Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/wearetechnative/terraform-aws-s3

Standard S3 module that enforces KMS encryption. Use principal based policies to access this bucket if possible.
https://github.com/wearetechnative/terraform-aws-s3

Last synced: 3 months ago
JSON representation

Standard S3 module that enforces KMS encryption. Use principal based policies to access this bucket if possible.

Awesome Lists containing this project

README 

          
# Terraform AWS [S3] ![](https://img.shields.io/github/workflow/status/wearetechnative/terraform-aws-s3/tflint.yaml?branch=main&style=plastic)



Standard S3 module that enforces KMS encryption. Use principal based policies to access this bucket if possible.



Basically there are two workflows:

- Bucket is non-public: `var.name` and `var.kms_key_arn` are provided.

- Bucket is public: `var.name` and `var.kms_key_arn` are provided and `var.use_sse-s3_encryption_instead_of_sse-kms` is `true` along with `var.public_read_access` is also `true`.



Use `var.additional_tags` for any tagging purposes like backups.



You can externally attach resources such as aws_s3_bucket_cors_configuration & aws_s3_bucket_lifecycle_configuration as wrapping them only duplicates work and they cannot be generally applied.



Setting any other parameter other than the flows above is generally against best practices. Best practices involve:

- Always enable versioning.

- Always enable KMS encryption. We use CMK when possible or SSE-S3 if not.

- Disable ACLs completely.

- Enable full bucket protection (public access block).



This module also creates an SSM parameter called "/s3/${var.name}/id" to allow e.g. CICD systems to fetch the bucket name since bucket names are globally unique and we use the Terraform autogenerated prefix to do this. This makes the bucket name non-predictable but the SSM parameter solves this.



## How does it work



Basic flows are explained above. More complex flows are wrapped in our other modules that stem from AWS requirements and limitations. They involve more complex scenarios that are not explained here but are required from other module purposes.



See [./example] for examples on the replication setups.



## Providers



| Name | Version |

|------|---------|

|  [aws](#provider\_aws) | >=4.8.0 |



## Modules



| Name | Source | Version |

|------|--------|---------|

|  [replication\_source](#module\_replication\_source) | ./replication_source | n/a |

|  [replication\_target](#module\_replication\_target) | ./replication_target | n/a |



## Resources



| Name | Type |

|------|------|

| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |

| [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |

| [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |

| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |

| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |

| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |

| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |

| [aws_ssm_parameter.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |

| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |

| [aws_iam_policy_document.deny_obsolete_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

| [aws_iam_policy_document.deny_unencrypted_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

| [aws_iam_policy_document.deny_unencrypted_objectaccess](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

| [aws_iam_policy_document.deny_unencrypted_sse](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

| [aws_iam_policy_document.dummy_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

| [aws_iam_policy_document.public_read_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |



## Inputs



| Name | Description | Type | Default | Required |

|------|-------------|------|---------|:--------:|

|  [additional\_tags](#input\_additional\_tags) | Additional tags to be added to resources. | `map(string)` | `{}` | no |

|  [bucket\_policy\_addition](#input\_bucket\_policy\_addition) | Optional TF Object that converts to policy JSON with jsonencode() to append to current bucket policy which forbids non-encrypted uploads by default. Set an `` resource attribute to have it replaced by this module for you. | `any` | `null` | no |

|  [disable\_encryption\_enforcement](#input\_disable\_encryption\_enforcement) | Internal use only. Buckets get a standard policy that prevents un-encrypted uploads or encryption schemes that are not the default encryption. Some services cannot work (Athena CUR) with this policy enabled. | `bool` | `false` | no |

|  [enable\_acl](#input\_enable\_acl) | Internal use only. Enable ACL which is disabled by default. This is required in order to use the bucket for CloudFront S3 logging. | `bool` | `false` | no |

|  [enable\_public\_read\_access](#input\_enable\_public\_read\_access) | Enable public read access. | `bool` | `false` | no |

|  [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key to use for encrypting S3 bucket. | `string` | n/a | yes |

|  [lifecycle\_configuration](#input\_lifecycle\_configuration) | Object Lifecycle rules configuration. | 
map(object({
    status = string
    bucket_prefix = string
    transition = object({
      storage_class = string
      transition_days = number
    })
    expiration_days = number
    noncurrent_version_expiration = object({
        newer_noncurrent_versions = number
        noncurrent_days = number
    })
    noncurrent_version_transition = object({
        newer_noncurrent_versions = number
        noncurrent_days = number
        storage_class = string
    })
  }))
 | `{}` | no |

|  [name](#input\_name) | Prefix name for S3 bucket. | `string` | n/a | yes |

|  [source\_replication\_configuration](#input\_source\_replication\_configuration) | Replication configuration using this bucket as source. The key of the map is used for naming. Use output.replication\_target\_bucket\_arguments from any source buckets you want to replicate to in order to fill this argument if available. | 
map(object({
    destination_bucket_arn  = string
    destination_aws_account = string
    destination_kms_key_arn = string
  }))
 | `{}` | no |

|  [target\_replication\_configuration](#input\_target\_replication\_configuration) | Replication configuration using this bucket as target. The key of the map is used for naming. Use output.replication\_source\_bucket\_arguments from any source buckets you want to replicate to in order to fill this argument if available. | 
map(object({
    source_role_arn = string
  }))
 | `{}` | no |

|  [use\_fixed\_name](#input\_use\_fixed\_name) | Dont generate suffix after var.name to support already created S3 buckets. Not recommended to use this as this makes the S3 module non-portable. | `bool` | `false` | no |

|  [use\_sse-s3\_encryption\_instead\_of\_sse-kms](#input\_use\_sse-s3\_encryption\_instead\_of\_sse-kms) | Internal use only unless var.enable\_public\_read\_access is true. Enforce SSE-S3 encryption instead of SSE-KMS. This is required if external services only support SSE-S3. This is also a requirement for public buckets. | `bool` | `false` | no |



## Outputs



| Name | Description |

|------|-------------|

|  [kms\_key\_arn](#output\_kms\_key\_arn) | n/a |

|  [replication\_source\_bucket\_arguments](#output\_replication\_source\_bucket\_arguments) | n/a |

|  [replication\_target\_bucket\_arguments](#output\_replication\_target\_bucket\_arguments) | n/a |

|  [s3\_arn](#output\_s3\_arn) | n/a |

|  [s3\_bucket\_name](#output\_s3\_bucket\_name) | n/a |

|  [s3\_name\_parameter\_arn](#output\_s3\_name\_parameter\_arn) | n/a |

|  [website\_regional\_domain](#output\_website\_regional\_domain) | regional is better than global since global has redirects and is being deprecated |