Creates an S3 bucket together with the policies that allow using it, for attaching to other roles or users
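# Example: a private, SSE-KMS encrypted "backups" bucket whose bucket policy lets
# the regional CloudWatch Logs service principal export log data into it.
# NOTE(review): get_aws_account_id() is a Terragrunt built-in, not a Terraform
# function; a plain Terraform root would use data.aws_caller_identity instead —
# confirm which tool renders this example.
module "s3-generic" {
  source = "../..//"

  s3_buckets = {
    backups = {
      bucket               = "my-backups"
      permissions_boundary = "arn:aws:iam::${get_aws_account_id()}:policy/MyBoundary"
      region               = "ap-southeast-1"

      # Canned ACL stays private; server access logs are written to a separate
      # bucket so reads and writes against this one are auditable.
      acl               = "private"
      log_bucket_for_s3 = "my-access-logs"

      # Bucket policy for the CloudWatch Logs "export to S3" flow. A service
      # principal alone would let any account that can drive that service write
      # into this bucket (confused deputy), so both statements are additionally
      # restricted with aws:SourceAccount to exports started from this account.
      # Cross-account exports need their account ids added to that condition.
      policies = [jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Action    = "s3:GetBucketAcl"
            Effect    = "Allow"
            Resource  = "arn:aws:s3:::my-backups"
            Principal = { Service = "logs.ap-southeast-1.amazonaws.com" }
            Condition = {
              StringEquals = { "aws:SourceAccount" = get_aws_account_id() }
            }
          },
          {
            Action = "s3:PutObject"
            Effect = "Allow"
            # IAM treats "**" the same as "*"; "/*" is the conventional spelling.
            Resource = "arn:aws:s3:::my-backups/**"
            Condition = {
              StringEquals = {
                # Exported objects must be handed to the bucket owner rather than
                # remaining owned by the writing service.
                "s3:x-amz-acl"      = "bucket-owner-full-control"
                "aws:SourceAccount" = get_aws_account_id()
              }
            }
            Principal = { Service = "logs.ap-southeast-1.amazonaws.com" }
          }
        ]
      })]

      # SSE-KMS without a kms_master_key_id uses the AWS-managed aws/s3 key;
      # bucket keys cut the number of KMS requests per object.
      # NOTE(review): confirm the log export source may use the key in effect.
      server_side_encryption_configuration = {
        rule = {
          bucket_key_enabled = true
          apply_server_side_encryption_by_default = {
            sse_algorithm = "aws:kms"
          }
        }
      }
    }
  }
}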
Name |
Description |
Type |
Default |
Required |
force_destroy |
When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. |
bool |
false |
no |
path |
Desired path for the IAM user |
string |
"/" |
no |
s3_buckets |
A map of bucket names to an object describing the S3 bucket settings for the bucket. |
map(object({ bucket = string permissions_boundary = string region = string acl = optional(string) log_bucket_for_s3 = optional(string) policies = list(string) server_side_encryption_configuration = any cors_configuration = optional( list( object({ allowed_methods = list(string) allowed_origins = list(string) allowed_headers = optional(list(string)) expose_headers = optional(list(string)) max_age_seconds = optional(number) id = optional(string) }) ) ) lifecycle_rules = optional(list(object({ id = optional(string) enabled = optional(bool, true) filter = optional(object({ prefix = optional(string) object_size_greater_than = optional(number) object_size_less_than = optional(number) tags = optional(map(string)) })) transition = optional(list(object({ days = optional(number) date = optional(string) storage_class = string }))) }))) }))
|
no |
|
tags |
(Optional) A mapping of tags to assign to the bucket. |
map(string) |
{} |
no |
Name |
Description |
role |
The role that has access to the bucket |
s3_buckets |
The names of the buckets. |