Merge pull request #2 from ministryofjustice/add/terraform

added readme/ added example module.
ministryofjustice · Jun 6, 2018 · fb7ace4 · fb7ace4
2 parents f9a2332 + 28ac6a0
commit fb7ace4
Show file tree

Hide file tree

Showing 7 changed files with 175 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,65 @@
-# cloud-platform-terraform-s3 module
+# cloud-platform-terraform-s3-bucket module
 
 Terraform module that will create an S3 bucket in AWS with relevant user account that will have access to bucket.
 
+The bucket created will prefix the business unit tag and your team name to the bucket identifier to create the bucket name. This ensures that the bucket created is globally unique and avoids name clashes.
+
+```bash
+bucket name = ${business-unit}-${team_name}-${bucket_identifier} 
+```
+
 ## Usage
 
+```hcl
+module "example_team_s3" {
+  source = "github.com/ministryofjustice/cloud-platform-terraform-s3-bucket?ref=master"
+
+  team_name         = "example-repo"
+  bucket_identifier = "example-bucket"
+  acl               = "public-read"
+  versioning        =  true
+}
+```
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| acl | acl manages access to your bucket | string | `private` | no |
+| bucket_identifier | This is the bucket identifier, the bucket name will be this prefixed with your team name | string | - | yes |
+| team_name |  | string | - | yes |
+| versioning | version objects stored within your bucket. | boolean | false | no |
+
+### Tags 
+
+Some of the inputs are tags. All infrastructure resources need to be tagged according to MOJ techincal guidence. The tags are stored as variables that you will need to fill out as part of your module.
+
+https://ministryofjustice.github.io/technical-guidance/standards/documenting-infrastructure-owners/#documenting-owners-of-infrastructure
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| application |  | string | - | yes |
+| business-unit | Area of the MOJ responsible for the service | string | `mojdigital` | yes |
+| environment-name |  | string | - | yes |
+| infrastructure-support | The team responsible for managing the infrastructure. Should be of the form team-email | string | - | yes |
+| is-production |  | string | `false` | yes |
+
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| access_key_id | Access key id for s3 account |
+| bucket_arn | Arn for s3 bucket created |
+| bucket_name | bucket name |
+| iam_user_name | user name for s3 service account |
+| policy_arn | ARN for the new policy |
+| secret_access_key | Secret key for s3 account |
+| user_arn | Arn for iam user |
+
+
+
+
+
+
+
diff --git a/example/README.md b/example/README.md
@@ -0,0 +1,18 @@
+# example AWS S3 Bucket Creation
+
+Configuration in this directory creates an example AWS public-read S3 bucket with versioning.
+
+This example outputs user name and secrets for the new credentials.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Run `terraform destroy` when you want to destroy these resources created.
+
diff --git a/example/main.tf b/example/main.tf
@@ -0,0 +1,17 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+module "example_team_s3" {
+  source = "github.com/ministryofjustice/cloud-platform-terraform-s3-bucket?ref=master"
+
+  team_name              = "cloudplatform"
+  bucket_identifier      = "example-bucket"
+  acl                    = "public-read"
+  versioning             = true
+  business-unit          = "mojdigital"
+  application            = "cloud-platform-terraform-s3-bucket"
+  is-production          = "false"
+  environment-name       = "development"
+  infrastructure-support = "[email protected]"
+}
diff --git a/example/output.tf b/example/output.tf
@@ -0,0 +1,34 @@
+output "policy_arn" {
+  description = "ARN for the new policy"
+  value       = "${module.example_team_s3.policy_arn}"
+}
+
+output "iam_user_name" {
+  description = "User name for s3 service account"
+  value       = "${module.example_team_s3.iam_user_name}"
+}
+
+output "access_key_id" {
+  description = "Access key id for s3 account"
+  value       = "${module.example_team_s3.access_key_id}"
+}
+
+output "secret_access_key" {
+  description = "Secret key for s3 account"
+  value       = "${module.example_team_s3.secret_access_key}"
+}
+
+output "bucket_arn" {
+  description = "Arn for s3 bucket created"
+  value       = "${module.example_team_s3.bucket_arn}"
+}
+
+output "bucket_name" {
+  description = "bucket name"
+  value       = "${module.example_team_s3.bucket_name}"
+}
+
+output "user_arn" {
+  description = "ARN for iam user"
+  value       = "${module.example_team_s3.user_arn}"
+}
diff --git a/main.tf b/main.tf
@@ -1,8 +1,8 @@
 data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 
-resource "aws_s3_bucket" "bucket" {
-  bucket        = "${var.team_name}-${var.bucket_name}"
+resource "aws_s3_bucket" "s3bucket" {
+  bucket        = "${var.business-unit}-${var.team_name}-${var.bucket_identifier}"
   acl           = "${var.acl}"
   force_destroy = "true"
   region        = "${data.aws_region.current.name}"
@@ -18,14 +18,23 @@ resource "aws_s3_bucket" "bucket" {
   versioning {
     enabled = "${var.versioning}"
   }
+
+  tags {
+    business-unit          = "${var.business-unit}"
+    application            = "${var.application}"
+    is-production          = "${var.is-production}"
+    environment-name       = "${var.environment-name}"
+    owner                  = "${var.team_name}"
+    infrastructure-support = "${var.infrastructure-support}"
+  }
 }
 
