s3 - Back to life (#419)

terraform-modules/aws/s3/bucket/README.md

@@ -0,0 +1,80 @@
+# s3_bucket
+Create an S3 bucket:
+* Versioning
+* Encryption
+* Logging
+* HTTPS access only
+
+## HTTPS access only
+This is a Prowler finding and cloud help with other compliancy.  This will set the bucket
+to accept HTTPS requests only.
+
+```
+var.policy = {
+    "Id": "ExamplePolicy",
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "AllowSSLRequestsOnly",
+        "Action": "s3:*",
+        "Effect": "Deny",
+        "Resource": [
+          "arn:aws:s3:::${bucket_name}",
+          "arn:aws:s3:::${bucket_name}/*"
+        ],
+        "Condition": {
+          "Bool": {
+            "aws:SecureTransport": "false"
+          }
+        },
+        "Principal": "*"
+      }
+    ]
+  }
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_key.kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_policy.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.encryption_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | n/a | `string` | `"us-east-1"` | no |
+| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this bucket. | `bool` | n/a | yes |
+| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for this bucket. | `bool` | n/a | yes |
+| <a name="input_bucket"></a> [bucket](#input\_bucket) | The name of the bucket. If omitted, Terraform will assign a random, unique name. Must be less than or equal to 63 characters in length. | `string` | n/a | yes |
+| <a name="input_deletion_window_in_days"></a> [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | (Optional) The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. | `number` | `10` | no |
+| <a name="input_enable_key_rotation"></a> [enable\_key\_rotation](#input\_enable\_key\_rotation) | (Optional) Specifies whether key rotation is enabled. Defaults to false. | `bool` | `true` | no |
+| <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | n/a | yes |
+| <a name="input_policy"></a> [policy](#input\_policy) | n/a | `string` | `null` | no |
+| <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for this bucket. | `bool` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to the bucket. If configured with a provider default\_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. | `map(any)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_bucket_domain_name"></a> [bucket\_domain\_name](#output\_bucket\_domain\_name) | n/a |
+| <a name="output_bucket_id"></a> [bucket\_id](#output\_bucket\_id) | The ID of the bucket |

terraform-modules/aws/s3/bucket/main.tf

@@ -0,0 +1,67 @@
+resource "aws_kms_key" "kms_key" {
+  description             = "This key is used to encrypt bucket objects"
+  deletion_window_in_days = var.deletion_window_in_days
+
+  enable_key_rotation = var.enable_key_rotation
+
+  tags = var.tags
+}
+
+resource "aws_s3_bucket" "bucket" {
+  bucket = var.bucket
+
+  tags = var.tags
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "encryption_config" {
+  bucket = aws_s3_bucket.bucket.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "acl" {
+  bucket = aws_s3_bucket.bucket.id
+
+  block_public_acls       = var.block_public_acls
+  block_public_policy     = var.block_public_policy
+  ignore_public_acls      = var.ignore_public_acls
+  restrict_public_buckets = var.restrict_public_buckets
+
+}
+
+resource "aws_s3_bucket_policy" "bucket_policy" {
+  bucket = aws_s3_bucket.bucket.id
+  policy = var.policy
+}
+
+resource "aws_s3_bucket_versioning" "versioning" {
+  count = var.enable_versioning ? 1 : 0
+
+  bucket = aws_s3_bucket.bucket.id
+  versioning_configuration {
+    status = var.versioning
+  }
+}
+
+resource "aws_s3_bucket_logging" "logging" {
+  count = var.enable_logging ? 1 : 0
+
+  # Bucket to enable logging on
+  bucket = aws_s3_bucket.bucket.id
+
+  # (Required) The name of the bucket where you want Amazon S3 to store server access logs.
+  target_bucket = var.logging_bucket_name
+  target_prefix = "log/"
+}
+
+resource "aws_s3_bucket_ownership_controls" "bucket_ownership_controls" {
+  count = var.enable_bucket_owner_enforced ? 1 : 0
+  bucket = aws_s3_bucket.bucket.id
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}

terraform-modules/aws/s3/bucket/outputs.tf

@@ -0,0 +1,8 @@
+output "bucket_id" {
+  description = "The ID of the bucket"
+  value       = aws_s3_bucket.bucket.id
+}
+
+output "bucket_domain_name" {
+  value = aws_s3_bucket.bucket.bucket_domain_name
+}

terraform-modules/aws/s3/bucket/test/go.mod

@@ -0,0 +1,8 @@
+module github.com/ManagedKube/kubernetes-ops
+
+go 1.15
+
+require (
+	github.com/gruntwork-io/terratest v0.32.24
+	github.com/stretchr/testify v1.7.0
+)