucket. | `bool` | `false` | no | +| server\_side\_encryption\_configuration | Map containing server-side encryption configuration. | `any` | `{}` | no | +| tags | (Optional) A mapping of tags to assign to the bucket. | `map(string)` | `{}` | no | +| versioning | Map containing versioning configuration. | `map(string)` | `{}` | no | +| website | Map containing static web-site hosting or redirect configuration. | `map(string)` | `{}` | no | ## Outputs @@ -119,7 +137,7 @@ module "s3_bucket" { ## Authors -Module managed by [Anton Babenko](https://github.com/antonbabenko). +Module started from a fork of [terraform-aws-modules/terraform-aws-s3-bucket](terraform-aws-modules/terraform-aws-s3-bucket) by [Anton Babenko](https://github.com/antonbabenko). ## License diff --git a/examples/complete/README.md b/examples/complete/README.md index 417ea522..966dfe84 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
@@ -24,6 +24,17 @@ $ terraform apply Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | +| random | n/a | + +## Inputs + +No input. + ## Outputs | Name | Description | diff --git a/examples/s3-replication/README.md b/examples/s3-replication/README.md index c4a10321..b95b6d10 100644 --- a/examples/s3-replication/README.md +++ b/examples/s3-replication/README.md @@ -17,6 +17,18 @@ $ terraform apply Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | +| aws.replica | n/a | +| random | n/a | + +## Inputs + +No input. + ## Outputs | Name | Description | diff --git a/main.tf b/main.tf index 4ea6f158..35a4befb 100644 --- a/main.tf +++ b/main.tf @@ -251,3 +251,13 @@ data "aws_iam_policy_document" "elb_log_delivery" { ] } } + +resource "aws_s3_bucket_public_access_block" "this" { + count = var.create_bucket && (var.block_public_acls || var.block_public_policy || var.ignore_public_acls || var.restrict_public_buckets) + + bucket = aws_s3_bucket.this[0].id + block_public_acls = var.block_public_acls + block_public_policy = var.block_public_policy + ignore_public_acls = var.ignore_public_acls + restrict_public_buckets = var.restrict_public_buckets +} diff --git a/repo-setup.md b/repo-setup.md new file mode 100644 index 00000000..b6ccde84 --- /dev/null +++ b/repo-setup.md 
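Review bot: All four settings of the new `aws_s3_bucket_public_access_block` resource default to `false` (the matching `variable` blocks added to variables.tf in this patch carry the same defaults), and the `count` expression skips the resource unless at least one flag is set, so a caller that does not opt in still gets a bucket with no public access block at all, while the README hunk in this patch now advertises the feature as supported. The protective value for each of the four is `true`; if flipping the defaults is too disruptive for existing callers, the variable descriptions should at least say that nothing is created unless one flag is enabled, e.g. `description = "(Optional) Whether Amazon S3 should block public ACLs for this bucket. The public access block resource is only created when at least one of the four public-access settings is true."`. The same wording belongs on the other three variables so the generated README table carries it.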
@@ -0,0 +1,21 @@ +# Setup for developing on this repository + +This repo is utilizing git hooks and [pre-commit](https://pre-commit.com/) to run some checks and automate readme documentation prior to committing to git + +Install using homebrew: +```bash +brew install pre-commit gawk terraform-docs tflint +``` + +Install the git hook for you local environment to run the configured `pre-commit` actions automatically on `git commit` +```bash +pre-commit install +``` + +If you want to run all the pre-commit configured checks without doing a commit. +```bash +pre-commit run --all-files +``` + +### Firewall Note +If you are working from a location that restricts outgoing requests on non-standard ports. Note that pre-commit pulls dependent github repos via port `9418` diff --git a/variables.tf b/variables.tf index f659aa68..c46d2dbb 100644 --- a/variables.tf +++ b/variables.tf @@ -117,3 +117,27 @@ variable "object_lock_configuration" { type = any default = {} } + +variable "block_public_acls" { + description = "(Optional) Whether Amazon S3 should block public ACLs for this bucket." + type = bool + default = false +} + +variable "block_public_policy" { + description = "(Optional) Whether Amazon S3 should block public bucket policies for this bucket." + type = bool + default = false +} + +variable "ignore_public_acls" { + description = "(Optional) Whether Amazon S3 should ignore public ACLs for this bucket." + type = bool + default = false +} + +variable "restrict_public_buckets" { + description = "(Optional) Whether Amazon S3 should restrict public bucket policies for this bucket." + type = bool + default = false +} From 4b4fa561a00a302b046fdec595945ae65a8919b9 Mon Sep 17 00:00:00 2001 
From: Chris Mackubin Date: Fri, 7 Feb 2020 00:11:54 -0500 Subject: [PATCH 2/3] removed previous changelog --- CHANGELOG.md | 68 ---------------------------------------------------- Makefile | 7 ------ 2 files changed, 75 deletions(-) delete mode 100644 CHANGELOG.md delete mode 100644 Makefile diff --git a/CHANGELOG.md b/CHANGELOG.md deleted file mode 100644 index 6d8e84c1..00000000 --- a/CHANGELOG.md +++ /dev/null 
@@ -1,68 +0,0 @@ - -## [Unreleased] - - - - -## [v1.5.0] - 2020-01-07 - -- Fix kms_master_key_id to conform with terraform resource ([#5](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/issues/5)) - - - -## [v1.4.0] - 2019-11-22 - -- Updated CHANGELOG -- Fix for bucket policy count when value is not computed ([#12](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/issues/12)) - - - -## [v1.3.0] - 2019-11-22 - -- Updated CHANGELOG -- Updated example to show bucket policy usage - - - -## [v1.2.0] - 2019-11-21 - -- Updated CHANGELOG -- Output bucket id from s3_bucket_policy to make sure that policy is present before it can be used - - - -## [v1.1.0] - 2019-11-20 - -- Updated CHANGELOG -- Added support for S3 bucket policy (incl. ELB logs delivery policy) ([#10](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/issues/10)) - - - -## [v0.1.0] - 2019-08-29 - - - - -## [v1.0.0] - 2019-08-29 - -- Updated CHANGELOG -- Rewrite to match other modules, added all existing S3 features - - - -## v0.0.1 - 2019-07-21 - -- Updated CHANGELOG -- Minor formatting, cleanups, readme -- Initial release of this module ([#4](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/issues/4)) -- Initial commit - - -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/compare/v1.5.0...HEAD -[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/compare/v1.4.0...v1.5.0 -[v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/compare/v1.3.0...v1.4.0 -[v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/compare/v1.2.0...v1.3.0 -[v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/compare/v1.1.0...v1.2.0 -[v1.1.0]: https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/compare/v0.1.0...v1.1.0 -[v0.1.0]: https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/compare/v1.0.0...v0.1.0 -[v1.0.0]: 
https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/compare/v0.0.1...v1.0.0
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 558dac5a..00000000
--- a/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-.PHONY: changelog release
-
-changelog:
- git-chglog -o CHANGELOG.md --next-tag `semtag final -s minor -o`
-
-release:
- semtag final -s minor
From 5d4ab76684aa1649528a59c1efd7a2a4d6e9570d Mon Sep 17 00:00:00 2001
From: Chris Mackubin
Date: Fri, 7 Feb 2020 10:19:11 -0500
Subject: [PATCH 3/3] left off condition

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 35a4befb..140afc9f 100644
--- a/main.tf
+++ b/main.tf
@@ -253,7 +253,7 @@ data "aws_iam_policy_document" "elb_log_delivery" {
 }
 
 resource "aws_s3_bucket_public_access_block" "this" {
-  count = var.create_bucket && (var.block_public_acls || var.block_public_policy || var.ignore_public_acls || var.restrict_public_buckets)
+  count = var.create_bucket && (var.block_public_acls || var.block_public_policy || var.ignore_public_acls || var.restrict_public_buckets) ? 1 : 0
 
   bucket = aws_s3_bucket.this[0].id
   block_public_acls = var.block_public_acls
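Review bot: The corrected `count` now yields a number, but the resource still has no ordering relationship with the bucket policy this module can attach (`attach_policy` / `policy` in the README table), and in my experience S3 can reject a policy write and a public-access-block write issued concurrently with a conflicting-conditional-operation error, so a first apply that creates both may fail intermittently. Assuming the policy resource is `aws_s3_bucket_policy.this` (its address is not visible in this hunk), adding `depends_on = [aws_s3_bucket_policy.this]` to this resource sequences the block after the policy and avoids the race. A one-line comment stating that reason next to the `depends_on` would keep it from being dropped later as redundant. The resource body continues past the end of the hunk.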