feat: Create S3 bucket and KMS key.

jamesiarmes · jamesiarmes · commit f3cfae559ac2 · 2026-01-21T12:07:46.000-05:00
diff --git a/data.tf b/data.tf
@@ -0,0 +1,3 @@
+data "aws_caller_identity" "identity" {}
+
+data "aws_partition" "current" {}
diff --git a/locals.tf b/locals.tf
@@ -0,0 +1,5 @@
+locals {
+  bucket_name = join("-", [var.project, var.environment, var.name])
+  kms_key_arn = var.encryption_key_arn != null ? var.encryption_key_arn : aws_kms_key.bucket["this"].arn
+  logs_path   = "/AWSLogs/${data.aws_caller_identity.identity.account_id}"
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1,65 @@
+resource "aws_kms_key" "bucket" {
+  for_each = var.encryption_key_arn != null ? toset([]) : toset(["this"])
+
+  description             = "Encryption key for bucket ${local.bucket_name}"
+  deletion_window_in_days = var.key_recovery_period
+  enable_key_rotation     = true
+  policy = templatefile("${path.module}/templates/key-policy.json.tftpl", {
+    account : data.aws_caller_identity.identity.account_id
+    bucket : local.bucket_name
+    partition : data.aws_partition.current.partition
+    principals : var.allowed_principals
+  })
+
+  tags = var.tags
+}
+
+resource "aws_kms_alias" "bucket" {
+  for_each = var.encryption_key_arn != null ? toset([]) : toset(["this"])
+
+  name          = "alias/${local.bucket_name}"
+  target_key_id = each.value.id
+}
+
+module "this" {
+  source  = "boldlink/s3/aws"
+  version = "2.6.0"
+
+  bucket        = local.bucket_name
+  force_destroy = var.force_delete
+
+  bucket_policy = templatefile("${path.module}/templates/bucket-policy.yaml.tftpl", {
+    partition : data.aws_partition.current.partition
+    bucket : local.bucket_name
+  })
+
+  lifecycle_configuration = [{
+    id     = "state"
+    status = "Enabled"
+
+    filter = {
+      prefix = ""
+    }
+
+    abort_incomplete_multipart_upload_days = var.abort_incomplete_multipart_upload_days
+
+    noncurrent_version_expiration = [{
+      noncurrent_days = var.noncurrent_version_expiration_days
+    }]
+
+    transition = var.storage_class_transitions
+  }]
+
+  sse_bucket_key_enabled = true
+  sse_kms_master_key_arn = local.kms_key_arn
+  sse_sse_algorithm      = "aws:kms"
+
+  versioning_status = "Enabled"
+
+  s3_logging = {
+    target_bucket = var.logging_bucket
+    target_prefix = "${local.logs_path}/s3accesslogs/${local.bucket_name}"
+  }
+
+  tags = var.tags
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,19 @@
+output "bucket_name" {
+  description = "Name of the created bucket."
+  value       = module.this.bucket
+}
+
+output "bucket_arn" {
+  description = "ARN of the created bucket."
+  value       = module.this.arn
+}
+
+output "bucket_domain_name" {
+  description = "Domain name of the created bucket."
+  value       = module.this.bucket_domain_name
+}
+
+output "kms_key_arn" {
+  description = "ARN of the KMS key used for bucket encryption."
