From 98b507e95b7037ba82d9cb7230b571eae30c1204 Mon Sep 17 00:00:00 2001 From: Imran Awan Date: Tue, 14 Jul 2020 17:16:53 +0100 Subject: [PATCH 1/7] initial commit --- example/main.tf | 4 ---- example/s3.tf | 18 ++++-------------- main.tf | 13 +++++++++++++ variables.tf | 6 ++++++ 4 files changed, 23 insertions(+), 18 deletions(-) diff --git a/example/main.tf b/example/main.tf index 2e17398..1b772ad 100644 --- a/example/main.tf +++ b/example/main.tf @@ -1,7 +1,3 @@ -terraform { - backend "s3" { - } -} provider "aws" { region = "eu-west-1" diff --git a/example/s3.tf b/example/s3.tf index b7513da..258b59a 100644 --- a/example/s3.tf +++ b/example/s3.tf @@ -6,13 +6,16 @@ */ module "example_team_s3_bucket" { - source = "github.com/ministryofjustice/cloud-platform-terraform-s3-bucket?ref=4.2" + //source = "github.com/ministryofjustice/cloud-platform-terraform-s3-bucket?ref=4.2" + source = "../" team_name = "cloudplatform" business-unit = "mojdigital" application = "cloud-platform-terraform-s3-bucket" is-production = "false" environment-name = "development" infrastructure-support = "platform@digtal.justice.gov.uk" + + /* * Versioning: By default this is set to false. When set to true multiple versions of an object can be stored For more details on versioning please visit: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html @@ -163,17 +166,4 @@ EOF } } -resource "kubernetes_secret" "example_team_s3_bucket" { - metadata { - name = "example-team-s3-bucket-output" - namespace = "my-namespace" - } - - data = { - access_key_id = module.example_team_s3_bucket.access_key_id - secret_access_key = module.example_team_s3_bucket.secret_access_key - bucket_arn = module.example_team_s3_bucket.bucket_arn - bucket_name = module.example_team_s3_bucket.bucket_name - } -} diff --git a/main.tf b/main.tf index 9277eb9..dc07d88 100644 --- a/main.tf +++ b/main.tf 
@@ -25,6 +25,7 @@ data "template_file" "user_policy" { } resource "aws_s3_bucket" "bucket" { + bucket = "cloud-platform-${random_id.id.hex}" acl = var.acl force_destroy = "true" @@ -185,3 +186,15 @@ resource "aws_iam_user_policy" "policy" { user = aws_iam_user.user.name } +resource "aws_s3_bucket_public_access_block" "block_public_access" { + + count = var.enable_allow_block_pub_access ? 1 : 0 + bucket = aws_s3_bucket.bucket.id + + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true + +} + diff --git a/variables.tf b/variables.tf index ae8a3fc..7471973 100644 --- a/variables.tf +++ b/variables.tf @@ -66,3 +66,9 @@ variable "cors_rule" { default = [] } + +variable "enable_allow_block_pub_access" { + description = "Enable whether to allow for the bucket to be blocked from public access" + default = true + type = bool +} \ No newline at end of file From 4b8ef88aa2eeab9f8b408c0cb3c4341395bebcee Mon Sep 17 00:00:00 2001 From: Imran Awan Date: Wed, 15 Jul 2020 12:33:56 +0100 Subject: [PATCH 2/7] added new vars --- example/main.tf | 5 +++++ example/s3.tf | 10 +++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/example/main.tf b/example/main.tf index 1b772ad..22cc4fb 100644 --- a/example/main.tf +++ b/example/main.tf @@ -1,4 +1,9 @@ +terraform { + backend "s3" { + } +} + provider "aws" { region = "eu-west-1" } diff --git a/example/s3.tf b/example/s3.tf index 258b59a..05ad063 100644 --- a/example/s3.tf +++ b/example/s3.tf @@ -6,8 +6,7 @@ */ module "example_team_s3_bucket" { - //source = "github.com/ministryofjustice/cloud-platform-terraform-s3-bucket?ref=4.2" - source = "../" + source = "github.com/ministryofjustice/cloud-platform-terraform-s3-bucket?ref=4.2" team_name = "cloudplatform" business-unit = "mojdigital" application = "cloud-platform-terraform-s3-bucket" 
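Review bot: `bucket = "cloud-platform-${random_id.id.hex}"` gives an explicit name to an `aws_s3_bucket` that the visible context did not name before, and on the AWS provider `bucket` forces replacement, so buckets already created by earlier versions of this module with a generated name would presumably be destroyed and recreated on upgrade unless state already holds this value; that is worth confirming with a plan against an existing deployment and calling out in the release notes. `random_id.id` is not defined in this hunk, so it is assumed to exist elsewhere in main.tf. A one-line comment above the attribute, `# Explicit name: changing it replaces the bucket (and its contents)`, would make the constraint visible to maintainers. The resource block continues outside the hunk.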
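Review bot: Gating `aws_s3_bucket_public_access_block` with `count = var.enable_allow_block_pub_access ? 1 : 0` means that flipping the variable to `false` on an existing bucket makes Terraform destroy the block resource, removing all four protections in a single apply, while the bucket's `acl = var.acl` in the earlier hunk is set independently; nothing in the module ties the two together, so the safe-by-default intent rests entirely on the caller never setting the variable without also reviewing the ACL and any bucket policy. The variable name also reads as a double negative ("enable_allow_block"), which makes `false` hard to interpret at a glance. At minimum the behaviour should be stated on the resource, e.g. `# count = 0 deletes the public access block; the bucket is then governed only by var.acl and any bucket policy`, and the rationale for the default of `true` belongs in the README.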
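Review bot: The description on `enable_allow_block_pub_access` ("Enable whether to allow for the bucket to be blocked from public access") does not say what the variable actually does, and the phrasing is a double negative; suggest `description = "When true, attach an aws_s3_bucket_public_access_block that blocks public ACLs and bucket policies. Set to false only for a bucket that is intended to be public."`. The hunk also leaves variables.tf without a trailing newline (`\ No newline at end of file`), which the later terraform fmt commit in this series does not appear to touch.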
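Review bot: The re-added `backend "s3" { }` block in example/main.tf is empty, which Terraform treats as a partial backend configuration that has to be completed at `terraform init` via `-backend-config`, and a reader of the example has no way to know which settings are expected. Suggest a comment inside the block: `# Partial configuration: bucket, key and region are supplied with terraform init -backend-config=...`. The first commit in this series removed the same block and this one restores it, so a short note on why the example needs a remote backend would also help.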
@@ -15,8 +14,13 @@ module "example_team_s3_bucket" { environment-name = "development" infrastructure-support = "platform@digtal.justice.gov.uk" - /* + + Public Buckets: By default, buckets are private, however to create a 'public' bucket add the following two variables when calling the module + acl = "public-read" + enable_allow_block_pub_access = false + + * Versioning: By default this is set to false. When set to true multiple versions of an object can be stored For more details on versioning please visit: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html From a971642622180c802e752f8f49ab4579666123bb Mon Sep 17 00:00:00 2001 From: Imran Awan Date: Wed, 15 Jul 2020 14:55:36 +0100 Subject: [PATCH 3/7] amended README --- example/main.tf | 2 +- example/s3.tf | 12 +++++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/example/main.tf b/example/main.tf index 22cc4fb..ce2d47d 100644 --- a/example/main.tf +++ b/example/main.tf @@ -1,6 +1,6 @@ terraform { - backend "s3" { + backend "s3" { } } diff --git a/example/s3.tf b/example/s3.tf index 05ad063..b73e5a8 100644 --- a/example/s3.tf +++ b/example/s3.tf @@ -6,7 +6,7 @@ */ module "example_team_s3_bucket" { - source = "github.com/ministryofjustice/cloud-platform-terraform-s3-bucket?ref=4.2" + source = "github.com/ministryofjustice/cloud-platform-terraform-s3-bucket?ref=4.3" team_name = "cloudplatform" business-unit = "mojdigital" application = "cloud-platform-terraform-s3-bucket" 
@@ -16,10 +16,16 @@ module "example_team_s3_bucket" { /* - Public Buckets: By default, buckets are private, however to create a 'public' bucket add the following two variables when calling the module + * Public Buckets: It is strongly advised to keep buckets 'private' and only make public where necessary. + By default buckets are private, however to create a 'public' bucket add the following two variables when calling the module: + acl = "public-read" enable_allow_block_pub_access = false - + + * Converting existing private bucket to public: If amending an existing private bucket that was created using version 4.3 or above then you will need to raise two PRs: + + (1) First PR to add the var: enable_allow_block_pub_access = false + (2) Second PR to add the var: acl = "public-read" * Versioning: By default this is set to false. When set to true multiple versions of an object can be stored For more details on versioning please visit: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html From 9c1b6db920bfb49d586fc915a918deb762d06776 Mon Sep 17 00:00:00 2001 From: Imran Awan Date: Wed, 15 Jul 2020 14:55:55 +0100 Subject: [PATCH 4/7] amended readme --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index 382852e..8eb040e 100644 --- a/README.md +++ b/README.md 
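Review bot: The new "Converting existing private bucket to public" text prescribes two PRs but not why they cannot be combined, so a reader may try to land both variables in one change and get a failed apply; the reason is that while the `aws_s3_bucket_public_access_block` exists with `block_public_acls = true`, AWS rejects a public ACL, so the block must be removed (PR 1) before `acl = "public-read"` (PR 2) can apply. Suggest one sentence after item (2): `(The order matters: while the public access block exists AWS rejects a public ACL, so the first PR must be applied before the second.)`. The same wording is copied into README.md in the next commit of this series, so both copies should be kept in step.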
@@ -26,6 +26,18 @@ module "example_team_s3" { infrastructure-support = "example-team@digtal.justice.gov.uk" /* + + * Public Buckets: It is strongly advised to keep buckets 'private' and only make public where necessary. + By default buckets are private, however to create a 'public' bucket add the following two variables when calling the module: + + acl = "public-read" + enable_allow_block_pub_access = false + + * Converting existing private bucket to public: If amending an existing private bucket that was created using version 4.3 or above then you will need to raise two PRs: + + (1) First PR to add the var: enable_allow_block_pub_access = false + (2) Second PR to add the var: acl = "public-read" + * Versioning: By default this is set to false. When set to true multiple versions of an object can be stored For more details on versioning please visit: https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html @@ -199,3 +211,6 @@ aws s3 sync --delete \ ``` For an example of a pod with a custom CLI that wraps s3 sync you can see the [cccd-migrator](https://github.com/ministryofjustice/cccd-migrator) + + + From a9d425f6022aa71a90205617e000810b70aa273b Mon Sep 17 00:00:00 2001 From: Imran Awan Date: Wed, 15 Jul 2020 15:01:35 +0100 Subject: [PATCH 5/7] amended README --- README.md | 3 +++ example/s3.tf | 3 +++ 2 files changed, 6 insertions(+) diff --git a/README.md b/README.md index 8eb040e..0f1af22 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,9 @@ module "example_team_s3" { acl = "public-read" enable_allow_block_pub_access = false + For more information granting public access to S3 buckets, please see AWS documentation: + https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html + * Converting existing private bucket to public: If amending an existing private bucket that was created using version 4.3 or above then you will need to raise two PRs: (1) First PR to add the var: enable_allow_block_pub_access = false 
diff --git a/example/s3.tf b/example/s3.tf index b73e5a8..4b0994e 100644 --- a/example/s3.tf +++ b/example/s3.tf @@ -22,6 +22,9 @@ module "example_team_s3_bucket" { acl = "public-read" enable_allow_block_pub_access = false + For more information granting public access to S3 buckets, please see AWS documentation: + https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html + * Converting existing private bucket to public: If amending an existing private bucket that was created using version 4.3 or above then you will need to raise two PRs: (1) First PR to add the var: enable_allow_block_pub_access = false From 29cf73d71e5cbf7a27ccef455ad22a92466d5edc Mon Sep 17 00:00:00 2001 From: Imran Awan Date: Wed, 15 Jul 2020 15:13:45 +0100 Subject: [PATCH 6/7] added kubernetes secret block back --- example/s3.tf | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/example/s3.tf b/example/s3.tf index 4b0994e..1be31b4 100644 --- a/example/s3.tf +++ b/example/s3.tf @@ -180,3 +180,16 @@ EOF } +resource "kubernetes_secret" "example_team_s3_bucket" { + metadata { + name = "example-team-s3-bucket-output" + namespace = "my-namespace" + } + + data = { + access_key_id = module.example_team_s3_bucket.access_key_id + secret_access_key = module.example_team_s3_bucket.secret_access_key + bucket_arn = module.example_team_s3_bucket.bucket_arn + bucket_name = module.example_team_s3_bucket.bucket_name + } +} \ No newline at end of file From 7d4c62f19f721cde87b200ec68fda8b96e7fde25 Mon Sep 17 00:00:00 2001 From: Imran Awan Date: Wed, 15 Jul 2020 15:26:24 +0100 Subject: [PATCH 7/7] applied terraform fmt --- main.tf | 10 +++++----- variables.tf | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/main.tf b/main.tf index dc07d88..7f3bdbe 100644 --- a/main.tf +++ b/main.tf 
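Review bot: The restored `kubernetes_secret` writes `secret_access_key`, a long-lived IAM user credential, into a Secret in `my-namespace`, which any principal with read access to Secrets in that namespace can use, and the example does not say so. Suggest a comment above the resource: `# Holds long-lived IAM user keys; limit RBAC read access to this Secret and rotate the keys if it is exposed`. The hunk also ends without a trailing newline (`\ No newline at end of file`).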
@@ -188,13 +188,13 @@ resource "aws_iam_user_policy" "policy" { resource "aws_s3_bucket_public_access_block" "block_public_access" { - count = var.enable_allow_block_pub_access ? 1 : 0 + count = var.enable_allow_block_pub_access ? 1 : 0 bucket = aws_s3_bucket.bucket.id - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true } diff --git a/variables.tf b/variables.tf index 7471973..9e6412d 100644 --- a/variables.tf +++ b/variables.tf @@ -42,17 +42,17 @@ variable "versioning" { variable "log_target_bucket" { description = "Set the target bucket for logs" - default = "" + default = "" } variable "logging_enabled" { description = "Set the logging for bucket" - default = false + default = false } variable "log_path" { description = "Set the path of the logs" - default = "" + default = "" }