AWS S3 Bucket
Amazon S3 (Simple Storage Service) is an object storage service that offers industry-leading scalability, data availability, security, and performance. It can be used for a variety of use cases, such as storing and retrieving data, hosting static websites, and more.
In this task, you will learn how to create and manage S3 buckets in AWS.
Task
1. Create an S3 bucket using Terraform.
resource "aws_s3_bucket" "my_bucket" {
  # Bucket names are global across all AWS accounts, so this must be unique.
  bucket = "<unique_bucket_name>"
}
The declaration of aws_s3_bucket resource results in the creation of a new S3 bucket. The identifier "my_bucket" uniquely represents this resource within your Terraform code and can be customized to suit your preference. Initialize the working directory and download necessary providers by executing the terraform init command.
Generate an execution plan with terraform plan to analyze the changes required for achieving the desired infrastructure state.
Apply the changes using terraform apply to create or update resources as necessary.
The S3 bucket has been successfully created.
2. Configure the bucket to allow public read access.
Step-01: Begin by creating a new file named "public_access.tf" and insert the following Terraform code:
resource "aws_s3_bucket_public_access_block" "example" {
  # Refers to the bucket resource created in step 1 (aws_s3_bucket.my_bucket).
  bucket = aws_s3_bucket.my_bucket.id

  # New buckets default to all four settings being true. Setting them to
  # false is what allows a public ACL and a public bucket policy to take effect.
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

resource "aws_s3_bucket_acl" "bucket_acl" {
  bucket = aws_s3_bucket.my_bucket.id
  # Canned ACL: the predefined AllUsers group (anyone on the internet) gets READ.
  acl = "public-read"
}
In this Terraform configuration:

The aws_s3_bucket_public_access_block resource controls the four Block Public Access settings of the "my_bucket" S3 bucket. They default to true on a new bucket; setting all four to false explicitly allows public ACLs and public bucket policies to be created and honoured.

The aws_s3_bucket_acl resource attaches the canned ACL "public-read" to the bucket. On a bucket this grants READ to the predefined AllUsers group, so anyone on the internet can list the bucket's contents without authenticating. It does not by itself make existing objects downloadable: each object carries its own ACL, so objects must also be uploaded with a public-read ACL (or be granted through a bucket policy) before anonymous s3:GetObject succeeds. Use this only for content that is meant to be public, such as a static website; for anything else keep Block Public Access enabled and grant access through a bucket policy with a specific principal.
Step-02: In the AWS console open the bucket, go to Permissions > Object Ownership, click Edit and choose "ACLs enabled" (Bucket owner preferred).
Note: buckets created since April 2023 default to "Bucket owner enforced", which disables ACLs entirely. Without this change the apply of the aws_s3_bucket_acl resource fails because the bucket rejects the ACL request.
Step-03: Apply the Terraform code using the command:
terraform apply
Step-04: Check the AWS console to verify that the bucket is now public as intended: the bucket list shows "Public" in the Access column, and Permissions > Access control list (ACL) lists "Everyone (public access)" with List permission.
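The console click in Step-02 can be expressed in Terraform so the whole configuration applies in one run. The following is an added example and not part of the original tutorial; it assumes the aws_s3_bucket.my_bucket resource from step 1 and the aws_s3_bucket_public_access_block.example resource from public_access.tf, and it replaces the aws_s3_bucket_acl block shown above (keep only one aws_s3_bucket_acl for the bucket).

```hcl
# Added example (not from the original tutorial). Assumes aws_s3_bucket.my_bucket
# and aws_s3_bucket_public_access_block.example already exist in this configuration.

# ACLs are rejected while Object Ownership is "BucketOwnerEnforced" (the default
# for new buckets). "BucketOwnerPreferred" re-enables ACLs on the bucket.
resource "aws_s3_bucket_ownership_controls" "my_bucket" {
  bucket = aws_s3_bucket.my_bucket.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# Terraform has no implicit ordering between these resources, so without
# depends_on it may try to set the ACL before ACLs are enabled or before
# Block Public Access is relaxed, and the apply fails.
resource "aws_s3_bucket_acl" "bucket_acl" {
  depends_on = [
    aws_s3_bucket_ownership_controls.my_bucket,
    aws_s3_bucket_public_access_block.example,
  ]

  bucket = aws_s3_bucket.my_bucket.id

  # Bucket-level READ for the AllUsers group: anyone on the internet can list
  # the bucket. Objects still need their own public-read ACL to be fetched.
  acl = "public-read"
}
```

Two caveats before relying on this: an account-level Block Public Access setting (the aws_s3_account_public_access_block resource, or the same setting made in the console) overrides the bucket-level settings, so the bucket can remain private even after this applies; and the public ACL stays in force until the ACL is set back to "private" or Block Public Access is re-enabled, regardless of any bucket policy added later.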
3. Enable versioning on the S3 bucket.
The versioning configuration is attached to the bucket with its status set to enabled. With versioning on, every overwrite of an object stores a new version rather than replacing the old one, and a delete places a delete marker instead of destroying data, so earlier versions remain recoverable after an accidental or malicious change. Note that the older inline versioning block of aws_s3_bucket (with enabled = true) is deprecated in current AWS provider versions in favour of the separate aws_s3_bucket_versioning resource, and that once a bucket has been versioned it can only be suspended, never returned to the unversioned state.
Versioning for the bucket has been successfully enabled.
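The versioning resource itself, as an added example that is not part of the original tutorial. It assumes the aws_s3_bucket.my_bucket resource from step 1, and the 90-day retention window is an arbitrary value chosen for the example. It goes beyond the step above by pairing versioning with a lifecycle rule, because without one every noncurrent version is kept forever and storage grows without bound.

```hcl
# Added example (not from the original tutorial). Assumes aws_s3_bucket.my_bucket
# from step 1; the 90-day window is an example value.

resource "aws_s3_bucket_versioning" "my_bucket" {
  bucket = aws_s3_bucket.my_bucket.id

  versioning_configuration {
    # "Enabled" keeps every prior version; overwrites and deletes become new
    # versions / delete markers. The only other state after this is "Suspended".
    status = "Enabled"
  }
}

# Expire noncurrent versions after a window long enough to recover from a bad
# deploy or a destructive actor; until then they remain restorable.
resource "aws_s3_bucket_lifecycle_configuration" "my_bucket" {
  bucket = aws_s3_bucket.my_bucket.id

  # Noncurrent-version rules only make sense once versioning is in place.
  depends_on = [aws_s3_bucket_versioning.my_bucket]

  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"

    # An empty filter applies the rule to every object in the bucket.
    filter {}

    noncurrent_version_expiration {
      noncurrent_days = 90
    }

    # Remove delete markers once no versions remain behind them, so the
    # listing does not fill up with tombstones.
    expiration {
      expired_object_delete_marker = true
    }
  }
}
```

After terraform apply, Properties > Bucket Versioning in the console shows "Enabled", and Management > Lifecycle rules lists the rule. For buckets that hold evidence or backups, consider MFA delete on top of this; it cannot be set through Terraform because it requires the account root credentials.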
4. Create an S3 bucket policy that allows read-only access to a specific IAM user.
resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.my_bucket.id
  policy = data.aws_iam_policy_document.allow_read_only_access.json
}

data "aws_iam_policy_document" "allow_read_only_access" {
  statement {
    effect = "Allow"

    principals {
      type = "AWS"
      # The ARN of the single IAM user being granted access. A bare account ID
      # here (for example "683633011377") would instead name the account root and
      # delegate access to every IAM user and role in that account.
      identifiers = ["arn:aws:iam::683633011377:user/<iam_user_name>"]
    }

    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]

    resources = [
      aws_s3_bucket.my_bucket.arn,        # bucket ARN, needed for s3:ListBucket
      "${aws_s3_bucket.my_bucket.arn}/*", # object ARNs, needed for s3:GetObject
    ]
  }
}
To grant read-only access to a single IAM user, the configuration creates an S3 bucket policy through the aws_s3_bucket_policy resource. It is attached to aws_s3_bucket.my_bucket via the bucket argument, and its policy argument references the JSON rendered by the data source data.aws_iam_policy_document.allow_read_only_access.
The data block is a Terraform data source: it builds the policy document from HCL so the JSON does not have to be written by hand. It contains a single statement allowing s3:GetObject and s3:ListBucket. s3:ListBucket is evaluated against the bucket ARN and s3:GetObject against the object ARNs (the bucket ARN followed by /*), which is why both resources are listed.
The principals block names who receives the permission. For a specific IAM user the identifiers entry must be that user's full ARN, arn:aws:iam::<account-id>:user/<name>. If only the account ID is given, the principal is the account root, which delegates access to every IAM user and role in that account that also holds an identity-based policy allowing these actions, not to one particular user.
Execute terraform apply to implement the configuration.
A tailored S3 bucket policy has been established, granting read-only access to the specified IAM user. Check in Permissions panel > Bucket Policy
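A tighter version of the same policy, as an added example that is not part of the original tutorial. It looks the user up with the aws_iam_user data source instead of hand-writing the ARN, and splits the bucket-level and object-level permissions into separate statements so each action is scoped to exactly the resource it applies to. It assumes the aws_s3_bucket.my_bucket resource from step 1 and an existing IAM user in the same account whose name is passed in through a variable named reader_user_name (the variable name is an assumption for this example); it replaces the aws_s3_bucket_policy and aws_iam_policy_document blocks shown above.

```hcl
# Added example (not from the original tutorial). Assumes aws_s3_bucket.my_bucket
# from step 1 and an IAM user in this account named by var.reader_user_name.

variable "reader_user_name" {
  description = "Name of the IAM user that should get read-only access to the bucket"
  type        = string
}

# Resolving the user from its name makes terraform plan fail early if the user
# does not exist, and a typo cannot silently grant access to something else.
data "aws_iam_user" "reader" {
  user_name = var.reader_user_name
}

data "aws_iam_policy_document" "allow_read_only_access" {
  # Listing is a bucket-level action: it applies to the bucket ARN only.
  statement {
    sid    = "AllowListBucket"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [data.aws_iam_user.reader.arn] # user ARN, not a bare account ID
    }

    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.my_bucket.arn]
  }

  # Reading objects is an object-level action: it applies to the /* ARNs only.
  statement {
    sid    = "AllowGetObject"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [data.aws_iam_user.reader.arn]
    }

    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.my_bucket.arn}/*"]
  }
}

resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.my_bucket.id
  policy = data.aws_iam_policy_document.allow_read_only_access.json
}
```

Apply with terraform apply -var reader_user_name=<name>. Because the user is in the same account as the bucket, this resource-based allow is sufficient on its own; the user needs no identity-based policy. For a user in another account both a bucket policy and an identity-based policy in the user's account would be required. Also note that this policy only adds a grant: if the public-read ACL from step 2 is still attached and Block Public Access is still off, the bucket remains listable by anyone, so set the ACL back to "private" and the four block settings back to true once the public-access exercise is finished. With a specific principal like this one the policy is not classed as public, so block_public_policy = true does not interfere with it.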
Thanks for reading until here. See you in the next one.