 resource "aws_iam_user" "s3-account" {
-  name = "${aws_s3_bucket.bucket.bucket}-s3-system-account"
+  name = "${aws_s3_bucket.s3bucket.bucket}-s3-system-account"
   path = "/teams/${var.team_name}/"
 }
 
-resource "aws_iam_access_key" "s3-account-access-keys" {
+resource "aws_iam_access_key" "s3-account-access-key" {
   user = "${aws_iam_user.s3-account.name}"
 }
 
@@ -68,17 +77,17 @@ data "aws_iam_policy_document" "policy" {
     ]
 
     resources = [
-      "arn:aws:s3:::${aws_s3_bucket.bucket.bucket}",
-      "arn:aws:s3:::${aws_s3_bucket.bucket.bucket}/*",
+      "arn:aws:s3:::${aws_s3_bucket.s3bucket.bucket}",
+      "arn:aws:s3:::${aws_s3_bucket.s3bucket.bucket}/*",
     ]
   }
 }
 
 resource "aws_iam_policy" "policy" {
-  name        = "${aws_s3_bucket.bucket.bucket}-s3-policy"
+  name        = "${aws_s3_bucket.s3bucket.bucket}-s3-policy"
   path        = "/teams/${var.team_name}/"
   policy      = "${data.aws_iam_policy_document.policy.json}"
-  description = "Policy for S3 bucket ${aws_s3_bucket.bucket.bucket}"
+  description = "Policy for S3 bucket ${aws_s3_bucket.s3bucket.bucket}"
 }
 
 resource "aws_iam_policy_attachment" "attach-policy" {

diff --git a/output.tf → outputs.tf b/output.tf → outputs.tf
@@ -3,29 +3,29 @@ output "policy_arn" {
   value       = "${aws_iam_policy.policy.arn}"
 }
 
-output "iam_am_user" {
+output "iam_user_name" {
   description = "user name for s3 service account"
   value       = "${aws_iam_user.s3-account.name}"
 }
 
 output "access_key_id" {
-  description = "Access keys id"
-  value       = "${aws_iam_access_key.s3-account-access-keys.id}"
+  description = "Access key id for s3 account"
+  value       = "${aws_iam_access_key.s3-account-access-key.id}"
 }
 
 output "secret_access_key" {
   description = "Secret key for s3 account"
-  value       = "${aws_iam_access_key.s3-account-access-keys.secret}"
+  value       = "${aws_iam_access_key.s3-account-access-key.secret}"
 }
 
 output "bucket_arn" {
   description = "Arn for s3 bucket created"
-  value       = "${aws_s3_bucket.bucket.arn}"
+  value       = "${aws_s3_bucket.s3bucket.arn}"
 }
 
 output "bucket_name" {
   description = "bucket name"
-  value       = "${aws_s3_bucket.bucket.bucket}"
+  value       = "${aws_s3_bucket.s3bucket.bucket}"
 }
 
 output "user_arn" {

diff --git a/variables.tf b/variables.tf
@@ -1,11 +1,32 @@
 variable "team_name" {}
 
-variable "bucket_name" {}
+variable "bucket_identifier" {
+  description = "This is the bucket identifier, the bucket name will be this prefixed with your team name"
+}
 
 variable "acl" {
-  default = "private"
+  description = "acl manages access to your bucket"
+  default     = "private"
 }
 
 variable "versioning" {
+  description = "version objects stored within your bucket. "
+  default     = false
+}
+
+variable "business-unit" {
+  description = " Area of the MOJ responsible for the service"
+  default     = "mojdigital"
+}
+
+variable "application" {}
+
+variable "is-production" {
   default = "false"
 }
+
+variable "environment-name" {}
+
+variable "infrastructure-support" {
+  description = "The team responsible for managing the infrastructure. Should be of the form <team-name> (<team-email>)"
+}