xpk/terraform.examples
SHA256
1
0
Fork 0
Code Pull Requests Activity

initial commit

Browse Source
This commit is contained in:
xpk
2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/storage/s3_bucket_2023/main.tf
+173
View File
@@ -0,0 +1,173 @@
resource "aws_s3_bucket" "this" {
bucket = var.bucket_name
force_destroy = var.bucket_force_destroy
}
resource "aws_s3_bucket_public_access_block" "block_public_access" {
bucket = aws_s3_bucket.this.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
# Add SecureTransport restriction by default
data "aws_iam_policy_document" "bucket_policy" {
source_policy_documents = [var.bucket_policy_json]
statement {
sid = "AllowSSLRequestsOnly"
actions = ["s3:*"]
effect = "Deny"
principals {
type = "*"
identifiers = ["*"]
}
resources = [
aws_s3_bucket.this.arn,
"${aws_s3_bucket.this.arn}/*"
]
condition {
test = "Bool"
values = [false]
variable = "aws:SecureTransport"
}
}
}
resource "aws_s3_bucket_policy" "bucket_policy" {
bucket = aws_s3_bucket.this.id
# policy = var.bucket_policy_json
policy = data.aws_iam_policy_document.bucket_policy.json
}
resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" {
count = var.enable_bucket_lifecycle ? 1 : 0
bucket = aws_s3_bucket.this.id
rule {
id = "CurrentVersion"
expiration {
days = var.current_version_expiration_days
}
status = "Enabled"
transition {
days = 15
storage_class = "INTELLIGENT_TIERING"
}
}
rule {
id = "NonCurrentVersion"
noncurrent_version_expiration {
noncurrent_days = var.noncurrent_version_expiration_days
}
noncurrent_version_transition {
noncurrent_days = 15
storage_class = "INTELLIGENT_TIERING"
}
status = var.enable_versioning ? "Enabled" : "Disabled"
}
}
resource "aws_s3_bucket_intelligent_tiering_configuration" "intel_tiering_config" {
bucket = aws_s3_bucket.this.id
name = "IntelligentTieringArchiveConfigurations"
tiering {
access_tier = "DEEP_ARCHIVE_ACCESS"
days = 180 # minimum
}
tiering {
access_tier = "ARCHIVE_ACCESS"
days = 90
}
}
resource "aws_s3_bucket_logging" "logging" {
count = var.enable_bucket_logging ? 1 : 0
bucket = aws_s3_bucket.this.id
target_bucket = var.logging_bucket_id
target_prefix = "s3-log/"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
count = var.enable_encryption ? 1 : 0
bucket = aws_s3_bucket.this.id
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = var.encryption_key_arn
sse_algorithm = length(var.encryption_key_arn) > 0 ? "aws:kms" : "AES256"
}
bucket_key_enabled = length(var.encryption_key_arn) > 0 ? true : false
}
}
resource "aws_s3_bucket_versioning" "versioning" {
count = var.enable_versioning ? 1 : 0
bucket = aws_s3_bucket.this.id
versioning_configuration {
status = "Enabled"
}
}
resource "aws_s3_bucket_replication_configuration" "replication" {
count = var.enable_replication && var.enable_versioning ? 1 : 0
role = var.replication_role_arn
bucket = aws_s3_bucket.this.id
rule {
id = "replrule1"
status = "Enabled"
delete_marker_replication {
status = "Enabled"
}
source_selection_criteria {
replica_modifications {
status = "Enabled"
}
sse_kms_encrypted_objects {
status = "Enabled"
}
}
destination {
bucket = var.replication_dest_bucket_name
storage_class = "INTELLIGENT_TIERING"
account = var.replication_destination_aws_account_id
encryption_configuration {
replica_kms_key_id = var.replication_destination_kms_key_arn
}
access_control_translation {
owner = "Destination"
}
replication_time {
status = "Enabled"
time {
minutes = 15
}
}
metrics {
status = "Enabled"
event_threshold {
minutes = 15
}
}
}
}
}