diff --git a/infrastructure/modules/s3-bucket/context.tf b/infrastructure/modules/s3-bucket/context.tf new file mode 100644 index 0000000..5eb0bc6 --- /dev/null +++ b/infrastructure/modules/s3-bucket/context.tf @@ -0,0 +1,365 @@ +# +# ONLY EDIT THIS FILE IN github.com/NHSDigital/screening-terraform-modules-aws/infrastructure/modules/tags +# All other instances of this file should be a copy of that one +# +# +# Copy this file from https://github.com/NHSDigital/screening-terraform-modules-aws/blob/master/infrastructure/modules/tags/exports/context.tf +# and then place it in your Terraform module to automatically get +# tag module standard configuration inputs suitable for passing +# to other modules. +# +# curl -sL https://raw.githubusercontent.com/NHSDigital/screening-terraform-modules-aws/master/infrastructure/modules/tags/exports/context.tf -o context.tf +# +# Modules should access the whole context as `module.this.context` +# to get the input variables with nulls for defaults, +# for example `context = module.this.context`, +# and access individual variables as `module.this.`, +# with final values filled in. +# +# For example, when using defaults, `module.this.context.delimiter` +# will be null, and `module.this.delimiter` will be `-` (hyphen). +# + +module "this" { + source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/tags?ref=feature/BCSS-23189-add-new-modules-to-suppport-bcss" + + service = var.service + project = var.project + region = var.region + environment = var.environment + stack = var.stack + workspace = var.workspace + name = var.name + delimiter = var.delimiter + attributes = var.attributes + tags = var.tags + additional_tag_map = var.additional_tag_map + label_order = var.label_order + regex_replace_chars = var.regex_replace_chars + id_length_limit = var.id_length_limit + label_key_case = var.label_key_case + label_value_case = var.label_value_case + descriptor_formats = var.descriptor_formats + labels_as_tags = var.labels_as_tags + + context = var.context +} + +# Copy contents of screening-terraform-modules-aws/tags/variables.tf here +# tflint-ignore: terraform_unused_declarations +variable "aws_region" { + type = string + description = "The AWS region" + default = "eu-west-2" + validation { + condition = contains(["eu-west-1", "eu-west-2", "us-east-1"], var.aws_region) + error_message = "AWS Region must be one of eu-west-1, eu-west-2, us-east-1" + } +} + +variable "context" { + type = any + default = { + enabled = true + service = null + project = null + region = null + environment = null + stack = null + workspace = null + delimiter = null + attributes = [] + tags = {} + additional_tag_map = {} + regex_replace_chars = null + label_order = [] + id_length_limit = null + label_key_case = null + label_value_case = null + descriptor_formats = {} + # Note: we have to use [] instead of null for unset lists due to + # https://github.com/hashicorp/terraform/issues/28137 + # which was not fixed until Terraform 1.0.0, + # but we want the default to be all the labels in `label_order` + # and we want users to be able to prevent all tag generation + # by setting `labels_as_tags` to `[]`, so we need + # a different sentinel to indicate "default" + labels_as_tags = ["unset"] + } + description = <<-EOT + Single object for setting entire context at once. + See description of individual variables for details. + Leave string and numeric variables as `null` to use default value. + Individual variable settings (non-null) override settings in context object, + except for attributes, tags, and additional_tag_map, which are merged. + EOT + + validation { + condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"]) + error_message = "Allowed values: `lower`, `title`, `upper`." + } + + validation { + condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"]) + error_message = "Allowed values: `lower`, `title`, `upper`, `none`." + } +} + +variable "enabled" { + type = bool + default = null + description = "Set to false to prevent the module from creating any resources" +} + +variable "service" { + type = string + default = null + description = "ID element. Usually an abbreviation of your service directorate name, e.g. 'bcss' or 'csms', to help ensure generated IDs are globally unique" +} + +variable "region" { + type = string + default = null + description = "ID element _(Rarely used, not included by default)_. Usually an abbreviation of the selected AWS region e.g. 'uw2', 'ew2' or 'gbl' for resources like IAM roles that have no region" +} + +variable "project" { + type = string + default = null + description = "ID element. A project identifier, indicating the name or role of the project the resource is for, such as `website` or `api`" +} +variable "stack" { + type = string + default = null + description = "ID element. The name of the stack/component, e.g. `database`, `web`, `waf`, `eks`" +} +variable "workspace" { + type = string + default = null + description = "ID element. The Terraform workspace, to help ensure generated IDs are unique across workspaces" +} +variable "environment" { + type = string + default = null + description = "ID element. Usually used to indicate role, e.g. 