This Terraform module creates an encrypted S3 bucket and any associated IAM policies.

```hcl
module "tamr-s3-eg" {
  source           = "git::https://github.com/Datatamer/terraform-aws-s3?ref=1.0.0"
  bucket_name      = "mybucket"
  read_only_paths  = ["path/to/ro-folder"]
  read_write_paths = ["path/to/rw-folder", "path/to/another-rw-folder"]
}
```
Note about `read_only_paths`/`read_write_paths`:
- Providing a path to a folder like in the example, `["path/to/folder"]`, permits actions (specified in `read_only_actions`/`read_write_actions`) on `mybucket/path/to/folder` and `mybucket/path/to/folder/*`.
Examples:
- Smallest complete, fully working example. This example might require extra resources to run.
- Working example of using the bucket-iam-policy submodule on an existing S3 bucket.
This module creates:
- an S3 bucket
- an S3 bucket policy to enforce AES256 server-side encryption
- read-only and/or read-write IAM policies
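The bucket policy that enforces AES256 server-side encryption is described above only by name. The following is an added example (not this module's code) of the common two-statement pattern for such a policy, plus a small evaluator that shows why both statements are needed: `StringNotEquals` only fires when the `s3:x-amz-server-side-encryption` key is present, so an upload that omits the header entirely would slip through without the second `Null` statement. The bucket name, the request headers and the evaluator itself are constructed for illustration; the module's actual policy document may differ.

```python
import json
from typing import Dict, Optional

# Constructed sample values; not taken from the module's source.
BUCKET = "mybucket"
SSE_KEY = "s3:x-amz-server-side-encryption"


def sse_bucket_policy(bucket: str) -> dict:
    """Bucket policy denying any PutObject that does not use AES256 SSE.

    Two Deny statements are required:
      - StringNotEquals rejects uploads that name a different algorithm
        (e.g. aws:kms), but only evaluates when the key is present;
      - Null rejects uploads that omit the header altogether.
    """
    objects_arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"StringNotEquals": {SSE_KEY: "AES256"}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"Null": {SSE_KEY: "true"}},
            },
        ],
    }


def put_object_denied(policy: dict, request_keys: Dict[str, str]) -> Optional[str]:
    """Simplified evaluation of the Deny statements for one PutObject request.

    request_keys maps condition keys to the values the request carries; a
    missing SSE header is simply a missing entry. Returns the Sid of the
    first matching Deny statement, or None when no Deny applies. This models
    only the two operators used above, not full IAM evaluation (identity
    policies, explicit Allows, etc.).
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        cond = stmt["Condition"]
        if "StringNotEquals" in cond:
            key, expected = next(iter(cond["StringNotEquals"].items()))
            # Matches only when the key is present AND differs from expected.
            if key in request_keys and request_keys[key] != expected:
                return stmt["Sid"]
        if "Null" in cond:
            key, flag = next(iter(cond["Null"].items()))
            # Null "true" matches when the key is absent; "false" when present.
            if (key not in request_keys) == (flag == "true"):
                return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = sse_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    for headers in ({}, {SSE_KEY: "aws:kms"}, {SSE_KEY: "AES256"}):
        print(headers, "->", put_object_denied(policy, headers))
```

Running the block prints the policy and then the outcome for three constructed requests: no header (denied by the `Null` statement), `aws:kms` (denied by `StringNotEquals`), and `AES256` (not denied).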
Notes on the IAM policies:
- IAM policies created by this module are intended to be attached to service roles downstream. S3-related permissions intended for an instance profile should be configured entirely downstream.
- If neither `read_only_paths` nor `read_write_paths` are provided, the module will default to creating a read-only IAM policy on the entire bucket.
- If you set `read_write_paths` to `[""]`, the module will permit `read_write_actions` on the whole bucket.
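The path rules above (a path covers both `bucket/path` and `bucket/path/*`; no paths at all means a read-only policy on the entire bucket; `[""]` means the whole bucket) are easy to get subtly wrong when reviewing what a downstream role can actually touch. The following added example (not the module's code) turns those rules into the resource ARNs each policy would carry, so you can check the blast radius of a given input combination before applying. The action lists are placeholders rather than the module's real `read_only_actions`/`read_write_actions` defaults, the treatment of `""` as the bucket ARN plus `bucket/*` is this example's interpretation of "the whole bucket", and the `partition` argument mirrors the `arn_partition` input.

```python
from typing import Dict, List, Optional

# Placeholder action lists for illustration; the module's real defaults are
# not reproduced here.
RO_ACTIONS = ["s3:GetObject"]
RW_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]


def path_resources(bucket: str, paths: List[str], partition: str = "aws") -> List[str]:
    """Expand a list of paths into the ARNs a policy statement would name.

    "path/to/folder" -> bucket/path/to/folder and bucket/path/to/folder/*
    ""               -> the bucket itself and bucket/* (whole bucket)
    """
    arns: List[str] = []
    for path in paths:
        prefix = path.strip("/")  # tolerate a stray leading/trailing slash
        if prefix == "":
            arns.append(f"arn:{partition}:s3:::{bucket}")
            arns.append(f"arn:{partition}:s3:::{bucket}/*")
        else:
            arns.append(f"arn:{partition}:s3:::{bucket}/{prefix}")
            arns.append(f"arn:{partition}:s3:::{bucket}/{prefix}/*")
    # De-duplicate while preserving order (e.g. the same path listed twice).
    return list(dict.fromkeys(arns))


def build_policies(
    bucket: str,
    read_only_paths: List[str],
    read_write_paths: List[str],
    ro_actions: List[str] = RO_ACTIONS,
    rw_actions: List[str] = RW_ACTIONS,
    partition: str = "aws",
) -> Dict[str, Optional[dict]]:
    """Return {"ro": policy-or-None, "rw": policy-or-None} following the notes:

    - neither list provided  -> read-only policy over the entire bucket
    - read_write_paths [""]  -> read-write policy over the whole bucket
    - a policy is only produced for a side that has at least one path
    """
    if not read_only_paths and not read_write_paths:
        read_only_paths = [""]  # documented default: read-only on the whole bucket

    policies: Dict[str, Optional[dict]] = {}
    for name, paths, actions in (
        ("ro", read_only_paths, ro_actions),
        ("rw", read_write_paths, rw_actions),
    ):
        if not paths:
            policies[name] = None
            continue
        policies[name] = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": list(actions),
                    "Resource": path_resources(bucket, paths, partition),
                }
            ],
        }
    return policies


if __name__ == "__main__":
    # Same constructed inputs as the usage snippet at the top of the README.
    result = build_policies(
        "mybucket",
        ["path/to/ro-folder"],
        ["path/to/rw-folder", "path/to/another-rw-folder"],
    )
    for side, policy in result.items():
        resources = policy["Statement"][0]["Resource"] if policy else []
        print(side, "->", resources)
```

The `[""]` case is the one to watch in review: it is a single, easy-to-miss element that widens the read-write policy from a prefix to every object in the bucket.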
Requirements:

| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | >= 3.36, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
No provider.
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| bucket_name | Name of S3 bucket to create. | string | n/a | yes |
| additional_tags | [DEPRECATED: Use tags instead] Additional tags to be attached to the S3 bucket and associated resources. | map(string) | {} | no |
| arn_partition | The partition in which the resource is located. A partition is a group of AWS Regions. Each AWS account is scoped to one partition. The following are the supported partitions: aws - AWS Regions; aws-cn - China Regions; aws-us-gov - AWS GovCloud (US) Regions | string | "aws" | no |
| force_destroy | A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool | true | no |
| read_only_actions | List of actions that should be permitted by a read-only policy. | list(string) | [ | no |
| read_only_paths | List of paths/prefixes that should be attached to a read-only policy. Listed path(s) should omit the head bucket. | list(string) | [] | no |
| read_write_actions | List of actions that should be permitted by a read-write policy. | list(string) | [ | no |
| read_write_paths | List of paths/prefixes that should be attached to a read-write policy. Listed path(s) should omit the head bucket. | list(string) | [] | no |
| s3_bucket_logging | The name of the S3 bucket in which to store server access logs. | string | "" | no |
| tags | A map of tags to add to all resources. Replaces additional_tags. | map(string) | {} | no |
Outputs:

| Name | Description |
|---|---|
| bucket_name | Name of S3 bucket created by encrypted-bucket module. |
| ro_policy_arn | ARN assigned to read-only IAM policy created by iam-policy module. |
| rw_policy_arn | ARN assigned to read-write IAM policy created by iam-policy module. |
This repo is based on:
Run `make terraform/docs` to generate the section of docs around terraform inputs, outputs and requirements.

Run `make lint`; this will run `terraform fmt`, in addition to a few other checks to detect whitespace issues.

NOTE: this requires having Docker working on the machine running the test.
- Update version contained in `VERSION`
- Document changes in `CHANGELOG.md`
- Create a tag in GitHub for the commit associated with the version
Apache 2 Licensed. See LICENSE for full details.