AWS S3 Terraform Module

Description

This module creates an S3 bucket with a bucket policy, versioning enabled, logging enabled, and a bucket lifecycle policy configured.

FedRAMP Compliance: Moderate, High

Dependencies

• kms keys from ACE-AWS-Account

Resource List

• S3 bucket
• S3 bucket IAM policies

Deployment Steps

This module can be called as outlined below.

• Change directories to the reponame directory.
• From the terraform/aws/reponame directory run terraform init.
• Run terraform plan to review the resources being created.
• If everything looks correct in the plan output, run terraform apply.

Usage

Include example for how to call the module below with generic variables

provider "aws" {
  features {}
}

module "s3_bucket" {
  source = "github.com/Coalfire-CF/terraform-aws-s3"

  name   = "s3-bucket-name"
  enable_lifecycle_configuration_rules = true
  #  lifecycle_configuration_rules = [
  #    {
  #      id      = string
  #      prefix  = optional(string, null)
  #      enabled = bool
  #      tags    = optional(map(string), null)
  #
  #      enable_glacier_transition            = optional(bool, true)
  #      enable_deeparchive_transition        = optional(bool, false)
  #      enable_standard_ia_transition        = optional(bool, false)
  #      enable_current_object_expiration     = optional(bool, true)
  #      enable_noncurrent_version_expiration = optional(bool, true)
  #
  #      abort_incomplete_multipart_upload_days         = optional(number, null)
  #      noncurrent_version_glacier_transition_days     = optional(number, null)
  #      noncurrent_version_deeparchive_transition_days = optional(number, null)
  #      noncurrent_version_expiration_days             = optional(number, null)
  #
  #      standard_transition_days    = optional(number, null)
  #      glacier_transition_days     = optional(number, null)
  #      deeparchive_transition_days = optional(number, null)
  #      expiration_days             = optional(number, null)
  #    }
  #  ]
  enable_kms                    = true
  enable_server_side_encryption = true
  kms_master_key_id             = var.kms_master_key_id
}

Requirements

Name	Version
terraform	>=1.5.0
aws	~> 5.0

Providers

Name	Version
aws	~> 5.0

Modules

No modules.

Resources

Name	Type
aws_s3_bucket.s3_default	resource
aws_s3_bucket_accelerate_configuration.example	resource
aws_s3_bucket_cors_configuration.example	resource
aws_s3_bucket_lifecycle_configuration.default	resource
aws_s3_bucket_logging.example	resource
aws_s3_bucket_object_lock_configuration.example	resource
aws_s3_bucket_ownership_controls.this	resource
aws_s3_bucket_policy.s3_default	resource
aws_s3_bucket_public_access_block.this	resource
aws_s3_bucket_request_payment_configuration.example	resource
aws_s3_bucket_server_side_encryption_configuration.example	resource
aws_s3_bucket_versioning.example	resource
aws_s3_bucket_website_configuration.example	resource