'prd', 'dev', 'test', 'preprod', 'prod', 'uat'" +} + +variable "name" { + type = string + default = null + description = <<-EOT + ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. + This is the only ID element not also included as a `tag`. + The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. + EOT +} + +variable "delimiter" { + type = string + default = null + description = <<-EOT + Delimiter to be used between ID elements. + Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. + EOT +} + +variable "attributes" { + type = list(string) + default = [] + description = <<-EOT + ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`, + in the order they appear in the list. New attributes are appended to the + end of the list. The elements of the list are joined by the `delimiter` + and treated as a single ID element. + EOT +} + +variable "labels_as_tags" { + type = set(string) + default = ["default"] + description = <<-EOT + Set of labels (ID elements) to include as tags in the `tags` output. + Default is to include all labels. + Tags with empty values will not be included in the `tags` output. + Set to `[]` to suppress all generated tags. + **Notes:** + The value of the `name` tag, if included, will be the `id`, not the `name`. + Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be + changed in later chained modules. Attempts to change it will be silently ignored. + EOT +} + +variable "tags" { + type = map(string) + default = {} + description = <<-EOT + Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`). + Neither the tag keys nor the tag values will be modified by this module. + EOT +} + +variable "additional_tag_map" { + type = map(string) + default = {} + description = <<-EOT + Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`. + This is for some rare cases where resources want additional configuration of tags + and therefore take a list of maps with tag key, value, and additional configuration. + EOT +} + +variable "label_order" { + type = list(string) + default = null + description = <<-EOT + The order in which the labels (ID elements) appear in the `id`. + Defaults to ["namespace", "environment", "stage", "name", "attributes"]. + You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. + EOT +} + +variable "regex_replace_chars" { + type = string + default = null + description = <<-EOT + Terraform regular expression (regex) string. + Characters matching the regex will be removed from the ID elements. + If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. + EOT +} + +variable "id_length_limit" { + type = number + default = null + description = <<-EOT + Limit `id` to this many characters (minimum 6). + Set to `0` for unlimited length. + Set to `null` for keep the existing setting, which defaults to `0`. + Does not affect `id_full`. + EOT + validation { + condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0 + error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length." + } +} + +variable "label_key_case" { + type = string + default = null + description = <<-EOT + Controls the letter case of the `tags` keys (label names) for tags generated by this module. + Does not affect keys of tags passed in via the `tags` input. + Possible values: `lower`, `title`, `upper`. + Default value: `title`. + EOT + + validation { + condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case) + error_message = "Allowed values: `lower`, `title`, `upper`." + } +} + +variable "label_value_case" { + type = string + default = null + description = <<-EOT + Controls the letter case of ID elements (labels) as included in `id`, + set as tag values, and output by this module individually. + Does not affect values of tags passed in via the `tags` input. + Possible values: `lower`, `title`, `upper` and `none` (no transformation). + Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs. + Default value: `lower`. + EOT + + validation { + condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case) + error_message = "Allowed values: `lower`, `title`, `upper`, `none`." + } +} + +variable "descriptor_formats" { + type = any + default = {} + description = <<-EOT + Describe additional descriptors to be output in the `descriptors` output map. + Map of maps. Keys are names of descriptors. Values are maps of the form + `{ + format = string + labels = list(string) + }` + (Type is `any` so the map values can later be enhanced to provide additional options.) + `format` is a Terraform format string to be passed to