Attach Bucket Policy as part of module

README.md

@@ -69,6 +69,8 @@ No Modules.
 | Name |
 |------|
 | [aws_s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/2.7.0/docs/resources/s3_bucket) |
+| [aws_s3_bucket_ownership_controls](https://registry.terraform.io/providers/hashicorp/aws/2.7.0/docs/resources/s3_bucket_ownership_controls) |
+| [aws_s3_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/2.7.0/docs/resources/s3_bucket_policy) |
 | [aws_s3_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/2.7.0/docs/resources/s3_bucket_public_access_block) |
 
 ## Inputs
@@ -78,13 +80,15 @@ No Modules.
 | allowed\_headers | Specifies which headers are allowed. | `list(string)` | `[]` | no |
 | allowed\_methods | (Required) Specifies which methods are allowed. Can be GET, PUT, POST, DELETE or HEAD. | `list(string)` | `[]` | no |
 | allowed\_origins | (Required) Specifies which origins are allowed. | `list(string)` | `[]` | no |
-| block\_public\_access | Block various forms of public access on a per bucket level | `bool` | `false` | no |
+| block\_public\_access | Block various forms of public access on a per bucket level. | `bool` | `false` | no |
 | block\_public\_access\_acl | Related to block\_public\_access. PUT Bucket acl and PUT Object acl calls will fail if the specified ACL allows public access. PUT Object calls will fail if the request includes an object ACL. | `bool` | `true` | no |
 | block\_public\_access\_ignore\_acl | Related to block\_public\_access. Ignore public ACLs on this bucket and any objects that it contains. | `bool` | `true` | no |
 | block\_public\_access\_policy | Related to block\_public\_access. Reject calls to PUT Bucket policy if the specified bucket policy allows public access. | `bool` | `true` | no |
 | block\_public\_access\_restrict\_bucket | Related to block\_public\_access. Only the bucket owner and AWS Services can access this buckets if it has a public policy. | `bool` | `true` | no |
 | bucket\_acl | Bucket ACL. Must be either authenticated-read, aws-exec-read, log-delivery-write, private, public-read or public-read-write. For more details https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl | `string` | `"private"` | no |
 | bucket\_logging | Enable bucket logging. Will store logs in another existing bucket. You must give the log-delivery group WRITE and READ\_ACP permissions to the target bucket. i.e. true \| false | `bool` | `false` | no |
+| bucket\_policy | A valid bucket policy JSON document to attach to this bucket. | `string` | `""` | no |
+| enable\_bucket\_policy | A boolean that indicates whether a custom bucket policy should be attached to this bucket. | `bool` | `false` | no |
 | environment | Application environment for which this network is being created. must be one of ['Development', 'Integration', 'PreProduction', 'Production', 'QA', 'Staging', 'Test'] | `string` | `"Development"` | no |
 | expose\_headers | Specifies expose header in the response. | `list(string)` | `[]` | no |
 | force\_destroy\_bucket | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |
@@ -103,6 +107,7 @@ No Modules.
 | object\_lock\_mode | The default Object Lock retention mode you want to apply to new objects placed in this bucket. Valid values are GOVERNANCE and COMPLIANCE. Default is GOVERNANCE (allows administrative override). | `string` | `"GOVERNANCE"` | no |
 | object\_lock\_retention\_days | The retention of the object lock in days. Either days or years must be specified, but not both. | `number` | `null` | no |
 | object\_lock\_retention\_years | The retention of the object lock in years. Either days or years must be specified, but not both. | `number` | `null` | no |
+| ownership\_controls | S3 Bucket Ownership Controls. Valid values are BucketOwnerPreferred and ObjectWriter. | `string` | `""` | no |
 | rax\_mpu\_cleanup\_enabled | Enable Rackspace default values for cleanup of Multipart Uploads. | `bool` | `true` | no |
 | sse\_algorithm | The server-side encryption algorithm to use. Valid values are AES256, aws:kms, and none | `string` | `"AES256"` | no |
 | tags | A map of tags to be applied to the Bucket. i.e {Environment='Development'} | `map(string)` | `{}` | no |