+  value       = local.kms_key_arn
+}
diff --git a/templates/bucket-policy.yaml.tftpl b/templates/bucket-policy.yaml.tftpl
@@ -0,0 +1,13 @@
+Version: "2012-10-17"
+Statement:
+- Sid: AllowSSLRequestsOnly
+  Effect: Deny
+  Principal: "*"
+  Action:
+  - s3:*
+  Resource:
+  - arn:${partition}:s3:::${bucket}
+  - arn:${partition}:s3:::${bucket}/*
+  Condition:
+    Bool:
+      aws:SecureTransport: false
diff --git a/templates/key-policy.yaml.tftpl b/templates/key-policy.yaml.tftpl
@@ -0,0 +1,36 @@
+Version: "2012-10-17"
+Statement:
+- Sid: Enable IAM User Permissions
+  Effect: Allow
+  Principal:
+    AWS: arn:${partition}:iam::${account}:root
+  Action: kms:*
+  Resource: "*"
+- Sid: Allow S3 to encrypt and decrypt objects
+  Effect: Allow
+  Principal:
+    AWS: "*"
+  Action:
+  - kms:Decrypt
+  - kms:Encrypt
+  - kms:GenerateDataKey
+  - kms:ReEncrypt*
+  Resource: "*"
+  Condition:
+    StringLike:
+      kms:CallerAccount: "${account}"
+      kms:EncryptionContext:aws:s3:arn:
+      - "arn:${partition}:s3:::${bucket}"
+      - "arn:${partition}:s3:::${bucket}/*"
+{% if length(principals) > 0 }
+- Sid: Allow other resources to use the key
+  Effect: Allow
+  Principal:
+    AWS:
+    {% for principal in principals }
+    - "${principal}"
+    %{ endfor }
+  Action:
+  - kms:GenerateDataKey
+  - kms:Decrypt
+{% endif }
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,98 @@
+variable "abort_incomplete_multipart_upload_days" {
+  type        = number
+  description = "Number of days to abort incomplete multipart uploads."
+  default     = 7
+
+  validation {
+    condition     = var.abort_incomplete_multipart_upload_days > 0
+    error_message = "Abort incomplete multipart upload days must be greater than 0."
+  }
+}
+
+variable "allowed_principals" {
+  type        = list(string)
+  description = <<-EOT
+    List of AWS principal ARNs to allow to use the KMS key. This is used to
+    grant access to other resources that need to use the key, such as ECS task
+    roles.
+    EOT
+}
+
+variable "encryption_key_arn" {
+  type        = string
+  description = "ARN of the KMS key to use for S3 bucket encryption. If not provided, a new KMS key will be created."
+  default     = null
+}
+
+variable "environment" {
+  type        = string
+  description = "The environment for the deployment."
+  default     = "development"
+}
+
+variable "force_delete" {
+  type        = bool
+  description = "Whether to force delete the bucket and its contents."
+  default     = false
+}
+
+variable "key_recovery_period" {
+  type        = number
+  description = "Number of days to recover the created KMS key after deletion. Must be between 7 and 30."
+  default     = 30
+
+  validation {
+    condition     = var.key_recovery_period > 6 && var.key_recovery_period < 31
+    error_message = "Key recovery period must be between 7 and 30."
+  }
+}
+
+variable "logging_bucket" {
+  type        = string
+  description = "S3 bucket to send access logs to."
+}
+
+variable "name" {
+  type        = string
+  description = "Name of the bucket. The project and environment will be prepended to this automatically."
+}
+
+variable "noncurrent_version_expiration_days" {
+  type        = number
+  description = "Number of days to expire noncurrent versions of objects."
+  default     = 30
+
+  validation {
+    condition     = var.noncurrent_version_expiration_days > 0
+    error_message = "Noncurrent version expiration days must be greater than 0."
+  }
+
+  validation {
+    condition     = var.noncurrent_version_expiration_days <= var.abort_incomplete_multipart_upload_days
+    error_message = "Noncurrent version expiration days must be less than or equal to the abort incomplete multipart upload days."
+  }
+}
+
+variable "storage_class_transitions" {
+  type = list(object({
+    days          = number
+    storage_class = string
+  }))
+
+  description = "List of storage class transitions to apply to the bucket."
+  default = [{
+    days          = 30
+    storage_class = "STANDARD_IA"
+  }]
+}
+
+variable "project" {
+  type        = string
+  description = "Project that these resources are supporting."
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Optional tags to be applied to all resources."
+  default     = {}
+}
diff --git a/versions.tf b/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.10"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.28"
+    }
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+data "aws_caller_identity" "identity" {}`
	`2`	`+`
	`3`	`+data "aws_partition" "current" {}`