-
Notifications
You must be signed in to change notification settings - Fork 16
/
aws-s3-bucket.yml
246 lines (246 loc) · 9.53 KB
/
aws-s3-bucket.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
# Copyright 2020 Pivotal Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http:#www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
version: 1
name: csb-aws-s3-bucket
id: ffe28d48-c235-4e07-9c51-ddff5699e48c
description: CSB AWS S3 Bucket
display_name: CSB AWS S3 Bucket
image_url: file://service-images/csb.png
documentation_url: https://docs.vmware.com/en/Cloud-Service-Broker-for-VMware-Tanzu/index.html
provider_display_name: VMware
support_url: https://aws.amazon.com/s3/
tags: [aws, s3]
plan_updateable: true
provision:
user_inputs:
- field_name: bucket_name
type: string
details: Name of bucket
default: csb-${request.instance_id}
plan_updateable: true
prohibit_update: true
- field_name: acl
type: string
details: S3 bucket ACL (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl)
default: null
nullable: true
prohibit_update: true
enum:
private: private
public-read: public-read
public-read-write: public-read-write
aws-exec-read: aws-exec-read
authenticated-read: authenticated-read
bucket-owner-read: bucket-owner-read
bucket-owner-full-control: bucket-owner-full-control
log-delivery-write: log-delivery-write
- field_name: enable_versioning
type: boolean
details: Enable bucket versioning
default: false
- field_name: region
type: string
details: The region of AWS.
default: us-west-2
constraints:
examples:
- us-west-2
- eu-west-1
pattern: ^[a-z][a-z0-9-]+$
prohibit_update: true
- field_name: boc_object_ownership
type: string
details: S3 Bucket Ownership Controls (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html)
prohibit_update: true
enum:
BucketOwnerPreferred: BucketOwnerPreferred
ObjectWriter: ObjectWriter
BucketOwnerEnforced: BucketOwnerEnforced
default: BucketOwnerEnforced
- field_name: aws_access_key_id
type: string
details: AWS access key
default: ${config("aws.access_key_id")}
- field_name: aws_secret_access_key
type: string
details: AWS secret key
default: ${config("aws.secret_access_key")}
- field_name: pab_block_public_acls
type: boolean
details: Whether Amazon S3 should block public ACLs for the bucket (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html).
default: false
- field_name: pab_block_public_policy
type: boolean
details: Whether Amazon S3 should block public bucket policies for the bucket.
default: false
- field_name: pab_ignore_public_acls
type: boolean
details: Whether Amazon S3 should ignore public ACLs for the bucket.
default: false
- field_name: pab_restrict_public_buckets
type: boolean
details: Whether Amazon S3 should restrict public bucket policies for the bucket.
default: false
- field_name: sse_default_kms_key_id
type: string
nullable: true
details: The AWS KMS key ID used for the SSE-KMS encryption. This can only be used when you set the value of `sse_default_algorithm` as `aws:kms`.
default: null
- field_name: sse_extra_kms_key_ids
type: string
nullable: true
details: A comma-separated list of AWS KMS key IDs used for the SSE-KMS decryption. This can only be used when you set the value of `sse_default_algorithm` as `aws:kms`.
default: null
- field_name: sse_default_algorithm
type: string
nullable: true
details: The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms`. (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html)
default: null
- field_name: sse_bucket_key_enabled
type: boolean
details: Whether or not to use Amazon S3 Bucket Keys for SSE-KMS. (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html).
default: false
- field_name: ol_enabled
type: boolean
details: Whether or not to store objects using a write-once-read-many (WORM) model using Amazon S3 Object Lock. (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html).
default: false
prohibit_update: true
- field_name: ol_configuration_default_retention_enabled
type: boolean
nullable: true
default: null
details: |
Whether this bucket has an Object Lock `configuration` enabled
To enable Object Lock for a new bucket, see `ol_enabled`
- field_name: ol_configuration_default_retention_mode
type: string
nullable: true
default: null
details: |
The default retention mode for objects placed in the bucket.
