AWS S3 Bucket with IAM Access Module

Terraform module which creates an S3 bucket with varying levels of access for IAM users.

The following resources will be created:

• An S3 bucket The following resources are optional:
• IAM User(s)
• IAM Policies
• KMS Keys
• KMS Bucket Policy

Usage

Specify this Module as Source

module "s3" {
  source = "git::https://github.com/zoitech/terraform-aws-s3-with-iam-access.git"

  # Or to specifiy a particular module version:
  source = "git::https://github.com/zoitech/terraform-aws-s3-with-iam-access.git?ref=v0.0.1"

General Arguments

Resource Creation Location

The argument for the region is required to specify where the resources should be created:

region = "eu-west-1" #default = "eu-central-1"

S3 Bucket Arguments

Bucket Name

Set the bucket name:

s3_bucket_name = "my-s3-bucket"

Object Versioning

Enable S3 object versioning:

s3_versioning_enabled = true #default = false

Object Lifecycle

Enable S3 object lifecycle for the whole bucket and specify a rule name.

Object expiration and/or previous version deletion is specified in days:

lifecycle_rule_enabled = true #default = false
lifecycle_rule_id = "expire_objects_older_than_180_days_delete_previous_versions_older_than_90_days" #default = ""
lifecycle_rule_expiration = 180 #default = 0
lifecycle_rule_noncurrent_version_expiration = 90 #default = 90 

N.b. Object versioning must be enabled to expire current versions and delete previous versions of an object.

Bucket Lifecycle Prevent Destroy

By default the prevent_destroy lifecycle is to "true" to prevent accidental bucket deletion via terraform.

The KMS Bucket Policy

Setting the following variable to true, will apply the KMS bucket policy which disables unencrypted uploads and enables uploads from users which possess KMS keys (Pleae note if this variable is enabled, IAM Users are REQUIRED to be created, or the apply will fail!):

enable_kms_bucket_policy = true #default = false

IAM Bucket Management Users

IAM User(s): S3 Bucket Full Permissions

Create IAM user(s) with full S3 bucket permissions (These users receive both management console and programmatic access):

iam_user_s3_full_names = ["superadmin1", "superadmin2"]

IAM User(s): S3 Bucket List/Delete Permissions

Create IAM user(s) with limited administrative (list and delete) S3 bucket permissions (These users receive both management console and programmatic access):

iam_user_s3_list_delete_names = ["admin1", "admin2"]

IAM User(s): S3 Bucket Get/Delete Permissions

Create IAM user(s) with limited administrative (get and delete) S3 bucket permissions (These users receive only programmatic access)

Recommended as a synchronisation user:

iam_user_s3_get_delete_names = ["sync_user", "sync_user2"]

IAM Bucket Standard Users

Create IAM user(s) with their own bucket key (directory) in the S3 bucket. These users are assigned their own KMS keys which enable them to upload files in encrypted format as well as to download them and decrypt. (These users receive only programmatic access, therefore FTP client software such as CloudBerry or Cyberduck should be used):

iam_user_s3_standard_names = ["Huey", "Dewey", "Louie"]

PGP Key

A public PGP key (in binary format) is required for encrypting the IAM secret keys and KMS keys, as these are given in output (Please see outputs below):

pgp_keyname = "C123654C.pgp"

Outputs

The following outputs are possible:

• bucket_name (The name of the S3 bucket)
• bucket_arn (The ARN of the S3 bucket)
• s3_full_user_info (The users with full S3 bucket permissions)
• s3_list_delete_user_info (The users with list/delete S3 bucket permissions)
• s3_get_delete_user_info (The users with get/delete S3 bucket permissions)
• standard_user_info (The users with access to their own S3 bucket keys)

Example usage:

#The name of the S3 bucket
output "Bucket-Name" {
  value = module.s3.bucket_name
}
#The ARN of the S3 bucket
output "Bucket-ARN" {
  value = module.s3.bucket_arn
}
#The users with full S3 bucket permissions
output "Superadmins" {
  value = module.s3.s3_full_user_info
}
#The users with list/delete S3 bucket permissions
output "Admins" {
  value = module.s3.s3_list_delete_user_info
}
#The users with get/delete S3 bucket permissions
output "Sync-Users" {
  value = module.s3.s3_get_delete_user_info
}
#The users with access to their own S3 bucket keys
output "User-Info" {
  value = module.s3.standard_user_info
}

Example output:

Admins = [
"user_name:   Admin",
"access_key:  <omitted>",
"secret_key:  <omitted>",
"password":   <omitted>"
]
Bucket-ARN = arn:aws:s3:::my-s3-bucket
Bucket-Name = my-s3-bucket
Superadmins = [
"user_name:   superadmin",
"access_key:  <omitted>",
"secret_key:  <omitted>",
"password":   <omitted>"
]
Sync-Users = [
"user_name:   sync-user",
"access_key:  <omitted>",
"secret_key:  <omitted>"
]
User-Info = [
"user_name:   Huey",
"access_key:  <omitted>",
"secret_key:  <omitted>",
"kms_key:     <omitted>",
"bucket_key: my-s3-bucket/Huey"

