From f57511f53c55c26e47487e64c8c91dafff6175b8 Mon Sep 17 00:00:00 2001
From: Jerome Wolff
Date: Tue, 9 May 2023 17:16:10 +0200
Subject: [PATCH] feat: allow bucket versioning configuration. add policy for denying insecure requests to bucket. update templates

---
 .editorconfig | 2 +-
 .github/.templatesyncignore | 9 ++++++
 .github/labels.yaml | 34 ----------------------
 .github/workflows/release.yaml | 31 ++++++++++++++++----
 .github/workflows/sync-templates.yaml | 41 +++++++--------------------
 .terraform-docs.yml | 8 ++++--
 README.md | 22 ++++++++++----
 data.tf | 41 +++++++++++++++++++++------
 docs/10-header.md | 1 +
 docs/{badges.md => 20-badges.md} | 5 ++++
 docs/assets/logo.svg | 22 --------------
 docs/logo.md | 1 -
 main.tf | 10 +++++++
 variables.tf | 24 ++++++++++++++++
 14 files changed, 140 insertions(+), 111 deletions(-)
 create mode 100644 .github/.templatesyncignore
 delete mode 100644 .github/labels.yaml
 create mode 100644 docs/10-header.md
 rename docs/{badges.md => 20-badges.md} (99%)
 delete mode 100644 docs/assets/logo.svg
 delete mode 100644 docs/logo.md

diff --git a/.editorconfig b/.editorconfig
index 0a5f88d..2705490 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -8,7 +8,7 @@ end_of_line = lf
 indent_size = 2
 indent_style = space
 insert_final_newline = true
-max_line_length = 80
+max_line_length = 120
 trim_trailing_whitespace = true
 
 [*.md]
diff --git a/.github/.templatesyncignore b/.github/.templatesyncignore
new file mode 100644
index 0000000..775d81f
--- /dev/null
+++ b/.github/.templatesyncignore
@@ -0,0 +1,9 @@
+README.md
+.github/workflows/*
+.terraform-docs.yml
+docs/20-badges.md
+docs/assets/logo.svg
+*.tf
+test/*
+go.mod
+go.sum
diff --git a/.github/labels.yaml b/.github/labels.yaml
deleted file mode 100644
index bc0cd30..0000000
--- a/.github/labels.yaml
+++ /dev/null
@@ -1,34 +0,0 @@ -- name: 'bump:major' - color: ef6bb4 - description: 'Attach to PR to automatically bump major version on merge' - aliases: [ ] - -- name: 'bump:minor' - color: ef6bb4 - description: 'Attach to PR to automatically bump minor version on merge' - aliases: [ ] - -- name: 'bump:patch' - color: ef6bb4 - description: 'Attach to PR to automatically bump patch version on merge' - aliases: [ ] - -- name: 'automation' - color: 3ddd1b - description: 'Removing manual tasks by automating them' - aliases: [ ] - -- name: 'bug' - color: d73a4a - description: 'Something is not working' - aliases: [ ] - -- name: 'documentation' - color: 0075ca - description: 'Improvements or additions to documentation' - aliases: [ ] - -- name: 'enhancement' - color: a2eeef - description: 'New feature or request' - aliases: [ ] diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9f31c92..a66b5c7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,7 +1,7 @@ --- -#################################### -## Draft releases on Push to main ## -#################################### +##################### +## Create releases ## +##################### # # Documentation: @@ -13,9 +13,8 @@ on: push: branches: [ main ] tags: [ 'v*.*.*' ] - -permissions: - contents: write + pull_request: + types: [ labeled ] ################# # Start the job # @@ -26,6 +25,7 @@ jobs: ############### create-release: name: Create Release + if: github.event.action != 'labeled' runs-on: ubuntu-latest timeout-minutes: 10 steps: 
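Review bot: Removing the top-level `permissions: contents: write` block in the `@@ -13,9 +13,8 @@` hunk of release.yaml leaves the GITHUB_TOKEN for `create-release` at the repository's default permission set, which depending on repo settings is either broader than needed (write on every scope) or read-only (so tagging and publishing the release would presumably fail); nothing visible in the diff replaces it. Keep least privilege explicit at job level instead, `permissions:` / `  contents: write` under `create-release`, and give the new labeled-`pull_request` path its own narrower block. Since the workflow now also fires on `pull_request: types: [ labeled ]`, the `if: github.event.action != 'labeled'` added in the following hunk is the only thing keeping label events from publishing a release; a comment above it such as `# labeled PRs only run release-check; every other trigger publishes the release` would make that guard's purpose clear.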
@@ -75,3 +75,22 @@ jobs: tag_name: ${{ steps.tag.outputs.value }} draft: false prerelease: false + + ########################### + # Release preview comment # + ########################### + release-check: + if: github.event.action == 'labeled' + runs-on: ubuntu-latest + steps: + ############################ + # Checkout the source code # + ############################ + - name: Checkout Code + uses: actions/checkout@v3.1.0 + + ####################### + # Post status comment # + ####################### + - name: Post bumpr status comment + uses: haya14busa/action-bumpr@v1 diff --git a/.github/workflows/sync-templates.yaml b/.github/workflows/sync-templates.yaml index 30bdab5..dfa10ab 100644 --- a/.github/workflows/sync-templates.yaml +++ b/.github/workflows/sync-templates.yaml @@ -10,7 +10,9 @@ name: Sync templates on: - workflow_dispatch: + workflow_dispatch: # Trigger manually + schedule: + - cron: "0 0 1 * *" # Run at 00:00 on the first day of every month ########################## # Prevent duplicate jobs # @@ -36,7 +38,7 @@ jobs: - name: Sync labels uses: EndBug/label-sync@v2.3.1 with: - config-file: https://raw.githubusercontent.com/geekcell/template-terraform-module/main/.github/labels.yaml + config-file: https://gist.githubusercontent.com/Ic3w0lf/f5520c5f19d7098966f692c120f7a197/raw/75b134f76fbc55e2e64bd66f04e571d6d74b815e/terraform-aws-module-labels.yaml ####################### # Sync template files # 
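Review bot: The new `release-check` job has no `permissions:` block and no `timeout-minutes`, unlike `create-release` above it, and both `actions/checkout@v3.1.0` and `haya14busa/action-bumpr@v1` are referenced by mutable tags. Posting a status comment needs only `pull-requests: write` (plus `contents: read` for the checkout), so declare exactly that on the job and add `timeout-minutes: 10` to match the sibling job; pinning third-party actions to a full commit SHA with the version in a trailing comment prevents a retagged `v1` from changing what runs in this repository. The same tag-pinning remark applies to `EndBug/label-sync@v2.3.1` and `AndreasAugustin/actions-template-sync@v0.7.3` in the sync-templates.yaml hunks that follow.
```yaml
  release-check:
    if: github.event.action == 'labeled'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
      pull-requests: write
    steps:
      # … unchanged: checkout and bumpr status comment steps …
```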
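Review bot: The label `config-file` in the sync-templates.yaml `@@ -36,7 +38,7 @@` hunk now points at a gist under a personal account (`Ic3w0lf`) instead of the organisation's template repository; it is pinned to a raw revision, which is good, but the organisation no longer controls the file's lifetime and the monthly sync would presumably start failing if that gist is deleted or made private. Consider keeping the labels file in `geekcell/terraform-aws-module-template` (the repository the next hunk already syncs from) and referencing a tag- or SHA-pinned raw URL there, or at least record the ownership next to the line: `# pinned gist revision owned by a personal account, not the org`.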
@@ -50,33 +52,12 @@ jobs: ############################ - name: Checkout Code uses: actions/checkout@v3.1.0 - with: - token: ${{ secrets.GEEKCELL_PAT_WORKFLOWS }} - - ######################## - # Patch template files # - ######################## - - name: Force patching of template files - run: | - yes y | make setup/update-template - - #################### - # Update README.md # - #################### - - name: Terraform docs - uses: terraform-docs/gh-actions@v1.0.0 - with: - config-file: .terraform-docs.yml - git-push: false - ############# - # Create PR # - ############# - - name: Create PR - uses: peter-evans/create-pull-request@v4.2.0 + ####################### + # Sync template files # + ####################### + - name: actions-template-sync + uses: AndreasAugustin/actions-template-sync@v0.7.3 with: - token: ${{ secrets.GEEKCELL_PAT_WORKFLOWS }} - title: Updated template files - commit-message: Update template files from main repo - branch: update-template-files - delete-branch: true + github_token: ${{ secrets.GITHUB_TOKEN }} + source_repo_path: geekcell/terraform-aws-module-template diff --git a/.terraform-docs.yml b/.terraform-docs.yml index c0f674c..3fec781 100644 --- a/.terraform-docs.yml +++ b/.terraform-docs.yml @@ -1,10 +1,14 @@ formatter: "md table" header-from: main.tf +recursive: + # Enable this if your module has submodules + enabled: false + content: |- - {{ include "docs/logo.md" }} + {{ include "docs/10-header.md" }} - {{ include "docs/badges.md" }} + {{ include "docs/20-badges.md" }} {{ .Header }} diff --git a/README.md b/README.md index f193585..b68b655 100644 --- a/README.md +++ b/README.md 
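Review bot: Switching the PR creation from `GEEKCELL_PAT_WORKFLOWS` to `secrets.GITHUB_TOKEN` means the pull requests actions-template-sync opens will not trigger this repository's other workflows, because GitHub suppresses workflow runs for events created with the default token, so template updates would arrive without the validate and lint checks the README advertises; the removed PAT-based flow did not have that restriction. If that is acceptable, say so above the step, `# PRs opened with GITHUB_TOKEN do not trigger validate/lint; review template PRs manually`; otherwise keep a PAT or a GitHub App installation token for this step. The sync also needs `contents: write` and `pull-requests: write` to push its branch and open the PR; the workflow's `permissions:` block, if it has one, is outside this hunk and should be checked against that.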
@@ -1,5 +1,5 @@ -[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/template-terraform-module/main/docs/assets/logo.svg)](https://www.geekcell.io/) +[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/.github/main/geekcell-github-banner.png)](https://www.geekcell.io/) ### Code Quality [![License](https://img.shields.io/github/license/geekcell/terraform-aws-s3-access-log-bucket)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/blob/master/LICENSE) @@ -8,6 +8,9 @@ [![Validate](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/validate.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/validate.yaml) [![Lint](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/linter.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/linter.yaml) + + # Terraform AWS S3 Access Log Bucket This Terraform module provides a preconfigured solution for setting up S3 
@@ -56,12 +61,16 @@ tracking activity in your ALB or Cognito. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [deny\_non\_secure\_transport](#input\_deny\_non\_secure\_transport) | Whether to attach a policy to the bucket to deny all non-SSL requests. | `bool` | `true` | no | | [expiration](#input\_expiration) | The number of days after which to expunge the objects. | `number` | `365` | no | +| [mfa](#input\_mfa) | MFA device ARN including a TOTP token to enable MFA delete. | `string` | `null` | no | +| [mfa\_delete](#input\_mfa\_delete) | Specifies whether MFA delete is enabled in the bucket. | `string` | `"Disabled"` | no | | [name](#input\_name) | The name of the bucket. | `string` | n/a | yes | | [noncurrent\_version\_expiration](#input\_noncurrent\_version\_expiration) | The number of days after which to delete the noncurrent object. | `number` | `90` | no | | [noncurrent\_version\_transitions](#input\_noncurrent\_version\_transitions) | Transition to another storage class for noncurrent\_versions. |
list(object({
noncurrent_days = number
storage_class = string
}))
|
[
{
"noncurrent_days": 30,
"storage_class": "STANDARD_IA"
}
]
| no | | [tags](#input\_tags) | Tags to add to the AWS Customer Managed Key. | `map(any)` | `{}` | no | | [transitions](#input\_transitions) | Transition to another storage class. |
list(object({
days = number
storage_class = string
}))
|
[
{
"days": 30,
"storage_class": "STANDARD_IA"
},
{
"days": 60,
"storage_class": "GLACIER"
},
{
"days": 180,
"storage_class": "DEEP_ARCHIVE"
}
]
| no | +| [versioning](#input\_versioning) | Enables versioning of objects in the bucket. | `string` | `"Enabled"` | no | ## Outputs @@ -79,11 +88,12 @@ tracking activity in your ALB or Cognito. ## Resources - resource.aws_s3_bucket.main (main.tf#21) -- resource.aws_s3_bucket_lifecycle_configuration.main (main.tf#52) -- resource.aws_s3_bucket_metric.main (main.tf#85) -- resource.aws_s3_bucket_policy.main (main.tf#27) -- resource.aws_s3_bucket_public_access_block.main (main.tf#32) -- resource.aws_s3_bucket_server_side_encryption_configuration.main (main.tf#41) +- resource.aws_s3_bucket_lifecycle_configuration.main (main.tf#62) +- resource.aws_s3_bucket_metric.main (main.tf#95) +- resource.aws_s3_bucket_policy.main (main.tf#37) +- resource.aws_s3_bucket_public_access_block.main (main.tf#42) +- resource.aws_s3_bucket_server_side_encryption_configuration.main (main.tf#51) +- resource.aws_s3_bucket_versioning.main (main.tf#27) - data source.aws_elb_service_account.main (data.tf#1) - data source.aws_iam_policy_document.main (data.tf#3) diff --git a/data.tf b/data.tf index 3af9452..7a9da82 100644 --- a/data.tf +++ b/data.tf 
@@ -2,22 +2,45 @@ data "aws_elb_service_account" "main" {} data "aws_iam_policy_document" "main" { - statement { - sid = "AllowElasticLoadBalancerToWriteAccessLogs" + dynamic "statement" { + for_each = var.deny_non_secure_transport ? [1] : [] - effect = "Allow" + content { + actions = ["s3:*"] + effect = "Deny" + sid = "DenyNonSecureTransport" - principals { - type = "AWS" - identifiers = [data.aws_elb_service_account.main.arn] + resources = [ + aws_s3_bucket.main.arn, + "${aws_s3_bucket.main.arn}/*" + ] + + principals { + type = "*" + identifiers = ["*"] + } + + condition { + test = "Bool" + variable = "aws:SecureTransport" + values = ["false"] + } } + } + + statement { + actions = ["s3:PutObject"] + effect = "Allow" + sid = "AllowElasticLoadBalancerToWriteAccessLogs" - actions = [ - "s3:PutObject" - ] resources = [ "${aws_s3_bucket.main.arn}/*" ] + + principals { + type = "AWS" + identifiers = [data.aws_elb_service_account.main.arn] + } } } diff --git a/docs/10-header.md b/docs/10-header.md new file mode 100644 index 0000000..3843bbf --- /dev/null +++ b/docs/10-header.md @@ -0,0 +1 @@ +[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/.github/main/geekcell-github-banner.png)](https://www.geekcell.io/) diff --git a/docs/badges.md b/docs/20-badges.md similarity index 99% rename from docs/badges.md rename to docs/20-badges.md index 314cba9..588f6b9 100644 --- a/docs/badges.md +++ b/docs/20-badges.md @@ -5,6 +5,9 @@ [![Validate](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/validate.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/validate.yaml) [![Lint](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/linter.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-s3-access-log-bucket/actions/workflows/linter.yaml) + diff --git a/docs/assets/logo.svg b/docs/assets/logo.svg deleted file mode 100644 index 16494af..0000000 
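Review bot: The `AllowElasticLoadBalancerToWriteAccessLogs` statement grants the regional ELB log-delivery account `s3:PutObject` on `${aws_s3_bucket.main.arn}/*` with no prefix or account scoping; that account is shared by every customer's load balancer in the region, so a load balancer in an unrelated AWS account that is pointed at this bucket name could presumably write its logs here as well. AWS's reference policy for ALB access logs scopes the resource to `bucket/prefix/AWSLogs/<account-id>/*`, so narrowing it to `"${aws_s3_bucket.main.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"` (adding an `aws_caller_identity` data source) would confine writes to this account's log path; verify that the module's Cognito use case mentioned in the README writes under the same path before tightening. The new `DenyNonSecureTransport` statement itself reads correctly — `Deny` on `s3:*` for both the bucket and object ARNs with `aws:SecureTransport` false — and the `dynamic` block keeps it opt-out through `deny_non_secure_transport`.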
--- a/docs/assets/logo.svg +++ /dev/null @@ -1,22 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/logo.md b/docs/logo.md deleted file mode 100644 index 50e69d6..0000000 --- a/docs/logo.md +++ /dev/null @@ -1 +0,0 @@ -[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/template-terraform-module/main/docs/assets/logo.svg)](https://www.geekcell.io/) diff --git a/main.tf b/main.tf index 3abb6b1..05807cb 100644 --- a/main.tf +++ b/main.tf @@ -24,6 +24,16 @@ resource "aws_s3_bucket" "main" { tags = var.tags } +resource "aws_s3_bucket_versioning" "main" { + bucket = aws_s3_bucket.main.id + mfa = var.mfa + + versioning_configuration { + status = var.versioning + mfa_delete = var.mfa_delete + } +} + resource "aws_s3_bucket_policy" "main" { bucket = aws_s3_bucket.main.id policy = data.aws_iam_policy_document.main.json diff --git a/variables.tf b/variables.tf index 0c665dd..022406c 100644 --- a/variables.tf +++ b/variables.tf @@ -58,3 +58,27 @@ variable "transitions" { storage_class = string })) } + +variable "versioning" { + default = "Enabled" + description = "Enables versioning of objects in the bucket." + type = string +} + +variable "mfa_delete" { + default = "Disabled" + description = "Specifies whether MFA delete is enabled in the bucket." + type = string +} + +variable "mfa" { + default = null + description = "MFA device ARN including a TOTP token to enable MFA delete." + type = string +} + +variable "deny_non_secure_transport" { + default = true + description = "Whether to attach a policy to the bucket to deny all non-SSL requests." + type = bool +}
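Review bot: `aws_s3_bucket_versioning.main` in the main.tf hunk has no ordering relative to the existing `aws_s3_bucket_lifecycle_configuration.main` (outside this hunk), which according to the README's inputs already carries `noncurrent_version_expiration` and `noncurrent_version_transitions` rules; the AWS provider documentation recommends that a lifecycle configuration with noncurrent-version rules declare `depends_on = [aws_s3_bucket_versioning.main]` so versioning is enabled before those rules are applied. A short comment on the new resource would also save the next reader a docs lookup: `# mfa is only consulted when mfa_delete = "Enabled"; MFA delete can, to my knowledge, only be enabled with the bucket owner's root-account MFA device`.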
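Review bot: `variable "mfa"` in the variables.tf hunk carries a device ARN plus a live TOTP code but is not marked `sensitive = true`, so the value is echoed in plan/apply output and CI logs; `versioning` and `mfa_delete` are free-form strings although the provider accepts only a fixed set of values for them. Add `sensitive = true` to `mfa`, and `validation` blocks limiting `versioning` to `Enabled`/`Suspended`/`Disabled` and `mfa_delete` to `Enabled`/`Disabled`, so a typo fails at plan time rather than at the API call (both arguments need a Terraform version that supports them; the module's `required_version` is not in this diff). Note also that `versioning` defaulting to `"Enabled"` switches versioning on for every existing consumer on upgrade, which interacts with the 90-day `noncurrent_version_expiration` default and storage cost — worth calling out in the changelog or the description.
```hcl
variable "versioning" {
  default     = "Enabled"
  description = "Enables versioning of objects in the bucket."
  type        = string

  validation {
    condition     = contains(["Enabled", "Suspended", "Disabled"], var.versioning)
    error_message = "versioning must be one of Enabled, Suspended or Disabled."
  }
}

variable "mfa_delete" {
  default     = "Disabled"
  description = "Specifies whether MFA delete is enabled in the bucket."
  type        = string

  validation {
    condition     = contains(["Enabled", "Disabled"], var.mfa_delete)
    error_message = "mfa_delete must be Enabled or Disabled."
  }
}

variable "mfa" {
  default     = null
  description = "MFA device ARN including a TOTP token to enable MFA delete."
  sensitive   = true
  type        = string
}

# … unchanged: variable "deny_non_secure_transport" …
```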