github.com/swisspost/terratest@v0.0.0-20230214120104-7ec6de2e1ae0/examples/terraform-aws-s3-example/main.tf

github.com/swisspost/terratest@v0.0.0-20230214120104-7ec6de2e1ae0/examples/terraform-aws-s3-example/main.tf (about)

     1  # ---------------------------------------------------------------------------------------------------------------------
     2  # PIN TERRAFORM VERSION TO >= 0.12
     3  # The examples have been upgraded to 0.12 syntax
     4  # ---------------------------------------------------------------------------------------------------------------------
     5  provider "aws" {
     6    region = var.region
     7  }
     8  
     9  terraform {
    10    # This module is now only being tested with Terraform 0.13.x. However, to make upgrading easier, we are setting
    11    # 0.12.26 as the minimum version, as that version added support for required_providers with source URLs, making it
    12    # forwards compatible with 0.13.x code.
    13    required_version = ">= 0.12.26"
    14  }
    15  
    16  # ---------------------------------------------------------------------------------------------------------------------
    17  # DEPLOY A S3 BUCKET WITH VERSIONING ENABLED INCLUDING TAGS
    18  # See test/terraform_aws_s3_example_test.go for how to write automated tests for this code.
    19  # ---------------------------------------------------------------------------------------------------------------------
    20  
    21  # Deploy and configure test S3 bucket with versioning and access log
    22  resource "aws_s3_bucket" "test_bucket" {
    23    bucket = "${local.aws_account_id}-${var.tag_bucket_name}"
    24  
    25    tags = {
    26      Name        = var.tag_bucket_name
    27      Environment = var.tag_bucket_environment
    28    }
    29  }
    30  
    31  resource "aws_s3_bucket_logging" "test_bucket" {
    32    bucket        = aws_s3_bucket.test_bucket.id
    33    target_bucket = aws_s3_bucket.test_bucket_logs.id
    34    target_prefix = "TFStateLogs/"
    35  }
    36  
    37  resource "aws_s3_bucket_versioning" "test_bucket" {
    38    bucket = aws_s3_bucket.test_bucket.id
    39    versioning_configuration {
    40      status = "Enabled"
    41    }
    42  }
    43  
    44  resource "aws_s3_bucket_acl" "test_bucket" {
    45    bucket = aws_s3_bucket.test_bucket.id
    46    acl    = "private"
    47  }
    48  
    49  
    50  # Deploy S3 bucket to collect access logs for test bucket
    51  resource "aws_s3_bucket" "test_bucket_logs" {
    52    bucket = "${local.aws_account_id}-${var.tag_bucket_name}-logs"
    53  
    54    tags = {
    55      Name        = "${local.aws_account_id}-${var.tag_bucket_name}-logs"
    56      Environment = var.tag_bucket_environment
    57    }
    58  
    59    force_destroy = true
    60  }
    61  
    62  resource "aws_s3_bucket_acl" "test_bucket_logs" {
    63    bucket = aws_s3_bucket.test_bucket_logs.id
    64    acl    = "log-delivery-write"
    65  }
    66  
    67  # Configure bucket access policies
    68  
    69  resource "aws_s3_bucket_policy" "bucket_access_policy" {
    70    count  = var.with_policy ? 1 : 0
    71    bucket = aws_s3_bucket.test_bucket.id
    72    policy = data.aws_iam_policy_document.s3_bucket_policy.json
    73  }
    74  
    75  data "aws_iam_policy_document" "s3_bucket_policy" {
    76    statement {
    77      effect = "Allow"
    78      principals {
    79        # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
    80        # force an interpolation expression to be interpreted as a list by wrapping it
    81        # in an extra set of list brackets. That form was supported for compatibility in
    82        # v0.11, but is no longer supported in Terraform v0.12.
    83        #
    84        # If the expression in the following list itself returns a list, remove the
    85        # brackets to avoid interpretation as a list of lists. If the expression
    86        # returns a single list item then leave it as-is and remove this TODO comment.
    87        identifiers = [local.aws_account_id]
    88        type        = "AWS"
    89      }
    90      actions   = ["*"]
    91      resources = ["${aws_s3_bucket.test_bucket.arn}/*"]
    92    }
    93  
    94    statement {
    95      effect = "Deny"
    96      principals {
    97        identifiers = ["*"]
    98        type        = "AWS"
    99      }
   100      actions   = ["*"]
   101      resources = ["${aws_s3_bucket.test_bucket.arn}/*"]
   102  
   103      condition {
   104        test     = "Bool"
   105        variable = "aws:SecureTransport"
   106        values = [
   107          "false",
   108        ]
   109      }
   110    }
   111  }
   112  
   113  # ---------------------------------------------------------------------------------------------------------------------
   114  # LOCALS
   115  # Used to represent any data that requires complex expressions/interpolations
   116  # ---------------------------------------------------------------------------------------------------------------------
   117  
   118  data "aws_caller_identity" "current" {
   119  }
   120  
   121  locals {
   122    aws_account_id = data.aws_caller_identity.current.account_id
   123  }
   124