# Application asset bucket: hardened, versioned, KMS-encrypted (the module's
# default, see is_use_kms_managed_key), with a generated read-only consumer
# policy for downstream principals.
module "image" {
  source = "git@github.com:oozou/terraform-aws-s3.git?ref=<version>"

  # Naming inputs — the module presumably derives the bucket name from these.
  prefix      = "oozou"
  environment = "devops"
  bucket_name = "image"

  # Security posture
  is_enable_s3_hardening_policy      = true
  is_create_consumer_readonly_policy = true
  object_ownership                   = "BucketOwnerEnforced" # ACLs disabled; bucket owner owns every object

  # Data protection
  versioning_enabled = true
  force_s3_destroy   = true # NOTE(review): allows destroying a non-empty bucket; keep false outside disposable environments

  tags = { "Workspace" = "xxx-yyy-zzz" }
}
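# KMS key policy statement that lets the log-delivery service principal write
# CloudFront logs into an SSE-KMS encrypted bucket. It is merged into the
# bucket key via additional_kms_key_policies on the "cdn_log" module.
data "aws_iam_policy_document" "cloudfront_log" {
  statement {
    sid    = "Allow CloudFront to use the key to deliver logs"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }

    # "kms:ReEncrypt" is not an IAM action (the real actions are
    # kms:ReEncryptFrom and kms:ReEncryptTo), so the previous entry matched
    # nothing; the wildcard form covers both.
    # NOTE(review): AWS's published example for this principal grants only
    # kms:GenerateDataKey*; confirm the other actions are actually required
    # before keeping them.
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]

    # In a key policy "*" means the key the policy is attached to.
    resources = ["*"]
  }
}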
# Target bucket for CloudFront access logs. The hardening policy and the
# generated read-only policy are switched off; the key policy statement
# defined above is merged into the bucket's KMS key.
module "cdn_log" {
  source = "git@github.com:oozou/terraform-aws-s3.git?ref=<version>"

  prefix      = "oozou"
  environment = "devops"
  bucket_name = "cloudfront-log"

  versioning_enabled = true
  force_s3_destroy   = true # NOTE(review): permits destroying a bucket that still holds logs
  object_ownership   = "BucketOwnerEnforced"

  # Hardening disabled here — presumably so log delivery is not blocked;
  # confirm which hardening statements actually conflict with delivery.
  is_enable_s3_hardening_policy      = false
  is_create_consumer_readonly_policy = false

  # NOTE(review): "s3:*" is a full-control grant on the bucket; scope the
  # consumer policy to the actions the consumer really needs.
  consumer_policy_actions = { ReadWrite = ["s3:*"] }

  # Extra statement(s) merged into the module-created KMS key policy.
  additional_kms_key_policies = [data.aws_iam_policy_document.cloudfront_log.json]

  tags = { "Workspace" = "xxx-yyy-zzz" }
}
# Destination bucket for S3 server access logs produced by the "image" and
# "cdn_log" buckets (bucket_mode = "log").
module "server_log" {
  source = "git@github.com:oozou/terraform-aws-s3.git?ref=<version>"

  prefix      = "book" # NOTE(review): differs from the "oozou" prefix used by the other buckets — confirm this is intended
  environment = "devops"
  bucket_name = "server-log"
  bucket_mode = "log"

  # Per AWS docs a server access logging target bucket cannot use SSE-KMS
  # default encryption, so the module's KMS default is turned off here (SSE-S3).
  is_use_kms_managed_key = false

  is_enable_s3_hardening_policy      = false
  is_create_consumer_readonly_policy = true
  object_ownership                   = "BucketOwnerEnforced"

  versioning_enabled = false
  force_s3_destroy   = true # NOTE(review): log buckets are usually retained; keep false outside disposable environments

  # Source buckets whose access logs land here (map keys appear to be free-form labels).
  # The trailing "/" on bucket_prefix is optional — the module appends it.
  source_s3_server_logs = {
    image_bucket = {
      bucket_name   = module.image.bucket_name
      bucket_prefix = "image-bucket/"
    }
    static_bucket = {
      bucket_name   = module.cdn_log.bucket_name
      bucket_prefix = "cdn-log/"
    }
  }

  tags = { "Workspace" = "xxx-yyy-zzz" }
}
Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | >= 5.0.0 |
random | >= 3.1.0 |
Name | Version |
---|---|
aws | 5.3.0 |
random | 3.5.1 |
Name | Source | Version |
---|---|---|
bucket_kms_key | oozou/kms-key/aws | 2.0.1 |
Name | Type |
---|---|
aws_iam_policy.consumers | resource |
aws_iam_policy.consumers_readonly | resource |
aws_s3_bucket.this | resource |
aws_s3_bucket_acl.this | resource |
aws_s3_bucket_cors_configuration.this | resource |
aws_s3_bucket_lifecycle_configuration.this | resource |
aws_s3_bucket_logging.this | resource |
aws_s3_bucket_object_lock_configuration.this | resource |
aws_s3_bucket_ownership_controls.this | resource |
aws_s3_bucket_policy.this | resource |
aws_s3_bucket_public_access_block.this | resource |
aws_s3_bucket_server_side_encryption_configuration.this | resource |
aws_s3_bucket_versioning.this | resource |
aws_s3_object.this | resource |
random_string.random_suffix | resource |
aws_caller_identity.main | data source |
aws_iam_policy_document.combined_policy | data source |
aws_iam_policy_document.consumers | data source |
aws_iam_policy_document.consumers_readonly | data source |
aws_iam_policy_document.hardening | data source |
aws_iam_policy_document.target_bucket_policy | data source |
aws_region.active | data source |
aws_s3_bucket.source_bucket | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_bucket_polices | Additional IAM policies block, input as data source or json. Ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document. Bucket policy statements can be overridden by a statement with the same sid from the latest policy. | list(string) | [] | no |
additional_kms_key_policies | Additional IAM policies block, input as data source. Ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document | list(string) | [] | no |
bucket_mode | Define the bucket mode for S3; valid values are default and log | string | "default" | no |
bucket_name | The name of the bucket | string | n/a | yes |
centralize_hub | Centralize the bucket in the hub (adds the account ID to the bucket name) | bool | true | no |
consumer_policy_actions | Map of multiple S3 consumer policies to be applied to the bucket, e.g. {EC2Read = [s3:GetObject, s3:ListBucket], FirehoseWrite = [s3:PutObjectAcl]} | map(list(string)) | {} | no |
cors_rule | List of CORS rules to apply to the S3 bucket. | list(object({ | [] | no |
environment | Used to manage resources with tags | string | n/a | yes |
expected_bucket_owner | The account ID of the expected bucket owner | string | null | no |
folder_names | List of folder names to be created in the S3 bucket. A .keep file is created in each folder. Sub-folders are also supported; use the S3 standard forward slash as the folder separator | list(string) | [] | no |
force_s3_destroy | Force destruction of the S3 bucket when the stack is deleted | string | false | no |
is_control_object_ownership | Whether to provide a resource to manage S3 Bucket Ownership Controls. | bool | true | no |
is_create_consumer_readonly_policy | Whether to create the consumer read-only policy; policy contents: {Bucket Readonly = [s3:ListBucket, s3:GetObject*]} | bool | false | no |
is_enable_s3_hardening_policy | Whether to create the S3 bucket with the hardening policy | bool | true | no |
is_ignore_exist_object | Whether to provide a resource to manage S3 Bucket Ownership Controls. | bool | false | no |
is_use_kms_managed_key | Whether to use a KMS managed key for server-side encryption. If false, an SSE-S3 managed key is used. | bool | true | no |
kms_key_arn | ARN of the KMS key to use for object encryption. By default the S3 component creates a KMS key and associates it with the bucket. Use only in restricted cases where a custom KMS policy is needed and you want to bring your own key. | map(string) | {} | no |
lifecycle_rules | List of lifecycle rules to transition the data. Leave empty to disable this feature. storage_class can be STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, or DEEP_ARCHIVE | any | [] | no |
object_lock_rule | Enable the Object Lock rule configuration. Disabled by default. If days is set, set years to null, and if years is set, set days to null. Valid values for mode are GOVERNANCE and COMPLIANCE. | object({ | null | no |
object_ownership | Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. | string | "BucketOwnerEnforced" | no |
prefix | The customer prefix to be displayed in the AWS console and resource names | string | n/a | yes |
source_s3_server_logs | Source log configuration to enable sending logs to this bucket | map(map(any)) | {} | no |
tags | Custom tags which can be passed on to the AWS resources. They should be key/value pairs with distinct keys. | map(string) | {} | no |
versioning_enabled | Should versioning be enabled? (true/false) | bool | false | no |
Name | Description |
---|---|
bucket_arn | S3 Bucket ARN |
bucket_domain_name | S3 Bucket Domain Name |
bucket_id | S3 Bucket Id |
bucket_kms_key_arn | S3 Bucket KMS Key ARN |
bucket_kms_key_id | S3 Bucket KMS Key ID |
bucket_name | S3 Bucket Name |
consumer_policies | S3 Bucket Consumer Policies name and ARN map |
consumer_readonly_policy | S3 Bucket Consumer Readonly Policy name and ARN map |