Merge pull request #26 from ministryofjustice/block-pub-on

Block public access resource added
ministryofjustice · Jul 15, 2020 · 8697b8b · 8697b8b
2 parents ba94d7d + 7d4c62f
commit 8697b8b
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -26,6 +26,21 @@ module "example_team_s3" {
   infrastructure-support = "[email protected]"
 
  /* 
+
+  * Public Buckets: It is strongly advised to keep buckets 'private' and only make public where necessary. 
+                    By default buckets are private, however to create a 'public' bucket add the following two variables when calling the module:
+
+                    acl                           = "public-read"
+                    enable_allow_block_pub_access = false
+
+                    For more information granting public access to S3 buckets, please see AWS documentation: 
+                    https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
+
+  * Converting existing private bucket to public: If amending an existing private bucket that was created using version 4.3 or above then you will need to raise two PRs:
+                    
+                    (1) First PR to add the var: enable_allow_block_pub_access = false
+                    (2) Second PR to add the var: acl = "public-read"
+
   * Versioning: By default this is set to false. When set to true multiple versions of an object can be stored
                 For more details on versioning please visit: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
   
@@ -199,3 +214,6 @@ aws s3 sync --delete \
 ```
 
 For an example of a pod with a custom CLI that wraps s3 sync you can see the [cccd-migrator](https://github.com/ministryofjustice/cccd-migrator)
+
+
+
diff --git a/example/main.tf b/example/main.tf
@@ -1,5 +1,6 @@
+
 terraform {
-  backend "s3" {
+   backend "s3" {
   }
 }
 

diff --git a/example/s3.tf b/example/s3.tf
@@ -6,14 +6,30 @@
  */
 module "example_team_s3_bucket" {
 
-  source = "github.com/ministryofjustice/cloud-platform-terraform-s3-bucket?ref=4.2"
+  source = "github.com/ministryofjustice/cloud-platform-terraform-s3-bucket?ref=4.3"
   team_name              = "cloudplatform"
   business-unit          = "mojdigital"
   application            = "cloud-platform-terraform-s3-bucket"
   is-production          = "false"
   environment-name       = "development"
   infrastructure-support = "[email protected]"
+
  /* 
+
+  * Public Buckets: It is strongly advised to keep buckets 'private' and only make public where necessary. 
+                    By default buckets are private, however to create a 'public' bucket add the following two variables when calling the module:
+
+                    acl                           = "public-read"
+                    enable_allow_block_pub_access = false
+
+                    For more information granting public access to S3 buckets, please see AWS documentation: 
+                    https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
+
+  * Converting existing private bucket to public: If amending an existing private bucket that was created using version 4.3 or above then you will need to raise two PRs:
+                    
+                    (1) First PR to add the var: enable_allow_block_pub_access = false
+                    (2) Second PR to add the var: acl = "public-read"
+
   * Versioning: By default this is set to false. When set to true multiple versions of an object can be stored
                 For more details on versioning please visit: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
   
@@ -163,6 +179,7 @@ EOF
   }
 }
 
+
 resource "kubernetes_secret" "example_team_s3_bucket" {
   metadata {
     name      = "example-team-s3-bucket-output"
@@ -175,5 +192,4 @@ resource "kubernetes_secret" "example_team_s3_bucket" {
     bucket_arn        = module.example_team_s3_bucket.bucket_arn
     bucket_name       = module.example_team_s3_bucket.bucket_name
   }
-}
-
+}
diff --git a/main.tf b/main.tf
@@ -25,6 +25,7 @@ data "template_file" "user_policy" {
 }
 
 resource "aws_s3_bucket" "bucket" {
+
   bucket        = "cloud-platform-${random_id.id.hex}"
   acl           = var.acl
   force_destroy = "true"
@@ -185,3 +186,15 @@ resource "aws_iam_user_policy" "policy" {
   user   = aws_iam_user.user.name
 }
 
+resource "aws_s3_bucket_public_access_block" "block_public_access" {
+
+  count  = var.enable_allow_block_pub_access ? 1 : 0
+  bucket = aws_s3_bucket.bucket.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+
+}
+
diff --git a/variables.tf b/variables.tf
@@ -42,17 +42,17 @@ variable "versioning" {
 
 variable "log_target_bucket" {
   description = "Set the target bucket for logs"
-  default = ""
+  default     = ""
 }
 
 variable "logging_enabled" {
   description = "Set the logging for bucket"
-  default = false
+  default     = false
 }
 
 variable "log_path" {
   description = "Set the path of the logs"
-  default = ""
+  default     = ""
 }
 
 
@@ -66,3 +66,9 @@ variable "cors_rule" {
   default     = []
 }
 
+
+variable "enable_allow_block_pub_access" {
+  description = "Enable whether to allow for the bucket to be blocked from public access"
+  default     = true
+  type        = bool
+}