examples/s3.tf

@@ -14,7 +14,7 @@ resource "random_string" "s3_rstring" {
 }
 
 module "s3" {
-  source = "[email protected]:rackspace-infrastructure-automation/aws-terraform-s3//?ref=v0.12.3"
+  source = "[email protected]:rackspace-infrastructure-automation/aws-terraform-s3//?ref=v0.12.8"
 
   bucket_logging                             = false
   bucket_acl                                 = "private"
@@ -43,7 +43,7 @@ module "s3" {
 
 
 module "s3_no_website" {
-  source = "[email protected]:rackspace-infrastructure-automation/aws-terraform-s3//?ref=v0.12.3"
+  source = "[email protected]:rackspace-infrastructure-automation/aws-terraform-s3//?ref=v0.12.8"
 
   bucket_logging                             = false
   bucket_acl                                 = "private"
@@ -66,7 +66,7 @@ module "s3_no_website" {
 }
 
 module "s3_object_lock" {
-  source = "[email protected]:rackspace-infrastructure-automation/aws-terraform-s3//?ref=v0.12.3"
+  source = "[email protected]:rackspace-infrastructure-automation/aws-terraform-s3//?ref=v0.12.8"
 
   bucket_acl                                 = "private"
   bucket_logging                             = false
@@ -89,6 +89,55 @@ module "s3_object_lock" {
   website_error                              = "error.html"
   website_index                              = "index.html"
 
+  tags = {
+    RightSaid = "Fred"
+    LeftSaid  = "George"
+  }
+}
+
+module "s3_bucket_with_policy" {
+  source = "[email protected]:rackspace-infrastructure-automation/aws-terraform-s3//?ref=v0.12.8"
+
+  bucket_acl                                 = "private"
+  bucket_logging                             = false
+  environment                                = "Development"
+  lifecycle_enabled                          = true
+  name                                       = "${random_string.s3_rstring.result}-example-s3-bucket"
+  noncurrent_version_expiration_days         = "425"
+  noncurrent_version_transition_glacier_days = "60"
+  noncurrent_version_transition_ia_days      = "30"
+  object_expiration_days                     = "425"
+  object_lock_enabled                        = true
+  object_lock_mode                           = "GOVERNANCE"
+  object_lock_retention_days                 = 1
+  rax_mpu_cleanup_enabled                    = false
+  sse_algorithm                              = "none"
+  transition_to_glacier_days                 = "60"
+  transition_to_ia_days                      = "30"
+  versioning                                 = true
+  website                                    = true
+  website_error                              = "error.html"
+  website_index                              = "index.html"
+
+
+  ownership_controls = "BucketOwnerPreferred"
+  bucket_policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "CloudTrailBucketPolicy"
+    Statement = [
+      {
+        Sid    = "AWSCloudTrailAclCheck",
+        Effect = "Allow",
+        Principal = {
+          Service = "cloudtrail.amazonaws.com"
+        },
+        Action   = "s3:GetBucketAcl",
+        Resource = module.s3_bucket_with_policy.bucket_arn
+      }
+    ]
+  })
+
+
   tags = {
     RightSaid = "Fred"
     LeftSaid  = "George"

