Skip to content

GovTechSG/terraform-s3-generic

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

s3-generic

Creates a s3 bucket with policies to allow using it, for attaching to other roles/users

Example

module "s3-generic" {
  source = "../..//"
  s3_buckets = {
    backups = {
      bucket               = "my-backups"
      permissions_boundary = "arn:aws:iam::${get_aws_account_id()}:policy/MyBoundary"
      region               = "ap-southeast-1"
      acl                  = "private"
      log_bucket_for_s3    = "my-access-logs"
      policies = [jsonencode(
        {
          "Version" : "2012-10-17",
          "Statement" : [
            {
              Action : "s3:GetBucketAcl",
              Effect : "Allow",
              Resource : "arn:aws:s3:::my-backups",
              Principal : { "Service" : "logs.ap-southeast-1.amazonaws.com" }
            },
            {
              Action : "s3:PutObject",
              Effect : "Allow",
              Resource : "arn:aws:s3:::my-backups/**",
              Condition : { "StringEquals" : { "s3:x-amz-acl" : "bucket-owner-full-control" } },
              Principal : { "Service" : "logs.ap-southeast-1.amazonaws.com" }
            }
          ]
        }
      )]
      server_side_encryption_configuration = {
        rule = {
          bucket_key_enabled = true
          apply_server_side_encryption_by_default = {
            sse_algorithm = "aws:kms"
          }
        }
      }
    }
  }
}

Inputs

Name Description Type Default Required
force_destroy When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. bool false no
path Desired path for the IAM user string "/" no
s3_buckets A map of bucket names to an object describing the S3 bucket settings for the bucket.
map(object({ 
bucket = string
permissions_boundary = string
region = string
acl = optional(string)
log_bucket_for_s3 = optional(string)
policies = list(string)
server_side_encryption_configuration = any
cors_configuration = optional(
list(
object({
allowed_methods = list(string)
allowed_origins = list(string)
allowed_headers = optional(list(string))
expose_headers = optional(list(string))
max_age_seconds = optional(number)
id = optional(string)
})
)
)
lifecycle_rules = optional(list(object({
id = optional(string)
enabled = optional(bool, true)
filter = optional(object({
prefix = optional(string)
object_size_greater_than = optional(number)
object_size_less_than = optional(number)
tags = optional(map(string))
}))
transition = optional(list(object({
days = optional(number)
date = optional(string)
storage_class = string
})))
})))
}))
no
tags (Optional) A mapping of tags to assign to the bucket. map(string) {} no

Outputs

Name Description
role The role which has access to the bucket
s3_buckets The names of the bucket.

About

No description or website provided.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages