terraform.aws-baseline-infra/modules/storage/s3_bucket_2023/README.md

s3_bucket_2023 module

This module creates an S3 bucket, following the new Terraform standards.

If the lifecycle policy is enabled, provide the expiration days. Transition days are hard-coded to the Intelligent-Tiering storage class to simplify administration.

Example

module "bucket1" {
  source = "../../../../whk1-bea-sys-ss-prd-codecommit-sharedmodules/Storage/s3_bucket_2023"

  bucket_name = var.bucket_name1

  # Server-side encryption with a customer-managed KMS key. Versioning and
  # bucket access logging are switched off in this example.
  enable_encryption     = true
  encryption_key_arn    = var.encryption_key_arn
  enable_versioning     = false
  enable_bucket_logging = false

  # Lifecycle: current and noncurrent object versions expire after 731 days.
  # The transition to Intelligent-Tiering is fixed inside the module.
  enable_bucket_lifecycle            = true
  current_version_expiration_days    = 731
  noncurrent_version_expiration_days = 731

  # Bucket policy allowing a replication source account to write replicas
  # and replicate deletes into this bucket.
  # NOTE(review): a bare account id as Principal is that account's root, so
  # any IAM identity in the account whose own policies allow it may call
  # these actions; the replication role ARN would be a tighter principal.
  bucket_policy_json = jsonencode({
    Version = "2012-10-17"
    Id      = ""
    Statement = [
      {
        Sid    = "Set permissions for objects"
        Effect = "Allow"
        Principal = {
          AWS = "851239346925"
        }
        Action   = ["s3:ReplicateObject", "s3:ReplicateDelete"]
        Resource = "arn:aws:s3:::${var.bucket_name1}/*"
      }
    ]
  })
}

Note on bucket replication

To securely replicate a bucket to a bucket in another AWS account, a KMS key is required.

Steps to set up replication are:

  1. Create the replication IAM role in the source account, with an assume-role (trust) policy trusting the S3 service:
  {
     "Effect":"Allow",
     "Principal":{
        "Service":"s3.amazonaws.com"
     },
     "Action":"sts:AssumeRole"
  }

The role needs permissions granted in the role's IAM policy. For example:

{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::whk1-bea-icc-mbk-prd-vpc01-flowlog-s3-accept",
            "Sid": ""
        },
        {
            "Action": [
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::whk1-bea-icc-mbk-prd-vpc01-flowlog-s3-accept/*",
            "Sid": ""
        },
        {
            "Action": [
                "s3:ReplicateTags",
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::whk1-bea-icc-log-mbk-prd-vpc01-flowlog-s3-accept/*",
            "Sid": ""
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "arn:aws:kms:ap-east-1:851239346925:key/708b6ece-05f5-40ed-a91c-dbcf2af46407"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Encrypt"
            ],
            "Resource": [
                "arn:aws:kms:ap-east-1:894849410890:key/b555d9d6-d451-4ec8-8ca2-cb6849cadee4"
            ]
        }
    ],
    "Version": "2012-10-17"
}

If an S3 Bucket Key is used, then the following additional permissions need to be granted:

{
         "Action":[
            "kms:Decrypt"
         ],
         "Effect":"Allow",
         "Condition":{
            "StringLike":{
               "kms:ViaService":"s3.ap-east-1.amazonaws.com",
               "kms:EncryptionContext:aws:s3:arn":[
                  "arn:aws:s3:::<source-bucket-name>/*"
               ]
            }
         },
         "Resource":[
           "arn:aws:kms:ap-east-1:<source-account-id>:key/<source-account-key-id>"
         ]
      },
      {
         "Action":[
            "kms:Encrypt"
         ],
         "Effect":"Allow",
         "Condition":{
            "StringLike":{
               "kms:ViaService":"s3.ap-east-1.amazonaws.com",
               "kms:EncryptionContext:aws:s3:arn":[
                  "arn:aws:s3:::<dest-bucket-name>/*"
               ]
            }
         },
         "Resource":[
            "arn:aws:kms:ap-east-1:<dest-account-id>:key/<dest-account-key-id>"
         ]
      }
  1. In the destination account, grant access in the KMS key policy. The example below trusts the source account's root principal; it can be narrowed to the ARN of the replication role created in step 1.
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<dest-account-id>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<src-account-id>:root",
                    "arn:aws:iam::<dest-account-id>:root"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                  "arn:aws:iam::<src-account-id>:root",
                  "arn:aws:iam::<dest-account-id>:root"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "Allow AWS Service to use the key",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "s3.amazonaws.com",
                    "delivery.logs.amazonaws.com",
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}
  1. Edit the destination bucket policy; the `arn:aws:iam::<src-account-id>:root` principal below may likewise be narrowed to the replication role ARN.
{
    "Version": "2012-10-17",
    "Id": "",
    "Statement": [
        {
            "Sid": "Set permissions for objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<src-account-id>:root"
            },
            "Action": [
                "s3:ReplicateDelete",
                "s3:ReplicateObject",
                "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Resource": "arn:aws:s3:::<dest-bucket-name>/*"
        },
        {
            "Sid": "Set permissions on bucket",
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::<src-account-id>:root"
            },
            "Action": [
                "s3:List*",
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::<dest-bucket-name>"
        }
    ]
}