jrab66 · jrab66 · Oct 1, 2024 · Oct 1, 2024 · Oct 1, 2024
diff --git a/modules/s3/README.md b/modules/s3/README.md
@@ -0,0 +1,46 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_logging.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_access_logging"></a> [access\_logging](#input\_access\_logging) | Whether or not to enable access logging on the bucket | `bool` | `true` | no |
+| <a name="input_access_logging_bucket"></a> [access\_logging\_bucket](#input\_access\_logging\_bucket) | Destination for access logging | `string` | `""` | no |
+| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Enable public acl block | `bool` | `true` | no |
+| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Enable block\_public\_policy | `bool` | `true` | no |
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name to be assigned to bucket and resources | `any` | n/a | yes |
+| <a name="input_bucket_public_acl"></a> [bucket\_public\_acl](#input\_bucket\_public\_acl) | Whether or not bucket should have a publicly accessible ACL | `string` | `"private"` | no |
+| <a name="input_enable_versioning"></a> [enable\_versioning](#input\_enable\_versioning) | Whether or not to enable object versioning | `bool` | `true` | no |
+| <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | Enable ignore\_public\_acls | `bool` | `true` | no |
+| <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Enable restrict\_public\_buckets | `bool` | `true` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/modules/s3/bucket.tf b/modules/s3/bucket.tf
@@ -0,0 +1,16 @@
+resource "aws_s3_bucket" "this" {
+  #checkov:skip=CKV2_AWS_61: "This is a demo bucket"
+  #checkov:skip=CKV2_AWS_62: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_144: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_145: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_21: "This is a demo bucket"
+  #checkov:skip=CKV2_AWS_6: "This is a demo bucket"
+  bucket = var.bucket_name
+}
+
+resource "aws_s3_bucket_versioning" "this" {
+  bucket = aws_s3_bucket.this.id
+  versioning_configuration {
+    status = var.enable_versioning ? "Enabled" : "Disabled"
+  }
+}
diff --git a/modules/s3/bucket_logging.tf b/modules/s3/bucket_logging.tf
@@ -0,0 +1,19 @@
+resource "aws_s3_bucket_logging" "example" {
+  count  = var.access_logging ? 1 : 0
+  bucket = aws_s3_bucket.this.id
+
+  # If bucket specified, otherwise use created
+  target_bucket = var.access_logging_bucket == null ? aws_s3_bucket.access_logs[0].id : var.access_logging_bucket
+  target_prefix = "log/${var.bucket_name}"
+}
+
+resource "aws_s3_bucket" "access_logs" {
+  #checkov:skip=CKV2_AWS_61: "This is a demo bucket"
+  #checkov:skip=CKV2_AWS_62: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_144: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_145: "This is a demo bucket"
+  #checkov:skip=CKV_AWS_21: "This is a demo bucket"
+  #checkov:skip=CKV2_AWS_6: "This is a demo bucket"
+  count  = var.access_logging ? var.access_logging_bucket == null ? 1 : 0 : 0
+  bucket = var.access_logging_bucket
+}
diff --git a/modules/s3/bucket_policy.tf b/modules/s3/bucket_policy.tf
@@ -0,0 +1,14 @@
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+  policy = jsonencode({
+    Statement = [
+      merge({
+        Actions   = "*"
+        Effect    = "Allow"
+        Principal = "*"
+        Resource  = "*"
+      })
+    ]
+    Version = "2012-10-17"
+  })
+}
diff --git a/modules/s3/bucket_security.tf b/modules/s3/bucket_security.tf
@@ -0,0 +1,23 @@
+resource "aws_s3_bucket_acl" "this" {
+  bucket = aws_s3_bucket.this.id
+  acl    = var.bucket_public_acl != false ? "private" : "public"
+}
+
+resource "aws_s3_bucket_public_access_block" "this" {
+  bucket = aws_s3_bucket.this.id
+
+  block_public_acls       = var.block_public_acls
+  block_public_policy     = var.block_public_policy
+  restrict_public_buckets = var.restrict_public_buckets
+  ignore_public_acls      = var.ignore_public_acls
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
+  bucket = aws_s3_bucket.this.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
+    }
+  }
+}
diff --git a/modules/s3/package.json b/modules/s3/package.json
@@ -0,0 +1,4 @@
+{
+  "name": "tjth-s3-bucket",
+  "description": "A terraform module for creating an s3 bucket"
+}
diff --git a/modules/s3/variables.tf b/modules/s3/variables.tf
@@ -0,0 +1,53 @@
+variable "bucket_name" {
+  description = "The name to be assigned to bucket and resources"
+}
+
+variable "bucket_public_acl" {
+  description = "Whether or not bucket should have a publicly accessible ACL"
+  default     = "private"
+  type        = string
+  validation {
+    condition     = can(regex("private|public-read|public-read-write|authenticated-read|aws-exec-read|log-delivery-write", var.bucket_public_acl))
+    error_message = "Must be one of \"private public-read public-read-write authenticated-read aws-exec-read log-delivery-write\"."
+  }
+}
+
+variable "block_public_acls" {
+  description = "Enable public acl block"
+  default     = true
+  type        = bool
+}
+
+variable "block_public_policy" {
+  description = "Enable block_public_policy"
+  default     = true
+  type        = bool
+}
+
+variable "restrict_public_buckets" {
+  description = "Enable restrict_public_buckets"
+  default     = true
+  type        = bool
+}
+
+variable "ignore_public_acls" {
+  description = "Enable ignore_public_acls"
+  default     = true
+  type        = bool
+}
+
+variable "enable_versioning" {
+  description = "Whether or not to enable object versioning"
+  default     = true
+  type        = bool
+}
+
+variable "access_logging" {
+  description = "Whether or not to enable access logging on the bucket"
+  default     = true
+}
+
+variable "access_logging_bucket" {
+  description = "Destination for access logging"
+  default     = ""
+}