When cloning this repository, use the `--recursive` option so that the submodule is initialized and updated along with it.
Configure an IAM user with programmatic access only and apply the following policy to that account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "kms:GetPublicKey",
        "s3:*",
        "kms:GetKeyPolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "kms:ListResourceTags",
        "kms:GetParametersForImport",
        "iam:ListInstanceProfilesForRole",
        "kms:DescribeCustomKeyStores",
        "kms:GetKeyRotationStatus",
        "kms:ScheduleKeyDeletion",
        "kms:DescribeKey",
        "kms:CreateKey"
      ],
      "Resource": "*"
    }
  ]
}
```
Note: You may want to tune the above policy with stricter permissions.
This project assumes only EC2 instances will access the created buckets (it creates an IAM role for that purpose and displays the resulting ARN among the output variables).
The access policy can be configured per bucket (see below).
Make sure you properly back up your `terraform.tfstate` or use a different backend to store it. By default, terraform will save it to the local directory from where it is being invoked.
You can configure your AWS global settings in `aws.tf`. Credentials can be provided in this file, via environment variables or via a shared credentials file. For more information see the Terraform AWS Provider Documentation.
Configuration in this directory creates as many S3 buckets as declared in `terraform.tfvars`. Each bucket can have its own configuration for the items listed below:
- bucket access policy
- versioning
- lifecycle rules
- server-side encryption
- object locking
The upstream terraform-aws-s3-bucket module allows for extra configuration parameters that are outside the scope of this project but could be incorporated later, such as:
- static web-site hosting
- CORS
If you add these to your project, please create a pull request.
Create a `terraform.tfvars` file with the following structure:

```hcl
buckets = {
  bucket1 = { ... },
  bucket2 = { ... },
  ...
  bucketN = { ... },
}
```
For each bucket you can define the following variables:

```hcl
bucket                = "my-bucket-name",
bucket_policy_actions = ["s3:*"],
acl                   = "private",
force_destroy         = true,
attach_policy         = true,
tags = {
  project = "my_project_name",
  name    = "my_bucket_name",
},
versioning = {
  enabled = true
},
lifecycle_rule = [
  {
    id      = "root"
    enabled = true
    prefix  = "/"
    tags = {
      rule      = "root"
      autoclean = "true"
    }
    transition = [
      {
        days          = 30
        storage_class = "ONEZONE_IA"
      }, {
        days          = 60
        storage_class = "GLACIER"
      }
    ]
    expiration = {
      days = 90
    }
    noncurrent_version_expiration = {
      days = 30
    }
  },
],
object_lock_configuration = {
  object_lock_enabled = "Enabled"
  rule = {
    default_retention = {
      mode  = "COMPLIANCE"
      years = 5
    }
  }
},
# S3 bucket-level Public Access Block configuration
block_public_acls       = true,
block_public_policy     = true,
ignore_public_acls      = true,
restrict_public_buckets = true,
```
See an example here.
For more details, visit the Terraform AWS Provider Documentation
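A complete `terraform.tfvars` declaring two differently configured buckets, as an added example that is not part of the project. Bucket and tag names are constructed; it assumes the project passes each entry's attributes through to the upstream module unchanged (so an empty `object_lock_configuration` map leaves Object Lock off) and that the project's `buckets` variable accepts the attributes used here.

```hcl
buckets = {
  # Audit-log archive: versioned, tiered to cheaper storage, and locked in COMPLIANCE
  # mode so nothing can delete or overwrite an object before retention ends.
  audit_logs = {
    bucket                = "example-audit-logs"
    acl                   = "private"
    force_destroy         = false
    attach_policy         = true
    # Least privilege for the EC2 role: write and read, no delete.
    bucket_policy_actions = ["s3:PutObject", "s3:GetObject", "s3:ListBucket"]
    tags                  = { project = "example_project", name = "audit_logs" }
    versioning            = { enabled = true } # Object Lock requires versioning
    lifecycle_rule = [
      {
        id      = "archive"
        enabled = true
        transition = [
          { days = 30, storage_class = "STANDARD_IA" },
          { days = 180, storage_class = "GLACIER" }
        ]
        noncurrent_version_expiration = { days = 30 }
      }
    ]
    object_lock_configuration = {
      object_lock_enabled = "Enabled"
      rule = { default_retention = { mode = "COMPLIANCE", years = 1 } }
    }
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true
  }
  # Scratch bucket: read-only for the role, no versioning or lock, disposable.
  scratch = {
    bucket                    = "example-scratch"
    acl                       = "private"
    force_destroy             = true
    attach_policy             = true
    bucket_policy_actions     = ["s3:GetObject", "s3:ListBucket"]
    tags                      = { project = "example_project", name = "scratch" }
    versioning                = { enabled = false }
    lifecycle_rule            = []
    object_lock_configuration = {} # empty map leaves Object Lock off (assumed pass-through)
    block_public_acls         = true
    block_public_policy       = true
    ignore_public_acls        = true
    restrict_public_buckets   = true
  }
}
```

Because `force_destroy` is false on the archive bucket and its objects are under COMPLIANCE retention, `terraform destroy` will refuse to remove it until the retention period has passed.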
To create the specified resources you need to execute:

```shell
terraform init
terraform plan
terraform apply
```

Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources anymore.
Requirements

| Name | Version |
|---|---|
| terraform | >= 0.13.2, < 0.14 |
| aws | >= 3.0, < 4.0 |

Providers

| Name | Version |
|---|---|
| aws | >= 3.0, < 4.0 |

Outputs

| Name | Description |
|---|---|
| this_aws_iam_role_arn | The ARN of the role that will have access to the buckets, of the form `arn:aws:iam::account-id:role/rolename`. |
| this_s3_bucket_arn | The ARN of the bucket, of the form `arn:aws:s3:::bucketname`. |
| this_s3_bucket_bucket_domain_name | The bucket domain name, of the form `bucketname.s3.amazonaws.com`. |
| this_s3_bucket_bucket_regional_domain_name | The bucket region-specific domain name, i.e. the bucket domain name including the region name. |
| this_s3_bucket_hosted_zone_id | The Route 53 Hosted Zone ID for this bucket's region. |
| this_s3_bucket_id | The name of the bucket. |