Built with ❤️ by Atomic
A Terraform module for building an encrypted bucket in AWS S3.
To use the module, include something like the following in your terraform configuration:
module "encrypted_bucket" {
source = "[email protected]:infrablocks/terraform-aws-encrypted-bucket.git//src"
bucket_name = "my-organisations-encrypted-bucket"
}
See the Terraform registry entry for more details.
| Name | Description | Default | Required |
|---|---|---|---|
| bucket_name | The name to use for the encrypted S3 bucket. | - | yes |
| bucket_policy_template | A template for the policy to apply to the bucket. Deprecated - use source_policy_json instead. | see policies | no |
| source_policy_json | A source policy for the bucket, additional statements to enable encryption will be added to the policy. | "" | no |
| acl | The canned ACL to apply. | "private" | no |
| tags | A map of additional tags to set on the bucket | {} | no |
| kms_key_arn | If provided, "aws:kms" encryption will be enforced using the KMS key with the provided ARN. By default, "AES-256" encryption is used. | "" | no |
| access_log_bucket_name | The name of the bucket to use for access logging, required when enable_access_logging is "yes". | "" | no |
| access_log_object_key_prefix | The key prefix to use for log objects for access logging. | "" | no |
| public_access_block | An object of public access block settings to apply to the bucket | see below | no |
| public_access_block.block_public_acls | Whether to block public ACLs | false | no |
| public_access_block.block_public_policy | Whether to block public bucket policies | false | no |
| public_access_block.ignore_public_acls | Whether to ignore public ACLs | false | no |
| public_access_block.restrict_public_buckets | Whether to restrict public buckets | false | no |
| mfa_delete | Whether or not to enable MFA delete on the bucket ("true" or "false"). Deprecated - use enable_mfa_delete instead. | "false" | no |
| enable_mfa_delete | Whether or not to enable MFA delete on the bucket ("yes" or "no"). | "no" | no |
| enable_versioning | Whether or not to enable versioning on the bucket ("yes" or "no"). | "yes" | no |
| enable_access_logging | Whether or not to enable access logging on the bucket ("yes" or "no"). | "no" | no |
| enable_bucket_key | Whether or not to use an Amazon S3 Bucket Key for SSE-KMS. ("yes" or "no"). | "no" | no |
| allow_destroy_when_objects_present | Whether or not to allow the bucket to be destroyed if it still contains objects ("yes" or "no"). | "no" | no |
By default, a bucket policy that enforces encrypted inflight operations, encryption using the correct algorithm, and encryption using the correct key is applied to the bucket.
In the case that further statements need to be applied, there are two methods that can be used:
- A
bucket_policy_templatecan be provided that will receivedeny_encryption_using_incorrect_algorithm_fragment,deny_encryption_using_incorrect_key_fragmentanddeny_unencrypted_inflight_operations_fragmentstatement fragments along with thebucket_nameand the resulting policy will be used instead. - A
source_policy_jsoncan be provided and the additional statements will be added to this policy before being attached to the bucket
The provided tags map, when present will be merged with a compulsory tags map
containing a Name tag equal to the bucket name.
| Name | Description |
|---|---|
| bucket_name | The name of the created bucket |
| bucket_arn | The ARN of the created bucket |
This module is compatible with Terraform versions greater than or equal to Terraform 0.14.
- s3:CreateBucket
- s3:ListBucket
- s3:GetBucketCORS
- s3:GetBucketVersioning
- s3:GetAccelerateConfiguration
- s3:GetBucketRequestPayment
- s3:GetBucketLogging
- s3:GetLifecycleConfiguration
- s3:GetReplicationConfiguration
- s3:GetBucketLocation
- s3:GetBucketTagging
- s3:PutBucketTagging
- s3:PutBucketVersioning
- s3:PutBucketPolicy
- s3:PutBucketAcl
- s3:DeleteBucketPolicy
- s3:DeleteBucket
If public access block settings are specified
- s3:GetBucketPolicyStatus
- s3:GetBucketPublicAccessBlock
- s3:PutBucketPublicAccessBlock
In order for the build to run correctly, a few tools will need to be installed on your development machine:
- Ruby (2.7.5)
- Bundler
- git
- git-crypt
- gnupg
- direnv
Installing the required tools is best managed by homebrew.
To install homebrew:
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Then, to install the required tools:
# ruby
brew install rbenv
brew install ruby-build
echo 'eval "$(rbenv init - bash)"' >> ~/.bash_profile
echo 'eval "$(rbenv init - zsh)"' >> ~/.zshrc
eval "$(rbenv init -)"
rbenv install 2.7.5
rbenv rehash
rbenv local 2.7.5
gem install bundler
# git, git-crypt, gnupg
brew install git
brew install git-crypt
brew install gnupg
# direnv
brew install direnv
echo "$(direnv hook bash)" >> ~/.bash_profile
echo "$(direnv hook zsh)" >> ~/.zshrc
eval "$(direnv hook $SHELL)"
direnv allow <repository-directory>
To provision module infrastructure, run tests and then destroy that infrastructure, execute:
./goTo provision the module contents:
./go deployment:harness:provision[<deployment_identifier>]To destroy the module contents:
./go deployment:harness:destroy[<deployment_identifier>]To encrypt a GPG key for use by CircleCI:
openssl aes-256-cbc \
-e \
-md sha1 \
-in ./config/secrets/ci/gpg.private \
-out ./.circleci/gpg.private.enc \
-k "<passphrase>"To check decryption is working correctly:
openssl aes-256-cbc \
-d \
-md sha1 \
-in ./.circleci/gpg.private.enc \
-k "<passphrase>"Bug reports and pull requests are welcome on GitHub at https://github.com/infrablocks/terraform-aws-encrypted-bucket. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
The library is available as open source under the terms of the MIT License.