NEW: s3 bucket module

modules/storage/s3_bucket_2023/README.md

@@ -0,0 +1,39 @@
+# s3_bucket_2023 module
+This module creates s3 bucket, following new terraform standards.
+
+If lifecycle policy is enabled, provide the expiration days. 
+Transition days are hard-coded with intelligent-tiering class to simplify administration.
+
+## Example
+```hcl
+module "bucket1" {
+  source = "../../../../whk1-bea-sys-ss-prd-codecommit-sharedmodules/Storage/s3_bucket_2023"
+
+  bucket_name = var.bucket_name1
+  bucket_policy_json = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Id" : "",
+      "Statement" : [
+        {
+          "Sid" : "Set permissions for objects",
+          "Effect" : "Allow",
+          "Principal" : {
+            "AWS" : "851239346925"
+          },
+          "Action" : ["s3:ReplicateObject", "s3:ReplicateDelete"],
+          "Resource" : "arn:aws:s3:::${var.bucket_name1}/*"
+        }
+      ]
+    }
+  )
+  enable_encryption                  = true
+  encryption_key_arn                 = var.encryption_key_arn
+  enable_versioning                  = false
+  enable_bucket_logging              = false
+  enable_bucket_lifecycle            = true
+  current_version_expiration_days    = 731
+  noncurrent_version_expiration_days = 731
+}
+
+```

modules/storage/s3_bucket_2023/main.tf

@@ -0,0 +1,108 @@
+resource "aws_s3_bucket" "this" {
+  bucket = var.bucket_name
+}
+
+resource "aws_s3_bucket_public_access_block" "block_public_access" {
+  bucket = aws_s3_bucket.this.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "bucket_policy" {
+  bucket = aws_s3_bucket.this.id
+  policy = var.bucket_policy_json
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" {
+  count  = var.enable_bucket_lifecycle ? 1 : 0
+  bucket = aws_s3_bucket.this.id
+  rule {
+    id = "CurrentVersion"
+
+    expiration {
+      days = var.current_version_expiration_days
+    }
+
+    status = "Enabled"
+
+    transition {
+      days          = 15
+      storage_class = "INTELLIGENT_TIERING"
+    }
+  }
+
+  rule {
+    id = "NonCurrentVersion"
+
+    noncurrent_version_expiration {
+      noncurrent_days = var.noncurrent_version_expiration_days
+    }
+
+    noncurrent_version_transition {
+      noncurrent_days = 15
+      storage_class   = "INTELLIGENT_TIERING"
+    }
+
+    status = var.enable_versioning ? "Enabled" : "Disabled"
+  }
+}
+
+
+resource "aws_s3_bucket_intelligent_tiering_configuration" "intel_tiering_config" {
+  bucket = aws_s3_bucket.this.id
+  name   = "IntelligentTieringArchiveConfigurations"
+
+  tiering {
+    access_tier = "DEEP_ARCHIVE_ACCESS"
+    days        = 180 # minimum
+  }
+  tiering {
+    access_tier = "ARCHIVE_ACCESS"
+    days        = 90
+  }
+}
+
+resource "aws_s3_bucket_logging" "logging" {
+  count         = var.enable_bucket_logging ? 1 : 0
+  bucket        = aws_s3_bucket.this.id
+  target_bucket = var.logging_bucket_id
+  target_prefix = "s3-log/"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
+  count  = var.enable_encryption ? 1 : 0
+  bucket = aws_s3_bucket.this.id
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = var.encryption_key_arn
+      sse_algorithm     = length(var.encryption_key_arn) > 0 ? "aws:kms" : "AES256"
+    }
+    bucket_key_enabled = length(var.encryption_key_arn) > 0 ? true : false
+  }
+}
+
+resource "aws_s3_bucket_versioning" "versioning" {
+  count  = var.enable_versioning ? 1 : 0
+  bucket = aws_s3_bucket.this.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_replication_configuration" "replication" {
+  count      = var.enable_replication && var.enable_versioning ? 1 : 0
+  role       = var.replication_role_arn
+  bucket     = aws_s3_bucket.this.id
+  rule {
+    id     = "replrule1"
+    status = "Enabled"
+    destination {
+      bucket        = var.replication_dest_bucket_name
+      storage_class = "INTELLIGENT_TIERING"
+    }
+  }
+}
+

modules/storage/s3_bucket_2023/outputs.tf

@@ -0,0 +1,3 @@
+output bucket_name {
+  value = aws_s3_bucket.this.id
+}

modules/storage/s3_bucket_2023/variables.tf

@@ -0,0 +1,51 @@
+variable bucket_name {}
+variable bucket_policy_json {}
+variable current_version_expiration_days {
+  type = number
+  default = 2560
+  description = "731 for flowlogs"
+}
+
+variable noncurrent_version_expiration_days {
+  type = number
+  default = 2560
+  description = "731 for flowlogs"
+}
+
+variable enable_bucket_logging {
+  type = bool
+}
+variable logging_bucket_id {
+  type = string
+  default = null
+}
+variable enable_encryption {
+  type = bool
+}
+variable encryption_key_arn {
+  type = string
+  default = ""
+  description = "Leave blank to use AES256"
+}
+variable enable_versioning {
+  type = bool
+}
+variable enable_bucket_lifecycle {
+  type = bool
+}
+
+variable enable_replication {
+  type = bool
+  default = false
+}
+
+variable replication_role_arn {
+  type = string
+  default = null
+}
+
+variable replication_dest_bucket_name {
+  type = string
+  default = null
+}
+

modules/storage/s3_bucket_2023/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.72.0"
+    }
+  }
+}