Updates to current AWS provider, S3 defaults (#133)

* Update Terraform cloudposse/s3-log-storage/aws to v1 * Updates for S3 default ACL disabled
cloudposse · May 11, 2023 · 2cdab38 · 2cdab38
1 parent 0df67fb
commit 2cdab38
Show file tree

Hide file tree

Showing 5 changed files with 106 additions and 48 deletions.
diff --git a/README.md b/README.md
@@ -248,23 +248,23 @@ Available targets:
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9.0 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.3 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9.0 |
 | <a name="provider_local"></a> [local](#provider\_local) | >= 1.3 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_dynamodb_table_label"></a> [dynamodb\_table\_label](#module\_dynamodb\_table\_label) | cloudposse/label/null | 0.25.0 |
-| <a name="module_log_storage"></a> [log\_storage](#module\_log\_storage) | cloudposse/s3-log-storage/aws | 0.26.0 |
+| <a name="module_log_storage"></a> [log\_storage](#module\_log\_storage) | cloudposse/s3-log-storage/aws | 1.1.0 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Resources
@@ -277,7 +277,14 @@ Available targets:
 | [aws_iam_role.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_ownership_controls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
+| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_replication_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_replication_configuration) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [local_file.terraform_backend_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [aws_iam_policy_document.prevent_unencrypted_uploads](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -3,23 +3,23 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9.0 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.3 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9.0 |
 | <a name="provider_local"></a> [local](#provider\_local) | >= 1.3 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_dynamodb_table_label"></a> [dynamodb\_table\_label](#module\_dynamodb\_table\_label) | cloudposse/label/null | 0.25.0 |
-| <a name="module_log_storage"></a> [log\_storage](#module\_log\_storage) | cloudposse/s3-log-storage/aws | 0.26.0 |
+| <a name="module_log_storage"></a> [log\_storage](#module\_log\_storage) | cloudposse/s3-log-storage/aws | 1.1.0 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Resources
@@ -32,7 +32,14 @@
 | [aws_iam_role.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_ownership_controls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
+| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_replication_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_replication_configuration) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [local_file.terraform_backend_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [aws_iam_policy_document.prevent_unencrypted_uploads](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 1.1.0"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 2.0"
+      version = "= 4.9.0"
     }
     local = {
       source  = "hashicorp/local"

diff --git a/main.tf b/main.tf
@@ -140,7 +140,7 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
 
 module "log_storage" {
   source  = "cloudposse/s3-log-storage/aws"
-  version = "0.26.0"
+  version = "1.1.0"
 
   enabled                  = local.logging_bucket_enabled
   access_log_bucket_prefix = local.logging_prefix_default
@@ -158,53 +158,70 @@ resource "aws_s3_bucket" "default" {
 
   #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until Bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
   #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` check due to issues operating with `mfa_delete` in terraform
+  #bridgecrew:skip=BC_AWS_NETWORKING_52: Skipping `Ensure S3 Bucket has public access blocks` because we have chosen to make it configurable
+  #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure AWS S3 object versioning is enabled` because we have it enabled, but Bridgecrew doesn't recognize it
   bucket        = substr(local.bucket_name, 0, 63)
-  acl           = var.acl
   force_destroy = var.force_destroy
-  policy        = local.policy
 
-  versioning {
-    enabled    = true
-    mfa_delete = var.mfa_delete
-  }
+  tags = module.this.tags
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "AES256"
-      }
-    }
+resource "aws_s3_bucket_acl" "default" {
+  count  = local.bucket_enabled ? 1 : 0
+  bucket = join("", aws_s3_bucket.default.*.id)
+
+  acl = var.acl
+
+  depends_on = [aws_s3_bucket_ownership_controls.default]
+}
+
+# Per https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
+resource "aws_s3_bucket_ownership_controls" "default" {
+  count  = local.bucket_enabled ? 1 : 0
+  bucket = join("", aws_s3_bucket.default.*.id)
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
   }
+}
+
+resource "aws_s3_bucket_policy" "default" {
+  count      = local.bucket_enabled ? 1 : 0
+  bucket     = join("", aws_s3_bucket.default.*.id)
+  policy     = local.policy
+  depends_on = [aws_s3_bucket_public_access_block.default]
+}
 
