feat(modules): s3 sub-module

Author: saumitra-dev

modules/s3-bucket/.header.md

@@ -0,0 +1,17 @@
+# s3-bucket
+
+This sub-module creates an S3 bucket with optional S3 bucket policies to attach.
+
+## Presets
+
+### S3 Bucket
+
+- The `force_destroy` is set to `false` as the default option (which prevents the deletion of the S3 bucket if it has objects in it), and can be overridden to be `true`.
+
+### S3 Bucket Policy
+
+- The `effect` under `statement` in the `aws_iam_policy_document.this` data source is set to `Allow` as the default option (which grants the principal the defined permissions), and can be overridden to be `Deny`.
+
+## Notes
+
+- The S3 bucket policies are attached only if at least one policy is specified. Otherwise, no bucket policies are attached.

modules/s3-bucket/main.tf

@@ -0,0 +1,54 @@
+locals {
+  # S3 Bucket Policy
+  create_s3_bucket_policy = length(var.bucket_policies) > 0
+}
+
+################################################################################
+# S3 Bucket
+################################################################################
+
+resource "aws_s3_bucket" "this" {
+  bucket              = var.bucket
+  force_destroy       = var.bucket_force_destroy
+  object_lock_enabled = var.bucket_object_lock_enabled
+
+  tags = var.tags
+}
+
+################################################################################
+# S3 Bucket Policy
+################################################################################
+
+data "aws_iam_policy_document" "this" {
+  for_each = local.create_s3_bucket_policy ? var.bucket_policies : {}
+
+  policy_id = each.value.id
+  version   = each.value.version
+
+  dynamic "statement" {
+    for_each = each.value.statements
+
+    content {
+      actions   = statement.value.actions
+      effect    = statement.value.effect
+      resources = statement.value.resources
+
+      dynamic "principals" {
+        for_each = statement.value.principals
+        iterator = principal
+
+        content {
+          identifiers = principal.value.identifiers
+          type        = principal.value.type
+        }
+      }
+    }
+  }
+}
+
+resource "aws_s3_bucket_policy" "this" {
+  for_each = local.create_s3_bucket_policy ? data.aws_iam_policy_document.this : {}
+
+  bucket = aws_s3_bucket.this.id
+  policy = each.value.json
+}

modules/s3-bucket/outputs.tf

@@ -0,0 +1,13 @@
+################################################################################
+# S3 Bucket
+################################################################################
+
+output "bucket_id" {
+  description = "Name of the bucket."
+  value       = aws_s3_bucket.this.id
+}
+
+output "bucket_arn" {
+  description = "ARN of the bucket."
+  value       = aws_s3_bucket.this.arn
+}

modules/s3-bucket/variables.tf

@@ -0,0 +1,53 @@
+################################################################################
+# S3 Bucket
+################################################################################
+
+variable "bucket" {
+  description = "(Optional, Forces new resource) Name of the bucket."
+  type        = string
+  default     = null
+}
+
+variable "bucket_force_destroy" {
+  description = "(Optional, Default:false) Boolean that indicates all objects (including any locked objects) should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error."
+  type        = bool
+  nullable    = false
+  default     = false
+}
+
+variable "bucket_object_lock_enabled" {
+  description = "(Optional, Forces new resource) Indicates whether this bucket has an Object Lock configuration enabled."
+  type        = bool
+  nullable    = false
+  default     = false
+}
+
+variable "tags" {
+  description = "(Optional) Map of tags to assign to the bucket."
+  type        = map(string)
+  nullable    = false
+  default     = {}
+}
+
+################################################################################
+# S3 Bucket Policy
+################################################################################
+
+variable "bucket_policies" {
+  description = "(Optional) Map of bucket policies to attach to the S3 bucket."
+  type = map(object({
+    id      = optional(string, null)
+    version = optional(string, null)
+    statements = optional(list(object({
+      actions   = optional(set(string), [])
+      effect    = optional(string, "Allow")
+      resources = optional(set(string), [])
+      principals = optional(list(object({
+        identifiers = set(string)
+        type        = string
+      })), [])
+    })), [])
+  }))
+  nullable = false
+  default  = {}
+}

modules/s3-bucket/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 1.6.0"
+}

