This blueprint describes the deployment of an AWS Simple Storage Service (S3) bucket with:
- Default encryption on.
- Default public access off.
A blueprint is a configurable and reusable infrastructure-as-code artefact. In line with the UNIX philosophy, a blueprint should do one thing and do it well. Practical examples include foundational infrastructure services, such as networking, compute and storage, but may as well be of arbitrary higher-level nature.
Every blueprint supports a set of inputs and a set of outputs, where an output of one blueprint may serve as the input of a dependent blueprint. This way, several blueprints can be composed into an arbitrarily complex system, or as we call it: a stack.
The behavior of a blueprint is determined by its purpose and the set of input parameters. Here is an overview of the inputs and outputs available for this blueprint. Please refer to this example on how to include this blueprint in a stack.
| Name | Version |
|---|---|
| terraform | >= 0.12 |
| Name | Version |
|---|---|
| aws | n/a |
| local | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| block_public_acls | Whether Amazon S3 should block public ACLs for this bucket. Defaults to true. Enabling this setting does not affect existing policies or ACLs. When set to true causes the following behavior: PUT Bucket acl and PUT Object acl calls will fail if the specified ACL allows public access. PUT Object calls will fail if the request includes an object ACL. | string |
true |
no |
| block_public_policy | Whether Amazon S3 should block public bucket policies for this bucket. Defaults to true. Enabling this setting does not affect the existing bucket policy. When set to true causes Amazon S3 to: Reject calls to PUT Bucket policy if the specified bucket policy allows public access. | string |
true |
no |
| bucket_acl | Setup the bucket ACL to private or not. The canned ACL to apply. | string |
"private" |
no |
| bucket_policy | A bucket policy which is applied to the bucket. | string |
"{}" |
no |
| bucket_versioning | Setup the bucket versioninig to be true or false. | bool |
false |
no |
| force_destroy | Defines if all objects in the bucket shall be destroyed so that the bucket can be deleted, or not (for testing). | bool |
false |
no |
| id | A unique identifier. | string |
n/a | yes |
| kms_master_key_id | The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used by default. | string |
"" |
no |
| lifecycle_rule_enabled | Specifies lifecycle rule status. | bool |
false |
no |
| lifecycle_rule_expiration_days | Specifies the number of days after object creation when the specific rule action takes effect. | string |
"1095" |
no |
| lifecycle_rule_noncurrent_version_expiration | Specifies when noncurrent object versions expire. | string |
"1095" |
no |
| name | The name of the bucket. | string |
n/a | yes |
| tags | A map of tag key-value pairs. | map(string) |
{} |
no |
| use_bucket_policy | Defines if a bucket policy shall be applied, or not. | bool |
false |
no |
| Name | Description |
|---|---|
| arn | The ARN of the bucket. |
| id | The id of the bucket. |
| inputs2outputs | all inputs passed to outputs |
| tags | A map of tag key-value pairs. |
Testing the functionality of this blueprint requires the following dependencies: make, tee, ruby, bundler, and terraform. Once installed, run make test from the command line.
Note that, when running tests, blueprints will interact with some cloud provider, such as AWS, Azure or VMware. It is up to you to provide sufficient configuration to enable these interactions, which differs between vendors. Here is an example for AWS that uses environment variables (via Configuring the AWS CLI):
$ export AWS_ACCESS_KEY_ID=...
$ export AWS_SECRET_ACCESS_KEY=...
$ export AWS_DEFAULT_REGION=us-east-1
$ make test
Developing a blueprint basically involves cloning the blueprint skeleton project available at infiaas/blueprint-aws-skeleton into your workspace and adapting it to suit your needs.
Setting up blueprint development guardrails requires the following dependencies: make, tee, ruby, bundler, python, pre-commit terraform, and terraform-docs. Once installed, run make install-dev-deps to install a set of quality improving pre-commit hooks into your local Git repository. Upon a git commit, these hooks will make sure that your code is both syntactically and functionally correct and that your README.md contains up-to-date documentation of your blueprint's supported set of inputs and outputs.
More information on the development flow is available in Confluence.
In case of problems, questions or suggestions, feel free to file an issue with the respective project's repository. Thanks!