Created
December 15, 2021 11:09
-
-
Save Olgoetz/4dfde2c4829dd9330bc729770995b2ac to your computer and use it in GitHub Desktop.
Bash script to create a non public AWS S3 bucket with 'versioning, bucket policy, tags and KMS encryption"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/env bash | |
| usage() { | |
| echo "****************************************************" | |
| echo "" | |
| echo "Usage: $0 <env> [nonprod|prod]" | |
| echo "" | |
| echo "****************************************************" | |
| exit 0 | |
| } | |
| if test "$#" -ne 1; then | |
| usage | |
| fi | |
| ENV=$1 | |
| if [ $ENV == "nonprod" ]; then | |
| KMS_KEY_ID="" | |
| else | |
| KMS_KEY_ID="" | |
| fi | |
| if [[ ! $ENV =~ (nonprod|prod) ]]; then | |
| echo "Environment must be nonprod|prod." | |
| exit 1 | |
| fi | |
| if [[ -z $KMS_KEY_ID ]]; then | |
| echo "Provide the KMS KEY ID in $0." | |
| exit 1 | |
| fi | |
| echo "Getting account ID ..." | |
| account_id=$(aws sts get-caller-identity --query 'Account' --output text) | |
| echo "Account ID is: $account_id" | |
| BUCKET="tfecli-$account_id" | |
| echo "Creating the bucket..." | |
| aws s3api create-bucket \ | |
| --acl private \ | |
| --bucket $BUCKET \ | |
| --region eu-central-1 \ | |
| --create-bucket-configuration LocationConstraint=eu-central-1 | |
| echo "Putting versioning..." | |
| aws s3api put-bucket-versioning --bucket $BUCKET --versioning-configuration Status=Enabled | |
| echo "Putting encryption..." | |
| cat > encryption.json << EOF | |
| { | |
| "Rules": [ | |
| { | |
| "ApplyServerSideEncryptionByDefault": { | |
| "SSEAlgorithm": "aws:kms", | |
| "KMSMasterKeyID": "$KMS_KEY_ID" | |
| } | |
| } | |
| ] | |
| } | |
| EOF | |
| aws s3api put-bucket-encryption \ | |
| --bucket $BUCKET \ | |
| --server-side-encryption-configuration file://encryption.json | |
| echo "Putting block public access..." | |
| aws s3api put-public-access-block \ | |
| --bucket $BUCKET \ | |
| --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" | |
| echo "Putting policy..." | |
| cat > policy.json << EOF | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Deny", | |
| "Principal": "*", | |
| "Action": "*", | |
| "Resource": "arn:aws:s3:::$BUCKET/*", | |
| "Condition": { | |
| "Bool": { | |
| "aws:SecureTransport": "false" | |
| } | |
| } | |
| }, | |
| { | |
| "Sid": "AllowCloudTrailACL", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": "cloudtrail.amazonaws.com" | |
| }, | |
| "Action": "s3:GetBucketAcl", | |
| "Resource": "arn:aws:s3:::$BUCKET" | |
| }, | |
| { | |
| "Sid": "AllowCloudTrailObject", | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": "cloudtrail.amazonaws.com" | |
| }, | |
| "Action": "s3:PutObject", | |
| "Resource": "arn:aws:s3:::$BUCKET/*", | |
| "Condition": { | |
| "StringEquals": { | |
| "s3:x-amz-acl": "bucket-owner-full-control" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| EOF | |
| aws s3api put-bucket-policy --bucket $BUCKET --policy file://policy.json | |
| if [ $ENV == "nonprod" ]; then | |
| env_tag="Development" | |
| fi | |
| if [ $ENV == "prod" ]; then | |
| env_tag="Production" | |
| fi | |
| echo "Putting tags..." | |
| cat > tags.json << EOF | |
| { | |
| "TagSet": [ | |
| { | |
| "Key": "env", | |
| "Value": "$env_tag" | |
| } | |
| ] | |
| } | |
| EOF | |
| aws s3api put-bucket-tagging --bucket $BUCKET --tagging file://tags.json | |
| echo "Cleaning up..." | |
| rm -f encryption.json | |
| rm -f policy.json | |
| rm -f versioning.json | |
| rm -f tags.json |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment