You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
128 lines
3.6 KiB
Bash
128 lines
3.6 KiB
Bash
#!/usr/bin/env bash
|
|
# vim:ts=4:sts=4:sw=4:et
|
|
# args: haritest-terraform-state
|
|
#
|
|
# Author: Hari Sekhon
|
|
# Date: 2022-05-27 18:03:32 +0100 (Fri, 27 May 2022)
|
|
#
|
|
# https://github.com/HariSekhon/DevOps-Bash-tools
|
|
#
|
|
# License: see accompanying Hari Sekhon LICENSE file
|
|
#
|
|
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
|
|
#
|
|
# https://www.linkedin.com/in/HariSekhon
|
|
#
|
|
|
|
set -euo pipefail
|
|
[ -n "${DEBUG:-}" ] && set -x
|
|
srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
|
|
# shellcheck disable=SC1090
|
|
. "$srcdir/lib/aws.sh"
|
|
|
|
# shellcheck disable=SC2034,SC2154
|
|
usage_description="
|
|
Creates an S3 bucket with the following optimizations:
|
|
|
|
- Blocks Public Access
|
|
- Enables Versioning
|
|
- Enables Server Side Encryption
|
|
- Creates Bucket Policy to lock out any given user/group/role ARNs (optional)
|
|
|
|
Idempotent: skips bucket creation if already exists, applies versioning, encryption, blocks public access and applies bucket policy if none exists of if \$OVERWRITE_BUCKET_POLICY is set to any value
|
|
|
|
Region: will create the bucket in your configured region, to override locally set \$AWS_DEFAULT_REGION
|
|
|
|
|
|
$usage_aws_cli_required
|
|
"
|
|
|
|
# used by usage() in lib/utils.sh
|
|
# shellcheck disable=SC2034
|
|
usage_args="<bucket_name> [<ARNs_to_block_access_from>]"
|
|
|
|
help_usage "$@"
|
|
|
|
min_args 1 "$@"
|
|
|
|
bucket="$1"
|
|
shift || :
|
|
|
|
arns_to_block=("$@")
|
|
|
|
export AWS_DEFAULT_OUTPUT=json
|
|
|
|
if aws s3 ls "s3://$bucket" &>/dev/null; then
|
|
timestamp "Bucket '$bucket' already exists"
|
|
else
|
|
timestamp "Creating S3 bucket: $bucket"
|
|
aws s3 mb "s3://$bucket" || :
|
|
fi
|
|
echo >&2
|
|
|
|
timestamp "Enabling S3 versioning"
|
|
aws s3api put-bucket-versioning --bucket "$bucket" --versioning-configuration 'Status=Enabled'
|
|
timestamp "Versioning enabled"
|
|
echo >&2
|
|
|
|
#timestamp "Enabling S3 MFA Delete (only works if you are MFA authenticated)"
|
|
#if aws s3api put-bucket-versioning --bucket "$bucket" --versioning-configuration 'MFADelete=Enabled,Status=Enabled'; then
|
|
# timestamp "MFA Delete enabled"
|
|
#else
|
|
# timestamp "WARNING: MFA Delete setting failed, must enable manually if not calling this script from an MFA enabled session"
|
|
#fi
|
|
#echo >&2
|
|
|
|
timestamp "Enabling S3 server-side encryption"
|
|
aws s3api put-bucket-encryption --bucket "$bucket" --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
|
|
timestamp "Encryption enabled"
|
|
echo >&2
|
|
|
|
"$srcdir/aws_s3_buckets_block_public_access.sh" "$bucket"
|
|
|
|
if [ -n "${arns_to_block[*]:-}" ]; then
|
|
if [ -z "${OVERWRITE_BUCKET_POLICY:-}" ] && \
|
|
timestamp "Checking for existing S3 bucket policy" && \
|
|
[ -n "$(aws s3api get-bucket-policy --bucket "$bucket" --query Policy --output text 2>/dev/null)" ]; then
|
|
timestamp "WARNING: bucket policy already exists, not overwriting for safety, must edit manually"
|
|
else
|
|
timestamp "Creating bucket policy to lock out given ARNs:"
|
|
echo >&2
|
|
for arn in "${arns_to_block[@]}"; do
|
|
printf '\t%s\n' "$arn" >&2
|
|
done
|
|
echo >&2
|
|
aws s3api put-bucket-policy --bucket "$bucket" --policy "$(cat <<EOF
|
|
{
|
|
"Id": "Policy1653672260380",
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "DisallowedUserGroupRoleArns",
|
|
"Action": "s3:*",
|
|
"Effect": "Deny",
|
|
"Resource": [
|
|
"arn:aws:s3:::$bucket",
|
|
"arn:aws:s3:::$bucket/*"
|
|
],
|
|
"Principal": {
|
|
"AWS": [
|
|
$(
|
|
for arn in "${arns_to_block[@]}"; do
|
|
# pad by 10 spaces using an empty first arg
|
|
printf '%10s"%s",\n' "" "$arn"
|
|
done |
|
|
sed '$ s/,$//'
|
|
)
|
|
]
|
|
}
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
)"
|
|
timestamp "Bucket policy created"
|
|
fi
|
|
fi
|