tests/s3_bucket_unit_tests.tftest.hcl

@@ -0,0 +1,205 @@
+provider "aws" {
+  region = "ap-south-1"
+}
+
+################################################################################
+# S3 Bucket
+################################################################################
+
+run "s3_bucket_attributes_match" {
+  command = plan
+
+  module {
+    source = "./modules/s3-bucket"
+  }
+
+  variables {
+    bucket                     = "example-bucket"
+    bucket_force_destroy       = true
+    bucket_object_lock_enabled = true
+
+    tags = {
+      Example = "Tag"
+    }
+  }
+
+  assert {
+    condition     = aws_s3_bucket.this.bucket == var.bucket
+    error_message = "Bucket mismatch"
+  }
+
+  assert {
+    condition     = aws_s3_bucket.this.force_destroy == var.bucket_force_destroy
+    error_message = "Force destroy mismatch"
+  }
+
+  assert {
+    condition     = aws_s3_bucket.this.object_lock_enabled == var.bucket_object_lock_enabled
+    error_message = "Object lock status mismatch"
+  }
+
+  assert {
+    condition     = aws_s3_bucket.this.tags == var.tags
+    error_message = "Tags mismatch"
+  }
+}
+
+################################################################################
+# IAM Policy Document
+################################################################################
+
+run "does_not_create_iam_policy_document_check" {
+  command = plan
+
+  module {
+    source = "./modules/s3-bucket"
+  }
+
+  variables {}
+
+  assert {
+    condition     = length(data.aws_iam_policy_document.this) == 0
+    error_message = "IAM policy document data source was created"
+  }
+}
+
+run "iam_policy_document_attributes_match" {
+  command = plan
+
+  module {
+    source = "./modules/s3-bucket"
+  }
+
+  variables {
+    bucket_policies = {
+      example-policy = {
+        id      = "example-id"
+        version = "2012-10-17"
+
+        statements = [
+          {
+            actions = [
+              "s3:PutObject"
+            ]
+            effect = "Allow"
+            resources = [
+              "example/*"
+            ]
+
+            principals = [
+              {
+                identifiers = ["delivery.logs.amazonaws.com"]
+                type        = "Service"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  }
+
+  assert {
+    condition     = length(data.aws_iam_policy_document.this) == 1
+    error_message = "IAM policy document data source was not created"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.this["example-policy"].policy_id == var.bucket_policies["example-policy"].id
+    error_message = "Policy id mismatch"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.this["example-policy"].version == var.bucket_policies["example-policy"].version
+    error_message = "Version mismatch"
+  }
+
+  assert {
+    condition     = length(data.aws_iam_policy_document.this["example-policy"].statement) == 1
+    error_message = "Statement count mismatch"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.this["example-policy"].statement[0].actions == var.bucket_policies["example-policy"].statements[0].actions
+    error_message = "Statement actions mismatch"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.this["example-policy"].statement[0].effect == var.bucket_policies["example-policy"].statements[0].effect
+    error_message = "Statement effect mismatch"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.this["example-policy"].statement[0].resources == var.bucket_policies["example-policy"].statements[0].resources
+    error_message = "Statement resources mismatch"
+  }
+
+  assert {
+    condition     = data.aws_iam_policy_document.this["example-policy"].statement[0].principals == toset(var.bucket_policies["example-policy"].statements[0].principals)
+    error_message = "Statement principals mismatch"
+  }
+}
+
+################################################################################
+# S3 Bucket Policy
+################################################################################
+
+run "does_not_create_s3_bucket_policy_check" {
+  command = plan
+
+  module {
+    source = "./modules/s3-bucket"
+  }
+
+  variables {}
+
+  assert {
+    condition     = length(aws_s3_bucket_policy.this) == 0
+    error_message = "S3 bucket policy was created"
+  }
+}
+
+run "s3_bucket_policy_attributes_match" {
+  command = plan
+
+  module {
+    source = "./modules/s3-bucket"
+  }
+
+  variables {
+    bucket_policies = {
+      example-policy = {
+        id      = "example-id"
+        version = "2012-10-17"
+
+        statements = [
+          {
+            actions = [
+              "s3:PutObject"
+            ]
+            effect = "Allow"
+            resources = [
+              "example/*"
+            ]
+
+            principals = [
+              {
+                identifiers = ["delivery.logs.amazonaws.com"]
+                type        = "Service"
+              }
+            ]
+          }
+        ]
+      }
+    }
+  }
+
+  assert {
+    condition     = length(aws_s3_bucket_policy.this) == 1
+    error_message = "S3 bucket policy was not created"
+  }
+
+  assert {
+    condition     = jsondecode(aws_s3_bucket_policy.this["example-policy"].policy) == jsondecode(data.aws_iam_policy_document.this["example-policy"].json)
+    error_message = "Policy mismatch"
+  }
+}