Note: Scroll down this article to download the Terraform files in zip format.


Terraform AWS S3 Bucket for Network Configuration Files

This Terraform module provisions an Amazon S3 bucket designed to securely host network configuration files. It automatically uploads specified JSON and PAC files, making them accessible only from a list of predefined IP addresses.

This infrastructure is intended for hosting configuration files for network appliances or services that need to fetch rules and settings from a central HTTPS endpoint without holding AWS credentials.


Features

  • S3 Bucket Creation: Provisions a new S3 bucket with a user-defined name.
  • Secure Access Policy: Attaches a bucket policy whose Allow statement grants S3 actions (s3:*) only to requests whose source address is in the allowed_ips list. The policy contains no Deny statement; requests from other addresses match nothing and fall through to S3's default deny. Note that s3:* covers write, delete and policy changes as well as reads, so if the consumers only need to fetch the files, narrow the statement to s3:GetObject.
  • Modern Ownership Controls: Disables ACLs by setting object ownership to BucketOwnerEnforced, the current AWS recommendation for S3; access is then governed by the bucket policy alone.
  • Public Access Settings: Blocks public ACLs while leaving the bucket-policy block switched off, so that the IP-conditioned bucket policy can be attached and evaluated as intended.
  • Default Encryption: Enforces server-side encryption with S3-managed keys (SSE-S3, AES256) for every object stored in the bucket.
  • Automatic File Uploads: Uploads the following four configuration files to the root of the bucket:
    • privateAccessPeersConfig.json
    • outboundFwRules.json
    • proxyBypassRulesFile.json
    • proxyBypassPac.pac
  • URL Outputs: Provides the final HTTPS URLs for each uploaded file as Terraform outputs for easy access.

Prerequisites

Before you begin, ensure you have the following installed and configured:

  • Terraform: Version 1.0 or later.
  • AWS CLI: Configured with credentials that have permissions to create S3 buckets, manage policies, and upload objects.

Configuration and Deployment

Follow these steps to deploy the S3 bucket and its configuration files.

Step 1: Customize Configuration Files

First, edit the provided configuration files with your specific settings. These files are templates that you must populate.

  • privateAccessPeersConfig.json: Update the file with your peer configurations. The provided file is a placeholder.
  • outboundFwRules.json: Update the file with your outbound firewall rules. The provided file is a placeholder.
  • proxyBypassRulesFile.json: Add the internal and external domains you wish to bypass the proxy for.
  • proxyBypassPac.pac: Modify the JavaScript logic to suit your proxy and bypass requirements.

Step 2: Define Input Variables

Open the terraform.auto.tfvars file and update the values for your environment.

  • bucket_name: The globally unique name for your S3 bucket (e.g., "mycompany-network-configs").
  • aws_region: The AWS region where the S3 bucket will be created (e.g., "us-east-1").
  • allowed_ips: A list of public IP addresses and CIDR blocks that are permitted to access the files in the bucket.

Example terraform.auto.tfvars:

# terraform.auto.tfvars
bucket_name = "pricpa-fw-bypass-prod"

aws_region = "us-east-1"

allowed_ips = [
  "192.51.10.0/29",      # CSC Subnet Site A
  "200.200.200.200",     # CSC PriCPA Azure
  "200.1.1.1",           # CSC Zscaler AWS
  "200.1.2.1",
  "8.8.8.8"              # Example: A specific admin IP
]

Step 3: Deploy with Terraform

Once your variables and configuration files are set, run the standard Terraform commands from your terminal in the project's root directory.

  1. Initialize the Terraform workspace:
     terraform init
  2. Review the execution plan:
     terraform plan
  3. Apply the configuration and create the resources:
     terraform apply
     Enter yes when prompted to confirm the action.

Security Model

The security of this solution rests entirely on the S3 bucket policy. There are no credentials involved: anyone who can reach S3 from an allowed address can read the files.

  • The policy Principal is "*" (unauthenticated access), which on its own would make the bucket public; a Condition block narrows the grant.
  • The Condition tests aws:SourceIp (IpAddress operator) against the addresses and CIDR blocks in var.allowed_ips, so the Allow applies only to requests that S3 sees arriving from those public addresses.
  • The policy has no explicit Deny. A request from any other address matches no Allow statement and receives AccessDenied, unless it is signed by an IAM principal in the same account whose identity-based policy permits the action.
  • aws:SourceIp is the public address the request arrives from. Clients behind NAT are identified by the NAT address, and requests that reach S3 through a VPC endpoint carry aws:VpcSourceIp instead of aws:SourceIp, so they are denied by this condition.
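The following is an added example of what a main.tf implementing this model can look like. It is not the module's own code (that is in the downloadable zip) and is given here as an illustration; the resource labels (configs, ip_allowlist), the provider version constraint and the content types are assumptions. It departs from the Features list in one deliberate respect: the Allow statement is scoped to s3:GetObject rather than s3:*, because with Principal "*" an s3:* grant would also let any unauthenticated caller on an allowed address overwrite or delete the files, or rewrite the bucket policy itself.

```hcl
# Added example, not the module's own main.tf. Resource labels and the
# provider constraint are assumptions; variables match the page's variables.tf.
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = var.aws_region
}

variable "bucket_name" { type = string }
variable "aws_region" { type = string }
variable "allowed_ips" { type = list(string) }

locals {
  # Object key => Content-Type served to clients (content types are assumptions).
  config_files = {
    "privateAccessPeersConfig.json" = "application/json"
    "outboundFwRules.json"          = "application/json"
    "proxyBypassRulesFile.json"     = "application/json"
    "proxyBypassPac.pac"            = "application/x-ns-proxy-autoconfig"
  }
}

resource "aws_s3_bucket" "configs" {
  bucket = var.bucket_name
}

# ACLs disabled: the bucket policy is the only access control.
resource "aws_s3_bucket_ownership_controls" "configs" {
  bucket = aws_s3_bucket.configs.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Block public ACLs, but leave the policy block off so the IP-conditioned
# Principal "*" statement can be attached.
resource "aws_s3_bucket_public_access_block" "configs" {
  bucket                  = aws_s3_bucket.configs.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = false
  restrict_public_buckets = false
}

resource "aws_s3_bucket_server_side_encryption_configuration" "configs" {
  bucket = aws_s3_bucket.configs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

data "aws_iam_policy_document" "ip_allowlist" {
  statement {
    sid    = "AllowReadFromListedIps"
    effect = "Allow"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    # Read-only. The page's s3:* would also grant write/delete/policy rights
    # to unauthenticated callers on the listed addresses.
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.configs.arn}/*"]
    condition {
      test     = "IpAddress"
      variable = "aws:SourceIp"
      values   = var.allowed_ips
    }
  }
}

resource "aws_s3_bucket_policy" "ip_allowlist" {
  bucket     = aws_s3_bucket.configs.id
  policy     = data.aws_iam_policy_document.ip_allowlist.json
  depends_on = [aws_s3_bucket_public_access_block.configs]
}

# Upload the four files from the module directory; etag forces re-upload on change.
resource "aws_s3_object" "config" {
  for_each     = local.config_files
  bucket       = aws_s3_bucket.configs.id
  key          = each.key
  source       = "${path.module}/${each.key}"
  etag         = filemd5("${path.module}/${each.key}")
  content_type = each.value
  depends_on   = [aws_s3_bucket_ownership_controls.configs]
}

output "config_file_urls" {
  value = {
    for key, obj in aws_s3_object.config :
    key => "https://${aws_s3_bucket.configs.bucket_regional_domain_name}/${obj.key}"
  }
}
```

The depends_on on the policy resource makes Terraform attach the policy only after the public-access-block settings exist, so an apply cannot fail because BlockPublicPolicy is still at its account default. To confirm the IP condition after apply, fetch one of the output URLs from an allowed address and from an address that is not listed; the second request should return HTTP 403.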

File Descriptions

  • main.tf: Contains the core Terraform logic for creating the S3 bucket, its configuration, policy, and file uploads.
  • variables.tf: Defines the input variables used by the module (bucket_name, aws_region, allowed_ips).
  • terraform.auto.tfvars: User-defined values for the input variables.
  • privateAccessPeersConfig.json: Template file for private access peer configurations.
  • outboundFwRules.json: Template file for outbound firewall rules.
  • proxyBypassRulesFile.json: Defines domains and IPs to bypass a proxy.
  • proxyBypassPac.pac: A Proxy Auto-Configuration (PAC) file used by browsers to determine how to handle web traffic.

Cleanup

To remove all resources created by this Terraform module, run the destroy command:

terraform destroy

Enter yes when prompted to confirm the deletion.


Copyright © 2025 Maidenhead Bridge Limited