AWS S3 Secure Multipurpose Storage Bucket
#
## Examples
# - Complete | https://github.com/binbashar/terraform-aws-s3-bucket/tree/master/examples/complete
# - Replication | https://github.com/binbashar/terraform-aws-s3-bucket/tree/master/examples/s3-replication
#
#=============================#
# Module Instantiation #
#=============================#
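module "s3_bucket" {
  # Pinned fork of terraform-aws-modules/s3-bucket; bump the ref deliberately.
  source = "github.com/binbashar/terraform-aws-s3-bucket.git?ref=v1.13.0"

  bucket = local.bucket_name
  acl    = "private"

  # Object Lock below is COMPLIANCE mode with a 5-year default retention, so
  # locked object versions cannot be removed by any principal (root included)
  # until retention lapses. `force_destroy = true` would therefore only purge
  # the unlocked objects and still fail the destroy; keep it off so a
  # `terraform destroy` cannot silently discard data from this bucket.
  force_destroy = false

  # Bucket policy is rendered from data.aws_iam_policy_document.bucket_policy
  # (defined outside this block); see the commented example at the end of the file.
  attach_policy = true
  policy        = data.aws_iam_policy_document.bucket_policy.json

  # Versioning is required for Object Lock and for the noncurrent_version_* rules below.
  versioning = {
    enabled = true
  }

  # Server-access logs are shipped to a separate log bucket (module.log_bucket,
  # defined elsewhere) rather than into this bucket itself.
  logging = {
    target_bucket = module.log_bucket.this_s3_bucket_id
    target_prefix = "log/"
  }

  # NOTE(review): expiration / noncurrent_version_expiration cannot remove
  # versions still under COMPLIANCE retention; with a 5-year lock these
  # 90/365-day windows only take effect once retention lapses. Confirm the
  # intended interplay with whoever owns the retention policy.
  lifecycle_rule = [
    {
      id      = "log"
      enabled = true
      prefix  = "log/"

      tags = {
        rule      = "log"
        autoclean = "true"
      }

      # Current versions age out to cheaper storage, then expire after a year.
      transition = [
        {
          days          = 30
          storage_class = "ONEZONE_IA"
        },
        {
          days          = 60
          storage_class = "GLACIER"
        }
      ]

      expiration = {
        days = 365
      }

      noncurrent_version_expiration = {
        days = 90
      }
    },
    {
      id      = "log1"
      enabled = true
      prefix  = "log1/"

      # Abandoned multipart uploads otherwise keep billing for their parts.
      abort_incomplete_multipart_upload_days = 7

      # Only noncurrent (superseded) versions are tiered for this prefix.
      noncurrent_version_transition = [
        {
          days          = 30
          storage_class = "STANDARD_IA"
        },
        {
          days          = 60
          storage_class = "ONEZONE_IA"
        },
        {
          days          = 90
          storage_class = "GLACIER"
        },
      ]

      noncurrent_version_expiration = {
        days = 365
      }
    },
  ]

  # Default encryption with a customer-managed KMS key taken from the
  # security-keys layer's remote state (SSE-KMS, not the S3-managed key).
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        kms_master_key_id = data.terraform_remote_state.security_keys.outputs.aws_kms_key_arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  # COMPLIANCE mode: retention cannot be shortened or lifted by anyone, and
  # the setting is irreversible once enabled on the bucket.
  object_lock_configuration = {
    object_lock_enabled = "Enabled"
    rule = {
      default_retention = {
        mode  = "COMPLIANCE"
        years = 5
      }
    }
  }

  # S3 bucket-level Public Access Block configuration: all four controls on,
  # so neither ACLs nor the bucket policy can expose objects publicly.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  tags = local.tags
}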
#=============================#
# Data sources #
#=============================#
# Remote state of the security-keys layer; this layer consumes its
# `aws_kms_key_arn` output for bucket default encryption. Note that the data
# source reads the whole state file from the backend, not just its outputs.
data "terraform_remote_state" "security_keys" {
  backend = "s3"

  config = {
    bucket  = var.bucket
    key     = "${var.environment}/security-keys/terraform.tfstate"
    region  = var.region
    profile = var.profile
  }
}
#==================================================#
# data.aws_iam_policy_document.bucket_policy.json #
#==================================================#
# {
# "Version": "2012-10-17",
# "Id": "Policy1464968545158",
# "Statement": [
# {
# "Sid": "Stmt1464968483619",
# "Effect": "Allow",
# "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" },
# "Action": "s3:PutObject",
# "Resource": [
# "arn:aws:s3:::my-bucket/my-folder/my-file.csv",
# "arn:aws:s3:::my-bucket/my-folder/my-file.txt"
# ]
# }
# ]
# }
#
## Consider using a Condition for restriction if necessary. Note that the
## `s3:prefix` condition key is only evaluated on ListBucket-style requests;
## for s3:PutObject the object key is scoped through the Resource ARN instead.
# "Condition": {
# "StringLike": {
# "s3:prefix": "folder2/file.csv"
# }
# }
#