feat(aws): add possibility to setup s3 redirects buckets

aws/s3-bucket-website-configuration/.tflint.hcl

@@ -0,0 +1,10 @@
+plugin "terraform" {
+  enabled = true
+  preset  = "recommended"
+}
+
+plugin "aws" {
+  enabled = true
+  version = "0.17.1"
+  source  = "github.com/terraform-linters/tflint-ruleset-aws"
+}

aws/s3-bucket-website-configuration/README.md

@@ -0,0 +1,46 @@
+# AWS S3 bucket policy
+
+This module creates a S3 bucket policy
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.30.0, < 5.0.0 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1, < 1.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.30.0, < 5.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket_website_configuration.website-config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_bucket_id"></a> [bucket\_id](#input\_bucket\_id) | ID of the bucket to apply the lifecycle configuration | `string` | n/a | yes |
+| <a name="input_customer"></a> [customer](#input\_customer) | Customer for the current deployment | `string` | `""` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment for the current deployment | `string` | `""` | no |
+| <a name="input_error_document"></a> [error\_document](#input\_error\_document) | error document for the website configuration | `any` | `null` | no |
+| <a name="input_index_document"></a> [index\_document](#input\_index\_document) | index document for the website configuration | `any` | `null` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name to be used on all the resources as identifier | `string` | n/a | yes |
+| <a name="input_redirect_all_requests_to"></a> [redirect\_all\_requests\_to](#input\_redirect\_all\_requests\_to) | mandatory redirect for the website configuration | `any` | `null` | no |
+| <a name="input_routing_rules"></a> [routing\_rules](#input\_routing\_rules) | routing rules in JSON format | `string` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Default tags to add to resources | `map(any)` | `{}` | no |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

aws/s3-bucket-website-configuration/main.tf

@@ -0,0 +1,3 @@
+locals {
+  # the s3 website configuration does not support tags (yet)
+}

aws/s3-bucket-website-configuration/providers.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws",
+      version = ">= 4.30.0, < 5.0.0"
+    }
+    time = {
+      source  = "hashicorp/time",
+      version = ">= 0.9.1, < 1.0.0"
+    }
+  }
+  required_version = "~> 1.3"
+}

aws/s3-bucket-website-configuration/variables.tf

@@ -0,0 +1,65 @@
+# tflint-ignore: terraform_unused_declarations
+variable "name" {
+  description = "Name to be used on all the resources as identifier"
+  type        = string
+}
+
+# tflint-ignore: terraform_unused_declarations
+variable "customer" {
+  description = "Customer for the current deployment"
+  type        = string
+  default     = ""
+}
+
+# tflint-ignore: terraform_unused_declarations
+variable "environment" {
+  description = "Environment for the current deployment"
+  type        = string
+  default     = ""
+}
+
+# tflint-ignore: terraform_unused_declarations
+variable "tags" {
+  description = "Default tags to add to resources"
+  type        = map(any)
+  default     = {}
+}
+
+# module specific variables
+
+variable "bucket_id" {
+  description = "ID of the bucket to apply the lifecycle configuration"
+  type        = string
+}
+
+# example index document
+# { suffix = "index.html" }
+variable "index_document" {
+  description = "index document for the website configuration"
+  type        = any
+  default     = null
+}
+
+variable "error_document" {
+  description = "error document for the website configuration"
+  type        = any
+  default     = null
+}
+
+variable "redirect_all_requests_to" {
+  description = "mandatory redirect for the website configuration"
+  type        = any
+  default     = null
+}
+
+# variable "routing_rule" {
+#   description = "routing rule block"
+#   type = any
+#   default = null
+# }
+
+variable "routing_rules" {
+  description = "routing rules in JSON format"
+  type        = string
+  default     = null
+}

aws/s3-bucket-website-configuration/website-config.tf

@@ -0,0 +1,27 @@
+resource "aws_s3_bucket_website_configuration" "website-config" {
+  bucket = var.bucket_id
+
+  dynamic "index_document" {
+    for_each = var.index_document != null ? { my = var.index_document } : {}
+    content {
+      suffix = try(index_document.value.suffix, null)
+    }
+  }
+
+  dynamic "error_document" {
+    for_each = var.error_document != null ? { my = var.error_document } : {}
+    content {
+      key = try(error_document.value.key, null)
+    }
+  }
+
+  dynamic "redirect_all_requests_to" {
+    for_each = var.redirect_all_requests_to != null ? { my = var.redirect_all_requests_to } : {}
+    content {
+      host_name = try(redirect_all_requests_to.value.host_name, null)
+      protocol  = try(redirect_all_requests_to.value.protocol, null)
+    }
+  }
+
+  routing_rules = var.routing_rules
+}

