diff --git a/modules/terraform-setup/README.md b/modules/terraform-setup/README.md
new file mode 100644
index 0000000..361b2f0
--- /dev/null
+++ b/modules/terraform-setup/README.md
@@ -0,0 +1,6 @@
+# terraform-setup module Module for creating terraform state bucket and locks. + The output ```provider-config-block``` shows how to configure terraform provider. + Please enable terraform default tags. See https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider
\ No newline at end of file
diff --git a/modules/terraform-setup/main.tf b/modules/terraform-setup/main.tf
new file mode 100644
index 0000000..a4b79b1
--- /dev/null
+++ b/modules/terraform-setup/main.tf
@@ -0,0 +1,98 @@
+resource "aws_s3_bucket" "s3bucket" {
+ bucket = var.bucket-name
+}
+
+resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {
+ depends_on = [aws_s3_bucket.s3bucket]
+ bucket = aws_s3_bucket.s3bucket.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_ownership_controls" "bucket-ownership-setting" {
+ depends_on = [aws_s3_bucket_public_access_block.s3-public-access-settings]
+ bucket = aws_s3_bucket.s3bucket.id
+
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "bucket-lifecycle-config" {
+ count = var.bucket-enable-lifecycle ? 1 : 0
+
+ bucket = aws_s3_bucket.s3bucket.bucket
+
+ rule {
+ id = "default"
+ status = "Enabled"
+
+ dynamic "noncurrent_version_expiration" {
+ for_each = var.enable-bucket-versioning ? [1] : []
+ content {
+ noncurrent_days = 90
+ }
+ }
+
+ dynamic "expiration" {
+ for_each = var.bucket-retain-days > 0 ? [1] : []
+ content {
+ days = var.bucket-retain-days
+ }
+ }
+
+ transition {
+ days = var.transition-ia-days
+ storage_class = "STANDARD_IA"
+ }
+ }
+}
+
+resource "aws_s3_bucket_versioning" "bucket-versioning" {
+ count = var.enable-bucket-versioning ?
1 : 0
+ bucket = aws_s3_bucket.s3bucket.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "bucket-encryption" {
+ bucket = aws_s3_bucket.s3bucket.bucket
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+}
+
+resource "aws_s3_bucket_acl" "bucket-acl" {
+ bucket = aws_s3_bucket.s3bucket.bucket
+ acl = var.bucket-acl
+}
+
+resource "aws_s3_bucket_policy" "bucket-policy" {
+ bucket = aws_s3_bucket.s3bucket.bucket
+ policy = var.bucket-policy-json
+}
+
+resource "aws_dynamodb_table" "tfstate-lock-table" {
+ name = var.ddb-table-name
+ billing_mode = "PAY_PER_REQUEST"
+ hash_key = "LockID"
+ point_in_time_recovery {
+ enabled = true
+ }
+ # If enabled is false then server-side encryption is set to AWS owned CMK (shown as DEFAULT in the AWS console)
+ server_side_encryption {
+ enabled = false
+ }
+ attribute {
+ name = "LockID"
+ type = "S"
+ }
+}
+
+data aws_caller_identity this {}
diff --git a/modules/terraform-setup/outputs.tf b/modules/terraform-setup/outputs.tf
new file mode 100644
index 0000000..c31f977
--- /dev/null
+++ b/modules/terraform-setup/outputs.tf
@@ -0,0 +1,27 @@
+output bucket-name {
+ value = aws_s3_bucket.s3bucket.id
+}
+
+output bucket_regional_domain_name {
+ value = aws_s3_bucket.s3bucket.bucket_regional_domain_name
+}
+
+output ddb-table-name {
+ value = aws_dynamodb_table.tfstate-lock-table.name
+}
+
+output ddb-table-arn {
+ value = aws_dynamodb_table.tfstate-lock-table.arn
+}
+
+output provider-config-block {
+ value = <
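Review bot: The lifecycle rule in `aws_s3_bucket_lifecycle_configuration.bucket-lifecycle-config` applies `expiration { days = var.bucket-retain-days }` to every object in what the README calls the Terraform state bucket, so any non-zero `bucket-retain-days` (its default is not in this diff) deletes the current state file itself rather than only superseded versions; for a state bucket the age-based cleanup belongs on `noncurrent_version_expiration` alone, with the `expiration` block dropped or reduced to `expiration { expired_object_delete_marker = true }`. Versioning is likewise optional (`count = var.enable-bucket-versioning ? 1 : 0` on `aws_s3_bucket_versioning.bucket-versioning`), which leaves no way to recover a corrupted or overwritten state object, and the lock table's `enabled = false` server-side encryption setting is the only deliberate weakening left undocumented beyond the inline comment. When versioning is on, the lifecycle resource should also carry `depends_on = [aws_s3_bucket_versioning.bucket-versioning]` so the `noncurrent_version_expiration` rule is not applied before versioning exists. Separately, `aws_s3_bucket_acl.bucket-acl` and `aws_s3_bucket_policy.bucket-policy` take caller-supplied `var.bucket-acl` and `var.bucket-policy-json` with no baseline; merging a fixed deny statement conditioned on `aws:SecureTransport` being false into the policy, and setting `object_ownership = "BucketOwnerEnforced"` so ACLs are retired entirely, would make the state bucket's posture independent of what the caller passes in.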