feat: Create S3 bucket and KMS key. (#2)

jamesiarmes · web-flow · commit 9d5e9b1bd244 · 2026-01-22T15:39:08.000-05:00
diff --git a/README.md b/README.md
@@ -1,33 +1,23 @@
-# Code for America OpenTofu Module Template
+# AWS S3 Uploads Bucket Module
 
 [![Main Checks][badge-checks]][code-checks] [![GitHub Release][badge-release]][latest-release]
 
-Use this template repository to create new OpenTofu modules. Follow the steps
-below to use this repository:
-
-1. Click the "Use this template" button to create a new repository
-1. Name your new repository using the format `todu-modules-<provider>-<module>`
-1. Add the files necessary to support your module to the root of your new
-   repository
-1. Update the `README.md` file with the appropriate information for your module.
-   Make sure you update any references to this template repository with your new
-   repository
-1. Update the [codeforamerica/tofu-modules][tofu-modules] repository to include
-   your new module in the main `README.md` and the documentation
+This module creates an S3 bucket for file uploads. The bucket is configured with
+logging, encryption, verisioning and a lifecycle configuration.
 
 ## Usage
 
 Add this module to your `main.tf` (or appropriate) file and configure the inputs
 to match your desired configuration. For example:
 
-[//]: # (TODO: Update to match your module's name and inputs)
-
 ```hcl
 module "module_name" {
-  source = "github.com/codeforamerica/tofu-modules-template?ref=1.0.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-s3-uploads-bucket?ref=1.0.0"
 
-  project = "my-project"
-  environment = "development"
+  project        = "my-project"
+  environment    = "development"
+  logging-bucket = "my-logging-bucket"
+  name           = "documents"
 }
 ```
 
@@ -46,31 +36,59 @@ tofu init -upgrade
 
 ## Inputs
 
-[//]: # (TODO: Replace the following with your own inputs)
-
-| Name        | Description                                   | Type     | Default | Required |
-|-------------|-----------------------------------------------|----------|---------|----------|
-| project     | Name of the project.                          | `string` | n/a     | yes      |
-| environment | Environment for the project.                  | `string` | `"dev"` | no       |
-| tags        | Optional tags to be applied to all resources. | `list`   | `[]`    | no       |
+| Name                                   | Description                                                                                                                                               | Type           | Default                                         | Required |
+| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------- | -------- |
+| logging_bucket                         | S3 bucket to send access logs to.                                                                                                                         | `string`       | n/a                                             | yes      |
+| name                                   | Name of the bucket. The project and environment will be prepended to this automatically.                                                                  | `string`       | n/a                                             | yes      |
+| project                                | Project that these resources are supporting. This is used in the prefix to all resource names.                                                            | `string`       | n/a                                             | yes      |
+| abort_incomplete_multipart_upload_days | Number of days to abort incomplete multipart uploads.                                                                                                     | `number`       | `7`                                             | no       |
+| allowed_principals                     | List of AWS principal ARNs to allow to use the KMS key. This is used to grant access to other resources that need to use the key, such as ECS task roles. | `list(string)` | `[]`                                            | no       |
+| encryption_key_arn                     | ARN of the KMS key to use for S3 bucket encryption. If not provided, a new KMS key will be created.                                                       | `string`       | `null`                                          | no       |
+| environment                            | The environment for the deployment. This is used in the prefix to all resource names.                                                                     | `string`       | `"development"`                                 | no       |
+| force_delete                           | Whether to force delete the bucket and its contents. Must be set to `true` _and_ applied before the bucket can be deleted.                                | `bool`         | `false`                                         | no       |
+| key_recovery_period                    | Number of days to recover the created KMS key after deletion. Must be between `7` and `30`.                                                               | `number`       | `30`                                            | no       |
+| noncurrent_version_expiration_days     | Number of days to expire noncurrent versions of objects.                                                                                                  | `number`       | `30`                                            | no       |
+| [storage_class_transitions]            | List of storage class transitions to apply to the buckets lifecycle configuration.                                                                        | `list(object)` | `[{days  = 30, storage_class = "STANDARD_IA"}]` | no       |
+| tags                                   | Optional tags to be applied to all resources.                                                                                                             | `map(string)`  | `{}`                                            | no       |
+
+### storage_class_transitions
+
+You can define multiple [storage class][storage-class] transitions for the
+objects in the S3 bucket. This allows you to use a reduced cost storage option
+for objects that need to be retained for a longer time, but won't be regularly
+accessed.
+
+By default, objects added to the bucket will transition to the infrequent access
+storage tier after 30 days. To disable transitions entirely, you can set this
+input to an empty list (`[]`).
+
+| Name          | Description                             | Type     | Default | Required |
+| ------------- | --------------------------------------- | -------- | ------- | -------- |
+| days          | Number of days                          | `number` | n/a     | yes      |
+| storage_class | Storage class to transition objects to. | `string` | n/a     | yes      |
+
+Possible values for `storage_class` are `DEEP_ARCHIVE`, `GLACIER`, `GLACIER_IR`,
+`INTELLIGENT_TIERING`, `ONEZONE_IA`, `STANDARD_IA`. For more information on the
+different storage classes, see the [Amazon S3 documentation][storage-class].
 
