feat/support directory bucket

Author: magreenbaum

examples/directory-bucket/main.tf

@@ -0,0 +1,111 @@
+locals {
+  region  = "eu-west-1"
+  zone_id = "euw1-az1"
+}
+
+provider "aws" {
+  region = local.region
+
+  # Make it faster by skipping something
+  skip_metadata_api_check     = true
+  skip_region_validation      = true
+  skip_credentials_validation = true
+}
+
+data "aws_caller_identity" "current" {}
+
+module "directory_bucket" {
+  source = "../../modules/directory-bucket"
+
+  bucket_name_prefix   = random_pet.this.id
+  availability_zone_id = local.zone_id
+
+  server_side_encryption_configuration = {
+    sse_algorithm     = "aws:kms"
+    kms_master_key_id = aws_kms_key.objects.id
+  }
+
+  lifecycle_rules = {
+    all = {
+      id     = "test"
+      status = "Enabled"
+      abort_incomplete_multipart_upload = {
+        days_after_initiation = 7
+      }
+      expiration = {
+        days = 7
+      }
+    },
+    logs = {
+      status = "Enabled"
+      expiration = {
+        days = 5
+      }
+      filter = {
+        prefix                = "logs/"
+        object_size_less_than = 10
+      }
+    },
+    other = {
+      id     = "other"
+      status = "Enabled"
+      expiration = {
+        days = 2
+      }
+      filter = {
+        prefix = "other/"
+      }
+    }
+  }
+
+  create_bucket_policy = true
+  policy_statements = {
+    write = {
+      sid    = "ReadWriteAccess"
+      effect = "Allow"
+
+      actions = [
+        "s3express:CreateSession",
+      ]
+
+      principals = [
+        {
+          type        = "AWS"
+          identifiers = [data.aws_caller_identity.current.account_id]
+        }
+      ]
+    }
+    readonly = {
+      sid    = "ReadOnlyAccess"
+      effect = "Allow"
+
+      actions = [
+        "s3express:CreateSession",
+      ]
+
+      principals = [
+        {
+          type        = "AWS"
+          identifiers = [data.aws_caller_identity.current.account_id]
+        }
+      ]
+
+      conditions = [
+        {
+          test     = "StringEquals"
+          values   = ["ReadOnly"]
+          variable = "s3express:SessionMode"
+        }
+      ]
+    }
+  }
+}
+
+resource "random_pet" "this" {
+  length = 2
+}
+
+resource "aws_kms_key" "objects" {
+  description             = "KMS key is used to encrypt bucket objects"
+  deletion_window_in_days = 7
+}

examples/directory-bucket/outputs.tf

@@ -0,0 +1,9 @@
+output "directory_bucket_name" {
+  description = "Name of the directory bucket."
+  value       = module.directory_bucket.directory_bucket_name
+}
+
+output "directory_bucket_arn" {
+  description = "ARN of the directory bucket."
+  value       = module.directory_bucket.directory_bucket_arn
+}

examples/directory-bucket/variables.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.83"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.0"
+    }
+  }
+}

