Dropshare Connection - AWS S3

Terraform Module to create resources for a Dropshare Connection with AWS S3 and AWS CloudFront.

Table of Contents

• Dropshare Connection: AWS S3
  • Table of Contents
  • Overview
  • Usage
    • Dropshare
    • Inputs
    • Outputs
  • Notes
  • Author Information
  • License

Overview

This Terraform Module creates the required resources to create an S3 Connection for Dropshare.

  graph TD;
    dns_a[DNS Record, type A] --> tls;
    dns_aaaa[DNS Record, type AAAA] --> tls;
    tls[TLS Certificate] --> cloudfront;

    cloudfront[CloudFront Distribution];

    bucket[S3 Bucket] --> cloudfront;

    user[IAM User] --> bucket;

Loading

Usage

This section contains the input and output values of this module as well as information on how to configure Dropshare.

Dropshare

To configure Dropshare, start from basic example available in ./examples/basic.

Modify the input values bucket_name, keybase_user, routed53_zone_id and route53_record_subdomain to reflect your infrastructure.

Next, carry out a Terraform run, executing the terraform plan, and terraform apply.

When the apply process finishes, Terraform will present the required outputs to configure Dropshare:

Outputs:

access_key_id              = "AKIAIOSFODNN7EXAMPLE"
bucket_name                = "aws-ia-dropshare"
domain_alias               = "aws-ia-dropshare.svcs.dev"
region                     = "us-west-1"
secret_key                 = "wcB...A=="
secret_key_decrypt_command = "terraform output -raw secret_key | base64 --decode | keybase pgp decrypt"

Note that the secret_key output is the encrypted value of the AWS IAM Secret Access Key. To decrypt it, run the decryption command presented in the secret_key_decrypt_command output.

Using the outputs, you can configure a Dropshare Connection for AWS S3:

For additional examples, see the /examples directory.

Inputs

Name	Description	Type	Default	Required
keybase_user	KeyBase username for use in the encrypted_secret output attribute.	string	n/a	yes
route53_record_subdomain	Subdomain Record to create in the Route53 Hosted Zone.	string	n/a	yes
routed53_zone_id	ID of the Route53 Hosted Zone.	string	n/a	yes
bucket_index_file	Path to template file to use as Index for Bucket.	string	"files/index.html"	no
bucket_name	Name of the S3 Bucket. When left empty, a random name will be generated.	string	""	no
bucket_robotstxt_file	Path to template file to use as robots.txt for Bucket.	string	"files/robots.txt"	no
bucket_storage_class	The class of storage used to store the object.	string	"ONEZONE_IA"	no
caller_ip_address	IP Address to constrain IAM Policy to. If left empty, this will be replaced with the caller's public IP address.	string	""	no
cloudfront_cache_policy_id	ID of AWS-managed Cache Policy.	string	"658327ea-f89d-4fab-a63d-7e88639e58f6"	no
cloudfront_comment	Comment to assign to CloudFront resources.	string	"Terraform-managed Resource for Dropshare Connection"	no
cloudfront_minimum_protocol_version	The minimum version of the TLS protocol that you want CloudFront to use for HTTPS connections.	string	"TLSv1.2_2021"	no
cloudfront_origin_request_policy_id	ID of AWS-managed Origin Request Policy.	string	"59781a5b-3903-41f3-afcb-af62929ccde1"	no
cloudfront_response_headers_policy_id	ID of AWS-managed Response Headers Policy.	string	"67f7725c-6f97-4210-82d7-5512b31e9d03"	no
cloudfront_zone_id	ID of the CloudFront Route53 Hosted Zone.	string	"Z2FDTNDATAQYW2"	no
create_index_file	Boolean Toggle to enable creation of Index File (var.bucket_index_file) in Bucket.	bool	true	no
create_robotstxt_file	Boolean Toggle to enable creation of Robots File (var.bucket_robotstxt_file) in Bucket.	bool	true	no
iam_group_path	IAM Group Path for Service Accounts.	string	"/services/"	no
iam_ip_address_retrieval_service	URL for (Public) IP Address Retrieval Service.	string	"https://checkip.amazonaws.com/"	no
lock_policy_to_ip_address	Toggle to enable constraining of IAM Policy to user-provided IP Address.	bool	true	no

Outputs

Name	Description
access_key_id	IAM Access Key.
bucket_id	S3 Bucket ARN.
bucket_name	S3 Bucket Name.
domain_alias	Domain Alias for CloudFront Distribution.
region	S3 Bucket Region.
secret_key	(encrypted) IAM Secret Key.
secret_key_decrypt_command_append	Appended part of Command to decrypt IAM Secret Key.
secret_key_decrypt_command_prepend	Prepended part of Command to decrypt IAM Secret Key.

Notes

This section contains notes for this module.

Public IP Retrieval Services

In iam.tf, an HTTP data source is used to retrieve the caller's public IP address. This IP address is then used as a constraint for the module-created IAM policy.

Allowing a remote service to provide a string for constraining IAM Access to a specific source IP provides a limited, but non-zero security concern.

Should you wish to provide a different IP retrieval service, you can update the iam_ip_address_retrieval_service variable with the URL to a service you trust. See variables.tf and iam.tf for more information.

The HTTP data source may display a warning if the underlying retrieval services not expose a Content-Type that is compatible with the data source.

Code Linting

This repository makes use of GitHub Actions to provide support for a variety of linting tools.

To use Snyk IaC scanning, a GitHub Actions Secret named SNYK_TOKEN must be created.

Author Information

This repository is maintained by the contributors listed on GitHub.

License

Licensed under the Apache License, Version 2.0 (the "License").

You may obtain a copy of the License at apache.org/licenses/LICENSE-2.0.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" basis, without WARRANTIES or conditions of any kind, either express or implied.

See the License for the specific language governing permissions and limitations under the License.