diff --git a/README.md b/README.md index 18a0f25..6060e66 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@
-We eat, drink, sleep and most importantly love **DevOps**. We are working towards strategies for standardizing architecture while ensuring security for the infrastructure. We are strong believer of the philosophy Bigger problems are always solved by breaking them into smaller manageable problems. Resonating with microservices architecture, it is considered best-practice to run database, cluster, storage in smaller connected yet manageable pieces within the infrastructure. +We eat, drink, sleep and most importantly love **DevOps**. We are working towards stratergies for standardizing architecture while ensuring security for the infrastructure. We are strong believer of the philosophy Bigger problems are always solved by breaking them into smaller manageable problems. Resonating with microservices architecture, it is considered best-practice to run database, cluster, storage in smaller connected yet manageable pieces within the infrastructure. This module is basically combination of [Terraform open source](https://www.terraform.io/) and includes automatation tests and examples. It also helps to create and improve your infrastructure with minimalistic code instead of maintaining the whole infrastructure code yourself. @@ -72,7 +72,7 @@ Here are some examples of how you can use this module in your inventory structur ### Basic Bucket ```hcl module "s3_bucket" { - source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.4" + source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.5" name = "secure-bucket" region = "eu-west-1" application = "clouddrove" @@ -86,22 +86,38 @@ module "s3_bucket" { ### Encryption Bucket ```hcl module "s3_bucket" { - source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.4" - name = "encryption-bucket" - region = "eu-west-1" - application = "clouddrove" - environment = "test" - label_order = ["environment", "application", "name"] - versioning = true - acl = "private" - encryption_enabled = true - sse_algorithm = "AES256" + source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.5" + name = "encryption-bucket" + region = "eu-west-1" + application = "clouddrove" + environment = "test" + label_order = ["environment", "application", "name"] + versioning = true + acl = "private" + bucket_encryption_enabled = true + sse_algorithm = "AES256" +} +### Logging-Encryption Bucket +```hcl +module "s3_bucket" { + source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.5" + name = "logging-encryption-bucket" + region = "eu-west-1" + application = "clouddrove" + environment = "test" + label_order = ["environment", "application", "name"] + versioning = true + acl = "private" + bucket_logging_encryption_enabled = true + sse_algorithm = "AES256" + target_bucket = "bucket-logs12" + target_prefix = "logs" } ``` ### Logging Bucket ```hcl module "s3_bucket" { - source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.4" + source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.5" name = "logging-bucket" region = "eu-west-1" application = "clouddrove" @@ -117,7 +133,7 @@ module "s3_bucket" { ### Website Host Bucket ```hcl module "s3_bucket" { - source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.4" + source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.5" name = "website-bucket" region = "eu-west-1" application = "clouddrove" @@ -158,47 +174,48 @@ data "aws_iam_policy_document" "default" { | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| -| acl | Canned ACL to apply to the S3 bucket. | string | `""` | no | -| application | Application \(e.g. `cd` or `clouddrove`\). | string | `""` | no | -| attributes | Additional attributes \(e.g. `1`\). | list | `` | no | -| aws\_iam\_policy\_document | Specifies the number of days after object creation when the object expires. | string | `""` | no | -| bucket\_enabled | Enable simple S3. | bool | `"false"` | no | -| bucket\_logging\_enabled | Enable logging of S3. | bool | `"false"` | no | -| bucket\_policy | Conditionally create S3 bucket policy. | bool | `"false"` | no | -| create\_bucket | Conditionally create S3 bucket. | bool | `"true"` | no | -| delimiter | Delimiter to be used between `organization`, `environment`, `name` and `attributes`. | string | `"-"` | no | -| encryption\_enabled | Enable encryption of S3. | bool | `"false"` | no | -| environment | Environment \(e.g. `prod`, `dev`, `staging`\). | string | `""` | no | -| force\_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool | `"false"` | no | -| kms\_master\_key\_id | The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse\_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse\_algorithm is aws:kms. | string | `""` | no | -| label\_order | Label order, e.g. `name`,`application`. | list | `` | no | -| lifecycle\_days\_to\_expiration | Specifies the number of days after object creation when the object expires. | number | `"365"` | no | -| lifecycle\_days\_to\_glacier\_transition | Specifies the number of days after object creation when it will be moved to Glacier storage. | number | `"180"` | no | -| lifecycle\_days\_to\_infrequent\_storage\_transition | Specifies the number of days after object creation when it will be moved to standard infrequent access storage. | number | `"60"` | no | -| lifecycle\_expiration\_enabled | Specifies expiration lifecycle rule status. | bool | `"false"` | no | -| lifecycle\_expiration\_object\_prefix | Object key prefix identifying one or more objects to which the lifecycle rule applies. | string | `""` | no | -| lifecycle\_glacier\_object\_prefix | Object key prefix identifying one or more objects to which the lifecycle rule applies. | string | `""` | no | -| lifecycle\_glacier\_transition\_enabled | Specifies Glacier transition lifecycle rule status. | bool | `"false"` | no | -| lifecycle\_infrequent\_storage\_object\_prefix | Object key prefix identifying one or more objects to which the lifecycle rule applies. | string | `""` | no | -| lifecycle\_infrequent\_storage\_transition\_enabled | Specifies infrequent storage transition lifecycle rule status. | bool | `"false"` | no | -| managedby | ManagedBy, eg 'CloudDrove' or 'AnmolNagpal'. | string | `"anmol@clouddrove.com"` | no | -| name | Name \(e.g. `app` or `cluster`\). | string | `""` | no | -| region | Region Where you want to host S3. | string | `""` | no | -| sse\_algorithm | The server-side encryption algorithm to use. Valid values are AES256 and aws:kms. | string | `"AES256"` | no | -| tags | Additional tags \(e.g. map\(`BusinessUnit`,`XYZ`\). | map | `` | no | -| target\_bucket | The name of the bucket that will receive the log objects. | string | `""` | no | -| target\_prefix | To specify a key prefix for log objects. | string | `""` | no | -| versioning | Enable Versioning of S3. | bool | `"false"` | no | -| website\_error | An absolute path to the document to return in case of a 4XX error. | string | `"error.html"` | no | -| website\_hosting\_bucket | Enable website hosting of S3. | bool | `"false"` | no | -| website\_index | Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders. | string | `"index.html"` | no | +| acl | Canned ACL to apply to the S3 bucket. | string | `` | no | +| application | Application (e.g. `cd` or `clouddrove`). | string | `` | no | +| attributes | Additional attributes (e.g. `1`). | list | `` | no | +| aws_iam_policy_document | Specifies the number of days after object creation when the object expires. | string | `` | no | +| bucket_enabled | Enable simple S3. | bool | `false` | no | +| bucket_encryption_enabled | Enable encryption of S3. | bool | `false` | no | +| bucket_logging_enabled | Enable logging of S3. | bool | `false` | no | +| bucket_logging_encryption_enabled | Enable logging encryption of S3. | bool | `false` | no | +| bucket_policy | Conditionally create S3 bucket policy. | bool | `false` | no | +| create_bucket | Conditionally create S3 bucket. | bool | `true` | no | +| delimiter | Delimiter to be used between `organization`, `environment`, `name` and `attributes`. | string | `-` | no | +| environment | Environment (e.g. `prod`, `dev`, `staging`). | string | `` | no | +| force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool | `false` | no | +| kms_master_key_id | The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms. | string | `` | no | +| label_order | Label order, e.g. `name`,`application`. | list | `` | no | +| lifecycle_days_to_expiration | Specifies the number of days after object creation when the object expires. | number | `365` | no | +| lifecycle_days_to_glacier_transition | Specifies the number of days after object creation when it will be moved to Glacier storage. | number | `180` | no | +| lifecycle_days_to_infrequent_storage_transition | Specifies the number of days after object creation when it will be moved to standard infrequent access storage. | number | `60` | no | +| lifecycle_expiration_enabled | Specifies expiration lifecycle rule status. | bool | `false` | no | +| lifecycle_expiration_object_prefix | Object key prefix identifying one or more objects to which the lifecycle rule applies. | string | `` | no | +| lifecycle_glacier_object_prefix | Object key prefix identifying one or more objects to which the lifecycle rule applies. | string | `` | no | +| lifecycle_glacier_transition_enabled | Specifies Glacier transition lifecycle rule status. | bool | `false` | no | +| lifecycle_infrequent_storage_object_prefix | Object key prefix identifying one or more objects to which the lifecycle rule applies. | string | `` | no | +| lifecycle_infrequent_storage_transition_enabled | Specifies infrequent storage transition lifecycle rule status. | bool | `false` | no | +| managedby | ManagedBy, eg 'CloudDrove' or 'AnmolNagpal'. | string | `anmol@clouddrove.com` | no | +| name | Name (e.g. `app` or `cluster`). | string | `` | no | +| region | Region Where you want to host S3. | string | `` | no | +| sse_algorithm | The server-side encryption algorithm to use. Valid values are AES256 and aws:kms. | string | `AES256` | no | +| tags | Additional tags (e.g. map(`BusinessUnit`,`XYZ`). | map | `` | no | +| target_bucket | The name of the bucket that will receive the log objects. | string | `` | no | +| target_prefix | To specify a key prefix for log objects. | string | `` | no | +| versioning | Enable Versioning of S3. | bool | `false` | no | +| website_error | An absolute path to the document to return in case of a 4XX error. | string | `error.html` | no | +| website_hosting_bucket | Enable website hosting of S3. | bool | `false` | no | +| website_index | Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders. | string | `index.html` | no | ## Outputs | Name | Description | |------|-------------| | arn | The ARN of the s3 bucket. | -| bucket\_domain\_name | The Domain of the s3 bucket. | +| bucket_domain_name | The Domain of the s3 bucket. | | id | The ID of the s3 bucket. | | tags | A mapping of tags to assign to the resource. | @@ -233,4 +250,4 @@ At [CloudDrove][website], we offer expert guidance, implementation support and s [linkedin]: https://cpco.io/linkedin [twitter]: https://twitter.com/clouddrove/ [email]: https://clouddrove.com/contact-us.html - [terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language= + [terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language= \ No newline at end of file diff --git a/README.yaml b/README.yaml index 04a5cfe..1b9da71 100644 --- a/README.yaml +++ b/README.yaml @@ -36,7 +36,7 @@ usage : |- ### Basic Bucket ```hcl module "s3_bucket" { - source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.4" + source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.5" name = "secure-bucket" region = "eu-west-1" application = "clouddrove" @@ -50,22 +50,38 @@ usage : |- ### Encryption Bucket ```hcl module "s3_bucket" { - source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.4" - name = "encryption-bucket" - region = "eu-west-1" - application = "clouddrove" - environment = "test" - label_order = ["environment", "application", "name"] - versioning = true - acl = "private" - encryption_enabled = true - sse_algorithm = "AES256" + source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.5" + name = "encryption-bucket" + region = "eu-west-1" + application = "clouddrove" + environment = "test" + label_order = ["environment", "application", "name"] + versioning = true + acl = "private" + bucket_encryption_enabled = true + sse_algorithm = "AES256" + } + ### Logging-Encryption Bucket + ```hcl + module "s3_bucket" { + source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.5" + name = "logging-encryption-bucket" + region = "eu-west-1" + application = "clouddrove" + environment = "test" + label_order = ["environment", "application", "name"] + versioning = true + acl = "private" + bucket_logging_encryption_enabled = true + sse_algorithm = "AES256" + target_bucket = "bucket-logs12" + target_prefix = "logs" } ``` ### Logging Bucket ```hcl module "s3_bucket" { - source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.4" + source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.5" name = "logging-bucket" region = "eu-west-1" application = "clouddrove" @@ -81,7 +97,7 @@ usage : |- ### Website Host Bucket ```hcl module "s3_bucket" { - source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.4" + source = "https://github.com/clouddrove/terraform-aws-s3?ref=tags/0.12.5" name = "website-bucket" region = "eu-west-1" application = "clouddrove" @@ -111,4 +127,4 @@ usage : |- resources = ["arn:aws:s3:::test-website-bucket-clouddrove/*"] } } - ``` \ No newline at end of file + ``` diff --git a/_example/encryption-s3/example.tf b/_example/encryption-s3/example.tf index b309714..ca8b525 100644 --- a/_example/encryption-s3/example.tf +++ b/_example/encryption-s3/example.tf @@ -10,9 +10,9 @@ module "s3_bucket" { environment = "test" label_order = ["environment", "application", "name"] - region = "eu-west-1" - versioning = true - acl = "private" - encryption_enabled = true - sse_algorithm = "AES256" + region = "eu-west-1" + versioning = true + acl = "private" + bucket_encryption_enabled = true + sse_algorithm = "AES256" } \ No newline at end of file diff --git a/_example/logging-encryption-s3/example.tf b/_example/logging-encryption-s3/example.tf new file mode 100644 index 0000000..362044c --- /dev/null +++ b/_example/logging-encryption-s3/example.tf @@ -0,0 +1,20 @@ +provider "aws" { + region = "eu-west-1" +} + +module "s3_bucket" { + source = "./../../" + + name = "logging-encryption-bucket" + application = "clouddrove" + environment = "test" + label_order = ["environment", "application", "name"] + + region = "eu-west-1" + versioning = true + acl = "private" + bucket_logging_encryption_enabled = true + sse_algorithm = "AES256" + target_bucket = "bucket-logs12" + target_prefix = "logs" +} diff --git a/_example/logging-encryption-s3/outputs.tf b/_example/logging-encryption-s3/outputs.tf new file mode 100644 index 0000000..14954f1 --- /dev/null +++ b/_example/logging-encryption-s3/outputs.tf @@ -0,0 +1,9 @@ +output "id" { + value = module.s3_bucket.*.id + description = "The ID of the s3 bucket." +} + +output "tags" { + value = module.s3_bucket.tags + description = "A mapping of tags to assign to the S3." +} diff --git a/_test/logging-encryption-s3/s3_test.go b/_test/logging-encryption-s3/s3_test.go new file mode 100644 index 0000000..37dd6d2 --- /dev/null +++ b/_test/logging-encryption-s3/s3_test.go @@ -0,0 +1,35 @@ +// Managed By : CloudDrove +// Description : This Terratest is used to test the Terraform S3 module. +// Copyright @ CloudDrove. All Right Reserved. +package test + +import ( + "testing" + "strings" + "github.com/stretchr/testify/assert" + "github.com/gruntwork-io/terratest/modules/terraform" +) + +func Test(t *testing.T) { + t.Parallel() + + terraformOptions := &terraform.Options{ + // Source path of Terraform directory. + TerraformDir: "../../_example/logging-encryption-s3", + Upgrade: true, + } + + // This will run 'terraform init' and 'terraform application' and will fail the test if any errors occur + terraform.InitAndApply(t, terraformOptions) + + // To clean up any resources that have been created, run 'terraform destroy' towards the end of the test + defer terraform.Destroy(t, terraformOptions) + + // To get the value of an output variable, run 'terraform output' + s3BucketId := strings.Join(terraform.OutputList(t, terraformOptions, "id")," ") + Tags := terraform.OutputMap(t, terraformOptions, "tags") + + // Verify we're getting back the outputs we expect + assert.Equal(t, "test-clouddrove-logging-encryption-bucket", s3BucketId) + assert.Equal(t, "test-clouddrove-logging-encryption-bucket", Tags["Name"]) +} diff --git a/main.tf b/main.tf index c2577ac..835061d 100644 --- a/main.tf +++ b/main.tf @@ -205,6 +205,83 @@ resource "aws_s3_bucket" "s3_logging" { } +# Module : S3 BUCKET +# Description : Terraform module which creates S3 bucket with logging resource on AWS +resource "aws_s3_bucket" "s3_logging_encryption" { + count = var.create_bucket && var.bucket_logging_encryption_enabled == true ? 1 : 0 + + bucket = module.labels.id + force_destroy = var.force_destroy + region = var.region + acl = var.acl + + versioning { + enabled = var.versioning + } + + lifecycle_rule { + id = "transition-to-infrequent-access-storage" + enabled = var.lifecycle_infrequent_storage_transition_enabled + + prefix = var.lifecycle_infrequent_storage_object_prefix + + transition { + days = var.lifecycle_days_to_infrequent_storage_transition + storage_class = "STANDARD_IA" + } + } + + lifecycle_rule { + id = "transition-to-glacier" + enabled = var.lifecycle_glacier_transition_enabled + + prefix = var.lifecycle_glacier_object_prefix + + transition { + days = var.lifecycle_days_to_glacier_transition + storage_class = "GLACIER" + } + } + + lifecycle_rule { + id = "expire-objects" + enabled = var.lifecycle_expiration_enabled + + prefix = var.lifecycle_expiration_object_prefix + + expiration { + days = var.lifecycle_days_to_expiration + } + } + logging { + target_bucket = var.target_bucket + target_prefix = var.target_prefix + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = var.sse_algorithm + kms_master_key_id = var.kms_master_key_id + } + } + } + tags = module.labels.tags + +} + + + +# Module : S3 BUCKET POLICY +# Description : Terraform module which creates policy for S3 bucket logging on AWS +resource "aws_s3_bucket_policy" "s3_logging_encryption" { + count = var.create_bucket && var.bucket_policy && var.bucket_logging_encryption_enabled == true ? 1 : 0 + + bucket = aws_s3_bucket.s3_logging[count.index].id + policy = var.aws_iam_policy_document +} + + # Module : S3 BUCKET POLICY # Description : Terraform module which creates policy for S3 bucket logging on AWS resource "aws_s3_bucket_policy" "s3_logging" { @@ -217,7 +294,7 @@ resource "aws_s3_bucket_policy" "s3_logging" { # Module : S3 BUCKET # Description : Terraform module which creates S3 bucket with encryption resource on AWS resource "aws_s3_bucket" "s3_encryption" { - count = var.create_bucket && var.encryption_enabled == true ? 1 : 0 + count = var.create_bucket && var.bucket_encryption_enabled == true ? 1 : 0 bucket = module.labels.id force_destroy = var.force_destroy @@ -279,7 +356,7 @@ resource "aws_s3_bucket" "s3_encryption" { # Module : S3 BUCKET POLICY # Description : Terraform module which creates policy for S3 bucket encryption on AWS resource "aws_s3_bucket_policy" "s3_encryption" { - count = var.create_bucket && var.bucket_policy && var.encryption_enabled == true ? 1 : 0 + count = var.create_bucket && var.bucket_policy && var.bucket_encryption_enabled == true ? 1 : 0 bucket = aws_s3_bucket.s3_encryption[count.index].id policy = var.aws_iam_policy_document diff --git a/variables.tf b/variables.tf index a6f601b..0578c0e 100644 --- a/variables.tf +++ b/variables.tf @@ -86,12 +86,18 @@ variable "bucket_logging_enabled" { description = "Enable logging of S3." } -variable "encryption_enabled" { +variable "bucket_encryption_enabled" { type = bool default = false description = "Enable encryption of S3." } +variable "bucket_logging_encryption_enabled" { + type = bool + default = false + description = "Enable logging encryption of S3." +} + variable "website_hosting_bucket" { type = bool default = false @@ -206,4 +212,4 @@ variable "force_destroy" { type = bool default = false description = "A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable." -} \ No newline at end of file +}