"user_name:   Dewey",
"access_key:  <omitted>",
"secret_key:  <omitted>",
"kms_key:     <omitted>",
"bucket_key: my-s3-bucket/Dewey"

"user_name:   Louie",
"access_key:  <omitted>",
"secret_key:  <omitted>",
"kms_key:     <omitted>",
"bucket_key: my-s3-bucket/Louie"
]

Requirements

Name	Version
terraform	>= 0.12

Providers

Name	Version
aws	n/a
template	n/a

Modules

No modules.

Resources

Name	Type
aws_iam_access_key.iam_user_s3_full_access	resource
aws_iam_access_key.iam_user_s3_get_delete_access	resource
aws_iam_access_key.iam_user_s3_list_delete_access	resource
aws_iam_access_key.iam_user_standard_access	resource
aws_iam_policy.iam_policy_s3_all	resource
aws_iam_policy.iam_policy_s3_get_delete	resource
aws_iam_policy.iam_policy_s3_list_delete	resource
aws_iam_policy.iam_policy_standard_user	resource
aws_iam_user.iam_user_s3_full_access	resource
aws_iam_user.iam_user_s3_get_delete_access	resource
aws_iam_user.iam_user_s3_list_delete_access	resource
aws_iam_user.standard_user	resource
aws_iam_user_login_profile.s3_full_login	resource
aws_iam_user_login_profile.s3_list_delete_login	resource
aws_iam_user_policy_attachment.attach_s3_full_access	resource
aws_iam_user_policy_attachment.attach_s3_get_delete	resource
aws_iam_user_policy_attachment.attach_s3_list_delete_access	resource
aws_iam_user_policy_attachment.user-attachment	resource
aws_kms_alias.kmskeyaliases	resource
aws_kms_key.kmskey	resource
aws_s3_bucket.s3_bucket	resource
aws_s3_bucket_acl.name	resource
aws_s3_bucket_lifecycle_configuration.s3_bucket	resource
aws_s3_bucket_object.bucket_objects	resource
aws_s3_bucket_policy.s3_kms_bucket_policy	resource
aws_s3_bucket_versioning.s3_bucket	resource
aws_caller_identity.current	data source
template_file.bucket_policy	data source
template_file.bucket_policy_for_a_standard_user	data source
template_file.bucket_policy_for_deny_unencrypted	data source
template_file.s3_full_user_output	data source
template_file.s3_full_user_outputs	data source
template_file.s3_get_delete_user_output	data source
template_file.s3_get_delete_user_outputs	data source
template_file.s3_list_delete_user_output	data source
template_file.s3_list_delete_user_outputs	data source
template_file.standard_user_output	data source
template_file.standard_user_outputs	data source

Inputs

Name	Description	Type	Default	Required
enable_kms_bucket_policy	Disables unencrypted uploads, enables user uploads with KMS keys	bool	false	no
iam_user_s3_full_names	Names of the IAM users with S3 bucket full access	list(string)	[]	no
iam_user_s3_get_delete_names	Names of the IAM users with S3 bucket get/delete permissions	list(string)	[]	no
iam_user_s3_list_delete_names	Names of the IAM users with S3 bucket list/delete permissions	list(string)	[]	no
iam_user_s3_standard_names	Names of the IAM users with standard access	list(string)	[]	no
lifecycle_config_rule_id	ID of the lifecycle configuration rule	string	""	no
lifecycle_rule_enabled	To enable the lifecycle rule	bool	false	no
lifecycle_rule_expiration	Delete current object version X days after creation	number	0	no
lifecycle_rule_id	Name of the lifecyle rule id.	string	""	no
lifecycle_rule_noncurrent_version_expiration	Delete noncurrent object versions X days after creation	number	90	no
lifecycle_rule_prefix	Lifecycle rule prefix.	string	""	no
pgp_keyname	Public PGP key in binary format	string	""	no
prefix	A prefix which is added to each resource name.	string	""	no
region	The AWS region to run in.	string	"eu-central-1"	no
s3_bucket_name	Name of the S3 bucket	string	""	no
s3_lifecycle_prevent_destroy	Prevent/allow terraform to destroy the bucket	bool	false	no
s3_versioning_enabled	To enable file versioning	bool	false	no
suffix	A suffix which is added to each resource name.	string	""	no
tags	Tags to be added to the bucket	map(string)	{}	no

Outputs

Name	Description
bucket_arn	n/a
bucket_name	n/a
s3_full_user_info	n/a
s3_get_delete_user_info	n/a
s3_list_delete_user_info	n/a
standard_user_info	n/a