Initial commit

Author: snemetz

.gitignore

@@ -0,0 +1,3 @@
+.terraform*
+!terraform.tfstate*
+terraform.*

README.md

@@ -0,0 +1,40 @@
+AWS S3 Terraform Module
+=====================
+
+Create AWS S3 bucket and set policy
+
+Usage:
+------
+
+    module "s3" {
+      source       = "../tf_s3"
+      name         = "apps"
+      environment  = "dev01"
+    }
+
+
+## Inputs
+
+| Name | Description | Default | Required |
+|------|-------------|:-----:|:-----:|
+| environment | Environment (ex: dev, qa, stage, prod) | - | yes |
+| name | Name | - | yes |
+| namespaced | Namespace all resources (prefixed with the environment)? | `true` | no |
+| principal | principal | - | yes |
+| tags | A map of tags to add to all resources | `<map>` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| s3_bucket_arn | AWS S3 Bucket ARN |
+| s3_bucket_domain_name | AWS S3 Bucket Domain Name |
+| s3_bucket_hosted_zone_id | AWS S3 Bucket Hosted Zone ID |
+| s3_bucket_id | AWS S3 Bucket ID |
+| s3_bucket_name | AWS S3 Bucket Name |
+| s3_bucket_region | AWS S3 Bucket Region |
+
+
+### Resource Graph
+
+![Terraform Graph](graph.png)

files/policy_s3_bucket.json

@@ -0,0 +1,55 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "Enable put/update/delete objects",
+      "Effect": "Allow",
+      "Principal": {"AWS": ${jsonencode(split(",", principal))}},
+      "Action": [
+      "s3:DeleteObject",
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:ReplicateObject",
+      "s3:RestoreObject",
+      "s3:PutObjectAcl"
+    ],
+    "Resource": "arn:aws:s3:::${name}/*"
+    },
+    {
+      "Sid": "Enable list bucket",
+      "Effect": "Allow",
+      "Principal": {"AWS": ${jsonencode(split(",", principal))}},
+    "Action": [
+    "s3:ListBucket"
+    ],
+    "Resource": "arn:aws:s3:::${name}"
+    },
+    {
+      "Sid": "Prevent put objects without a kms key encryption",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": [
+        "s3:PutObject",
+        "s3:ReplicateObject"
+      ],
+      "Resource": "arn:aws:s3:::${name}/*",
+      "Condition": {
+        "StringNotEquals": {
+          "s3:x-amz-server-side-encryption": "aws:kms"
+        }
+      }
+    },
+    {
+      "Sid": "Prevent creating objects that bucket owner (ourselves) that cannot access",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": "s3:PutObject",
+      "Resource": "arn:aws:s3:::${name}/*",
+      "Condition": {
+        "StringNotEquals": {
+          "s3:x-amz-acl": "bucket-owner-full-control"
+        }
+      }
+    }
+  ]
+}

graph.dot

@@ -0,0 +1,27 @@
+digraph {
+	compound = "true"
+	newrank = "true"
+	subgraph "root" {
+		"[root] aws_s3_bucket.bucket" [label = "aws_s3_bucket.bucket", shape = "box"]
+		"[root] provider.aws" [label = "provider.aws", shape = "diamond"]
+		"[root] aws_s3_bucket.bucket" -> "[root] provider.aws"
+		"[root] aws_s3_bucket.bucket" -> "[root] var.environment"
+		"[root] aws_s3_bucket.bucket" -> "[root] var.name"
+		"[root] aws_s3_bucket.bucket" -> "[root] var.namespaced"
+		"[root] aws_s3_bucket.bucket" -> "[root] var.tags"
+		"[root] output.s3_bucket_arn" -> "[root] aws_s3_bucket.bucket"
+		"[root] output.s3_bucket_domain_name" -> "[root] aws_s3_bucket.bucket"
+		"[root] output.s3_bucket_hosted_zone_id" -> "[root] aws_s3_bucket.bucket"
+		"[root] output.s3_bucket_id" -> "[root] aws_s3_bucket.bucket"
+		"[root] output.s3_bucket_name" -> "[root] aws_s3_bucket.bucket"
+		"[root] output.s3_bucket_region" -> "[root] aws_s3_bucket.bucket"
+		"[root] root" -> "[root] output.s3_bucket_arn"
+		"[root] root" -> "[root] output.s3_bucket_domain_name"
+		"[root] root" -> "[root] output.s3_bucket_hosted_zone_id"
+		"[root] root" -> "[root] output.s3_bucket_id"
+		"[root] root" -> "[root] output.s3_bucket_name"
+		"[root] root" -> "[root] output.s3_bucket_region"
+		"[root] root" -> "[root] var.principal"
+	}
+}
+