 ## Outputs
 
-[//]: # (TODO: Replace the following with your own outputs)
-
-| Name     | Description                       | Type     |
-|----------|-----------------------------------|----------|
-| id       | Id of the newly created resource. | `string` |
-
+| Name               | Description                                                                     | Type     |
+| ------------------ | ------------------------------------------------------------------------------- | -------- |
+| bucket_name        | Name of the created bucket.                                                     | `string` |
+| bucket_arn         | Full ARN of the created bucket.                                                 | `string` |
+| bucket_domain_name | Domain name of the created bucket, in the format `bucketname.s3.amazonaws.com`. | `string` |
+| kms_key_arn        | ARN of the KMS key used for bucket encryption.                                  | `string` |
 
 ## Contributing
 
 Follow the [contributing guidelines][contributing] to contribute to this
 repository.
 
-[badge-checks]: https://github.com/codeforamerica/tofu-modules-template/actions/workflows/main.yaml/badge.svg
-[badge-release]: https://img.shields.io/github/v/release/codeforamerica/tofu-modules-template?logo=github&label=Latest%20Release
-[code-checks]: https://github.com/codeforamerica/tofu-modules-template/actions/workflows/main.yaml
+[badge-checks]: https://github.com/codeforamerica/tofu-modules-aws-s3-uploads-bucket/actions/workflows/main.yaml/badge.svg
+[badge-release]: https://img.shields.io/github/v/release/codeforamerica/tofu-modules-aws-s3-uploads-bucket?logo=github&label=Latest%20Release
+[code-checks]: https://github.com/codeforamerica/tofu-modules-aws-s3-uploads-bucket/actions/workflows/main.yaml
 [contributing]: CONTRIBUTING.md
-[latest-release]: https://github.com/codeforamerica/tofu-modules-template/releases/latest
-[tofu-modules]: https://github.com/codeforamerica/tofu-modules
+[latest-release]: https://github.com/codeforamerica/tofu-modules-aws-s3-uploads-bucket/releases/latest
+[storage-class]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html
+[storage_class_transitions]: #storage_class_transitions
diff --git a/data.tf b/data.tf
@@ -0,0 +1,3 @@
+data "aws_caller_identity" "identity" {}
+
+data "aws_partition" "current" {}
diff --git a/locals.tf b/locals.tf
@@ -0,0 +1,6 @@
+locals {
+  bucket_name = join("-", [var.project, var.environment, var.name])
+  kms_key_arn = var.encryption_key_arn != null ? var.encryption_key_arn : aws_kms_key.bucket["this"].arn
+  logs_path   = "/AWSLogs/${data.aws_caller_identity.identity.account_id}"
+  tags = merge({ use : "file-uploads" }, var.tags)
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,65 @@
+resource "aws_kms_key" "bucket" {
+  for_each = var.encryption_key_arn != null ? toset([]) : toset(["this"])
+
+  description             = "Encryption key for bucket ${local.bucket_name}"
+  deletion_window_in_days = var.key_recovery_period
+  enable_key_rotation     = true
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/key-policy.yaml.tftpl", {
+    account : data.aws_caller_identity.identity.account_id
+    bucket : local.bucket_name
+    partition : data.aws_partition.current.partition
+    principals : var.allowed_principals
