From e39c6a329844cf15a14714f0ad62e6fd68aa64f5 Mon Sep 17 00:00:00 2001
From: Bobby Mackun
Date: Wed, 4 Nov 2020 06:48:46 +0000
Subject: [PATCH 1/4] add option to enable kms key rotation

---
 README.md | 8 ++++++++
 kms.tf | 9 +++++----
 variables.tf | 6 ++++++
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 2b301db..412aa5d 100644
--- a/README.md
+++ b/README.md
@@ -54,6 +54,14 @@ Type: `bool`
 
 Default: `false`
 
+### enable\_key\_rotation
+
+Description: Enable kms key rotation if required
+
+Type: `bool`
+
+Default: `false`
+
 ### prevent\_unencrypted\_uploads
 
 Description: Attach a bucket policy that requires all uploaded files to be explicitly encrypted. Must set the encrypted flag on the backend config.
diff --git a/kms.tf b/kms.tf
index 38f923a..9404a61 100644
--- a/kms.tf
+++ b/kms.tf
@@ -1,8 +1,9 @@
 resource "aws_kms_key" "backend" {
- count = var.enable_customer_kms_key ? 1 : 0
- description = "Customer key used to encrypt the backend S3 bucket"
- policy = data.aws_iam_policy_document.kms[0].json
- tags = var.tags
+ count = var.enable_customer_kms_key ? 1 : 0
+ description = "Customer key used to encrypt the backend S3 bucket"
+ enable_key_rotation = var.enable_key_rotation
+ policy = data.aws_iam_policy_document.kms[0].json
+ tags = var.tags
 }
 
 resource "aws_kms_alias" "backend" {
diff --git a/variables.tf b/variables.tf
index 73ff5f0..5ba137e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -26,6 +26,12 @@ variable "enable_customer_kms_key" {
 default = false
 }
 
+variable "enable_key_rotation" {
+ type = bool
+ description = "Enable kms key rotation if required"
+ default = false
+}
+
 variable "tags" {
 type = map(string)
 description = "Tags applied to all resources"

From 2b12c279c39eb4a1e0006c0044bfca07e117b0fe Mon Sep 17 00:00:00 2001
From: bobmacks
Date: Thu, 27 Jan 2022 11:42:11 +1100
Subject: [PATCH 2/4] support for s3 bucket force_destroy option

---
 s3.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
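Review bot: The new `enable_key_rotation = var.enable_key_rotation` line in kms.tf leaves automatic rotation switched off unless a caller opts in, because the variable added in the variables.tf hunk of this same commit defaults to `false`. This key is described as encrypting the backend S3 bucket, which the README suggests holds Terraform state; for a customer-managed key in that role the safer default is `default = true`, which is what AWS guidance and the CIS AWS Foundations benchmark check for on customer-managed keys. Enabling rotation does not re-encrypt existing objects or break decryption of data encrypted under earlier key material, so the change carries little operational risk. If the `false` default is kept for backward compatibility, the variable description should state that rotation is off by default so operators know they have to opt in.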
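Review bot: The description on the new `enable_key_rotation` variable in variables.tf, "Enable kms key rotation if required", does not say what it controls or when it applies; the `aws_kms_key.backend` resource in the kms.tf hunk has `count = var.enable_customer_kms_key ? 1 : 0`, so this flag has no effect unless `enable_customer_kms_key` is also true. Suggest `description = "Enable automatic rotation of the customer-managed KMS key used for the backend bucket. Only takes effect when enable_customer_kms_key is true."` and mirroring that sentence in the README entry.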
diff --git a/s3.tf b/s3.tf
index 7bed220..0d343ed 100644
--- a/s3.tf
+++ b/s3.tf
@@ -31,7 +31,8 @@ resource "aws_s3_bucket" "backend" {
 }
 }
 
- tags = var.tags
+ force_destroy = var.force_destroy
+ tags = var.tags
 }
 
 resource "aws_s3_bucket_public_access_block" "backend" {

From 4e061fc271c8afe2a51e3da30f0a5c64ca823b43 Mon Sep 17 00:00:00 2001
From: bobmacks
Date: Thu, 27 Jan 2022 11:44:15 +1100
Subject: [PATCH 3/4] Update variables.tf

---
 variables.tf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/variables.tf b/variables.tf
index 5ba137e..d9f7ca4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -32,6 +32,12 @@ variable "enable_key_rotation" {
 default = false
 }
 
+variable "force_destroy" {
+ type = boolean
+ descrption = "Force removal of non-empty backend s3 buckets"
+ default = false
+}
+
 variable "tags" {
 type = map(string)
 description = "Tags applied to all resources"

From 5c708cafcf280ef2f4b766641acae99a63bc4b61 Mon Sep 17 00:00:00 2001
From: bobmacks
Date: Thu, 27 Jan 2022 11:47:09 +1100
Subject: [PATCH 4/4] Update README.md

---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/README.md b/README.md
index 1f98da0..8a0c1ab 100644
--- a/README.md
+++ b/README.md
@@ -61,6 +61,14 @@ Type: `bool`
 
 Default: `false`
 
+### force\_destroy
+
+Description: Force removal of s3 bucket contents on bucket destruction.
+
+Type: `bool`
+
+Default: `false`
+
 ### prevent\_unencrypted\_uploads
 
 Description: Attach a bucket policy that requires all uploaded files to be explicitly encrypted. Must set the encrypted flag on the backend config.
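Review bot: `force_destroy = var.force_destroy` on `aws_s3_bucket.backend` makes a `terraform destroy` delete every object in the bucket, including all object versions, before removing it; if this is the Terraform state backend bucket the README implies, setting it true removes the entire state history in a single apply with no recovery path, so the consequence should be spelled out wherever the variable is documented rather than described only as removing "non-empty" buckets. As of this commit `var.force_destroy` is not declared anywhere in the module (it is only added in PATCH 3/4), so this commit on its own fails `terraform validate`; squashing 2/4 and 3/4 would keep every commit in the series buildable. The enclosing `aws_s3_bucket` resource begins before this hunk.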
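Review bot: The new `force_destroy` variable block in variables.tf does not validate: `type = boolean` is not a Terraform type constraint (the keyword is `bool`, as the sibling `enable_key_rotation` variable uses), and `descrption` is a misspelled argument name that Terraform rejects as unsupported, so the module is broken at this commit even though the README entry in PATCH 4/4 already documents the type as `bool`. Change the two lines to `type = bool` and `description = "Delete all objects (including all versions) from the backend S3 bucket when it is destroyed, instead of failing on a non-empty bucket. Irreversible for a state bucket."`, keeping `default = false`.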