diff --git a/CHANGELOG.md b/CHANGELOG.md
index 79ccd7d..a26f6a9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,20 @@
+## Release Version: 0.0.2
+
+BACKWARDS INCOMPATIBILITIES / NOTES:
+
+* Tested with terraform v0.11.7
+
+
+
+IMPROVEMENTS:
+
+* N/A
+
+BUG FIXES:
+
+* KMS Key Alias preventing bucket creations when no KMS keys are created
+* Bucket policy preventing bucket creation when no IAM users are created
 ## Release Version: 0.0.1
 
 BACKWARDS INCOMPATIBILITIES / NOTES:
diff --git a/README.md b/README.md
index 82ce740..ef9633d 100644
--- a/README.md
+++ b/README.md
@@ -1,11 +1,13 @@
 # AWS S3 Bucket with IAM Access Module
 Terraform module which creates an S3 bucket with varying levels of access for IAM users.
-The following resources can be created:
+The following resources will be created:
 * An S3 bucket
+The following resources are optional:
 * IAM User(s)
 * IAM Policies
 * KMS Keys
+* KMS Bucket Policy
 ## Usage
 ### Specify this Module as Source
@@ -22,11 +24,7 @@ The argument for the region is required to specify where the resources should be
 ```hcl
 region = "eu-west-1" #default = "eu-central-1"
 ```
-#### PGP Key
-A public PGP key (in binary format) is required for encrypting the IAM secret keys and KMS keys, as these are given in output (Please see outputs below):
-```hcl
-pgp_keyname = "C123654C.pgp"
-```
+
 ### S3 Bucket Arguments
 #### Bucket Name
 Set the bucket name:
@@ -54,7 +52,14 @@ N.b. Object versioning must be enabled to expire current versions and delete pre
 #### Bucket Lifecycle Prevent Destroy
 By default the prevent_destroy lifecycle is to "true" to prevent accidental bucket deletion via terraform.
+#### The KMS Bucket Policy
+Setting the following variable to true, will apply the KMS bucket policy which disables unencrypted uploads and enables uploads from users which possess KMS keys (Pleae note if this variable is enabled, IAM Users are REQUIRED to be created, or the apply will fail!):
+```hcl
+enable_kms_bucket_policy = true #default = false
+```
+
 ### IAM Bucket Management Users
+
 #### IAM User(s): S3 Bucket Full Permissions
 Create IAM user(s) with full S3 bucket permissions (These users receive both management console and programmatic access):
 ```hcl
@@ -78,6 +83,12 @@ Create IAM user(s) with their own bucket key (directory) in the S3 bucket. These
 iam_user_s3_standard_names = ["Huey", "Dewey", "Louie"]
 ```
+#### PGP Key
+A public PGP key (in binary format) is required for encrypting the IAM secret keys and KMS keys, as these are given in output (Please see outputs below):
+```hcl
+pgp_keyname = "C123654C.pgp"
+```
+
 ### Outputs
 The following outputs are possible:
 * bucket_name (The name of the S3 bucket)
diff --git a/kms_keys.tf b/kms_keys.tf
index a9e0b02..58f23e0 100644
--- a/kms_keys.tf
+++ b/kms_keys.tf
@@ -50,6 +50,7 @@ POLICY
 # create alias(') for the KMS key(s)
 resource "aws_kms_alias" "kmskeyaliases" {
+  count         = "${local.count_standard_user}"
   name          = "alias/${element(var.iam_user_s3_standard_names, count.index)}"
   target_key_id = "${element(aws_kms_key.kmskey.*.key_id, count.index)}"
 }
\ No newline at end of file
diff --git a/s3_bucket_policy.tf b/s3_bucket_policy.tf
index 58f0a6a..0b56b26 100644
--- a/s3_bucket_policy.tf
+++ b/s3_bucket_policy.tf
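Review bot: The added `count` ties the number of aliases to `local.count_standard_user`, but each alias still selects its key with `element(aws_kms_key.kmskey.*.key_id, count.index)`, and `element` wraps around rather than failing; if `aws_kms_key.kmskey` is ever created with a different count than the standard users, several aliases would silently resolve to the same key. Both `local.count_standard_user` and the `aws_kms_key.kmskey` block are outside the hunk, so this is worth confirming rather than assumed. A one-line comment above the new line would make the coupling explicit: `# one alias per standard user; must stay in step with the count on aws_kms_key.kmskey`.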
@@ -1,5 +1,6 @@
 # S3 bucket policy
-resource "aws_s3_bucket_policy" "s3_bucket_policy" {
+resource "aws_s3_bucket_policy" "s3_kms_bucket_policy" {
+  count  = "${var.enable_kms_bucket_policy}"
   bucket = "${aws_s3_bucket.s3_bucket.id}"
   policy = "${data.template_file.bucket_policy.rendered}"
 }
\ No newline at end of file
diff --git a/variables_s3.tf b/variables_s3.tf
index 4d26526..38ff44a 100644
--- a/variables_s3.tf
+++ b/variables_s3.tf
@@ -36,4 +36,8 @@ variable "lifecycle_rule_noncurrent_version_expiration" {
 variable "s3_lifecycle_prevent_destroy" {
   description = "Prevent/allow terraform to destroy the bucket"
   default     = false
+}
+variable "enable_kms_bucket_policy" {
+  description = "Disables unencrypted uploads, enables user uploads with KMS keys"
+  default     = false
 }
\ No newline at end of file
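Review bot: Renaming the resource to `s3_kms_bucket_policy` and gating it on `var.enable_kms_bucket_policy`, whose default in the variables_s3.tf hunk is `false`, turns the policy that denies unencrypted uploads into an opt-in: an existing deployment that upgrades without setting the variable will, as far as the hunk shows, have its bucket policy destroyed on the next apply and unencrypted uploads become possible again. That is a behaviour change for 0.0.1 users and belongs under BACKWARDS INCOMPATIBILITIES in the CHANGELOG hunk rather than under bug fixes. `data.template_file.bucket_policy` is outside the hunk; if the failure with no IAM users came from rendering that template against an empty user list, gating only the resource will not remove it and the data source needs the same guard. Interpolating a boolean straight into `count` is also fragile in 0.11 when a caller passes the string "true"; `count = "${var.enable_kms_bucket_policy ? 1 : 0}"` is the safer form.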
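Review bot: The description of the new `enable_kms_bucket_policy` variable omits the two facts the README hunk states about it: enabling it requires at least one IAM user or the apply fails, and the default `false` means no policy denying unencrypted uploads is applied to the bucket. Suggest `description = "Apply the KMS bucket policy (denies unencrypted uploads, allows uploads by KMS key holders). Requires at least one IAM user; default false applies no bucket policy"`.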