From 89eefd82f6beb57e5058e1b89b6fc26d0133a03e Mon Sep 17 00:00:00 2001
From: Andrew Roth
Date: Tue, 23 Jun 2020 13:29:06 -0400
Subject: [PATCH] make the S3 Bucket Public Access Block optional (#48)
---
 README.md | 1 +
 docs/terraform.md | 1 +
 main.tf | 1 +
 variables.tf | 6 ++++++
 4 files changed, 9 insertions(+)
diff --git a/README.md b/README.md
index bffb9a7..0c97727 100644
--- a/README.md
+++ b/README.md
@@ -186,6 +186,7 @@ Available targets:
 | context | Default context to use for passing state between label invocations |
object({
namespace = string
environment = string
stage = string
name = string
enabled = bool
delimiter = string
attributes = list(string)
label_order = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
})
|
{
"additional_tag_map": {},
"attributes": [],
"delimiter": "",
"enabled": true,
"environment": "",
"label_order": [],
"name": "",
"namespace": "",
"regex_replace_chars": "",
"stage": "",
"tags": {}
}
| no |
 | delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes` | `string` | `"-"` | no |
 | enable\_point\_in\_time\_recovery | Enable DynamoDB point-in-time recovery | `bool` | `false` | no |
+| enable\_public\_access\_block | Enable Bucket Public Access Block | `bool` | `true` | no |
 | enable\_server\_side\_encryption | Enable DynamoDB server-side encryption | `bool` | `true` | no |
 | environment | Environment, e.g. 'prod', 'staging', 'dev', 'pre-prod', 'UAT' | `string` | `""` | no |
 | force\_destroy | A boolean that indicates the S3 bucket can be destroyed even if it contains objects. These objects are not recoverable | `bool` | `false` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index cffc31c..3b1a418 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -30,6 +30,7 @@
 | context | Default context to use for passing state between label invocations |
object({
namespace = string
environment = string
stage = string
name = string
enabled = bool
delimiter = string
attributes = list(string)
label_order = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
})
|
{
"additional_tag_map": {},
"attributes": [],
"delimiter": "",
"enabled": true,
"environment": "",
"label_order": [],
"name": "",
"namespace": "",
"regex_replace_chars": "",
"stage": "",
"tags": {}
}
| no |
 | delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes` | `string` | `"-"` | no |
 | enable\_point\_in\_time\_recovery | Enable DynamoDB point-in-time recovery | `bool` | `false` | no |
+| enable\_public\_access\_block | Enable Bucket Public Access Block | `bool` | `true` | no |
 | enable\_server\_side\_encryption | Enable DynamoDB server-side encryption | `bool` | `true` | no |
 | environment | Environment, e.g. 'prod', 'staging', 'dev', 'pre-prod', 'UAT' | `string` | `""` | no |
 | force\_destroy | A boolean that indicates the S3 bucket can be destroyed even if it contains objects. These objects are not recoverable | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index 8213327..186b151 100644
--- a/main.tf
+++ b/main.tf
@@ -145,6 +145,7 @@ resource "aws_s3_bucket" "default" {
 }
 resource "aws_s3_bucket_public_access_block" "default" {
+ count = var.enable_public_access_block ? 1 : 0
 bucket = aws_s3_bucket.default.id
 block_public_acls = var.block_public_acls
 ignore_public_acls = var.ignore_public_acls
diff --git a/variables.tf b/variables.tf
index a13a622..05a8003 100644
--- a/variables.tf
+++ b/variables.tf
@@ -138,6 +138,12 @@ variable "enable_server_side_encryption" {
 default = true
 }
+variable "enable_public_access_block" {
+ type = bool
+ description = "Enable Bucket Public Access Block"
+ default = true
+}
+
 variable "block_public_acls" {
 type = bool
 description = "Whether Amazon S3 should block public ACLs for this bucket"
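Review bot: Adding `count` to `aws_s3_bucket_public_access_block.default` turns that address into a list, so any `depends_on`, output or other reference to it elsewhere in the module now needs `[0]` (or `one()`); none is visible in this hunk, so that should be confirmed before merge. Nothing in the code says why a Terraform state bucket, whose contents routinely include secrets, would ever be created without the block, so the new line deserves a why-comment, e.g. `# Optional so a caller can manage the public access block outside this module; keep enabled unless that is the case, as the state bucket holds sensitive data.` Flipping the flag to false also destroys the resource rather than leaving the last applied settings in place, which (as far as the provider's delete behaviour goes, worth verifying) removes the block from the bucket entirely; that consequence should be stated where the variable is documented. The resource body continues past the end of the hunk.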
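Review bot: The description `Enable Bucket Public Access Block` gives no hint of what turning it off means, and on a module that provisions a Terraform state bucket that is the thing a user needs to know: with `enable_public_access_block = false` the `block_public_acls`, `ignore_public_acls` and related variables fed into the counted resource have no effect, and the bucket keeps whatever public access settings AWS or another tool applies. I would change the one line to `description = "Whether to create an S3 Public Access Block for the state bucket. Keep this true unless the block is managed elsewhere; when false, block_public_acls, ignore_public_acls and the related settings are ignored."`. Keeping `true` as the default is the right call, and the wording should make clear that disabling it removes the account-independent guard against public exposure of state.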