From c0848cf77790489dd20ba16ef8d84f11c508753e Mon Sep 17 00:00:00 2001 From: "ZOI\\graham.geary" Date: Thu, 9 Aug 2018 11:33:07 +0200 Subject: [PATCH 01/10] Added count of "${local.count_standard_user}" for resource "aws_kms_alias" "kmskeyaliases" --- kms_keys.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/kms_keys.tf b/kms_keys.tf index a9e0b02..58f23e0 100644 --- a/kms_keys.tf +++ b/kms_keys.tf @@ -50,6 +50,7 @@ POLICY # create alias(') for the KMS key(s) resource "aws_kms_alias" "kmskeyaliases" { + count = "${local.count_standard_user}" name = "alias/${element(var.iam_user_s3_standard_names, count.index)}" target_key_id = "${element(aws_kms_key.kmskey.*.key_id, count.index)}" } \ No newline at end of file From dadb04befc0cd3ec645525da4627d01c4ea0f909 Mon Sep 17 00:00:00 2001 From: "ZOI\\graham.geary" Date: Thu, 9 Aug 2018 12:02:11 +0200 Subject: [PATCH 02/10] added count for S3_kms_bucket_policy --- s3_bucket_policy.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/s3_bucket_policy.tf b/s3_bucket_policy.tf index 58f0a6a..0b56b26 100644 --- a/s3_bucket_policy.tf +++ b/s3_bucket_policy.tf @@ -1,5 +1,6 @@ # S3 bucket policy -resource "aws_s3_bucket_policy" "s3_bucket_policy" { +resource "aws_s3_bucket_policy" "s3_kms_bucket_policy" { + count = "${var.enable_kms_bucket_policy}" bucket = "${aws_s3_bucket.s3_bucket.id}" policy = "${data.template_file.bucket_policy.rendered}" } \ No newline at end of file From ed0ac6651cdeea172351e863547c733dec6f978f Mon Sep 17 00:00:00 2001 From: "ZOI\\graham.geary" Date: Thu, 9 Aug 2018 12:02:38 +0200 Subject: [PATCH 03/10] added boolean variable for creating kms bucket policy --- variables_s3.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/variables_s3.tf b/variables_s3.tf index 4d26526..90f7974 100644 --- a/variables_s3.tf +++ b/variables_s3.tf 
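Review bot: The new `count` on "kmskeyaliases" comes from `local.count_standard_user`, while `target_key_id` two lines below selects from `aws_kms_key.kmskey.*.key_id` with `element()`, and nothing in this hunk ties the two counts together; both `local.count_standard_user` and the `kmskey` resource live outside the hunk, so I am assuming they are meant to share one count. If they ever diverge, `element()` wraps around instead of failing and an alias would quietly point at another user's key, which would defeat the per-user key separation the README describes. Making the coupling explicit on the added line would help the next maintainer: `count = "${local.count_standard_user}" # must equal the count on aws_kms_key.kmskey; element() wraps silently if they differ`.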
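Review bot: Renaming the resource from "s3_bucket_policy" to "s3_kms_bucket_policy" changes its state address, so an existing deployment that upgrades will plan to destroy the old bucket policy, and because `enable_kms_bucket_policy` defaults to `false` in the variables_s3.tf hunk, nothing is created in its place — the policy that denies unencrypted uploads disappears on the next apply with no warning. The CHANGELOG hunk records this only as a bug fix; it belongs under BACKWARDS INCOMPATIBILITIES / NOTES with a `terraform state mv` pointer for users who want to keep the policy, and the README should state that the policy is now opt-in. If the rename is not essential, keeping the original name and adding only the `count` line avoids the address change entirely. The same default-off concern applies to the variable added in variables_s3.tf.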
@@ -36,4 +36,8 @@ variable "lifecycle_rule_noncurrent_version_expiration" { variable "s3_lifecycle_prevent_destroy" { description = "Prevent/allow terraform to destroy the bucket" default = false +} +variable "enable_kms_bucket_policy" { + description = "Disalbed unencrypted uploads, enables user uploads with KMS keys" + default = false } \ No newline at end of file From 9f1cd2b551b0b44378266176c7989d823035c0e8 Mon Sep 17 00:00:00 2001 From: "ZOI\\graham.geary" Date: Thu, 9 Aug 2018 12:02:51 +0200 Subject: [PATCH 04/10] Updated change log for bug fixes --- CHANGELOG.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 79ccd7d..9aec300 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,14 +1,10 @@ -## Release Version: 0.0.1 +## Release Version: 0.0.2 BACKWARDS INCOMPATIBILITIES / NOTES: * Tested with terraform v0.11.7 -INITIAL RELEASE: -* S3 Bucket: supports object versioning, lifecycle policy (on whole bucket) to remove object versions older than X days -* IAM Management Users: Admin, Sync -* Standard Users: User keys (directories) with KMS encryption for uploads IMPROVEMENTS: @@ -16,4 +12,5 @@ IMPROVEMENTS: BUG FIXES: -* N/A \ No newline at end of file +* KMS Key Alias preventing bucket creations when no KMS keys are created +* Bucket policy preventing bucket creation when no IAM users are created \ No newline at end of file From c0af00b9584d62714dc1de9ec02528d8719d3674 Mon Sep 17 00:00:00 2001 From: "ZOI\\graham.geary" Date: Thu, 9 Aug 2018 12:03:14 +0200 Subject: [PATCH 05/10] Updated readme documenting KMS bucket variable --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 82ce740..8f6a1bc 100644 --- a/README.md +++ b/README.md 
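Review bot: The description of the new `enable_kms_bucket_policy` variable does not say what the default `false` means for the bucket (unencrypted uploads remain allowed) nor that enabling it requires standard IAM users, which the README hunk later in this series says is a hard requirement or the apply fails; the variable block is where most operators will read it. I would replace the description line with `description = "Apply the KMS bucket policy: denies unencrypted uploads and allows KMS-encrypted uploads by the standard IAM users. Default false leaves unencrypted uploads allowed; when true at least one standard user must be created"`. The enclosing variable block is complete within the hunk.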
@@ -54,6 +54,12 @@ N.b. Object versioning must be enabled to expire current versions and delete pre #### Bucket Lifecycle Prevent Destroy By default the prevent_destroy lifecycle is to "true" to prevent accidental bucket deletion via terraform. +#### The KMS Bucket Policy +Setting the following variable to true, will apply the KMS bucket policy which disabled unencrypted uploads and enables uploads from users which possess KMS keys: +```hcl +enable_kms_bucket_policy = true #default = false +``` + ### IAM Bucket Management Users #### IAM User(s): S3 Bucket Full Permissions Create IAM user(s) with full S3 bucket permissions (These users receive both management console and programmatic access): From e68204d4dec355b085c8c1ca89c6215e0f170991 Mon Sep 17 00:00:00 2001 From: "ZOI\\graham.geary" Date: Thu, 9 Aug 2018 12:15:13 +0200 Subject: [PATCH 06/10] Updated readme defining optional resource creation --- README.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 8f6a1bc..ef9633d 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,13 @@ # AWS S3 Bucket with IAM Access Module Terraform module which creates an S3 bucket with varying levels of access for IAM users. -The following resources can be created: +The following resources will be created: * An S3 bucket +The following resources are optional: * IAM User(s) * IAM Policies * KMS Keys +* KMS Bucket Policy ## Usage ### Specify this Module as Source @@ -22,11 +24,7 @@ The argument for the region is required to specify where the resources should be ```hcl region = "eu-west-1" #default = "eu-central-1" ``` -#### PGP Key -A public PGP key (in binary format) is required for encrypting the IAM secret keys and KMS keys, as these are given in output (Please see outputs below): -```hcl -pgp_keyname = "C123654C.pgp" -``` + ### S3 Bucket Arguments #### Bucket Name Set the bucket name: 
@@ -55,12 +53,13 @@ N.b. Object versioning must be enabled to expire current versions and delete pre By default the prevent_destroy lifecycle is to "true" to prevent accidental bucket deletion via terraform. #### The KMS Bucket Policy -Setting the following variable to true, will apply the KMS bucket policy which disabled unencrypted uploads and enables uploads from users which possess KMS keys: +Setting the following variable to true, will apply the KMS bucket policy which disables unencrypted uploads and enables uploads from users which possess KMS keys (Pleae note if this variable is enabled, IAM Users are REQUIRED to be created, or the apply will fail!): ```hcl enable_kms_bucket_policy = true #default = false ``` ### IAM Bucket Management Users + #### IAM User(s): S3 Bucket Full Permissions Create IAM user(s) with full S3 bucket permissions (These users receive both management console and programmatic access): ```hcl @@ -84,6 +83,12 @@ Create IAM user(s) with their own bucket key (directory) in the S3 bucket. These iam_user_s3_standard_names = ["Huey", "Dewey", "Louie"] ``` +#### PGP Key +A public PGP key (in binary format) is required for encrypting the IAM secret keys and KMS keys, as these are given in output (Please see outputs below): +```hcl +pgp_keyname = "C123654C.pgp" +``` + ### Outputs The following outputs are possible: * bucket_name (The name of the S3 bucket) From 65b2e442764ce0a7ef41834695fc24257931daa7 Mon Sep 17 00:00:00 2001 From: "ZOI\\graham.geary" Date: Thu, 9 Aug 2018 12:18:23 +0200 Subject: [PATCH 07/10] ammended typo --- variables_s3.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables_s3.tf b/variables_s3.tf index 90f7974..38ff44a 100644 --- a/variables_s3.tf +++ b/variables_s3.tf 
@@ -38,6 +38,6 @@ variable "s3_lifecycle_prevent_destroy" { default = false } variable "enable_kms_bucket_policy" { - description = "Disalbed unencrypted uploads, enables user uploads with KMS keys" + description = "Disables unencrypted uploads, enables user uploads with KMS keys" default = false } \ No newline at end of file From 18b22899389bb319937cac652ebd7b744763e02e Mon Sep 17 00:00:00 2001 From: "ZOI\\graham.geary" Date: Thu, 9 Aug 2018 12:57:43 +0200 Subject: [PATCH 08/10] Updated release version on readme --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index ef9633d..dbdaade 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +## Release Version: 0.0.2 + # AWS S3 Bucket with IAM Access Module Terraform module which creates an S3 bucket with varying levels of access for IAM users. From 74d5b3283037a3cbef52618ca3875a94f26e76e1 Mon Sep 17 00:00:00 2001 From: "ZOI\\graham.geary" Date: Thu, 9 Aug 2018 13:02:10 +0200 Subject: [PATCH 09/10] Removed release version title --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index dbdaade..ef9633d 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,3 @@ -## Release Version: 0.0.2 - # AWS S3 Bucket with IAM Access Module Terraform module which creates an S3 bucket with varying levels of access for IAM users. From c8884592215e131006ae89693bd86a1ac6973a2c Mon Sep 17 00:00:00 2001 From: "ZOI\\graham.geary" Date: Thu, 9 Aug 2018 13:02:30 +0200 Subject: [PATCH 10/10] Ammended change log with release version 0.0.2 --- CHANGELOG.md | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9aec300..a26f6a9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -13,4 +13,24 @@ IMPROVEMENTS: BUG FIXES: * KMS Key Alias preventing bucket creations when no KMS keys are created -* Bucket policy preventing bucket creation when no IAM users are created \ No newline at end of file +* Bucket policy preventing bucket creation when no IAM users are created + +## Release Version: 0.0.1 + +BACKWARDS INCOMPATIBILITIES / NOTES: + +* Tested with terraform v0.11.7 + +INITIAL RELEASE: + +* S3 Bucket: supports object versioning, lifecycle policy (on whole bucket) to remove object versions older than X days +* IAM Management Users: Admin, Sync +* Standard Users: User keys (directories) with KMS encryption for uploads + +IMPROVEMENTS: + +* N/A + +BUG FIXES: + +* N/A \ No newline at end of file