terraform-aws-s3-private-bucket

terraform-aws-s3-private-bucket copied to clipboard

Creates a private S3 bucket with good defaults:

• Private only objects
• Encryption
• Versioning
• Access logging
• Storage analytics

The following policy rules are set:

• Deny uploading public objects.
• Deny updating policy to allow public objects.

The following ACL rules are set:

• Retroactively remove public access granted through public ACLs
• Deny updating ACL to public

The following lifecycle rules are set:

• Incomplete multipart uploads are deleted after 14 days.
• Expired object delete markers are deleted.
• Noncurrent object versions transition to the Standard - Infrequent Access storage class after 30 days.
• Noncurrent object versions expire after 365 days.

Terraform Versions

Terraform 0.13 and newer. Pin module version to ~> 3.X. Submit pull-requests to master branch.

Terraform 0.12. Pin module version to ~> 2.X. Submit pull-requests to terraform012 branch.

Usage

module "aws-s3-bucket" {
  source         = "trussworks/s3-private-bucket/aws"
  bucket         = "my-bucket-name"
  logging_bucket = "my-aws-logs"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

Requirements

Providers

Modules

No modules.

Resources

Inputs

[
  {
    "expired_object_delete_marker": true
  }
]

[
  {
    "days": 30,
    "storage_class": "STANDARD_IA"
  }
]

Outputs

Upgrade Paths

Upgrading from 3.x.x to 4.x.x

Version 4.x.x enables the use of version 4 of the AWS provider. Terraform provided an upgrade path for this. To support the upgrade path, this module now includes the following additional resources:

• aws_s3_bucket_policy.private_bucket
• aws_s3_bucket_acl.private_bucket
• aws_s3_bucket_versioning.private_bucket
• aws_s3_bucket_lifecycle_configuration.private_bucket
• aws_s3_bucket_logging.private_bucket
• aws_s3_bucket_server_side_encryption_configuration.private_bucket
• aws_s3_bucket_cors_configuration.private_bucket

This module version removes the enable_versioning variable (boolean) and replaces it with the versioning_status variable (string). There are three possible values for this variable: Enabled, Disabled, and Suspended. If at one point versioning was enabled on your bucket, but has since been turned off, you will need to set versioning_status to Suspended rather than Disabled.

Additionally, this version of the module requires a minimum AWS provider version of 3.75, so that you can remain on the 3.x AWS provider while still gaining the ability to utilize the new S3 resources introduced in the 4.x AWS provider.

There are two general approaches to performing this upgrade:

1. Upgrade the module version and run terraform plan followed by terraform apply, which will create the new Terraform resources.
2. Perform terraform import commands, which accomplishes the same thing without running terraform apply. This is the more cautious route.

If you choose to take the route of running terraform import, you will need to perform the following imports. Replace example with the name you're using when calling this module and replace your-bucket-name-here with the name of your bucket (as opposed to an S3 bucket ARN). Also note the inclusion of ,private when importing the new aws_s3_bucket_acl Terraform resource; if you are setting the s3_bucket_acl input variable, use that value instead of private. If you have not configured a target bucket using the logging_bucket input variable, then you don't need to import the aws_s3_bucket_logging Terraform resource.

terraform import module.example.aws_s3_bucket_policy.private_bucket your-bucket-name-here
terraform import module.example.aws_s3_bucket_acl.private_bucket your-bucket-name-here,private
terraform import module.example.aws_s3_bucket_versioning.private_bucket your-bucket-name-here
terraform import module.example.aws_s3_bucket_lifecycle_configuration.private_bucket your-bucket-name-here
terraform import module.example.aws_s3_bucket_server_side_encryption_configuration.private_bucket your-bucket-name-here
terraform import module.example.aws_s3_bucket_cors_configuration.private_bucket your-bucket-name-here
# Optionally run these two commands if you have configured the logging_bucket input variable.
terraform import module.example.aws_s3_bucket_logging.private_bucket your-bucket-name-here
terraform state mv 'module.example.aws_s3_bucket_logging.private_bucket' 'module.example.aws_s3_bucket_logging.private_bucket[0]'

After this, you will need to run a terraform plan and terraform apply to apply some non-functional changes to lifecycle rule IDs.

Developer Setup

Install dependencies (macOS)

brew install pre-commit go terraform terraform-docs

Testing

Terratest is being used for automated testing with this module. Tests in the test folder can be run locally by running the following command:

make test

Or with aws-vault:

AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test

CHANGELOG

This terraform module is undergoing an experiment where we keep a CHANGELOG for it. We're still trying to figure out how to automate this process and, for now, are manually running the command.

The changelog should be updated every time a new GitHub release is cut.

To do so, you should have a Github token with "repo" scope that can be loaded in as an environment variable. You can find more info here.

export CHANGELOG_GITHUB_TOKEN="«your-40-digit-github-token»"

The command to run on your terminal:

docker run --env CHANGELOG_GITHUB_TOKEN="$CHANGELOG_GITHUB_TOKEN" --rm -v "$(pwd)":/usr/local/src/your-app ferrarimarco/github-changelog-generator -u trussworks -p terraform-aws-s3-private-bucket