Terraform
Get up and running with Terraform
- Providers are plugins that define which resources Terraform can build and manage for a given platform (AWS, Azure, Kubernetes, ...). They wrap the underlying API calls that create, modify and destroy those resources in HCL syntax, so you write Terraform code without having to work with the APIs directly.
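# Installing via Homebrew on macOS (HashiCorp's official tap)
brew tap hashicorp/tap
brew install hashicorp/tap/terraform

# Updating an existing install
brew update
brew upgrade hashicorp/tap/terraform

# Confirming which version is on PATH (pin it with required_version in your configuration)
terraform version

# Enabling tab completion (adds a line to your shell rc file)
terraform -install-autocomplete

# Restarting shell so the completion takes effect
. ~/.zshrc # bash is ~/.bashrc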
- Initialize the working directory: this downloads the providers (and modules) the configuration declares and records their versions and checksums in `.terraform.lock.hcl`, which should be committed so later runs use the same provider builds:
terraform init
- Check that the configuration is syntactically valid and internally consistent (no provider API or remote state is contacted):
terraform validate
- Preview the changes (create, update, destroy) Terraform would make, without applying them:
terraform plan
- Apply the changes; Terraform shows the plan again and asks for confirmation unless `-auto-approve` is given:
terraform apply
- Destroy every resource tracked in the state for this configuration:
terraform destroy
- Typically, Terraform code is defined in a `main.tf` file and the variables referenced in it are declared in `variables.tf`.
- Variables are optional; you could hard-code every value into `main.tf` if desired, but declaring them keeps environment-specific values (bucket names, encryption choices) out of the resource definitions and lets them be validated in one place.
main.tf
# The bucket itself. Its name comes from var.mybucketname and must be globally
# unique across AWS. The encryption, policy and public-access-block resources
# further down all reference this resource, so Terraform creates it first.
resource "aws_s3_bucket" "s3-bucket-1" {
  bucket = var.mybucketname
}
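# Enable server-side encryption by default for every object written to the bucket
resource "aws_s3_bucket_server_side_encryption_configuration" "s3-encryption-config" {
  # Referencing the bucket resource here already makes Terraform create the
  # bucket before this configuration, so the explicit depends_on that used to
  # sit at the bottom of this block was redundant and has been dropped.
  # `.id` is used for consistency with the policy and public-access-block
  # resources below (for an S3 bucket, id and bucket are both the bucket name).
  bucket = aws_s3_bucket.s3-bucket-1.id

  rule {
    apply_server_side_encryption_by_default {
      # "AES256" selects SSE-S3. With "aws:kms", add kms_master_key_id here to
      # encrypt with a customer-managed key; without it the AWS-managed aws/s3
      # key is used.
      sse_algorithm = var.sse-algorithm
    }
  }
}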
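# Bucket policy: deny every request that does not arrive over TLS
resource "aws_s3_bucket_policy" "s3-bucket-policy" {
  bucket = aws_s3_bucket.s3-bucket-1.id

  # jsonencode() lets Terraform build and validate the policy document instead
  # of relying on a hand-written heredoc. aws:SecureTransport is "false" for
  # plain-HTTP requests, so this Deny blocks them; HTTPS requests fall through
  # to whatever the caller's IAM permissions allow. Note this only forbids
  # plaintext transport — enforcing a minimum TLS version needs a separate
  # NumericLessThan condition on s3:TlsVersion.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        # Both the bucket ARN and the object ARN are needed: bucket-level
        # operations such as s3:ListBucket act on the bucket ARN itself and
        # were not covered when only "<bucket>/*" was listed. Taking the ARN
        # from the resource also avoids re-deriving it from the variable.
        Resource = [
          aws_s3_bucket.s3-bucket-1.arn,
          "${aws_s3_bucket.s3-bucket-1.arn}/*",
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      },
    ]
  })
}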
# Bucket-level Block Public Access. Each argument corresponds to the S3
# setting of the same name; the values are read from the var.s3-bucket-ac map
# so a caller can relax one setting deliberately without touching this file.
resource "aws_s3_bucket_public_access_block" "s3-bucket-access-control" {
  bucket = aws_s3_bucket.s3-bucket-1.id

  # Per the AWS documentation for these settings:
  block_public_acls       = var.s3-bucket-ac["block_public_acls"]       # reject new public ACLs on the bucket or objects
  ignore_public_acls      = var.s3-bucket-ac["ignore_public_acls"]      # disregard any public ACLs that already exist
  block_public_policy     = var.s3-bucket-ac["block_public_policy"]     # reject bucket policies that would grant public access
  restrict_public_buckets = var.s3-bucket-ac["restrict_public_buckets"] # limit a bucket with a public policy to AWS account/service principals
}
variables.tf
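variable "mybucketname" {
  description = "Name for the S3 bucket. Must be globally unique across AWS and follow the S3 naming rules (3-63 characters of lowercase letters, digits, dots and hyphens, starting and ending with a letter or digit)."
  type        = string

  # Catches the most common naming mistakes at plan time instead of at apply
  # time. AWS applies further rules (no IP-address form, no "xn--" prefix,
  # no "-s3alias" suffix) that are not checked here.
  validation {
    condition     = can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.mybucketname))
    error_message = "The bucket name must be 3-63 characters of lowercase letters, digits, dots or hyphens, beginning and ending with a letter or digit."
  }
}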
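variable "sse-algorithm" {
  description = "Default server-side encryption algorithm for objects: AES256 (SSE-S3), aws:kms (SSE-KMS) or aws:kms:dsse (dual-layer SSE-KMS). With aws:kms, set kms_master_key_id in the encryption rule to use a customer-managed key."
  type        = string
  default     = "AES256"

  # Reject anything the S3 API would not accept before a plan is produced.
  validation {
    condition     = contains(["AES256", "aws:kms", "aws:kms:dsse"], var.sse-algorithm)
    error_message = "sse-algorithm must be one of AES256, aws:kms or aws:kms:dsse."
  }
}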
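variable "s3-bucket-ac" {
  description = "Bucket-level Block Public Access settings; keys match the aws_s3_bucket_public_access_block arguments. All four default to true and should stay so unless the bucket is deliberately meant to serve public content."

  # map(bool) instead of map(any) holding the strings "true": Terraform then
  # rejects a non-boolean value (e.g. a typo such as "ture") at the variable
  # boundary with a clear message, rather than during conversion at the
  # resource arguments.
  type = map(bool)

  default = {
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true
  }
}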