{"id":21202482,"url":"https://github.com/infrablocks/terraform-aws-encrypted-bucket","last_synced_at":"2025-07-10T06:32:57.935Z","repository":{"id":24187621,"uuid":"100830440","full_name":"infrablocks/terraform-aws-encrypted-bucket","owner":"infrablocks","description":"A terraform module for creating an encrypted bucket in S3","archived":false,"fork":false,"pushed_at":"2024-10-28T11:04:41.000Z","size":610,"stargazers_count":5,"open_issues_count":2,"forks_count":8,"subscribers_count":10,"default_branch":"main","last_synced_at":"2024-10-28T14:24:13.988Z","etag":null,"topics":["aws","aws-s3","infrastructure","s3-bucket","terraform","terraform-modules"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/infrablocks.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-08-20T01:12:01.000Z","updated_at":"2024-10-28T11:03:20.000Z","dependencies_parsed_at":"2023-02-18T05:45:50.288Z","dependency_job_id":"844442c4-0c87-4bfc-8d8f-6994e2ecfc46","html_url":"https://github.com/infrablocks/terraform-aws-encrypted-bucket","commit_stats":null,"previous_names":[],"tags_count":85,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infrablocks%2Fterraform-aws-encrypted-bucket","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infrablocks%2Fterraform-aws-encrypted-bucket/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infrablocks%2Fterraform-aws-encry
pted-bucket/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/infrablocks%2Fterraform-aws-encrypted-bucket/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/infrablocks","download_url":"https://codeload.github.com/infrablocks/terraform-aws-encrypted-bucket/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225622825,"owners_count":17498170,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-s3","infrastructure","s3-bucket","terraform","terraform-modules"],"created_at":"2024-11-20T20:16:07.337Z","updated_at":"2024-11-20T20:16:08.459Z","avatar_url":"https://github.com/infrablocks.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"Terraform AWS Encrypted Bucket\n==============================\n\n\u003ca href=\"https://go-atomic.io/\"\nstyle=\"display: block; padding: 5px;\"\u003e\n\u003cimg\nsrc=\"https://github.com/infrablocks/terraform-aws-encrypted-bucket/raw/main/docs/images/atomic-logo-monochrome-2.png\"\nalt=\"Atomic Logo\"\nstyle=\"width: 220px\"\u003e\n\u003c/a\u003e\n\nBuilt with ❤️ by [Atomic](https://go-atomic.io/)\n\n---\n\nA Terraform module for building an encrypted bucket in AWS S3.\n\n![Build 
Status](https://img.shields.io/circleci/build/github/infrablocks/terraform-aws-encrypted-bucket)\n![License](https://img.shields.io/github/license/infrablocks/terraform-aws-encrypted-bucket)\n![Release](https://img.shields.io/github/v/tag/infrablocks/terraform-aws-encrypted-bucket?label=release)\n\nUsage\n-----\n\nTo use the module, include something like the following in your Terraform\nconfiguration:\n\n```hcl-terraform\nmodule \"encrypted_bucket\" {\n  source = \"git@github.com:infrablocks/terraform-aws-encrypted-bucket.git//src\"\n\n  bucket_name = \"my-organisations-encrypted-bucket\"\n}\n```\n\nSee the\n[Terraform registry entry](https://registry.terraform.io/modules/infrablocks/encrypted-bucket/aws/latest)\nfor more details.\n\n### Inputs\n\n| Name                                                        | Description                                                                                                                           |  Default  | Required |\n|-------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|:---------:|:--------:|\n| bucket_name                                                 | The name to use for the encrypted S3 bucket.                                                                                          |     -     |   yes    |\n| source_policy_document                                      | A source policy document for the bucket, additional statements to enable encryption will be added to the policy.                      |    \"\"     |    no    |\n| acl                                                         | The [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply.                              
| \"private\" |    no    |\n| tags                                                        | A map of additional tags to set on the bucket                                                                                         |    {}     |    no    |\n| kms_key_arn                                                 | If provided, \"aws:kms\" encryption will be enforced using the KMS key with the provided ARN. By default, \"AES-256\" encryption is used. |    \"\"     |    no    |\n| access_log_bucket_name                                      | The name of the bucket to use for access logging, required when enable_access_logging is \"yes\".                                       |    \"\"     |    no    |\n| access_log_object_key_prefix                                | The key prefix to use for log objects for access logging.                                                                             |    \"\"     |    no    |\n| public_access_block                                         | An object of public access block settings to apply to the bucket                                                                      | see below |    no    |\n| public_access_block.block_public_acls                       | Whether to block public ACLs                                                                                                          |   false   |    no    |\n| public_access_block.block_public_policy                     | Whether to block public bucket policies                                                                                               |   false   |    no    |\n| public_access_block.ignore_public_acls                      | Whether to ignore public ACLs                                                                                                         |   false   |    no    |\n| public_access_block.restrict_public_buckets                 | Whether to restrict public buckets                                                                      
                              |   false   |    no    |\n| enable_mfa_delete                                           | Whether or not to enable MFA delete on the bucket.                                                                                    |   false   |    no    |\n| enable_versioning                                           | Whether or not to enable versioning on the bucket.                                                                                    |   true    |    no    |\n| enable_access_logging                                       | Whether or not to enable access logging on the bucket.                                                                                |   false   |    no    |\n| enable_bucket_key                                           | Whether or not to use an Amazon [S3 Bucket Key](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html) for SSE-KMS.   |   false   |    no    |\n| enable_object_lock                                          | Whether or not to enable object lock on the bucket.                                                                                   |   false   |    no    |\n| object_lock_configuration                                   | The configuration for the object lock.                                                                                                |   null    |    no    |\n| cors_rules                                                  | The CORS rules to be applied to the bucket                                                                                            |   null    |    no    |\n| allow_destroy_when_objects_present                          | Whether or not to allow the bucket to be destroyed if it still contains objects.                                                      
|   false   |    no    |\n| include_deny_unencrypted_inflight_operations_statement      | Whether or not to include a bucket policy statement to deny unencrypted inflight operations.                                          |   true    |    no    |\n| include_deny_encryption_using_incorrect_algorithm_statement | Whether or not to include a bucket policy statement to deny encryption using the incorrect algorithm.                                 |   true    |    no    |\n| include_deny_encryption_using_incorrect_key_statement       | Whether or not to include a bucket policy statement to deny encryption using the incorrect key.                                       |   true    |    no    |\n\nBy default, a bucket policy that enforces encrypted inflight operations,\nencryption using the correct algorithm, and encryption using the correct key is\napplied to the bucket.\n\nIn the case that further statements need to be applied, a\n`source_policy_document` can be provided and the additional statements will be\nadded to this policy before being attached to the bucket.\n\nThe provided `tags` map, when present, will be merged with a compulsory tags map\ncontaining a `Name` tag equal to the bucket name.\n\n### Outputs\n\n| Name        | Description                    |\n|-------------|--------------------------------|\n| bucket_name | The name of the created bucket |\n| bucket_arn  | The ARN of the created bucket  |\n\n### Compatibility\n\nThis module is compatible with Terraform versions greater than or equal to\nTerraform 1.0.\n\n### Required Permissions\n\n* s3:CreateBucket\n* s3:ListBucket\n* s3:GetBucketCORS\n* s3:GetBucketVersioning\n* s3:GetAccelerateConfiguration\n* s3:GetBucketRequestPayment\n* s3:GetBucketLogging\n* s3:GetLifecycleConfiguration\n* s3:GetReplicationConfiguration\n* s3:GetBucketLocation\n* s3:GetBucketTagging\n* s3:PutBucketTagging\n* s3:PutBucketVersioning\n* s3:PutBucketPolicy\n* s3:PutBucketAcl\n* s3:DeleteBucketPolicy\n* s3:DeleteBucket\n\nIf 
public access block settings are specified, the following are also required:\n\n* s3:GetBucketPolicyStatus\n* s3:GetBucketPublicAccessBlock\n* s3:PutBucketPublicAccessBlock\n\nDevelopment\n-----------\n\n### Machine Requirements\n\nIn order for the build to run correctly, a few tools will need to be installed \non your development machine:\n\n* Ruby (3.1.1)\n* Bundler\n* git\n* git-crypt\n* gnupg\n* direnv\n* aws-vault\n\n#### Mac OS X Setup\n\nInstalling the required tools is best managed by [homebrew](http://brew.sh).\n\nTo install homebrew:\n\n```\nruby -e \"$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)\"\n```\n\nThen, to install the required tools:\n\n```\n# ruby\nbrew install rbenv\nbrew install ruby-build\necho 'eval \"$(rbenv init - bash)\"' \u003e\u003e ~/.bash_profile\necho 'eval \"$(rbenv init - zsh)\"' \u003e\u003e ~/.zshrc\neval \"$(rbenv init -)\"\nrbenv install 3.1.1\nrbenv rehash\nrbenv local 3.1.1\ngem install bundler\n\n# git, git-crypt, gnupg\nbrew install git\nbrew install git-crypt\nbrew install gnupg\n\n# aws-vault (installed as a cask)\nbrew install --cask aws-vault\n\n# direnv\nbrew install direnv\necho \"$(direnv hook bash)\" \u003e\u003e ~/.bash_profile\necho \"$(direnv hook zsh)\" \u003e\u003e ~/.zshrc\neval \"$(direnv hook $SHELL)\"\n\ndirenv allow \u003crepository-directory\u003e\n```\n\n### Running the build\n\nRunning the build requires an AWS account and AWS credentials. You are free to \nconfigure credentials however you like as long as an access key ID and secret\naccess key are available. 
These instructions utilise \n[aws-vault](https://github.com/99designs/aws-vault) which makes credential\nmanagement easy and secure.\n\nTo provision module infrastructure, run tests and then destroy that \ninfrastructure, execute:\n\n```bash\naws-vault exec \u003cprofile\u003e -- ./go\n```\n\nTo provision the module prerequisites:\n\n```bash\naws-vault exec \u003cprofile\u003e -- ./go deployment:prerequisites:provision[\u003cdeployment_identifier\u003e]\n```\n\nTo provision the module contents:\n\n```bash\naws-vault exec \u003cprofile\u003e -- ./go deployment:root:provision[\u003cdeployment_identifier\u003e]\n```\n\nTo destroy the module contents:\n\n```bash\naws-vault exec \u003cprofile\u003e -- ./go deployment:root:destroy[\u003cdeployment_identifier\u003e]\n```\n\nTo destroy the module prerequisites:\n\n```bash\naws-vault exec \u003cprofile\u003e -- ./go deployment:prerequisites:destroy[\u003cdeployment_identifier\u003e]\n```\n\nConfiguration parameters can be overridden via environment variables:\n\n```bash\nDEPLOYMENT_IDENTIFIER=testing aws-vault exec \u003cprofile\u003e -- ./go\n```\n\nWhen a deployment identifier is provided via an environment variable, \ninfrastructure will not be destroyed at the end of test execution. This can\nbe useful during development to avoid lengthy provision and destroy cycles.\n\nBy default, providers will be downloaded for each terraform execution. 
To\ncache providers between calls:\n\n```bash\nTF_PLUGIN_CACHE_DIR=\"$HOME/.terraform.d/plugin-cache\" aws-vault exec \u003cprofile\u003e -- ./go\n```\n\n### Common Tasks\n\n#### Generating an SSH key pair\n\nTo generate an SSH key pair:\n\n```\nssh-keygen -m PEM -t rsa -b 4096 -C integration-test@example.com -N '' -f config/secrets/keys/bastion/ssh\n```\n\n#### Generating a self-signed certificate\n\nTo generate a self-signed certificate:\n\n```\nopenssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365\n```\n\nTo decrypt the resulting key:\n\n```\nopenssl rsa -in key.pem -out ssl.key\n```\n\n#### Managing CircleCI keys\n\nTo encrypt a GPG key for use by CircleCI:\n\n```bash\nopenssl aes-256-cbc \\\n  -e \\\n  -md sha1 \\\n  -in ./config/secrets/ci/gpg.private \\\n  -out ./.circleci/gpg.private.enc \\\n  -k \"\u003cpassphrase\u003e\"\n```\n\nTo check decryption is working correctly:\n\n```bash\nopenssl aes-256-cbc \\\n  -d \\\n  -md sha1 \\\n  -in ./.circleci/gpg.private.enc \\\n  -k \"\u003cpassphrase\u003e\"\n```\n\nContributing\n------------\n\nBug reports and pull requests are welcome on GitHub at\nhttps://github.com/infrablocks/terraform-aws-encrypted-bucket. This project is\nintended to be a safe, welcoming space for collaboration, and contributors are\nexpected to adhere to\nthe [Contributor Covenant](http://contributor-covenant.org) code of conduct.\n\nLicense\n-------\n\nThe library is available as open source under the terms of the \n[MIT License](http://opensource.org/licenses/MIT).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfrablocks%2Fterraform-aws-encrypted-bucket","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finfrablocks%2Fterraform-aws-encrypted-bucket","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfrablocks%2Fterraform-aws-encrypted-bucket/lists"}