#!/usr/bin/env bash
# vim:ts=4:sts=4:sw=4:et
# args: haritest-terraform-state
#
# Author: Hari Sekhon
# Date: 2022-05-27 18:03:32 +0100 (Fri, 27 May 2022)
#
# https://github.com/HariSekhon/DevOps-Bash-tools
#
# License: see accompanying Hari Sekhon LICENSE file
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
# https://www.linkedin.com/in/HariSekhon
#
set -euo pipefail
[ -n " ${ DEBUG :- } " ] && set -x
srcdir = " $( cd " $( dirname " ${ BASH_SOURCE [0] } " ) " && pwd ) "
# shellcheck disable=SC1090
. " $srcdir /lib/aws.sh "
# shellcheck disable=SC2034,SC2154
usage_description = "
Creates an S3 bucket with the following optimizations:
- Blocks Public Access
- Enables Versioning
- Enables Server Side Encryption
- Creates Bucket Policy to lock out any given user/group/role ARNs ( optional)
Idempotent: skips bucket creation if already exists, applies versioning, encryption, blocks public access and applies bucket policy if none exists of if \$ OVERWRITE_BUCKET_POLICY is set to any value
Region: will create the bucket in your configured region, to override locally set \$ AWS_DEFAULT_REGION
$usage_aws_cli_required
"
# used by usage() in lib/utils.sh
# shellcheck disable=SC2034
usage_args = "<bucket_name> [<ARNs_to_block_access_from>]"
help_usage " $@ "
min_args 1 " $@ "
bucket = " $1 "
shift || :
arns_to_block = ( " $@ " )
export AWS_DEFAULT_OUTPUT = json
if aws s3 ls " s3:// $bucket " & >/dev/null; then
timestamp " Bucket ' $bucket ' already exists "
else
timestamp " Creating S3 bucket: $bucket "
aws s3 mb " s3:// $bucket " || :
fi
echo >& 2
timestamp "Enabling S3 versioning"
aws s3api put-bucket-versioning --bucket " $bucket " --versioning-configuration 'Status=Enabled'
timestamp "Versioning enabled"
echo >& 2
#timestamp "Enabling S3 MFA Delete (only works if you are MFA authenticated)"
#if aws s3api put-bucket-versioning --bucket "$bucket" --versioning-configuration 'MFADelete=Enabled,Status=Enabled'; then
# timestamp "MFA Delete enabled"
#else
# timestamp "WARNING: MFA Delete setting failed, must enable manually if not calling this script from an MFA enabled session"
#fi
#echo >&2
timestamp "Enabling S3 server-side encryption"
aws s3api put-bucket-encryption --bucket " $bucket " --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
timestamp "Encryption enabled"
echo >& 2
" $srcdir /aws_s3_buckets_block_public_access.sh " " $bucket "
if [ -n " ${ arns_to_block [*] :- } " ] ; then
if [ -z " ${ OVERWRITE_BUCKET_POLICY :- } " ] && \
timestamp "Checking for existing S3 bucket policy" && \
[ -n " $( aws s3api get-bucket-policy --bucket " $bucket " --query Policy --output text 2>/dev/null) " ] ; then
timestamp "WARNING: bucket policy already exists, not overwriting for safety, must edit manually"
else
timestamp "Creating bucket policy to lock out given ARNs:"
echo >& 2
for arn in " ${ arns_to_block [@] } " ; do
printf '\t%s\n' " $arn " >& 2
done
echo >& 2
aws s3api put-bucket-policy --bucket " $bucket " --policy " $( cat <<EOF
{
"Id" : "Policy1653672260380" ,
"Version" : "2012-10-17" ,
"Statement" : [
{
"Sid" : "DisallowedUserGroupRoleArns" ,
"Action" : "s3:*" ,
"Effect" : "Deny" ,
"Resource" : [
" arn:aws:s3::: $bucket " ,
" arn:aws:s3::: $bucket /* "
] ,
"Principal" : {
"AWS" : [
$(
for arn in " ${ arns_to_block [@] } " ; do
# pad by 10 spaces using an empty first arg
printf '%10s"%s",\n' "" " $arn "
done |
sed '$ s/,$//'
)
]
}
}
]
}
EOF
) "
timestamp "Bucket policy created"
fi
fi