-  dynamic "replication_configuration" {
-    for_each = var.s3_replication_enabled ? toset([var.s3_replica_bucket_arn]) : []
-    content {
-      role = aws_iam_role.replication[0].arn
-
-      rules {
-        id     = module.this.id
-        prefix = ""
-        status = "Enabled"
-
-        destination {
-          bucket        = var.s3_replica_bucket_arn
-          storage_class = "STANDARD"
-        }
-      }
+resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+  count  = local.bucket_enabled ? 1 : 0
+  bucket = join("", aws_s3_bucket.default.*.id)
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
     }
   }
+}
 
-  dynamic "logging" {
-    for_each = var.logging == null ? [] : [1]
-    content {
-      target_bucket = local.logging_bucket_name
-      target_prefix = local.logging_prefix
-    }
+resource "aws_s3_bucket_versioning" "default" {
+  count  = local.bucket_enabled ? 1 : 0
+  bucket = join("", aws_s3_bucket.default.*.id)
+
+  versioning_configuration {
+    status     = "Enabled"
+    mfa_delete = var.mfa_delete ? "Enabled" : "Disabled"
   }
+}
 
-  tags = module.this.tags
+resource "aws_s3_bucket_logging" "default" {
+  count  = local.bucket_enabled && var.logging != null ? 1 : 0
+  bucket = join("", aws_s3_bucket.default.*.id)
+
+  target_bucket = local.logging_bucket_name
+  target_prefix = local.logging_prefix
 }
 
+
 resource "aws_s3_bucket_public_access_block" "default" {
   count                   = local.bucket_enabled && var.enable_public_access_block ? 1 : 0
   bucket                  = join("", aws_s3_bucket.default.*.id)
@@ -214,6 +231,31 @@ resource "aws_s3_bucket_public_access_block" "default" {
   restrict_public_buckets = var.restrict_public_buckets
 }
 
+resource "aws_s3_bucket_replication_configuration" "default" {
+  count = local.bucket_enabled && var.s3_replication_enabled ? 1 : 0
+
+  bucket = join("", aws_s3_bucket.default.*.id)
+  role   = aws_iam_role.replication[0].arn
+
+  rule {
+    id     = module.this.id
+    status = "Enabled"
+
+    destination {
+      # Prefer newer system of specifying bucket in rule, but maintain backward compatibility with
+      # s3_replica_bucket_arn to specify single destination for all rules
+      bucket        = var.s3_replica_bucket_arn
+      storage_class = "STANDARD"
+    }
+  }
+
+  depends_on = [
+    # versioning must be set before replication
+    aws_s3_bucket_versioning.default
+  ]
+}
+
+
 module "dynamodb_table_label" {
   source     = "cloudposse/label/null"
   version    = "0.25.0"
@@ -223,6 +265,7 @@ module "dynamodb_table_label" {
 }
 
 resource "aws_dynamodb_table" "with_server_side_encryption" {
+  #bridgecrew:skip=BC_AWS_GENERAL_44:Skipping `Ensure DynamoDB Tables have Auto Scaling enabled` because we know this is low usage
   count          = local.dynamodb_enabled && var.enable_server_side_encryption ? 1 : 0
   name           = local.dynamodb_table_name
   billing_mode   = var.billing_mode
@@ -249,7 +292,8 @@ resource "aws_dynamodb_table" "with_server_side_encryption" {
 }
 
 resource "aws_dynamodb_table" "without_server_side_encryption" {
-  count          = local.dynamodb_enabled && ! var.enable_server_side_encryption ? 1 : 0
+  #bridgecrew:skip=BC_AWS_GENERAL_44:Skipping `Ensure DynamoDB Tables have Auto Scaling enabled` because we know this is low usage
+  count          = local.dynamodb_enabled && !var.enable_server_side_encryption ? 1 : 0
   name           = local.dynamodb_table_name
   billing_mode   = var.billing_mode
   read_capacity  = var.billing_mode == "PROVISIONED" ? var.read_capacity : null

diff --git a/versions.tf b/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 1.1.0"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 2.0"
+      version = ">= 4.9.0"
     }
     local = {
       source  = "hashicorp/local"