Merge pull request #3 from Geartrixy/hotfix/optional_kms_key_alias

Hotfix/optional kms key alias
zoitech · Aug 9, 2018 · dc4c5f1 · dc4c5f1
2 parents 0fa98ae + c888459
commit dc4c5f1
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,20 @@
+## Release Version: 0.0.2
+
+BACKWARDS INCOMPATIBILITIES / NOTES:
+
+* Tested with terraform v0.11.7
+
+
+
+IMPROVEMENTS:
+
+* N/A
+
+BUG FIXES:
+
+* KMS Key Alias preventing bucket creations when no KMS keys are created
+* Bucket policy preventing bucket creation when no IAM users are created
+
 ## Release Version: 0.0.1
 
 BACKWARDS INCOMPATIBILITIES / NOTES:

diff --git a/README.md b/README.md
@@ -1,11 +1,13 @@
 # AWS S3 Bucket with IAM Access Module
 Terraform module which creates an S3 bucket with varying levels of access for IAM users.
 
-The following resources can be created:
+The following resources will be created:
 * An S3 bucket
+The following resources are optional:
 * IAM User(s)
 * IAM Policies
 * KMS Keys
+* KMS Bucket Policy
 
 ## Usage
 ### Specify this Module as Source
@@ -22,11 +24,7 @@ The argument for the region is required to specify where the resources should be
 ```hcl
 region = "eu-west-1" #default = "eu-central-1"
 ```
-#### PGP Key 
-A public PGP key (in binary format) is required for encrypting the IAM secret keys and KMS keys, as these are given in output (Please see outputs below):
-```hcl
-pgp_keyname = "C123654C.pgp"
-```
+
 ### S3 Bucket Arguments
 #### Bucket Name 
 Set the bucket name:
@@ -54,7 +52,14 @@ N.b. Object versioning must be enabled to expire current versions and delete pre
 #### Bucket Lifecycle Prevent Destroy
 By default the prevent_destroy lifecycle is to "true" to prevent accidental bucket deletion via terraform.
 
+#### The KMS Bucket Policy 
+Setting the following variable to true, will apply the KMS bucket policy which disables unencrypted uploads and enables uploads from users which possess KMS keys (Pleae note if this variable is enabled, IAM Users are REQUIRED to be created, or the apply will fail!):
+```hcl
+enable_kms_bucket_policy = true #default = false
+```
+
 ### IAM Bucket Management Users 
+
 #### IAM User(s): S3 Bucket Full Permissions 
 Create IAM user(s) with full S3 bucket permissions (These users receive both management console and programmatic access):
 ```hcl
@@ -78,6 +83,12 @@ Create IAM user(s) with their own bucket key (directory) in the S3 bucket. These
 iam_user_s3_standard_names = ["Huey", "Dewey", "Louie"]
 ```
 
+#### PGP Key 
+A public PGP key (in binary format) is required for encrypting the IAM secret keys and KMS keys, as these are given in output (Please see outputs below):
+```hcl
+pgp_keyname = "C123654C.pgp"
+```
+
 ### Outputs 
 The following outputs are possible:
 * bucket_name (The name of the S3 bucket)

diff --git a/kms_keys.tf b/kms_keys.tf
@@ -50,6 +50,7 @@ POLICY
 
 # create alias(') for the KMS key(s)
 resource "aws_kms_alias" "kmskeyaliases" {
+  count       = "${local.count_standard_user}"
   name          = "alias/${element(var.iam_user_s3_standard_names, count.index)}"
   target_key_id = "${element(aws_kms_key.kmskey.*.key_id, count.index)}"
 }
diff --git a/s3_bucket_policy.tf b/s3_bucket_policy.tf
@@ -1,5 +1,6 @@
 # S3 bucket policy
-resource "aws_s3_bucket_policy" "s3_bucket_policy" {
+resource "aws_s3_bucket_policy" "s3_kms_bucket_policy" {
+  count  = "${var.enable_kms_bucket_policy}"
   bucket = "${aws_s3_bucket.s3_bucket.id}"
   policy = "${data.template_file.bucket_policy.rendered}"
 }
diff --git a/variables_s3.tf b/variables_s3.tf
@@ -36,4 +36,8 @@ variable "lifecycle_rule_noncurrent_version_expiration" {
 variable "s3_lifecycle_prevent_destroy" {
   description = "Prevent/allow terraform to destroy the bucket"
   default     = false
+}
+variable "enable_kms_bucket_policy" {
+  description = "Disables unencrypted uploads, enables user uploads with KMS keys"
+  default     = false
 }