the `format()` function. + `labels` is a list of labels, in order, to pass to `format()` function. + Label values will be normalized before being passed to `format()` so they will be + identical to how they appear in `id`. + Default is `{}` (`descriptors` output will be empty). + EOT +} + +variable "owner" { + type = string + description = "The name and or NHS.net email address of the service owner" + default = "None" +} + +variable "tag_version" { + type = string + description = "Used to identify the tagging version in use" + default = "1.0" +} + +variable "data_classification" { + type = string + description = "Used to identify the data classification of the resource, e.g 1-5" + default = "n/a" + validation { + condition = contains(["n/a", "1", "2", "3", "4", "5"], var.data_classification) + error_message = "Data Classification must be \"n/a\" or between 1-5" + } +} + +variable "data_type" { + type = string + description = "The tag data_type" + default = "None" + validation { + condition = contains(["None", "PCD", "PID", "Anonymised", "UserAccount", "Audit"], var.data_type) + error_message = "Data Type must be one of None, PCD, PID, Anonymised, UserAccount, Audit" + } +} + + +variable "public_facing" { + type = bool + description = "Whether this resource is public facing" + default = false +} + +variable "service_category" { + type = string + description = "The tag service_category" + default = "n/a" + validation { + condition = contains(["n/a", "Bronze", "Silver", "Gold", "Platinum"], var.service_category) + error_message = "The Service Category must be one of n/a, Bronze, Silver, Gold, Platinum" + } +} +variable "on_off_pattern" { + type = string + description = "Used to turn resources on and off based on a time pattern" + default = "n/a" +} + +variable "application_role" { + type = string + description = "The role the application is performing" + default = "General" +} + +variable "tool" { + type = string + description = "The tool used to deploy the resource" + default = "Terraform" +} + +#### End of copy of screening-terraform-modules-aws/tags/variables.tf diff --git a/infrastructure/modules/s3-bucket/locals.tf b/infrastructure/modules/s3-bucket/locals.tf new file mode 100644 index 0000000..7fd28fc --- /dev/null +++ b/infrastructure/modules/s3-bucket/locals.tf @@ -0,0 +1,40 @@ +################################################################ +# Local values +# +# Bucket names are globally unique. Compose from the context id +# and the current AWS region to reduce the chance of collisions +# across accounts and regions. Callers can override the entire +# name via `var.bucket_name`. +################################################################ + +data "aws_region" "current" {} + +locals { + region_suffix = data.aws_region.current.region + + default_bucket_name = format("%s-%s", module.this.id, local.region_suffix) + + bucket_name = coalesce(var.bucket_name, local.default_bucket_name) + + # Versioning is enabled by default. Callers can suspend it by + # setting `var.versioning_enabled = false`. + versioning = { + enabled = var.versioning_enabled + } + + # Default server-side encryption. SSE-S3 (AES256) is applied + # when no KMS key ARN is provided; otherwise SSE-KMS is used. + default_sse_configuration = { + rule = { + apply_server_side_encryption_by_default = var.kms_master_key_arn == null ? { + sse_algorithm = "AES256" + } : { + sse_algorithm = "aws:kms" + kms_master_key_id = var.kms_master_key_arn + } + bucket_key_enabled = true + } + } + + server_side_encryption_configuration = length(var.server_side_encryption_configuration) > 0 ? var.server_side_encryption_configuration : local.default_sse_configuration +} diff --git a/infrastructure/modules/s3-bucket/main.tf b/infrastructure/modules/s3-bucket/main.tf new file mode 100644 index 0000000..b535db8 --- /dev/null +++ b/infrastructure/modules/s3-bucket/main.tf @@ -0,0 +1,86 @@ +################################################################ +# S3 bucket +# +# Thin NHS wrapper around the community S3 bucket module that +# enforces the screening platform's baseline controls: +# +# * Ownership: BucketOwnerEnforced +# * Encryption: SSE enabled by default, denies for unencrypted +# or incorrectly encrypted uploads +# * Transport: TLS-only +# * Versioning: enabled by default +# * Public access: blocked at all four toggles +# * Logging: optional, delivered to a caller-supplied bucket +# +# Naming and tagging are derived from context.tf via module.this. +################################################################ + +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "5.13.0" + + create_bucket = module.this.enabled + + # Naming. Caller can override the full name via var.bucket_name; + # otherwise the name is `-` to keep the + # global S3 namespace collision-free. + bucket = local.bucket_name + + force_destroy = var.force_destroy + + # ---------------------------------------------------------------- + # Ownership: BucketOwnerEnforced disables ACLs entirely. + # ---------------------------------------------------------------- + control_object_ownership = true + object_ownership = "BucketOwnerEnforced" + + # ---------------------------------------------------------------- + # Public access block (all four toggles on). + # ---------------------------------------------------------------- + attach_public_policy = true + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true + + # ---------------------------------------------------------------- + # Transport: deny non-TLS connections and require the latest TLS. + # ---------------------------------------------------------------- + attach_deny_insecure_transport_policy = true + attach_require_latest_tls_policy = true + + # ---------------------------------------------------------------- + # Encryption: SSE by default; reject unencrypted or + # incorrectly encrypted PutObject requests. + # ---------------------------------------------------------------- + server_side_encryption_configuration = local.server_side_encryption_configuration + + attach_deny_unencrypted_object_uploads = true + attach_deny_incorrect_encryption_headers = true + attach_deny_ssec_encrypted_object_uploads = true + attach_deny_incorrect_kms_key_sse = var.kms_master_key_arn != null + allowed_kms_key_arn = var.kms_master_key_arn + + # ---------------------------------------------------------------- + # Versioning (default: enabled). + # ---------------------------------------------------------------- + versioning = local.versioning + + # ---------------------------------------------------------------- + # Access logging to a caller-supplied target bucket. + # ---------------------------------------------------------------- + logging = var.logging + + # ---------------------------------------------------------------- + # Optional pass-throughs. + # ---------------------------------------------------------------- + lifecycle_rule = var.lifecycle_rule + cors_rule = var.cors_rule + + # Custom bucket policy (merged by the upstream module with the + # generated deny-statements above). + attach_policy = var.policy != null + policy = var.policy + + tags = module.this.tags +} diff --git a/infrastructure/modules/s3-bucket/outputs.tf b/infrastructure/modules/s3-bucket/outputs.tf new file mode 100644 index 0000000..c965884 --- /dev/null +++ b/infrastructure/modules/s3-bucket/outputs.tf @@ -0,0 +1,39 @@ +output "bucket_id" { + description = "The name of the bucket." + value = module.s3_bucket.s3_bucket_id +} + +output "bucket_arn" { + description = "The ARN of the bucket." + value = module.s3_bucket.s3_bucket_arn +} + +output "bucket_domain_name" { + description = "The bucket domain name." + value = module.s3_bucket.s3_bucket_bucket_domain_name +} + +output "bucket_regional_domain_name" { + description = "The bucket region-specific domain name." + value = module.s3_bucket.s3_bucket_bucket_regional_domain_name +} + +output "bucket_region" { + description = "The AWS region this bucket resides in." + value = module.s3_bucket.s3_bucket_region +} + +output "bucket_hosted_zone_id" { + description = "The Route 53 Hosted Zone ID for this bucket's region." + value = module.s3_bucket.s3_bucket_hosted_zone_id +} + +output "bucket_policy" { + description = "The policy of the bucket, if a policy was attached." + value = module.s3_bucket.s3_bucket_policy +} + +output "versioning_status" { + description = "The versioning status of the bucket." + value = module.s3_bucket.aws_s3_bucket_versioning_status +} diff --git a/infrastructure/modules/s3-bucket/readme.md b/infrastructure/modules/s3-bucket/readme.md new file mode 100644 index 0000000..3ac3d94 --- /dev/null +++ b/infrastructure/modules/s3-bucket/readme.md @@ -0,0 +1,96 @@ +# S3 + +NHS Screening wrapper around the community +[`terraform-aws-modules/s3-bucket/aws`](https://registry.terraform.io/modules/terraform-aws-modules/s3-bucket/aws/latest) +module that enforces the platform's baseline controls and consumes +the shared `context.tf` for naming and tagging. + +## What this module enforces + +| Control | How it is enforced | +| ------------------------ | --------------------------------------------------------------------------------- | +| Ownership | `object_ownership = "BucketOwnerEnforced"` (ACLs disabled) | +| Transport (TLS) | `attach_deny_insecure_transport_policy` + `attach_require_latest_tls_policy` | +| Encryption at rest | SSE-S3 by default; SSE-KMS when `kms_master_key_arn` is set | +| Encryption on PUT | Denies unencrypted, incorrect-header, SSEC and wrong-KMS-key PutObject calls | +| Public access | All four S3 public-access-block toggles set to true | +| Versioning | Enabled by