GARAGENUM
/
DevOps-Bash-tools
mirror of https://github.com/HariSekhon/DevOps-Bash-tools
13
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
gh-pages
ccmenu
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '71b5d91899'
${ noResults }
DevOps-Bash-tools/aws_s3_bucket.sh

128 lines
3.7 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# vim:ts=4:sts=4:sw=4:et
# args: haritest-terraform-state
#
# Author: Hari Sekhon
# Date: 2022-05-27 18:03:32 +0100 (Fri, 27 May 2022)
#
# https://github.com/HariSekhon/DevOps-Bash-tools
#
# License: see accompanying Hari Sekhon LICENSE file
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
#
# https://www.linkedin.com/in/HariSekhon
#
set -euo pipefail
[ -n "${DEBUG:-}" ] && set -x
srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck disable=SC1090
. "$srcdir/lib/aws.sh"
# shellcheck disable=SC2034,SC2154
usage_description="
Creates an S3 bucket with the following optimizations:
- Blocks Public Access
- Enables Versioning
- Enables Server Side Encryption
- Creates Bucket Policy to lock out any given user/group/role ARNs (optional)
Idempotent: skips bucket creation if already exists, applies versioning, encryption, blocks public access and applies bucket policy if none exists of if \$OVERWRITE_BUCKET_POLICY is set to any value
Region: will create the bucket in your configured region, to override locally set \$AWS_DEFAULT_REGION
$usage_aws_cli_required
"
# used by usage() in lib/utils.sh
# shellcheck disable=SC2034
usage_args="<bucket_name> [<ARNs_to_block_access_from>]"
help_usage "$@"
min_args 1 "$@"
bucket="$1"
shift || :
arns_to_block=("$@")
export AWS_DEFAULT_OUTPUT=json
if aws s3 ls "s3://$bucket" &>/dev/null; then
timestamp "Bucket '$bucket' already exists"
else
timestamp "Creating S3 bucket: $bucket"
aws s3 mb "s3://$bucket" || :
fi
echo >&2
timestamp "Enabling S3 versioning"
aws s3api put-bucket-versioning --bucket "$bucket" --versioning-configuration 'Status=Enabled'
timestamp "Versioning enabled"
echo >&2
#timestamp "Enabling S3 MFA Delete (only works if you are MFA authenticated)"
#if aws s3api put-bucket-versioning --bucket "$bucket" --versioning-configuration 'MFADelete=Enabled,Status=Enabled'; then
# timestamp "MFA Delete enabled"
#else
# timestamp "WARNING: MFA Delete setting failed, must enable manually if not calling this script from an MFA enabled session"
#fi
#echo >&2
timestamp "Enabling S3 server-side encryption"
aws s3api put-bucket-encryption --bucket "$bucket" --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
timestamp "Encryption enabled"
echo >&2
"$srcdir/aws_s3_buckets_block_public_access.sh" "$bucket"
if [ -n "${arns_to_block[*]:-}" ]; then
if [ -z "${OVERWRITE_BUCKET_POLICY:-}" ] && \
timestamp "Checking for existing S3 bucket policy" && \
[ -n "$(aws s3api get-bucket-policy --bucket "$bucket" --query Policy --output text 2>/dev/null)" ]; then
timestamp "WARNING: bucket policy already exists, not overwriting for safety, must edit manually"
else
timestamp "Creating bucket policy to lock out given ARNs:"
echo >&2
for arn in "${arns_to_block[@]}"; do
printf '\t%s\n' "$arn" >&2
done
echo >&2
aws s3api put-bucket-policy --bucket "$bucket" --policy "$(cat <<EOF
{
"Id": "Policy1653672260380",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DisallowedUserGroupRoleArns",
"Action": "s3:*",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::$bucket",
"arn:aws:s3:::$bucket/*"
],
"Principal": {
"AWS": [
$(
for arn in "${arns_to_block[@]}"; do
# pad by 10 spaces using an empty first arg
printf '%10s"%s",\n' "" "$arn"
done |
sed '$ s/,$//'
)
]
}
}
]
}
EOF
)"
timestamp "Bucket policy created"
fi
fi
Reference in New Issue View Git Blame Copy Permalink