cybergavin/terraform-aws-s3-compliance

OpenTofu Module: s3-compliance

This OpenTofu module simplifies the creation and management of AWS S3 buckets by enforcing data classification standards and organizational security policies. This opinionated module aims to help teams deploy and configure S3 storage with consistent, compliant settings, ensuring secure and scalable storage infrastructure. The compliance settings are embedded in the module (s3-compliance.tf). You may view these settings by checking the module's output compliance_standards. The default data classifications in the module's compliance settings are public, internal and compliance. You may customize these settings (e.g., rename the data classifications or add more data classifications) by forking this repo and then modifying the embedded s3-compliance.tf.

Key Features

This module provides a solution for managing AWS S3 buckets with a focus on compliance, security, and lifecycle management. Below are the salient features of this module:

  • Dynamic S3 Bucket Configuration: Automatically configures S3 buckets based on user-defined settings and compliance requirements.

  • Data Classification Support: Validates and applies data classification settings to S3 buckets, ensuring compliance with organizational policies.

  • Public Access Management: Configures public access settings for S3 buckets, allowing for fine-grained control over public access based on compliance requirements.

  • Versioning and Object Locking: Supports enabling versioning and object locking for S3 buckets, ensuring data immutability and compliance with retention policies.

  • Server-Side Encryption: Configures server-side encryption for S3 buckets using AWS KMS, enhancing data security and auditability.

  • Lifecycle Management: Supports lifecycle rules for both versioned and unversioned buckets, automating transitions to different storage classes and managing expiration of objects.

  • Centralized Logging: Supports a centralized S3 bucket for logging CloudTrail events related to S3 data access, ensuring auditability and compliance.

  • Customizable Tags: Supports tagging of S3 buckets for better resource management and compliance tracking.

  • Consistent Names: Leverages the cloudposse terraform-null-label module to provision resources with a standardized nomenclature.

  • Error Handling and Validation: Includes validation checks to ensure that configurations adhere to compliance standards, preventing misconfigurations.

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.0, >= 1.8 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| storage_s3_bucket_label | git::https://github.com/cloudposse/terraform-null-label.git | 488ab91e34a24a86957e397d9f7262ec5925586a |
| storage_s3_logging_label | git::https://github.com/cloudposse/terraform-null-label.git | 488ab91e34a24a86957e397d9f7262ec5925586a |

Resources

| Name | Type |
|------|------|
| aws_cloudtrail.s3_data_events | resource |
| aws_s3_bucket.centralized_logs | resource |
| aws_s3_bucket.this | resource |
| aws_s3_bucket_lifecycle_configuration.centralized_logs | resource |
| aws_s3_bucket_lifecycle_configuration.unversioned | resource |
| aws_s3_bucket_lifecycle_configuration.versioned | resource |
| aws_s3_bucket_object_lock_configuration.centralized_logs | resource |
| aws_s3_bucket_object_lock_configuration.this | resource |
| aws_s3_bucket_policy.centralized_logs | resource |
| aws_s3_bucket_policy.this | resource |
| aws_s3_bucket_policy.tls_access_policy | resource |
| aws_s3_bucket_public_access_block.centralized_logs | resource |
| aws_s3_bucket_public_access_block.this | resource |
| aws_s3_bucket_server_side_encryption_configuration.centralized_logs | resource |
| aws_s3_bucket_server_side_encryption_configuration.this | resource |
| aws_s3_bucket_versioning.centralized_logs_versioning | resource |
| aws_s3_bucket_versioning.this | resource |
| aws_caller_identity.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| app_id | The universally unique application ID for the service. Only alphanumeric characters are valid, with a string length from 3 to 8 characters. | string | "appid" | no |
| environment | A valid Infrastructure Environment | string | "poc" | no |
| global_tags | A map of global tags to apply to all resources. | map(string) | {} | no |
| org | A name or abbreviation for the Organization. Only alphanumeric characters and hyphens are valid, with a string length from 3 to 8 characters. | string | "acme-it" | no |
| s3_buckets | List of S3 bucket configurations (full type below). | list(object({...})) | n/a | yes |
| s3_logs | Global settings for S3 CloudTrail logs (full type below). | object({...}) | { "immutability_enabled": false, "retention_days": 30, "versioning_enabled": false } | no |

Type of s3_buckets:

```hcl
list(object({
  # Basic configuration
  name                  = string
  data_classification   = string # Defaults are "public", "internal" and "compliance"
  public_access_enabled = optional(bool)
  versioning_enabled    = optional(bool)
  logging_enabled       = optional(bool)
  tags                  = optional(map(string), {})

  # Encryption settings
  kms_master_key_id   = optional(string, null) # Use S3-managed keys by default
  compliance_standard = optional(string, null) # e.g., "PCI-DSS", "HIPAA", "ISO27001"

  # Object Lock settings
  object_lock = optional(object({
    mode           = optional(string, null) # "GOVERNANCE" or "COMPLIANCE"
    retention_days = optional(number, null) # Number of days to retain objects in locked state
  }), null)

  # Lifecycle configuration
  lifecycle_transitions = optional(object({
    intelligent_tiering_days = optional(number, null)
    glacier_ir_days          = optional(number, null)
    glacier_fr_days          = optional(number, null)
    glacier_da_days          = optional(number, null)
  }), null)

  expiration_days = optional(number, null) # Expiration after the latest transition
}))
```

Type of s3_logs:

```hcl
object({
  retention_days       = optional(number)
  versioning_enabled   = optional(bool)
  immutability_enabled = optional(bool)
})
```
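The following is an added usage example, not part of the module's own documentation, showing two buckets with different data classifications plus hardened centralized logging. The module source URL, the `?ref=main` pin, the KMS key ARN and the account ID are assumptions or placeholders; substitute the values for your fork and account.

```hcl
# Added example (not from the repository). Source/ref, KMS ARN and account ID are placeholders.
module "s3_compliance" {
  source = "git::https://github.com/cybergavin/terraform-aws-s3-compliance.git?ref=main" # assumed ref

  org         = "acme-it"   # 3-8 chars, alphanumeric and hyphens
  app_id      = "billing"   # 3-8 chars, alphanumeric
  environment = "prod"
  global_tags = { owner = "platform-team" }

  s3_buckets = [
    {
      # Public static assets: the module's compliance settings decide whether
      # the "public" classification actually permits public access.
      name                  = "web-assets"
      data_classification   = "public"
      public_access_enabled = true
      tags                  = { purpose = "static-site" }
    },
    {
      # Regulated records: versioning (required for Object Lock), a customer
      # managed KMS key, data-event logging and COMPLIANCE-mode retention so
      # objects cannot be deleted or overwritten before retention expires.
      name                = "card-records"
      data_classification = "compliance"
      versioning_enabled  = true
      logging_enabled     = true
      kms_master_key_id   = "arn:aws:kms:us-east-1:123456789012:key/REPLACE-WITH-KEY-ID" # placeholder
      compliance_standard = "PCI-DSS"
      object_lock = {
        mode           = "COMPLIANCE"
        retention_days = 365
      }
      lifecycle_transitions = {
        intelligent_tiering_days = 30
        glacier_ir_days          = 90
        glacier_da_days          = 365
      }
      expiration_days = 2555 # applied after the latest transition (glacier_da_days)
    }
  ]

  # Centralized CloudTrail S3 data-event logs: versioned and immutable so an
  # attacker with bucket access cannot tamper with the audit trail.
  s3_logs = {
    retention_days       = 90
    versioning_enabled   = true
    immutability_enabled = true
  }
}

output "bucket_arns" {
  value = module.s3_compliance.bucket_arns
}
```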

Outputs

| Name | Description |
|------|-------------|
| bucket_arns | Map of bucket names to their ARNs |
| bucket_data_classifications | Map of bucket names to their data classifications |
| bucket_domain_names | Map of bucket names to their domain names |
| bucket_ids | Map of bucket names to their IDs |
| bucket_regional_domain_names | Map of bucket names to their regional domain names |
| compliance_standards | Default security compliance standards for S3 buckets, configured in the module |
| data_classifications | List of available data classifications in the module |

About

OpenTofu module to provision S3 buckets as per compliance requirements