examples/directory-bucket/versions.tf

@@ -0,0 +1,144 @@
+locals {
+  bucket_name = "${var.bucket_name_prefix}--${var.availability_zone_id}--x-s3"
+}
+
+resource "aws_s3_directory_bucket" "this" {
+  count = var.create ? 1 : 0
+
+  bucket          = local.bucket_name
+  data_redundancy = var.data_redundancy
+  force_destroy   = var.force_destroy
+  type            = var.type
+
+  location {
+    name = var.availability_zone_id
+    type = var.location_type
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+  count = var.create && length(var.server_side_encryption_configuration) > 0 ? 1 : 0
+
+  bucket = aws_s3_directory_bucket.this[0].bucket
+
+  rule {
+    bucket_key_enabled = true
+
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = var.server_side_encryption_configuration.sse_algorithm
+      kms_master_key_id = try(var.server_side_encryption_configuration.kms_master_key_id, null)
+    }
+  }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "this" {
+  count = var.create && length(var.lifecycle_rules) > 0 ? 1 : 0
+
+  bucket = aws_s3_directory_bucket.this[0].bucket
+
+  dynamic "rule" {
+    for_each = var.lifecycle_rules
+
+    content {
+      id     = try(rule.value.id, rule.key)
+      status = try(rule.value.enabled ? "Enabled" : "Disabled", tobool(rule.value.status) ? "Enabled" : "Disabled", title(lower(rule.value.status)))
+
+      # Max 1 block - abort_incomplete_multipart_upload
+      dynamic "abort_incomplete_multipart_upload" {
+        for_each = try([rule.value.abort_incomplete_multipart_upload_days], [])
+
+        content {
+          days_after_initiation = try(rule.value.abort_incomplete_multipart_upload_days, null)
+        }
+      }
+
+      # Max 1 block - expiration
+      dynamic "expiration" {
+        for_each = try(flatten([rule.value.expiration]), [])
+
+        content {
+          days = try(expiration.value.days, null)
+        }
+      }
+
+      # Max 1 block - filter - with one key argument or a single tag
+      dynamic "filter" {
+        for_each = [for v in try(flatten([rule.value.filter]), []) : v if max(length(keys(v))) == 1]
+
+        content {
+          object_size_greater_than = try(filter.value.object_size_greater_than, null)
+          object_size_less_than    = try(filter.value.object_size_less_than, null)
+          prefix                   = try(filter.value.prefix, null)
+        }
+      }
+
+      # Max 1 block - filter - with more than one key arguments or multiple tags
+      dynamic "filter" {
+        for_each = [for v in try(flatten([rule.value.filter]), []) : v if max(length(keys(v))) > 1]
+
+        content {
+          and {
+            object_size_greater_than = try(filter.value.object_size_greater_than, null)
+            object_size_less_than    = try(filter.value.object_size_less_than, null)
+            prefix                   = try(filter.value.prefix, null)
+          }
+        }
+      }
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "this" {
+  count = var.create && var.create_bucket_policy ? 1 : 0
+
+  bucket = aws_s3_directory_bucket.this[0].bucket
+  policy = data.aws_iam_policy_document.this[0].json
+}
+
+data "aws_iam_policy_document" "this" {
+  count = var.create && var.create_bucket_policy ? 1 : 0
+
+  source_policy_documents   = var.source_policy_documents
+  override_policy_documents = var.override_policy_documents
+
+  dynamic "statement" {
+    for_each = var.policy_statements
+
+    content {
+      sid           = try(statement.value.sid, null)
+      actions       = try(statement.value.actions, null)
+      not_actions   = try(statement.value.not_actions, null)
+      effect        = try(statement.value.effect, null)
+      resources     = try(statement.value.resources, [aws_s3_directory_bucket.this[0].arn])
+      not_resources = try(statement.value.not_resources, null)
+
+      dynamic "principals" {
+        for_each = try(statement.value.principals, [])
+
+        content {
+          type        = principals.value.type
+          identifiers = principals.value.identifiers
+        }
+      }
+
+      dynamic "not_principals" {
+        for_each = try(statement.value.not_principals, [])
+
+        content {
+          type        = not_principals.value.type
+          identifiers = not_principals.value.identifiers
+        }
+      }
+
+      dynamic "condition" {
+        for_each = try(statement.value.conditions, [])
+
+        content {
+          test     = condition.value.test
+          values   = condition.value.values
+          variable = condition.value.variable
+        }
+      }
+    }
+  }
+}

modules/directory-bucket/main.tf

@@ -0,0 +1,9 @@
+output "directory_bucket_name" {
+  description = "Name of the directory bucket."
+  value       = try(aws_s3_directory_bucket.this[0].bucket, null)
+}
+
+output "directory_bucket_arn" {
+  description = "ARN of the directory bucket."
+  value       = try(aws_s3_directory_bucket.this[0].arn, null)
+}

modules/directory-bucket/outputs.tf

@@ -0,0 +1,77 @@
+variable "create" {
+  description = "Whether to create directory bucket resources"
+  type        = bool
+  default     = true
+}
+
+variable "bucket_name_prefix" {
+  description = "Bucket name prefix"
+  type        = string
+  default     = null
+}
+
+variable "data_redundancy" {
+  description = "Data redundancy. Valid values: `SingleAvailabilityZone`"
+  type        = string
+  default     = null
+}
+
+variable "force_destroy" {
+  description = "Boolean that indicates all objects should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. These objects are not recoverable"
+  type        = bool
+  default     = null
+}
+
+variable "type" {
+  description = "Bucket type. Valid values: `Directory`"
+  type        = string
+  default     = "Directory"
+}
+
+variable "availability_zone_id" {
+  description = "Availability Zone ID or Local Zone ID"
+  type        = string
+  default     = null
+}
+
+variable "location_type" {
+  description = "Location type. Valid values: `AvailabilityZone` or `LocalZone`"
+  type        = string
+  default     = null
+}
+
+variable "server_side_encryption_configuration" {
+  description = "Map containing server-side encryption configuration."
+  type        = any
+  default     = {}
+}
+
+variable "lifecycle_rules" {
+  description = "List of maps containing configuration of object lifecycle management."
+  type        = any
+  default     = {}
+}
+
+variable "create_bucket_policy" {
+  description = "Whether to create a directory bucket policy."
+  type        = bool
+  default     = false
+}
+
+variable "source_policy_documents" {
+  description = "List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s"
+  type        = list(string)
+  default     = []
+}
+
+variable "override_policy_documents" {
+  description = "List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid`"
+  type        = list(string)
+  default     = []
+}
+
+variable "policy_statements" {
+  description = "A map of IAM policy statements for custom permission usage"
+  type        = any
+  default     = {}
+}

modules/directory-bucket/variables.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.83"
+    }
+  }
+}