default; opt out with `versioning_enabled = false` | +| Globally unique name | Default name is `-` | +| Logging | Optional, delivered to a caller-supplied target bucket via `var.logging` | + +## Usage + +### Minimal bucket (versioning on, SSE-S3, name auto-derived) + +```hcl +module "data_bucket" { + source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/s3?ref=main" + + service = "bcss" + project = "ingest" + environment = "development" + name = "raw-data" +} +``` + +### Bucket with KMS encryption and access logging + +```hcl +module "audit_bucket" { + source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/s3?ref=main" + + service = "bcss" + project = "audit" + environment = "prod" + name = "audit-events" + + kms_master_key_arn = module.audit_kms.key_arn + + logging = { + target_bucket = module.log_bucket.bucket_id + target_prefix = "s3/audit-events/" + } +} +``` + +### Logging-target bucket (receives logs from other buckets) + +```hcl +module "log_bucket" { + source = "git::https://github.com/NHSDigital/screening-terraform-modules-aws.git//infrastructure/modules/s3?ref=main" + + service = "bcss" + project = "platform" + environment = "prod" + name = "s3-access-logs" + + versioning_enabled = false +} +``` + +## Conventions + +* `bucket_name` defaults to `-` so the same Terraform + configuration produces a different bucket in each region without manual + intervention. +* `force_destroy` defaults to `false`. Only set it to `true` for short-lived + buckets that will never hold business data. +* Custom bucket policies provided via `var.policy` are merged by the upstream + module with the platform's deny-non-TLS and deny-unencrypted statements; you + do not need to restate those rules. + +## What this module does NOT do + +* Create a KMS key. Use the `kms` module and pass `key_arn` in via + `kms_master_key_arn`. +* Manage replication, object-lock, intelligent storage classes, website hosting, + inventory, or analytics configurations. Add a dedicated wrapper or use the + upstream module directly if you need those. +* Configure account-level public-access-block. That belongs in an account-scope + module, not a per-bucket one. + + + + + + diff --git a/infrastructure/modules/s3-bucket/variables.tf b/infrastructure/modules/s3-bucket/variables.tf new file mode 100644 index 0000000..91158ab --- /dev/null +++ b/infrastructure/modules/s3-bucket/variables.tf @@ -0,0 +1,67 @@ +################################################################ +# S3-specific inputs. +# +# Naming, tagging and the master `enabled` switch come from +# context.tf via `module.this`. +################################################################ + +variable "bucket_name" { + description = "Optional explicit bucket name. When null, the bucket is named `-` to keep S3's global namespace collision-free." + type = string + default = null +} + +variable "force_destroy" { + description = "Allow deletion of a non-empty bucket. Keep this disabled for any bucket that holds business data." + type = bool + default = false +} + +variable "versioning_enabled" { + description = "Whether object versioning is enabled." + type = bool + default = true +} + +variable "kms_master_key_arn" { + description = "Optional KMS key ARN. When supplied, the default encryption switches from SSE-S3 (AES256) to SSE-KMS using this key, and PutObject calls referencing other KMS keys are denied." + type = string + default = null +} + +variable "server_side_encryption_configuration" { + description = "Optional full server-side encryption configuration map. When non-empty, this overrides the encryption defaults derived from `var.kms_master_key_arn`. See the upstream module's documentation for the expected shape." + type = any + default = {} +} + +variable "logging" { + description = <<-EOT + Map describing access-log delivery to a target bucket. Leave as + `{}` to disable logging. Example: + logging = { + target_bucket = "my-log-bucket" + target_prefix = "s3/access-logs/" + } + EOT + type = any + default = {} +} + +variable "policy" { + description = "Optional custom bucket policy JSON document. The upstream module merges this with the deny-non-TLS and deny-unencrypted statements generated above." + type = string + default = null +} + +variable "lifecycle_rule" { + description = "List of lifecycle rules forwarded to the upstream module." + type = any + default = [] +} + +variable "cors_rule" { + description = "List of CORS rules forwarded to the upstream module." + type = any + default = [] +} diff --git a/infrastructure/modules/s3-bucket/versions.tf b/infrastructure/modules/s3-bucket/versions.tf new file mode 100644 index 0000000..cb30fe5 --- /dev/null +++ b/infrastructure/modules/s3-bucket/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.13" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 6.42" + } + } +}