s3 (terraform)

Introduction

Sample: Private S3 bucket with versioning, encryption & lifecycle

Sample: Frontend app via CloudFront (Block all public access)

Introduction

Terraform s3 configuration changed significantly for provider hashicorp/aws version 4.

Examples shown use the new configuration.

For creating an user and giving it access to S3 bucket, see:

https://sites.google.com/site/pawneecity/terraform/iam-terraform#h.m7i6tdp3tf70

Sample: Private S3 bucket with versioning, encryption & lifecycle

modules/s3/variables.tf

variable "env" {}

variable "ci" {}

variable "Department" {}

variable "Program" {}

variable "bucket_data1" {}

modules/s3/outputs.tf

# Buckets regional domain name, taken from any of them

output "s3_domain" {

value = aws_s3_bucket.myapp-bucket-data1.bucket_regional_domain_name

}

output "s3_data1_arn" {

value = aws_s3_bucket.myapp-bucket-data1.arn

}

output "s3_data1_bucket" {

value = aws_s3_bucket.myapp-bucket-data1.bucket

}

output "s3_data1_id" {

value = aws_s3_bucket.myapp-bucket-data1.id

}

modules/s3/s3.tf

resource "aws_s3_bucket" "data1" {

bucket = "${var.env}-${var.ci}-${var.bucket_data1}"

tags = {

Name = "${var.bucket_data1}-s3-${var.env}"

ci = var.ci

Departament = var.Department

COUEnv = var.env

Programa = var.Program

}

resource "aws_s3_bucket_acl" "data1_acl" {

bucket = aws_s3_bucket.myapp-bucket-data1.id

acl = "private"

}

resource "aws_s3_bucket_versioning" "data1_versioning" {

bucket = aws_s3_bucket.myapp-bucket-data1.id

versioning_configuration {

status = "Enabled"

}

resource "aws_s3_bucket_server_side_encryption_configuration" "data1_encrypt" {

bucket = aws_s3_bucket.myapp-bucket-data1.id

rule {

apply_server_side_encryption_by_default {

sse_algorithm = "AES256"

}

resource "aws_s3_bucket_lifecycle_configuration" "data1_lifecycle" {

depends_on = [aws_s3_bucket_versioning.data1_versioning]

bucket = aws_s3_bucket.data1.id

rule {

id = "all_tiering_expire"

status = "Enabled"

filter {} # Applies to all objects in the bucket

expiration {

days = var.bucket_data1_lifecycle_expiration_days

}

transition {

days = 256

storage_class = "INTELLIGENT_TIERING" //Intelligent-Tiering

}

transition {

days = 512

storage_class = "GLACIER_IR" //Glacier Isntant Retrieval

}

#Permanently delete noncurrent versions of objects >> Days after objects become noncurrent

noncurrent_version_expiration {

noncurrent_days = 384

}

noncurrent_version_transition {

noncurrent_days = 4

storage_class = "GLACIER_IR" //Glacier Instant Retrieval

}

#Delete expired object delete markers or incomplete multipart uploads >> Incomplete multipart uploads

abort_incomplete_multipart_upload {

days_after_initiation = 128

}

Sample: Frontend app via CloudFront (Block all public access)

Eg: fwdefense

modules/s3/variables

variable "front_policy_text" {

nullable = false

}

#finalwork_cors_origins. Eg: ["http://localhost:4200", "https://${local.domain}]"]

variable "finalwork_cors_origins" {

description = "CORS AllowedOrigins array"

type = list(string)

nullable = false

}

modules/s3/s3.tf

# Frontend app

resource "aws_s3_bucket" "frontend" {

bucket = "${var.env}-${var.ci}-s3"

force_destroy = true

}

# Block all public access

resource "aws_s3_bucket_public_access_block" "frontend" {

bucket = aws_s3_bucket.frontend.id

block_public_acls = true

block_public_policy = true

ignore_public_acls = true

restrict_public_buckets = true

}

# ACL private [1/2] (frontend)

resource "aws_s3_bucket_ownership_controls" "frontend" {

bucket = aws_s3_bucket.frontend.id

rule {

object_ownership = "BucketOwnerPreferred"

}

# ACL private [2/2] (frontend)

resource "aws_s3_bucket_acl" "frontend" {

depends_on = [aws_s3_bucket_ownership_controls.frontend]

bucket = aws_s3_bucket.frontend.id

acl = "private"

}

# Allow access from CloudFront (frontend)

# The policy text (JSON) is generated from the module 'cloudfront' using one of:

# data "aws_iam_policy_document" "origin_access_control" (attribute 'json')

# data "aws_iam_policy_document" "origin access identity" (attribute 'json')

resource "aws_s3_bucket_policy" "front_policy" {

bucket = aws_s3_bucket.frontend.id

policy = var.front_policy_text

}

# CORS. Ensure the browser AJAX fill be able to POST for uploading the file

resource "aws_s3_bucket_cors_configuration" "finalwork_cors" {

bucket = aws_s3_bucket.finalwork_s3.id

cors_rule {

allowed_headers = ["*"] //Eg: ["*"]

allowed_methods = ["GET", "HEAD", "POST"]

allowed_origins = var.finalwork_cors_origins

expose_headers = [] //Eg: ["ETag"]

max_age_seconds = 3000

}