diff --git a/modules/storage/s3_bucket_2023/README.md b/modules/storage/s3_bucket_2023/README.md
new file mode 100644
index 0000000..279eaa7
--- /dev/null
+++ b/modules/storage/s3_bucket_2023/README.md
@@ -0,0 +1,39 @@
+# s3_bucket_2023 module
+This module creates s3 bucket, following new terraform standards.
+
+If lifecycle policy is enabled, provide the expiration days.
+Transition days are hard-coded with intelligent-tiering class to simplify administration.
+
+## Example
+```hcl
+module "bucket1" {
+ source = "../../../../whk1-bea-sys-ss-prd-codecommit-sharedmodules/Storage/s3_bucket_2023"
+
+ bucket_name = var.bucket_name1
+ bucket_policy_json = jsonencode(
+ {
+ "Version" : "2012-10-17",
+ "Id" : "",
+ "Statement" : [
+ {
+ "Sid" : "Set permissions for objects",
+ "Effect" : "Allow",
+ "Principal" : {
+ "AWS" : "851239346925"
+ },
+ "Action" : ["s3:ReplicateObject", "s3:ReplicateDelete"],
+ "Resource" : "arn:aws:s3:::${var.bucket_name1}/*"
+ }
+ ]
+ }
+ )
+ enable_encryption = true
+ encryption_key_arn = var.encryption_key_arn
+ enable_versioning = false
+ enable_bucket_logging = false
+ enable_bucket_lifecycle = true
+ current_version_expiration_days = 731
+ noncurrent_version_expiration_days = 731
+}
+
+```
\ No newline at end of file
diff --git a/modules/storage/s3_bucket_2023/main.tf b/modules/storage/s3_bucket_2023/main.tf
new file mode 100644
index 0000000..b075b94
--- /dev/null
+++ b/modules/storage/s3_bucket_2023/main.tf
@@ -0,0 +1,108 @@
+resource "aws_s3_bucket" "this" {
+ bucket = var.bucket_name
+}
+
+resource "aws_s3_bucket_public_access_block" "block_public_access" {
+ bucket = aws_s3_bucket.this.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_policy" "bucket_policy" {
+ bucket = aws_s3_bucket.this.id
+ policy = var.bucket_policy_json
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" {
+ count = var.enable_bucket_lifecycle ? 1 : 0
+ bucket = aws_s3_bucket.this.id
+ rule {
+ id = "CurrentVersion"
+
+ expiration {
+ days = var.current_version_expiration_days
+ }
+
+ status = "Enabled"
+
+ transition {
+ days = 15
+ storage_class = "INTELLIGENT_TIERING"
+ }
+ }
+
+ rule {
+ id = "NonCurrentVersion"
+
+ noncurrent_version_expiration {
+ noncurrent_days = var.noncurrent_version_expiration_days
+ }
+
+ noncurrent_version_transition {
+ noncurrent_days = 15
+ storage_class = "INTELLIGENT_TIERING"
+ }
+
+ status = var.enable_versioning ? "Enabled" : "Disabled"
+ }
+}
+
+
+resource "aws_s3_bucket_intelligent_tiering_configuration" "intel_tiering_config" {
+ bucket = aws_s3_bucket.this.id
+ name = "IntelligentTieringArchiveConfigurations"
+
+ tiering {
+ access_tier = "DEEP_ARCHIVE_ACCESS"
+ days = 180 # minimum
+ }
+ tiering {
+ access_tier = "ARCHIVE_ACCESS"
+ days = 90
+ }
+}
+
+resource "aws_s3_bucket_logging" "logging" {
+ count = var.enable_bucket_logging ? 1 : 0
+ bucket = aws_s3_bucket.this.id
+ target_bucket = var.logging_bucket_id
+ target_prefix = "s3-log/"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
+ count = var.enable_encryption ? 1 : 0
+ bucket = aws_s3_bucket.this.id
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = var.encryption_key_arn
+ sse_algorithm = length(var.encryption_key_arn) > 0 ? "aws:kms" : "AES256"
+ }
+ bucket_key_enabled = length(var.encryption_key_arn) > 0 ? true : false
+ }
+}
+
+resource "aws_s3_bucket_versioning" "versioning" {
+ count = var.enable_versioning ? 1 : 0
+ bucket = aws_s3_bucket.this.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+resource "aws_s3_bucket_replication_configuration" "replication" {
+ count = var.enable_replication && var.enable_versioning ? 1 : 0
+ role = var.replication_role_arn
+ bucket = aws_s3_bucket.this.id
+ rule {
+ id = "replrule1"
+ status = "Enabled"
+ destination {
+ bucket = var.replication_dest_bucket_name
+ storage_class = "INTELLIGENT_TIERING"
+ }
+ }
+}
+
diff --git a/modules/storage/s3_bucket_2023/outputs.tf b/modules/storage/s3_bucket_2023/outputs.tf
new file mode 100644
index 0000000..a2d779b
--- /dev/null
+++ b/modules/storage/s3_bucket_2023/outputs.tf
@@ -0,0 +1,3 @@
+output bucket_name {
+ value = aws_s3_bucket.this.id
+}
\ No newline at end of file
diff --git a/modules/storage/s3_bucket_2023/variables.tf b/modules/storage/s3_bucket_2023/variables.tf
new file mode 100644
index 0000000..860152c
--- /dev/null
+++ b/modules/storage/s3_bucket_2023/variables.tf
@@ -0,0 +1,51 @@
+variable bucket_name {}
+variable bucket_policy_json {}
+variable current_version_expiration_days {
+ type = number
+ default = 2560
+ description = "731 for flowlogs"
+}
+
+variable noncurrent_version_expiration_days {
+ type = number
+ default = 2560
+ description = "731 for flowlogs"
+}
+
+variable enable_bucket_logging {
+ type = bool
+}
+variable logging_bucket_id {
+ type = string
+ default = null
+}
+variable enable_encryption {
+ type = bool
+}
+variable encryption_key_arn {
+ type = string
+ default = ""
+ description = "Leave blank to use AES256"
+}
+variable enable_versioning {
+ type = bool
+}
+variable enable_bucket_lifecycle {
+ type = bool
+}
+
+variable enable_replication {
+ type = bool
+ default = false
+}
+
+variable replication_role_arn {
+ type = string
+ default = null
+}
+
+variable replication_dest_bucket_name {
+ type = string
+ default = null
+}
+
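Review bot: `aws_s3_bucket_policy.bucket_policy` applies the caller-supplied `var.bucket_policy_json` with no `depends_on` on `aws_s3_bucket_public_access_block.block_public_access`, so on a fresh apply the policy can be put before the public-access block exists and the `block_public_policy = true` guardrail never gets the chance to reject it. Add `depends_on = [aws_s3_bucket_public_access_block.block_public_access]` to the policy resource so the ordering is fixed rather than left to the graph. `aws_s3_bucket_lifecycle_configuration.lifecycle` and `aws_s3_bucket_replication_configuration.replication` likewise carry no `depends_on = [aws_s3_bucket_versioning.versioning]`, which the provider documentation asks for on versioned buckets as far as I recall. Separately, `destination.bucket` receives `var.replication_dest_bucket_name`, but that argument takes the destination bucket ARN; if callers pass a bare name the apply fails, so either document that an ARN is expected or build it as `"arn:aws:s3:::${var.replication_dest_bucket_name}"`.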
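Review bot: `output bucket_name {` uses an unquoted block label and has no `description`; `terraform fmt` rewrites it to `output "bucket_name" {`, and a one-line description tells module consumers what they get (the bucket id/name, per `aws_s3_bucket.this.id`). Consider also exposing the ARN, `output "bucket_arn" { value = aws_s3_bucket.this.arn }`, since the README example has to hand-build `arn:aws:s3:::${var.bucket_name1}/*` for the bucket policy and a replication destination takes an ARN.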
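Review bot: `variable bucket_name {}` and `variable bucket_policy_json {}` have no `type` and no `description`, so a wrong value type is only caught when the bucket or policy resource is applied; give both `type = string` plus a description, and for `bucket_policy_json` note that public principals are rejected by the module's public-access block. The `description = "731 for flowlogs"` on the two expiration-day variables is a reminder rather than a description of the value; say what the number does, e.g. `description = "Days after which current object versions expire (731 is the value used for flow logs)"`. `logging_bucket_id`, `replication_role_arn` and `replication_dest_bucket_name` default to `null` while their enable flags are plain booleans, so `enable_bucket_logging = true` with no target bucket fails only at apply time; with `required_version = ">= 1.3.0"` a `validation` block cannot reference another variable, so the check would have to be a `precondition` on the consuming resource or an explicit note in the README.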
diff --git a/modules/storage/s3_bucket_2023/versions.tf b/modules/storage/s3_bucket_2023/versions.tf
new file mode 100644
index 0000000..cd4b7aa
--- /dev/null
+++ b/modules/storage/s3_bucket_2023/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.3.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.72.0"
+ }
+ }
+}
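Review bot: `version = ">= 3.72.0"` admits a 3.x provider, but main.tf uses the split S3 resources (`aws_s3_bucket_lifecycle_configuration`, `aws_s3_bucket_versioning`, `aws_s3_bucket_logging`, `aws_s3_bucket_server_side_encryption_configuration`), which as far as I recall only exist from provider 4.0.0; on an older provider `terraform init` succeeds and `plan` fails with unknown resource types. Raise the floor and add a ceiling so a future major release cannot silently change what this shared module deploys, e.g. `version = ">= 4.0.0, < 6.0.0"`.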