terraform-aws-worklytics-export's Introduction

Worklytics Export to AWS Terraform Module

This module creates infra to support exporting data from Worklytics to AWS.

It is published in the Terraform Registry.

If it does not meet your needs, feel free to directly copy the main.tf file into your own Terraform configuration and adapt it to your requirements.

Usage

From the Terraform Registry:

module "worklytics_export" {
  # registry addresses take the form <namespace>/<name>/<provider>
  source  = "worklytics/worklytics-export/aws"
  version = "~> 0.4.0"

  # numeric ID of your Worklytics Tenant SA
  worklytics_tenant_id = "123123123123"
}

via GitHub:

module "worklytics_export" {
  source  = "git::https://github.com/worklytics/terraform-aws-worklytics-export/?ref=v0.4.0"

  # numeric ID of your Worklytics Tenant SA
  worklytics_tenant_id = "123123123123"
}

Outputs

worklytics_export_bucket

The Terraform resource created as the export bucket. See aws_s3_bucket for details.

This is useful to compose with the other aws_s3_bucket_* resources to configure retention, encryption, etc. See:

worklytics_tenant_aws_role

The IAM role that your Worklytics Tenant will assume before operating on your AWS infrastructure.

E.g., Worklytics' infrastructure will do the equivalent of aws sts assume-role on this role, authenticated by GCP as the GCP Service Account you identified with worklytics_tenant_id.

See Workload Identity Federation for the general idea; this is the reverse direction of that (GCP --> AWS, rather than AWS --> GCP).

This value is useful for a few scenarios:

  • if you set a CMEK to encrypt the bucket rather than relying on AWS default, you may need to grant encrypt / data key creation permissions to this role.
  • if your AWS account has additional IAM policies which would deny the permissions needed by this role for S3/etc, use this role's ARN to add exceptions to those policies (in AWS IAM logic, explicit deny has precedence over explicit allow)
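
The first scenario above, sketched as an added example (not part of the module or its original README). It assumes the module is instantiated as module.worklytics_export, that the worklytics_tenant_aws_role output exposes the aws_iam_role attributes (.name), and that the key lives in the same account with the default key policy; all resource names are hypothetical.

```hcl
# Customer-managed key (CMEK) for the export bucket. With no explicit key
# policy, AWS applies the default one, which lets IAM policies in the same
# account grant access to the key.
resource "aws_kms_key" "worklytics_export" {
  description         = "CMEK for the Worklytics export bucket"
  enable_key_rotation = true
}

# Make SSE-KMS with that key the bucket default instead of the AWS default.
resource "aws_s3_bucket_server_side_encryption_configuration" "worklytics_export" {
  bucket = module.worklytics_export.worklytics_export_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.worklytics_export.arn
    }
    bucket_key_enabled = true
  }
}

# Least privilege: only the encrypt / data-key actions, only on this key.
data "aws_iam_policy_document" "worklytics_kms" {
  statement {
    sid       = "AllowWorklyticsTenantToEncryptExports"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey", "kms:Encrypt"]
    resources = [aws_kms_key.worklytics_export.arn]
  }
}

# Attach the grant to the role Worklytics assumes (assumed attribute: .name).
resource "aws_iam_role_policy" "worklytics_kms" {
  name   = "worklytics-export-kms"
  role   = module.worklytics_export.worklytics_tenant_aws_role.name
  policy = data.aws_iam_policy_document.worklytics_kms.json
}
```

The role gets no kms:Decrypt here, so it can write encrypted objects but cannot read them back through the key; add it only if uploads fail without it (S3 multipart uploads under SSE-KMS require it).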

Compatibility

This module is meant for use with Terraform 1.1+. If you find incompatibilities using Terraform >= 1.1, please open an issue.

Usage Tips

Existing Bucket

If you wish to export Worklytics data to an existing bucket, use a Terraform import as follows:

terraform import module.worklytics_export.aws_s3_bucket.worklytics_export <bucket_name>

Customize Public Access Block

By default, we set a restrictive public access block on the bucket. If you need something more permissive, you can disable the default block by setting the variable enable_aws_s3_bucket_public_access_block=false in your terraform.tfvars file and then add your own public access block as follows:

resource "aws_s3_bucket_public_access_block" "worklytics_export" {
  bucket = module.worklytics_export.worklytics_export_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Add a Max Retention Policy

It's good practice to have a max retention policy on your bucket, even if it's really long. If you have a data pipeline regularly moving data from this bucket into your data warehouse, a value of 30 or 60 days can likely lower your storage costs and reduce risk of having data in more places than it needs to be.

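resource "aws_s3_bucket_lifecycle_configuration" "worklytics_export" {
  bucket = module.worklytics_export.worklytics_export_bucket.id

  rule {
    id     = "max_retention_5_years"
    status = "Enabled" # this resource takes status, not enabled = true

    # empty filter: the rule applies to every object in the bucket
    filter {}

    expiration {
      days = 5 * 365 # 5 years
    }
  }
}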

Development

This module is written and maintained by Worklytics, Co. and intended to guide our customers in setting up their own infra to export data from Worklytics to AWS.

As this is published as a Terraform module, we will strive to follow standard Terraform module structure and style conventions.

See examples/basic/ for a simple example of how to use this module.

(c) 2023 Worklytics, Co
