terraform.aws-baseline-infra/modules/storage/s3_bucket_2023
2024-01-13 00:31:26 +08:00
..
main.tf UPD: added force_destroy support tp s3 bucket module 2024-01-13 00:31:26 +08:00
outputs.tf UPD: Added Cwl-firehose-s3 module and pulled a couple updates from upstream repo. 2024-01-13 00:25:30 +08:00
README.md NEW: s3 replication module 2024-01-12 13:49:50 +08:00
variables.tf UPD: added force_destroy support tp s3 bucket module 2024-01-13 00:31:26 +08:00
versions.tf NEW: s3 bucket module 2023-05-25 08:28:19 +08:00

s3_bucket_2023 module

This module creates s3 bucket, following new terraform standards.

If lifecycle policy is enabled, provide the expiration days. Transition days are hard-coded with intelligent-tiering class to simplify administration.

Example

module "bucket1" {
  source = "../../../../whk1-bea-sys-ss-prd-codecommit-sharedmodules/Storage/s3_bucket_2023"

  bucket_name = var.bucket_name1
  bucket_policy_json = jsonencode(
    {
      "Version" : "2012-10-17",
      "Id" : "",
      "Statement" : [
        {
          "Sid" : "Set permissions for objects",
          "Effect" : "Allow",
          "Principal" : {
            "AWS" : "851239346925"
          },
          "Action" : ["s3:ReplicateObject", "s3:ReplicateDelete"],
          "Resource" : "arn:aws:s3:::${var.bucket_name1}/*"
        }
      ]
    }
  )
  enable_encryption                  = true
  encryption_key_arn                 = var.encryption_key_arn
  enable_versioning                  = false
  enable_bucket_logging              = false
  enable_bucket_lifecycle            = true
  current_version_expiration_days    = 731
  noncurrent_version_expiration_days = 731
}

Note on bucket replication

To securely replicate a bucket to a bucket in another aws account, kms key is required.

Steps to setup replication are:

  1. Create replication iam role on the source account, with an assume role policy trusting s3
  {
     "Effect":"Allow",
     "Principal":{
        "Service":"s3.amazonaws.com"
     },
     "Action":"sts:AssumeRole"
  }

The role needs permissions granted in the role iam policy. For example:

{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetReplicationConfiguration"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::whk1-bea-icc-mbk-prd-vpc01-flowlog-s3-accept",
            "Sid": ""
        },
        {
            "Action": [
                "s3:GetObjectVersionTagging",
                "s3:GetObjectVersionForReplication",
                "s3:GetObjectVersionAcl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::whk1-bea-icc-mbk-prd-vpc01-flowlog-s3-accept/*",
            "Sid": ""
        },
        {
            "Action": [
                "s3:ReplicateTags",
                "s3:ReplicateObject",
                "s3:ReplicateDelete",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::whk1-bea-icc-log-mbk-prd-vpc01-flowlog-s3-accept/*",
            "Sid": ""
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": [
                "arn:aws:kms:ap-east-1:851239346925:key/708b6ece-05f5-40ed-a91c-dbcf2af46407"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Encrypt"
            ],
            "Resource": [
                "arn:aws:kms:ap-east-1:894849410890:key/b555d9d6-d451-4ec8-8ca2-cb6849cadee4"
            ]
        }
    ],
    "Version": "2012-10-17"
}

If bucket key is used, then additional permission needs to be granted

{
         "Action":[
            "kms:Decrypt"
         ],
         "Effect":"Allow",
         "Condition":{
            "StringLike":{
               "kms:ViaService":"s3.ap-east-1.amazonaws.com",
               "kms:EncryptionContext:aws:s3:arn":[
                  "arn:aws:s3:::<source-bucket-name>/*"
               ]
            }
         },
         "Resource":[
           "arn:aws:kms:ap-east-1:<source-account-id>:key/<source-account-key-id>"
         ]
      },
      {
         "Action":[
            "kms:Encrypt"
         ],
         "Effect":"Allow",
         "Condition":{
            "StringLike":{
               "kms:ViaService":"s3.ap-east-1.amazonaws.com",
               "kms:EncryptionContext:aws:s3:arn":[
                  "arn:aws:s3:::<dest-bucket-name>/*"
               ]
            }
         },
         "Resource":[
            "arn:aws:kms:ap-east-1:<dest-account-id>:key/<dest-account-key-id>"
         ]
      }
  1. On the destination account, grant access in KMS key policy
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<dest-account-id>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<src-account-id>:root",
                    "arn:aws:iam::<dest-account-id>:root"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                  "arn:aws:iam::<src-account-id>:root",
                  "arn:aws:iam::<dest-account-id>:root"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "Allow AWS Service to use the key",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "s3.amazonaws.com",
                    "delivery.logs.amazonaws.com",
                    "cloudtrail.amazonaws.com"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}
  1. Edit destination bucket policy
{
    "Version": "2012-10-17",
    "Id": "",
    "Statement": [
        {
            "Sid": "Set permissions for objects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<src-account-id>:root"
            },
            "Action": [
                "s3:ReplicateDelete",
                "s3:ReplicateObject",
                "s3:ReplicateTags",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Resource": "arn:aws:s3:::<dest-bucket-name>/*"
        },
        {
            "Sid": "Set permissions on bucket",
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::<src-account-id>:root"
            },
            "Action": [
                "s3:List*",
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::<dest-bucket-name>"
        }
    ]
}