aws: Customized S3 buckets
Currently GET creates the S3 buckets needed by GitLab using a simple `aws_s3_bucket` resource with no extra configuration. Organizations that have policies around infrastructure will need to customize the options used when creating the S3 buckets, for example enabling server-side encryption or making the bucket private.
An example of such configuration would be (the original snippet read `private_destroy`, which is not an `aws_s3_bucket` argument; `force_destroy` is, and keeps Terraform from emptying a non-empty bucket on delete):

```hcl
# Extra arguments on the aws_s3_bucket resource
force_destroy = false
acl           = "private"

server_side_encryption_configuration {
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
```
Additionally, the lifecycle of the S3 buckets (especially the backups bucket) is something we want to be able to manage externally, outside of GET. Currently, if a `terraform destroy` were executed on the GitLab module, the S3 buckets would also be deleted. While organizations should put safeguards in place to prevent this, anything is always possible!
While GET allows customized S3 bucket names in the configuration, the Terraform code doesn't really support externally created buckets, because of the way the S3 buckets and their associated IAM policies are created:

```yaml
gitlab_object_storage_artifacts_bucket: "{{ prefix }}-artifacts"
gitlab_object_storage_backups_bucket: "{{ prefix }}-backups"
gitlab_object_storage_dependency_proxy_bucket: "{{ prefix }}-dependency-proxy"
```
See https://gitlab.com/gitlab-org/quality/gitlab-environment-toolkit/-/blob/master/terraform/modules/gitlab_ref_arch_aws/storage.tf#L1 and https://gitlab.com/gitlab-org/quality/gitlab-environment-toolkit/-/blob/master/terraform/modules/gitlab_ref_arch_aws/storage.tf#L40
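An added example (not GET's own Terraform) of what both requests above would look like together: a hardened, destroy-protected bucket that GET manages, next to an externally created backups bucket that is only looked up, with the IAM policy built from ARNs so it works for either. It assumes AWS provider v3-style inline bucket arguments, as in the snippet above, and a hypothetical variable `external_backups_bucket`.

```hcl
# Added example, not GET code. Assumes AWS provider v3 inline arguments and a
# hypothetical variable `external_backups_bucket` naming a bucket made outside GET.
variable "prefix" { type = string }
variable "external_backups_bucket" { type = string }

# Bucket GET manages: private, encrypted at rest, never emptied, never destroyed.
resource "aws_s3_bucket" "artifacts" {
  bucket        = "${var.prefix}-artifacts"
  acl           = "private"
  force_destroy = false
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
  lifecycle {
    prevent_destroy = true # `terraform destroy` fails instead of deleting it
  }
}

# Block any public ACL or bucket policy from being attached later.
resource "aws_s3_bucket_public_access_block" "artifacts" {
  bucket                  = aws_s3_bucket.artifacts.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Backups bucket created outside GET: read its attributes, never create or destroy.
data "aws_s3_bucket" "backups" {
  bucket = var.external_backups_bucket
}

# IAM policy built from ARNs, so a managed resource and a looked-up data
# source can be mixed freely in the same statement.
data "aws_iam_policy_document" "object_storage" {
  statement {
    actions = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]
    resources = [
      aws_s3_bucket.artifacts.arn,
      "${aws_s3_bucket.artifacts.arn}/*",
      data.aws_s3_bucket.backups.arn,
      "${data.aws_s3_bucket.backups.arn}/*",
    ]
  }
}
```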
This is somewhat related to #271 (closed) that talks about how GET can provide for more customization of Terraform options for various resources.