graph.png

@@ -0,0 +1,48 @@
+/**
+ * AWS S3 Terraform Module
+ * =====================
+ *
+ * Create AWS S3 bucket and set policy
+ *
+ * Usage:
+ * ------
+ *
+ *     module "s3" {
+ *       source       = "../tf_s3"
+ *       name         = "apps"
+ *       environment  = "dev01"
+ *     }
+**/
+
+# TODO: Allow pass policy via variable. Default empty policy. If can be done, otherwise 2 modules
+# create s3 bucket and set policy
+resource "aws_s3_bucket" "bucket" {
+  #bucket = "dmp-rpns-${var.s3_env_map[var.env]}"
+  # TODO: Setup namespaced condition
+  bucket = "${format("%s-%s", var.environment, var.name)}"
+  acl = "private"
+  versioning {
+    enabled = true
+  }
+  tags = "${ merge(
+    var.tags,
+    map("Name", var.namespaced ?
+     format("%s-%s-s3-bucket", var.environment, var.name) :
+     format("%s-s3-bucket", var.name) ),
+    map("Environment", var.environment),
+    map("Terraform", "true") )}"
+}
+/*
+data "template_file" "policy_s3_bucket" {
+  template = "${file("${path.module}/files/policy_s3_bucket.json")}"
+  vars = {
+    name  = "${aws_s3_bucket.bucket.bucket}"
+    principal = "${var.principal}"
+  }
+}
+
+resource "aws_s3_bucket_policy" "bucket_policy" {
+  bucket = "${aws_s3_bucket.bucket.id}"
+  policy = "${data.template_file.policy_s3_bucket.rendered}"
+}
+*/

main.tf

@@ -0,0 +1,25 @@
+// AWS S3 Bucket Name
+output "s3_bucket_name" {
+  value = "${aws_s3_bucket.bucket.id}"
+}
+
+// AWS S3 Bucket ARN
+output "s3_bucket_arn" {
+  value = "${aws_s3_bucket.bucket.arn}"
+}
+// AWS S3 Bucket Domain Name
+output "s3_bucket_domain_name" {
+  value = "${aws_s3_bucket.bucket.bucket_domain_name}"
+}
+// AWS S3 Bucket Region
+output "s3_bucket_region" {
+  value = "${aws_s3_bucket.bucket.region}"
+}
+// AWS S3 Bucket ID
+output "s3_bucket_id" {
+  value = "${aws_s3_bucket.bucket.id}"
+}
+// AWS S3 Bucket Hosted Zone ID
+output "s3_bucket_hosted_zone_id" {
+  value = "${aws_s3_bucket.bucket.hosted_zone_id}"
+}

outputs.tf

@@ -0,0 +1,23 @@
+
+// Standard Variables
+
+variable "name" {
+  description = "Name"
+}
+variable "environment" {
+  description = "Environment (ex: dev, qa, stage, prod)"
+}
+variable "namespaced" {
+  description = "Namespace all resources (prefixed with the environment)?"
+  default     = true
+}
+variable "tags" {
+  description = "A map of tags to add to all resources"
+  default     = {}
+}
+
+// Module specific Variables
+
+variable "principal" {
+  description = "principal"
+}