S3 Object Lock provides several retention modes. These retention modes apply different levels of protection to the objects.
To read about retention mode see https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-retention-modes.
To read about admitted retention modes see the valid values in the `Mode` section https://docs.aws.amazon.com/AmazonS3/latest/API/API_DefaultRetention.html.
The property `ol_configuration_default_retention_days` or `ol_configuration_default_retention_years` is required if this property is set.
To enable Object Lock for a new bucket, see the `ol_enabled`.
- field_name: ol_configuration_default_retention_days
type: number
nullable: true
default: null
details: |
The default fixed number of days of retention for objects placed in the bucket.
Optional property, but required if `ol_configuration_default_retention_years` is not specified.
`ol_configuration_default_retention_mode` is required if this property is set.
To enable Object Lock for a new bucket, see `ol_enabled`.
- field_name: ol_configuration_default_retention_years
type: number
nullable: true
default: null
details: |
The default fixed number of years of retention for objects placed in the bucket.
Optional property, but required if `ol_configuration_default_retention_days` is not specified.
`ol_configuration_default_retention_mode` is required if this property is set.
To enable Object Lock for a new bucket, see `ol_enabled`.
- field_name: require_tls
type: boolean
default: false
details: |
Whether this bucket explicitly denies access to HTTP requests, in other words, the bucket only accepts
requests sent through HTTPS if enabled.
- field_name: allowed_aws_vpc_id
type: string
details: |
The ID of a pre-created VPC. When specified, the S3 bucket policy will only allow access from the specified VPC.
E.g: `vpc-01362976bd10dc099`.
For this feature to function correctly, a VPC endpoint must be properly configured.
For more information on VPC endpoints, visit https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
default: ""
computed_inputs:
- name: labels
default: ${json.marshal(request.default_labels)}
overwrite: true
type: object
template_refs:
main: terraform/s3/provision/main.tf
outputs: terraform/s3/provision/outputs.tf
provider: terraform/s3/provision/provider.tf
versions: terraform/s3/provision/versions.tf
variables: terraform/s3/provision/variables.tf
data: terraform/s3/provision/data.tf
outputs:
- field_name: arn
type: string
details: Bucket ARN
- field_name: bucket_domain_name
type: string
details: The FQDN for the bucket
- field_name: region
type: string
details: AWS region for the bucket
- field_name: bucket_name
type: string
details: Name of created bucket
- field_name: sse_all_kms_key_ids
type: string
details: The default and extra AWS KMS key IDs used for SSE-KMS encryption and decryption.
- field_name: allowed_aws_vpc_id
type: string
details: The ID of a pre-created VPC. When specified, the S3 bucket policy will only allow access from the specified VPC.
bind:
plan_inputs: []
user_inputs:
- field_name: aws_access_key_id
type: string
details: AWS access key
default: ${config("aws.access_key_id")}
- field_name: aws_secret_access_key
type: string
details: AWS secret key
default: ${config("aws.secret_access_key")}
computed_inputs:
- name: arn
default: ${instance.details["arn"]}
overwrite: true
type: string
- name: region
default: ${instance.details["region"]}
overwrite: true
type: string
- name: user_name
default: csb-${request.binding_id}
overwrite: true
type: string
- name: sse_all_kms_key_ids
default: ${instance.details["sse_all_kms_key_ids"]}
overwrite: true
type: string
- name: allowed_aws_vpc_id
default: ${instance.details["allowed_aws_vpc_id"]}
overwrite: true
type: string
template_refs:
data: terraform/s3/bind/data.tf
main: terraform/s3/bind/main.tf
outputs: terraform/s3/bind/outputs.tf
provider: terraform/s3/bind/provider.tf
versions: terraform/s3/bind/versions.tf
variables: terraform/s3/bind/variables.tf
outputs:
- field_name: access_key_id
type: string
details: AWS access key
- field_name: secret_access_key
type: string
details: AWS secret access key