+  })))
+
+  tags = local.tags
+}
+
+resource "aws_kms_alias" "bucket" {
+  for_each = var.encryption_key_arn != null ? toset([]) : toset(["this"])
+
+  name          = "alias/${local.bucket_name}"
+  target_key_id = aws_kms_key.bucket["this"].arn
+}
+
+module "this" {
+  source  = "boldlink/s3/aws"
+  version = "2.6.0"
+
+  bucket        = local.bucket_name
+  force_destroy = var.force_delete
+
+  bucket_policy = jsonencode(yamldecode(templatefile("${path.module}/templates/bucket-policy.yaml.tftpl", {
+    partition : data.aws_partition.current.partition
+    bucket : local.bucket_name
+  })))
+
+  lifecycle_configuration = [{
+    id     = "state"
+    status = "Enabled"
+
+    filter = {
+      prefix = ""
+    }
+
+    abort_incomplete_multipart_upload_days = var.abort_incomplete_multipart_upload_days
+
+    noncurrent_version_expiration = [{
+      noncurrent_days = var.noncurrent_version_expiration_days
+    }]
+
+    transition = var.storage_class_transitions
+  }]
+
+  sse_bucket_key_enabled = true
+  sse_kms_master_key_arn = local.kms_key_arn
+  sse_sse_algorithm      = "aws:kms"
+
+  versioning_status = "Enabled"
+
+  s3_logging = {
+    target_bucket = var.logging_bucket
+    target_prefix = "${local.logs_path}/s3accesslogs/${local.bucket_name}"
+  }
+
+  tags = local.tags
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,22 @@
+output "bucket_name" {
+  description = "Name of the created bucket."
+  value       = module.this.bucket
+}
+
+output "bucket_arn" {
+  description = "Full ARN of the created bucket."
+  value       = module.this.arn
+}
+
+output "bucket_domain_name" {
+  description = <<-EOT
+    Domain name of the created bucket, in the format
+    `bucketname.s3.amazonaws.com`.
+    EOT
+  value       = module.this.bucket_domain_name
+}
+
+output "kms_key_arn" {
+  description = "ARN of the KMS key used for bucket encryption."
+  value       = local.kms_key_arn
+}
diff --git a/templates/bucket-policy.yaml.tftpl b/templates/bucket-policy.yaml.tftpl
@@ -0,0 +1,13 @@
+Version: "2012-10-17"
+Statement:
+- Sid: AllowSSLRequestsOnly
+  Effect: Deny
+  Principal: "*"
+  Action:
+  - s3:*
+  Resource:
+  - arn:${partition}:s3:::${bucket}
+  - arn:${partition}:s3:::${bucket}/*
+  Condition:
+    Bool:
+      aws:SecureTransport: false
diff --git a/templates/key-policy.yaml.tftpl b/templates/key-policy.yaml.tftpl
@@ -0,0 +1,37 @@
+Version: "2012-10-17"
+Statement:
+- Sid: Enable IAM User Permissions
+  Effect: Allow
+  Principal:
+    AWS: arn:${partition}:iam::${account}:root
+  Action: kms:*
+  Resource: "*"
+- Sid: Allow S3 to encrypt and decrypt objects
+  Effect: Allow
+  Principal:
+    AWS: "*"
+  Action:
+  - kms:Decrypt
+  - kms:Encrypt
+  - kms:GenerateDataKey
+  - kms:ReEncrypt*
+  Resource: "*"
+  Condition:
+    StringLike:
+      kms:CallerAccount: "${account}"
+      kms:EncryptionContext:aws:s3:arn:
+      - "arn:${partition}:s3:::${bucket}"
+      - "arn:${partition}:s3:::${bucket}/*"
+%{ if length(principals) > 0 ~}
+- Sid: Allow other resources to use the key
+  Effect: Allow
+  Principal:
+    AWS:
+    %{ for principal in principals ~}
+    - "${principal}"
+    %{ endfor }
+  Action:
+  - kms:GenerateDataKey
+  - kms:Decrypt
+  Resource: "*"
+%{ endif ~}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,115 @@
+variable "abort_incomplete_multipart_upload_days" {
+  type        = number
+  description = "Number of days to abort incomplete multipart uploads."
+  default     = 7
+
+  validation {
+    condition     = var.abort_incomplete_multipart_upload_days > 0
+    error_message = "Abort incomplete multipart upload days must be greater than 0."
+  }
+}
+
+variable "allowed_principals" {
+  type        = list(string)
+  description = <<-EOT
+    List of AWS principal ARNs to allow to use the KMS key. This is used to
+    grant access to other resources that need to use the key, such as ECS task
+    roles.
+    EOT
+  default     = []
+}
+
+variable "encryption_key_arn" {
+  type        = string
+  description = <<-EOT
+    ARN of the KMS key to use for S3 bucket encryption. If not provided, a new
+    KMS key will be created.
+    EOT
+  default     = null
+}
+
+variable "environment" {
+  type        = string
+  description = <<-EOT
+    The environment for the deployment. This is used in the prefix to all
+    resource names.
+    EOT
+  default     = "development"
+}
+
+variable "force_delete" {
+  type        = bool
+  description = <<-EOT
+    Whether to force delete the bucket and its contents. Must be set to `true`
+    _and_ applied before the bucket can be deleted.
+    EOT
+  default     = false
+}
+
+variable "key_recovery_period" {
+  type        = number
+  description = <<-EOT
+    Number of days to recover the created KMS key after deletion. Must be
+    between `7` and `30`.
+    EOT
+  default     = 30
+
+  validation {
+    condition     = var.key_recovery_period > 6 && var.key_recovery_period < 31
+    error_message = "Key recovery period must be between 7 and 30."
+  }
+}
+
+variable "logging_bucket" {
+  type        = string
+  description = "S3 bucket to send access logs to."
+}
+
+variable "name" {
+  type        = string
+  description = <<-EOT
+    Name of the bucket. The project and environment will be prepended to this
+    automatically.
+    EOT
+}
+
+variable "noncurrent_version_expiration_days" {
+  type        = number
+  description = "Number of days to expire noncurrent versions of objects."
+  default     = 30
+
+  validation {
+    condition     = var.noncurrent_version_expiration_days > 0
+    error_message = "Noncurrent version expiration days must be greater than 0."
+  }
+}
+
+variable "project" {
+  type        = string
+  description = <<-EOT
+    Project that these resources are supporting. This is used in the prefix to
+    all resource names.
+    EOT
+}
+
+variable "storage_class_transitions" {
+  type = list(object({
+    days          = number
+    storage_class = string
+  }))
+
+  description = <<-EOT
+    List of storage class transitions to apply to the buckets lifecycle
+    configuration.
+    EOT
+  default = [{
+    days          = 30
+    storage_class = "STANDARD_IA"
+  }]
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Optional tags to be applied to all resources."
+  default     = {}
+}
diff --git a/versions.tf b/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.10"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.28"
+    }
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+data "aws_caller_identity" "identity" {}`
	`2`	`+`
	`3`	`+data "aws_partition" "current" {}`