main.tf

@@ -372,3 +372,30 @@ resource "aws_s3_bucket_public_access_block" "block_public_access_settings" {
   ignore_public_acls      = var.block_public_access_ignore_acl
   restrict_public_buckets = var.block_public_access_restrict_bucket
 }
+
+##############################################################
+# Ownership Control Settings
+##############################################################
+
+resource "aws_s3_bucket_ownership_controls" "ownership_controls" {
+  count  = var.ownership_controls != "" ? 1 : 0
+  bucket = aws_s3_bucket.s3_bucket.id
+
+  rule {
+    object_ownership = var.ownership_controls
+  }
+
+  depends_on = [aws_s3_bucket_public_access_block.block_public_access_settings]
+}
+
+##############################################################
+# S3 Bucket policy
+##############################################################
+resource "aws_s3_bucket_policy" "bucket_policy" {
+  count  = var.enable_bucket_policy ? 1 : 0
+  bucket = aws_s3_bucket.s3_bucket.id
+
+  policy = var.bucket_policy
+
+  depends_on = [aws_s3_bucket_ownership_controls.ownership_controls]
+}

tests/test5/main.tf

@@ -0,0 +1,66 @@
+###
+# This test adds the sse_algorithm option 'none' and disabled MPU cleanup
+###
+
+terraform {
+  required_version = ">= 0.12"
+}
+
+provider "aws" {
+  version = "~> 3.0"
+  region  = "us-west-2"
+}
+
+resource "random_string" "s3_rstring" {
+  length  = 18
+  special = false
+  upper   = false
+}
+
+module "s3" {
+  source = "../../module"
+
+  bucket_acl                                 = "private"
+  bucket_logging                             = false
+  environment                                = "Development"
+  lifecycle_enabled                          = true
+  name                                       = "${random_string.s3_rstring.result}-example-s3-bucket"
+  noncurrent_version_expiration_days         = "425"
+  noncurrent_version_transition_glacier_days = "60"
+  noncurrent_version_transition_ia_days      = "30"
+  object_expiration_days                     = "425"
+  object_lock_enabled                        = true
+  object_lock_mode                           = "GOVERNANCE"
+  object_lock_retention_days                 = 1
+  rax_mpu_cleanup_enabled                    = false
+  sse_algorithm                              = "none"
+  transition_to_glacier_days                 = "60"
+  transition_to_ia_days                      = "30"
+  versioning                                 = true
+  website                                    = true
+  website_error                              = "error.html"
+  website_index                              = "index.html"
+
+  ownership_controls                         = "BucketOwnerPreferred"
+  enable_bucket_policy                       = true
+  bucket_policy                              = jsonencode({
+    Version = "2012-10-17"
+    Id      = "CloudTrailBucketPolicy"
+    Statement = [
+      {
+        Sid    = "AWSCloudTrailAclCheck",
+        Effect = "Allow",
+        Principal = {
+          Service = "cloudtrail.amazonaws.com"
+        },
+        Action   = "s3:GetBucketAcl",
+        Resource = module.s3.bucket_arn
+      }
+    ]
+  })
+
+  tags = {
+    RightSaid = "Fred"
+    LeftSaid  = "George"
+  }
+}

variables.tf

@@ -29,8 +29,14 @@ variable "bucket_logging" {
   default     = false
 }
 
+variable "bucket_policy" {
+  description = "A valid bucket policy JSON document to attach to this bucket."
+  type        = string
+  default     = ""
+}
+
 variable "block_public_access" {
-  description = "Block various forms of public access on a per bucket level"
+  description = "Block various forms of public access on a per bucket level."
   type        = bool
   default     = false
 }
@@ -65,6 +71,12 @@ variable "environment" {
   default     = "Development"
 }
 
+variable "enable_bucket_policy" {
+  description = "A boolean that indicates whether a custom bucket policy should be attached to this bucket."
+  type        = bool
+  default     = false
+}
+
 variable "expose_headers" {
   description = " Specifies expose header in the response."
   type        = list(string)
@@ -163,6 +175,12 @@ variable "object_lock_retention_years" {
   default     = null
 }
 
+variable "ownership_controls" {
+  description = "S3 Bucket Ownership Controls. Valid values are BucketOwnerPreferred and ObjectWriter."
+  type        = string
+  default     = ""
+}
+
 variable "rax_mpu_cleanup_enabled" {
   description = "Enable Rackspace default values for cleanup of Multipart Uploads."
   type        = bool