aws/s3-bucket/README.md

@@ -38,11 +38,17 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_acl"></a> [acl](#input\_acl) | acls | `string` | `"private"` | no |
+| <a name="input_block_public_acls"></a> [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this bucket. Defaults to true. | `bool` | `true` | no |
+| <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for this bucket. Defaults to true. | `bool` | `true` | no |
 | <a name="input_customer"></a> [customer](#input\_customer) | Customer for the current deployment | `string` | `""` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment for the current deployment | `string` | `""` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |
+| <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for this bucket. Defaults to true. | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be used on all the resources as identifier | `string` | n/a | yes |
 | <a name="input_object_lock_enabled"></a> [object\_lock\_enabled](#input\_object\_lock\_enabled) | A boolean that indicates whether this bucket has an Object Lock configuration enabled. Enable Object Lock to prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | `bool` | `false` | no |
+| <a name="input_object_ownership"></a> [object\_ownership](#input\_object\_ownership) | The container element for object ownership for a bucket's ownership controls. | `string` | `"BucketOwnerPreferred"` | no |
+| <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for this bucket. Defaults to true. | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Default tags to add to resources | `map(any)` | `{}` | no |
 
 ## Outputs

aws/s3-bucket/bucket.tf

@@ -19,14 +19,13 @@ resource "aws_s3_bucket" "bucket" {
   tags                = local.interpolated_tags
 }
 
-# NOTE: we want the bucket to be secure by default
 resource "aws_s3_bucket_public_access_block" "bucket_public_access" {
   bucket = aws_s3_bucket.bucket.id
 
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
+  block_public_acls       = var.block_public_acls
+  block_public_policy     = var.block_public_policy
+  ignore_public_acls      = var.ignore_public_acls
+  restrict_public_buckets = var.restrict_public_buckets
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
@@ -48,13 +47,15 @@ resource "aws_s3_bucket_versioning" "versioning" {
 }
 
 resource "aws_s3_bucket_ownership_controls" "default" {
+  #checkov:skip=CKV2_AWS_65:this is up to the user
   bucket = aws_s3_bucket.bucket.id
   rule {
-    object_ownership = "BucketOwnerPreferred"
+    object_ownership = var.object_ownership
   }
 }
 
 resource "aws_s3_bucket_acl" "default" {
+  count      = var.acl != null && var.object_ownership != "BucketOwnerEnforced" ? 1 : 0
   depends_on = [aws_s3_bucket_ownership_controls.default]
 
   bucket = aws_s3_bucket.bucket.id

aws/s3-bucket/variables.tf

@@ -33,3 +33,43 @@ variable "object_lock_enabled" {
   type        = bool
   default     = false
 }
+
+# -------------------------------------------------------------------
+# public access config
+# -------------------------------------------------------------------
+variable "block_public_acls" {
+  description = "Whether Amazon S3 should block public ACLs for this bucket. Defaults to true."
+  type        = bool
+  default     = true
+}
+
+variable "block_public_policy" {
+  description = "Whether Amazon S3 should block public bucket policies for this bucket. Defaults to true."
+  type        = bool
+  default     = true
+}
+
+variable "ignore_public_acls" {
+  description = "Whether Amazon S3 should ignore public ACLs for this bucket. Defaults to true."
+  type        = bool
+  default     = true
+}
+
+variable "restrict_public_buckets" {
+  description = "Whether Amazon S3 should restrict public bucket policies for this bucket. Defaults to true."
+  type        = bool
+  default     = true
+}
+
+# object ownership policy
+variable "object_ownership" {
+  description = "The container element for object ownership for a bucket's ownership controls."
+  type        = string
+  default     = "BucketOwnerPreferred"
+}
+
+# acls
+variable "acl" {
+  type    = string
+  default = "private"
+}