
AWS S3 Bucket with IAM Access Module

Terraform module which creates an S3 bucket with varying levels of access for IAM users.

The following resources will be created:

  • An S3 bucket

The following resources are optional:

  • IAM User(s)
  • IAM Policies
  • KMS Keys
  • KMS Bucket Policy

Usage

Specify this Module as Source

module "s3" {
  source = "git::https://github.com/zoitech/terraform-aws-s3-with-iam-access.git"

  # Or, to pin a particular module version (a module block may carry only one source argument, so use one or the other):
  # source = "git::https://github.com/zoitech/terraform-aws-s3-with-iam-access.git?ref=v0.0.1"

  # The arguments described in the sections below go here.
}

General Arguments

Resource Creation Location

The argument for the region is required to specify where the resources should be created:

region = "eu-west-1" #default = "eu-central-1"

S3 Bucket Arguments

Bucket Name

Set the bucket name:

s3_bucket_name = "my-s3-bucket"

Object Versioning

Enable S3 object versioning:

s3_versioning_enabled = true #default = false

Object Lifecycle

Enable S3 object lifecycle for the whole bucket and specify a rule name.

Object expiration and/or previous version deletion is specified in days:

lifecycle_rule_enabled = true #default = false
lifecycle_rule_id = "expire_objects_older_than_180_days_delete_previous_versions_older_than_90_days" #default = ""
lifecycle_rule_expiration = 180 #default = 0
lifecycle_rule_noncurrent_version_expiration = 90 #default = 90 

N.b. Object versioning must be enabled to expire current versions and delete previous versions of an object.

Bucket Lifecycle Prevent Destroy

By default, the prevent_destroy lifecycle argument is set to "true" to prevent accidental bucket deletion via Terraform.

The KMS Bucket Policy

Setting the following variable to true applies the KMS bucket policy, which disables unencrypted uploads and enables uploads from users who possess KMS keys (please note that if this variable is enabled, IAM users are REQUIRED to be created, or the apply will fail!):

enable_kms_bucket_policy = true #default = false
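As an added illustration of what "disables unencrypted uploads" means at the policy level, the plain Terraform below shows the shape of a bucket policy that rejects any upload not requesting SSE-KMS. It is not the module's own template (that is rendered from template_file.bucket_policy_for_deny_unencrypted and is not reproduced on this page); the bucket resource and the statement IDs are placeholders:

```hcl
# Added example, not code from the module. The bucket is a placeholder.
resource "aws_s3_bucket" "example" {
  bucket = "my-s3-bucket"
}

data "aws_iam_policy_document" "deny_unencrypted" {
  # Reject PutObject requests that ask for any encryption mode other than
  # SSE-KMS (for example AES256, i.e. SSE-S3).
  statement {
    sid       = "DenyNonKmsUploads"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.example.arn}/*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }

  # A request that carries no encryption header at all is covered by a
  # separate statement using the Null test, so the policy does not depend
  # on how StringNotEquals treats a missing key.
  statement {
    sid       = "DenyUploadsWithoutEncryptionHeader"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.example.arn}/*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "Null"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["true"]
    }
  }
}

resource "aws_s3_bucket_policy" "deny_unencrypted" {
  bucket = aws_s3_bucket.example.id
  policy = data.aws_iam_policy_document.deny_unencrypted.json
}
```

Both statements are explicit denies, so they win over any Allow the IAM users receive. One practical consequence worth knowing before enabling enable_kms_bucket_policy: a client that relies on bucket default encryption and sends no x-amz-server-side-encryption header is still rejected by the second statement, so upload tools must be configured to request SSE-KMS explicitly.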

IAM Bucket Management Users

IAM User(s): S3 Bucket Full Permissions

Create IAM user(s) with full S3 bucket permissions (These users receive both management console and programmatic access):

iam_user_s3_full_names = ["superadmin1", "superadmin2"]

IAM User(s): S3 Bucket List/Delete Permissions

Create IAM user(s) with limited administrative (list and delete) S3 bucket permissions (These users receive both management console and programmatic access):

iam_user_s3_list_delete_names = ["admin1", "admin2"]

IAM User(s): S3 Bucket Get/Delete Permissions

Create IAM user(s) with limited administrative (get and delete) S3 bucket permissions (these users receive only programmatic access). Recommended as a synchronisation user:

iam_user_s3_get_delete_names = ["sync_user", "sync_user2"]

IAM Bucket Standard Users

Create IAM user(s) with their own bucket key (directory) in the S3 bucket. These users are assigned their own KMS keys which enable them to upload files in encrypted format as well as to download them and decrypt. (These users receive only programmatic access, therefore FTP client software such as CloudBerry or Cyberduck should be used):

iam_user_s3_standard_names = ["Huey", "Dewey", "Louie"]
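To make the per-user isolation described above concrete, here is an added example (not the module's own policy, which is rendered from template_file.bucket_policy_for_a_standard_user and not shown on this page) of the least-privilege shape such a setup takes: one IAM user, one prefix, one KMS key. The bucket name, user name and resource labels are placeholders; kms:GenerateDataKey is included because S3 needs it to write SSE-KMS objects on the user's behalf:

```hcl
# Added example, not code from the module. Names are placeholders.
locals {
  standard_user = "Huey"
}

resource "aws_s3_bucket" "example" {
  bucket = "my-s3-bucket"
}

# One KMS key per user; usage is granted only through that user's policy below.
resource "aws_kms_key" "user" {
  description = "Upload/download key for ${local.standard_user}"
}

resource "aws_kms_alias" "user" {
  name          = "alias/s3-${local.standard_user}"
  target_key_id = aws_kms_key.user.key_id
}

resource "aws_iam_user" "standard" {
  name = local.standard_user
}

data "aws_iam_policy_document" "standard_user" {
  # Listing is allowed only for keys under the user's own "directory".
  statement {
    sid       = "ListOwnPrefix"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.example.arn]

    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["${local.standard_user}/", "${local.standard_user}/*"]
    }
  }

  # Object operations are confined to that prefix.
  statement {
    sid       = "ObjectsInOwnPrefix"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["${aws_s3_bucket.example.arn}/${local.standard_user}/*"]
  }

  # Encryption and decryption work only with this user's own key, so objects
  # written by another standard user cannot be read even if their prefix
  # were reachable.
  statement {
    sid       = "UseOwnKmsKey"
    effect    = "Allow"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"]
    resources = [aws_kms_key.user.arn]
  }
}

resource "aws_iam_user_policy" "standard" {
  name   = "s3-own-prefix-only"
  user   = aws_iam_user.standard.name
  policy = data.aws_iam_policy_document.standard_user.json
}
```

Because listing the bucket root is deliberately not allowed, a desktop client has to be pointed directly at the user's folder rather than at the bucket; the bucket_key value in the module's standard_user_info output (for example my-s3-bucket/Huey) is the path to give it.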

PGP Key

A public PGP key (in binary format) is required for encrypting the IAM secret keys and KMS keys, as these are given in output (Please see outputs below):

pgp_keyname = "C123654C.pgp"
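Putting the arguments above together, the following is an added, complete invocation of the module assembled for this page (it is not taken from the repository's own examples). The bucket name, user names, tags and PGP key file name are placeholders:

```hcl
# Added example: one module call using the documented inputs. All values are placeholders.
module "s3" {
  source = "git::https://github.com/zoitech/terraform-aws-s3-with-iam-access.git?ref=v0.0.1"

  region         = "eu-west-1"
  s3_bucket_name = "my-s3-bucket"

  tags = {
    Owner = "platform-team"
  }

  # Versioning must be on for the noncurrent-version expiration rule below to apply.
  s3_versioning_enabled = true

  lifecycle_rule_enabled                       = true
  lifecycle_rule_id                            = "expire-180d-delete-noncurrent-90d"
  lifecycle_rule_expiration                    = 180
  lifecycle_rule_noncurrent_version_expiration = 90

  # Rejects unencrypted uploads. At least one IAM user must be created
  # alongside it, otherwise the apply fails.
  enable_kms_bucket_policy = true

  iam_user_s3_full_names        = ["superadmin1"]
  iam_user_s3_list_delete_names = ["admin1"]
  iam_user_s3_get_delete_names  = ["sync_user"]
  iam_user_s3_standard_names    = ["Huey", "Dewey", "Louie"]

  # Binary public PGP key used to encrypt the secret keys that appear in the outputs.
  pgp_keyname = "C123654C.pgp"
}
```

The access keys, console passwords and KMS key material in the outputs are encrypted to the PGP key named here, so the private half of that key is what an operator needs (and what must be protected) to read them; the Terraform state still holds the encrypted values, which is the reason for encrypting them at all.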

Outputs

The following outputs are possible:

  • bucket_name (The name of the S3 bucket)
  • bucket_arn (The ARN of the S3 bucket)
  • s3_full_user_info (The users with full S3 bucket permissions)
  • s3_list_delete_user_info (The users with list/delete S3 bucket permissions)
  • s3_get_delete_user_info (The users with get/delete S3 bucket permissions)
  • standard_user_info (The users with access to their own S3 bucket keys)

Example usage:

#The name of the S3 bucket
output "Bucket-Name" {
  value = module.s3.bucket_name
}
#The ARN of the S3 bucket
output "Bucket-ARN" {
  value = module.s3.bucket_arn
}
#The users with full S3 bucket permissions
output "Superadmins" {
  value = module.s3.s3_full_user_info
}
#The users with list/delete S3 bucket permissions
output "Admins" {
  value = module.s3.s3_list_delete_user_info
}
#The users with get/delete S3 bucket permissions
output "Sync-Users" {
  value = module.s3.s3_get_delete_user_info
}
#The users with access to their own S3 bucket keys
output "User-Info" {
  value = module.s3.standard_user_info
}

Example output:

Admins = [
"user_name:   Admin",
"access_key:  <omitted>",
"secret_key:  <omitted>",
"password:    <omitted>"
]
Bucket-ARN = arn:aws:s3:::my-s3-bucket
Bucket-Name = my-s3-bucket
Superadmins = [
"user_name:   superadmin",
"access_key:  <omitted>",
"secret_key:  <omitted>",
"password:    <omitted>"
]
Sync-Users = [
"user_name:   sync-user",
"access_key:  <omitted>",
"secret_key:  <omitted>"
]
User-Info = [
"user_name:   Huey",
"access_key:  <omitted>",
"secret_key:  <omitted>",
"kms_key:     <omitted>",
"bucket_key: my-s3-bucket/Huey"

"user_name:   Dewey",
"access_key:  <omitted>",
"secret_key:  <omitted>",
"kms_key:     <omitted>",
"bucket_key: my-s3-bucket/Dewey"

"user_name:   Louie",
"access_key:  <omitted>",
"secret_key:  <omitted>",
"kms_key:     <omitted>",
"bucket_key: my-s3-bucket/Louie"
]

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.12 |

Providers

| Name | Version |
|------|---------|
| aws | n/a |
| template | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_access_key.iam_user_s3_full_access | resource |
| aws_iam_access_key.iam_user_s3_get_delete_access | resource |
| aws_iam_access_key.iam_user_s3_list_delete_access | resource |
| aws_iam_access_key.iam_user_standard_access | resource |
| aws_iam_policy.iam_policy_s3_all | resource |
| aws_iam_policy.iam_policy_s3_get_delete | resource |
| aws_iam_policy.iam_policy_s3_list_delete | resource |
| aws_iam_policy.iam_policy_standard_user | resource |
| aws_iam_user.iam_user_s3_full_access | resource |
| aws_iam_user.iam_user_s3_get_delete_access | resource |
| aws_iam_user.iam_user_s3_list_delete_access | resource |
| aws_iam_user.standard_user | resource |
| aws_iam_user_login_profile.s3_full_login | resource |
| aws_iam_user_login_profile.s3_list_delete_login | resource |
| aws_iam_user_policy_attachment.attach_s3_full_access | resource |
| aws_iam_user_policy_attachment.attach_s3_get_delete | resource |
| aws_iam_user_policy_attachment.attach_s3_list_delete_access | resource |
| aws_iam_user_policy_attachment.user-attachment | resource |
| aws_kms_alias.kmskeyaliases | resource |
| aws_kms_key.kmskey | resource |
| aws_s3_bucket.s3_bucket | resource |
| aws_s3_bucket_acl.name | resource |
| aws_s3_bucket_lifecycle_configuration.s3_bucket | resource |
| aws_s3_bucket_object.bucket_objects | resource |
| aws_s3_bucket_policy.s3_kms_bucket_policy | resource |
| aws_s3_bucket_versioning.s3_bucket | resource |
| aws_caller_identity.current | data source |
| template_file.bucket_policy | data source |
| template_file.bucket_policy_for_a_standard_user | data source |
| template_file.bucket_policy_for_deny_unencrypted | data source |
| template_file.s3_full_user_output | data source |
| template_file.s3_full_user_outputs | data source |
| template_file.s3_get_delete_user_output | data source |
| template_file.s3_get_delete_user_outputs | data source |
| template_file.s3_list_delete_user_output | data source |
| template_file.s3_list_delete_user_outputs | data source |
| template_file.standard_user_output | data source |
| template_file.standard_user_outputs | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| enable_kms_bucket_policy | Disables unencrypted uploads, enables user uploads with KMS keys | bool | false | no |
| iam_user_s3_full_names | Names of the IAM users with S3 bucket full access | list(string) | [] | no |
| iam_user_s3_get_delete_names | Names of the IAM users with S3 bucket get/delete permissions | list(string) | [] | no |
| iam_user_s3_list_delete_names | Names of the IAM users with S3 bucket list/delete permissions | list(string) | [] | no |
| iam_user_s3_standard_names | Names of the IAM users with standard access | list(string) | [] | no |
| lifecycle_config_rule_id | ID of the lifecycle configuration rule | string | "" | no |
| lifecycle_rule_enabled | To enable the lifecycle rule | bool | false | no |
| lifecycle_rule_expiration | Delete current object version X days after creation | number | 0 | no |
| lifecycle_rule_id | Name of the lifecycle rule id | string | "" | no |
| lifecycle_rule_noncurrent_version_expiration | Delete noncurrent object versions X days after creation | number | 90 | no |
| lifecycle_rule_prefix | Lifecycle rule prefix | string | "" | no |
| pgp_keyname | Public PGP key in binary format | string | "" | no |
| prefix | A prefix which is added to each resource name | string | "" | no |
| region | The AWS region to run in | string | "eu-central-1" | no |
| s3_bucket_name | Name of the S3 bucket | string | "" | no |
| s3_lifecycle_prevent_destroy | Prevent/allow terraform to destroy the bucket | bool | false | no |
| s3_versioning_enabled | To enable file versioning | bool | false | no |
| suffix | A suffix which is added to each resource name | string | "" | no |
| tags | Tags to be added to the bucket | map(string) | {} | no |

Outputs

| Name | Description |
|------|-------------|
| bucket_arn | n/a |
| bucket_name | n/a |
| s3_full_user_info | n/a |
| s3_get_delete_user_info | n/a |
| s3_list_delete_user_info | n/a |
| standard_user_info | n/a |