initial commit
This commit is contained in:
@@ -0,0 +1,9 @@
|
||||
# terraform-setup module
|
||||
Module for creating terraform state bucket and locks.
|
||||
|
||||
The output ```provider-config-block``` shows how to configure terraform provider.
|
||||
|
||||
Please enable terraform default tags. See https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider
|
||||
|
||||
## Examples
|
||||
See examples in the examples directory.
|
||||
@@ -0,0 +1,131 @@
|
||||
resource "aws_s3_bucket" "s3bucket" {
|
||||
bucket = var.bucket-name
|
||||
}
|
||||
|
||||
resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {
|
||||
depends_on = [aws_s3_bucket.s3bucket]
|
||||
bucket = aws_s3_bucket.s3bucket.id
|
||||
|
||||
block_public_acls = true
|
||||
block_public_policy = true
|
||||
ignore_public_acls = true
|
||||
restrict_public_buckets = true
|
||||
}
|
||||
|
||||
resource "aws_s3_bucket_ownership_controls" "bucket-ownership-setting" {
|
||||
depends_on = [aws_s3_bucket_public_access_block.s3-public-access-settings]
|
||||
bucket = aws_s3_bucket.s3bucket.id
|
||||
|
||||
rule {
|
||||
object_ownership = "BucketOwnerPreferred"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_s3_bucket_lifecycle_configuration" "bucket-lifecycle-config" {
|
||||
count = var.bucket-enable-lifecycle ? 1 : 0
|
||||
|
||||
bucket = aws_s3_bucket.s3bucket.bucket
|
||||
|
||||
rule {
|
||||
id = "default"
|
||||
status = "Enabled"
|
||||
|
||||
dynamic "noncurrent_version_expiration" {
|
||||
for_each = var.enable-bucket-versioning ? [1] : []
|
||||
content {
|
||||
noncurrent_days = 90
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "expiration" {
|
||||
for_each = var.bucket-retain-days > 0 ? [1] : []
|
||||
content {
|
||||
days = var.bucket-retain-days
|
||||
}
|
||||
}
|
||||
|
||||
transition {
|
||||
days = var.transition-ia-days
|
||||
storage_class = "STANDARD_IA"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_s3_bucket_versioning" "bucket-versioning" {
|
||||
count = var.enable-bucket-versioning ? 1 : 0
|
||||
bucket = aws_s3_bucket.s3bucket.id
|
||||
versioning_configuration {
|
||||
status = "Enabled"
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_s3_bucket_server_side_encryption_configuration" "bucket-encryption" {
|
||||
bucket = aws_s3_bucket.s3bucket.bucket
|
||||
rule {
|
||||
apply_server_side_encryption_by_default {
|
||||
sse_algorithm = "AES256"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_s3_bucket_acl" "bucket-acl" {
|
||||
bucket = aws_s3_bucket.s3bucket.bucket
|
||||
acl = var.bucket-acl
|
||||
}
|
||||
|
||||
resource "aws_s3_bucket_policy" "bucket-policy" {
|
||||
bucket = aws_s3_bucket.s3bucket.bucket
|
||||
policy = <<EOT
|
||||
{
|
||||
"Id": "policy01",
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "AllowFullAccessFromBastion",
|
||||
"Action": "s3:*",
|
||||
"Effect": "Allow",
|
||||
"Resource": [
|
||||
"arn:aws:s3:::${var.bucket-name}/*",
|
||||
"arn:aws:s3:::${var.bucket-name}"
|
||||
],
|
||||
"Principal": {
|
||||
"AWS": [
|
||||
"arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"Sid": "AllowSSLRequestsOnly",
|
||||
"Action": "s3:*",
|
||||
"Effect": "Deny",
|
||||
"Resource": "arn:aws:s3:::${var.bucket-name}/*",
|
||||
"Condition": {
|
||||
"Bool": {
|
||||
"aws:SecureTransport": "false"
|
||||
}
|
||||
},
|
||||
"Principal": "*"
|
||||
}
|
||||
]
|
||||
}
|
||||
EOT
|
||||
}
|
||||
|
||||
resource "aws_dynamodb_table" "tfstate-lock-table" {
|
||||
name = var.ddb-table-name
|
||||
billing_mode = "PAY_PER_REQUEST"
|
||||
hash_key = "LockID"
|
||||
point_in_time_recovery {
|
||||
enabled = true
|
||||
}
|
||||
# If enabled is false then server-side encryption is set to AWS owned CMK (shown as DEFAULT in the AWS console)
|
||||
server_side_encryption {
|
||||
enabled = false
|
||||
}
|
||||
attribute {
|
||||
name = "LockID"
|
||||
type = "S"
|
||||
}
|
||||
}
|
||||
|
||||
data "aws_caller_identity" "this" {}
|
||||
@@ -0,0 +1,27 @@
|
||||
output bucket-name {
|
||||
value = aws_s3_bucket.s3bucket.id
|
||||
}
|
||||
|
||||
output bucket_regional_domain_name {
|
||||
value = aws_s3_bucket.s3bucket.bucket_regional_domain_name
|
||||
}
|
||||
|
||||
output ddb-table-name {
|
||||
value = aws_dynamodb_table.tfstate-lock-table.name
|
||||
}
|
||||
|
||||
output ddb-table-arn {
|
||||
value = aws_dynamodb_table.tfstate-lock-table.arn
|
||||
}
|
||||
|
||||
output provider-config-block {
|
||||
value = <<EOT
|
||||
backend "s3" {
|
||||
bucket = "${aws_s3_bucket.s3bucket.id}"
|
||||
key = "terraform_state/terraform.tfstate"
|
||||
region = ""
|
||||
dynamodb_table = "${aws_dynamodb_table.tfstate-lock-table.name}"
|
||||
encrypt = true
|
||||
}
|
||||
EOT
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
variable "ddb-table-name" {}
|
||||
variable "transition-ia-days" {}
|
||||
variable "bucket-retain-days" {
|
||||
default = 0
|
||||
}
|
||||
variable "bucket-enable-lifecycle" {
|
||||
default = true
|
||||
}
|
||||
variable "bucket-acl" {
|
||||
default = "private"
|
||||
}
|
||||
variable "enable-bucket-versioning" {
|
||||
default = true
|
||||
}
|
||||
variable "bucket-name" {}
|
||||
Reference in New Issue
Block a user