Inputs

Name	Description	Type	Default	Required
acceleration_status	Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended	bool	false	no
attach_deny_insecure_transport_policy	Controls if S3 bucket should have deny non-SSL transport policy attached	bool	false	no
attach_elb_log_delivery_policy	Controls if S3 bucket should have ELB log delivery policy attached	bool	false	no
attach_lb_log_delivery_policy	Controls if S3 bucket should have ALB/NLB log delivery policy attached	bool	false	no
attach_policy	Controls if S3 bucket should have bucket policy attached (set to true to use value of policy as bucket policy)	bool	false	no
attach_public_policy	Controls if a user defined public bucket policy will be attached (set to false to allow upstream to apply defaults to the bucket)	bool	true	no
attach_require_latest_tls_policy	Controls if S3 bucket should require the latest version of TLS	bool	false	no
aws_iam_policy_document	The text of the policy. Although this is a bucket policy rather than an IAM policy, the aws_iam_policy_document data source may be used, so long as it specifies a principal. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. Note: Bucket policies are limited to 20 KB in size.	string	""	no
block_public_acls	Whether Amazon S3 should block public ACLs for this bucket.	bool	false	no
block_public_policy	Whether Amazon S3 should block public bucket policies for this bucket.	bool	false	no
bucket_policy	Conditionally create S3 bucket policy.	bool	false	no
control_object_ownership	Whether to manage S3 Bucket Ownership Controls on this bucket.	bool	false	no
cors_rule	CORS Configuration specification for this bucket	list(object({ allowed_headers = list(string) allowed_methods = list(string) allowed_origins = list(string) expose_headers = list(string) max_age_seconds = number }))	null	no
create_bucket	Conditionally create S3 bucket.	bool	true	no
enable_kms	Enable KMS key for enable_server_side_encryption	bool	true	no
enable_lifecycle_configuration_rules	enable or disable lifecycle_configuration_rules	bool	true	no
enable_server_side_encryption	Enable enable_server_side_encryption	bool	true	no
error_document	he name of the error document for the website	string	"error.html"	no
force_destroy	A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable.	bool	false	no
ignore_public_acls	Whether Amazon S3 should ignore public ACLs for this bucket.	bool	false	no
index_document	The name of the index document for the website	string	"index.html"	no
kms_master_key_id	The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms.	string	null	no
lifecycle_configuration_rules	A list of lifecycle rules	list(object({ id = string prefix = optional(string, null) enabled = bool tags = optional(map(string), null) enable_glacier_transition = optional(bool, true) enable_deeparchive_transition = optional(bool, false) enable_standard_ia_transition = optional(bool, false) enable_current_object_expiration = optional(bool, true) enable_noncurrent_version_expiration = optional(bool, true) abort_incomplete_multipart_upload_days = optional(number, null) noncurrent_version_glacier_transition_days = optional(number, null) noncurrent_version_deeparchive_transition_days = optional(number, null) noncurrent_version_expiration_days = optional(number, null) standard_transition_days = optional(number, null) glacier_transition_days = optional(number, null) deeparchive_transition_days = optional(number, null) expiration_days = optional(number, null) }))	[ { "abort_incomplete_multipart_upload_days": 1, "enable_current_object_expiration": true, "enable_glacier_transition": true, "enable_noncurrent_version_expiration": true, "enabled": true, "expiration_days": 365, "glacier_transition_days": 90, "id": "default", "noncurrent_version_expiration_days": 365, "noncurrent_version_glacier_transition_days": 90 } ]	no
logging	Logging Object to enable and disable logging	bool	false	no
name	Name of S3 bucket	string	n/a	yes
object_lock_configuration	With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.	object({ mode = string #Valid values are GOVERNANCE and COMPLIANCE. days = number years = number })	null	no
object_ownership	Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL.	string	"ObjectWriter"	no
redirect	The redirect behavior for every request to this bucket's website endpoint	string	"documents/"	no
request_payer	Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer	bool	false	no
restrict_public_buckets	Whether Amazon S3 should restrict public bucket policies for this bucket.	bool	false	no
routing_rule	List of rules that define when a redirect is applied and the redirect behavior	string	"docs/"	no
sse_algorithm	The server-side encryption algorithm to use. Valid values are AES256 and aws:kms.	string	"AES256"	no
tags	Additional tags (e.g. map(BusinessUnit,XYZ).	map(any)	{}	no
target_bucket	The bucket where you want Amazon S3 to store server access logs.	string	""	no
target_prefix	A prefix for all log object keys.	string	""	no
versioning	Enable Versioning of S3.	bool	true	no
website_config_enable	enable or disable aws_s3_bucket_website_configuration	bool	false	no

Outputs

Name	Description
arn	The ARN of the s3 bucket.
bucket_domain_name	The Domain of the s3 bucket.
id	The ID of the s3 bucket.

Contributing

Relative or absolute link to contributing.md

License

Coalfire Pages

Absolute link to any relevant Coalfire Pages

Copyright

Copyright © 2023 Coalfire Systems Inc.