From 2cdab38d65c9f59ed97d6108f4dd5ae627fadf9e Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 11 May 2023 00:21:37 -0700
Subject: [PATCH] Updates to current AWS provider, S3 defaults (#133)
* Update Terraform cloudposse/s3-log-storage/aws to v1
* Updates for S3 default ACL disabled
---
README.md | 15 +++--
docs/terraform.md | 15 +++--
examples/complete/versions.tf | 4 +-
main.tf | 116 +++++++++++++++++++++++-----------
versions.tf | 4 +-
5 files changed, 106 insertions(+), 48 deletions(-)
diff --git a/README.md b/README.md
index 821ef44..df6e90a 100644
--- a/README.md
+++ b/README.md
@@ -248,15 +248,15 @@ Available targets:
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13.0 |
-| [aws](#requirement\_aws) | >= 2.0 |
+| [terraform](#requirement\_terraform) | >= 1.1.0 |
+| [aws](#requirement\_aws) | >= 4.9.0 |
| [local](#requirement\_local) | >= 1.3 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 2.0 |
+| [aws](#provider\_aws) | >= 4.9.0 |
| [local](#provider\_local) | >= 1.3 |
## Modules
@@ -264,7 +264,7 @@ Available targets:
| Name | Source | Version |
|------|--------|---------|
| [dynamodb\_table\_label](#module\_dynamodb\_table\_label) | cloudposse/label/null | 0.25.0 |
-| [log\_storage](#module\_log\_storage) | cloudposse/s3-log-storage/aws | 0.26.0 |
+| [log\_storage](#module\_log\_storage) | cloudposse/s3-log-storage/aws | 1.1.0 |
| [this](#module\_this) | cloudposse/label/null | 0.25.0 |
## Resources
@@ -277,7 +277,14 @@ Available targets:
| [aws_iam_role.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_ownership_controls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
+| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_replication_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_replication_configuration) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
| [local_file.terraform_backend_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
| [aws_iam_policy_document.prevent_unencrypted_uploads](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/docs/terraform.md b/docs/terraform.md
index 546f950..dd4a8ef 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -3,15 +3,15 @@
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13.0 |
-| [aws](#requirement\_aws) | >= 2.0 |
+| [terraform](#requirement\_terraform) | >= 1.1.0 |
+| [aws](#requirement\_aws) | >= 4.9.0 |
| [local](#requirement\_local) | >= 1.3 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 2.0 |
+| [aws](#provider\_aws) | >= 4.9.0 |
| [local](#provider\_local) | >= 1.3 |
## Modules
@@ -19,7 +19,7 @@
| Name | Source | Version |
|------|--------|---------|
| [dynamodb\_table\_label](#module\_dynamodb\_table\_label) | cloudposse/label/null | 0.25.0 |
-| [log\_storage](#module\_log\_storage) | cloudposse/s3-log-storage/aws | 0.26.0 |
+| [log\_storage](#module\_log\_storage) | cloudposse/s3-log-storage/aws | 1.1.0 |
| [this](#module\_this) | cloudposse/label/null | 0.25.0 |
## Resources
@@ -32,7 +32,14 @@
| [aws_iam_role.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_ownership_controls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
+| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_replication_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_replication_configuration) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
| [local_file.terraform_backend_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
| [aws_iam_policy_document.prevent_unencrypted_uploads](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
index 2080158..9924e24 100644
--- a/examples/complete/versions.tf
+++ b/examples/complete/versions.tf
@@ -1,10 +1,10 @@
terraform {
- required_version = ">= 0.13.0"
+ required_version = ">= 1.1.0"
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 2.0"
+ version = "= 4.9.0"
}
local = {
source = "hashicorp/local"
diff --git a/main.tf b/main.tf
index 3c19190..dd6d591 100644
--- a/main.tf
+++ b/main.tf
@@ -140,7 +140,7 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
module "log_storage" {
source = "cloudposse/s3-log-storage/aws"
- version = "0.26.0"
+ version = "1.1.0"
enabled = local.logging_bucket_enabled
access_log_bucket_prefix = local.logging_prefix_default
@@ -158,53 +158,70 @@ resource "aws_s3_bucket" "default" {
#bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until Bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
#bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` check due to issues operating with `mfa_delete` in terraform
+ #bridgecrew:skip=BC_AWS_NETWORKING_52: Skipping `Ensure S3 Bucket has public access blocks` because we have chosen to make it configurable
+ #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure AWS S3 object versioning is enabled` because we have it enabled, but Bridgecrew doesn't recognize it
bucket = substr(local.bucket_name, 0, 63)
- acl = var.acl
force_destroy = var.force_destroy
- policy = local.policy
- versioning {
- enabled = true
- mfa_delete = var.mfa_delete
- }
+ tags = module.this.tags
+}
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
- }
- }
+resource "aws_s3_bucket_acl" "default" {
+ count = local.bucket_enabled ? 1 : 0
+ bucket = join("", aws_s3_bucket.default.*.id)
+
+ acl = var.acl
+
+ depends_on = [aws_s3_bucket_ownership_controls.default]
+}
+
+# Per https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
+resource "aws_s3_bucket_ownership_controls" "default" {
+ count = local.bucket_enabled ? 1 : 0
+ bucket = join("", aws_s3_bucket.default.*.id)
+
+ rule {
+ object_ownership = "BucketOwnerPreferred"
}
+}
+
+resource "aws_s3_bucket_policy" "default" {
+ count = local.bucket_enabled ? 1 : 0
+ bucket = join("", aws_s3_bucket.default.*.id)
+ policy = local.policy
+ depends_on = [aws_s3_bucket_public_access_block.default]
+}
- dynamic "replication_configuration" {
- for_each = var.s3_replication_enabled ? toset([var.s3_replica_bucket_arn]) : []
- content {
- role = aws_iam_role.replication[0].arn
-
- rules {
- id = module.this.id
- prefix = ""
- status = "Enabled"
-
- destination {
- bucket = var.s3_replica_bucket_arn
- storage_class = "STANDARD"
- }
- }
+resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+ count = local.bucket_enabled ? 1 : 0
+ bucket = join("", aws_s3_bucket.default.*.id)
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
}
}
+}
- dynamic "logging" {
- for_each = var.logging == null ? [] : [1]
- content {
- target_bucket = local.logging_bucket_name
- target_prefix = local.logging_prefix
- }
+resource "aws_s3_bucket_versioning" "default" {
+ count = local.bucket_enabled ? 1 : 0
+ bucket = join("", aws_s3_bucket.default.*.id)
+
+ versioning_configuration {
+ status = "Enabled"
+ mfa_delete = var.mfa_delete ? "Enabled" : "Disabled"
}
+}
- tags = module.this.tags
+resource "aws_s3_bucket_logging" "default" {
+ count = local.bucket_enabled && var.logging != null ? 1 : 0
+ bucket = join("", aws_s3_bucket.default.*.id)
+
+ target_bucket = local.logging_bucket_name
+ target_prefix = local.logging_prefix
}
+
resource "aws_s3_bucket_public_access_block" "default" {
count = local.bucket_enabled && var.enable_public_access_block ? 1 : 0
bucket = join("", aws_s3_bucket.default.*.id)
@@ -214,6 +231,31 @@ resource "aws_s3_bucket_public_access_block" "default" {
restrict_public_buckets = var.restrict_public_buckets
}
+resource "aws_s3_bucket_replication_configuration" "default" {
+ count = local.bucket_enabled && var.s3_replication_enabled ? 1 : 0
+
+ bucket = join("", aws_s3_bucket.default.*.id)
+ role = aws_iam_role.replication[0].arn
+
+ rule {
+ id = module.this.id
+ status = "Enabled"
+
+ destination {
+ # Prefer newer system of specifying bucket in rule, but maintain backward compatibility with
+ # s3_replica_bucket_arn to specify single destination for all rules
+ bucket = var.s3_replica_bucket_arn
+ storage_class = "STANDARD"
+ }
+ }
+
+ depends_on = [
+ # versioning must be set before replication
+ aws_s3_bucket_versioning.default
+ ]
+}
+
+
module "dynamodb_table_label" {
source = "cloudposse/label/null"
version = "0.25.0"
@@ -223,6 +265,7 @@ module "dynamodb_table_label" {
}
resource "aws_dynamodb_table" "with_server_side_encryption" {
+ #bridgecrew:skip=BC_AWS_GENERAL_44:Skipping `Ensure DynamoDB Tables have Auto Scaling enabled` because we know this is low usage
count = local.dynamodb_enabled && var.enable_server_side_encryption ? 1 : 0
name = local.dynamodb_table_name
billing_mode = var.billing_mode
@@ -249,7 +292,8 @@ resource "aws_dynamodb_table" "with_server_side_encryption" {
}
resource "aws_dynamodb_table" "without_server_side_encryption" {
- count = local.dynamodb_enabled && ! var.enable_server_side_encryption ? 1 : 0
+ #bridgecrew:skip=BC_AWS_GENERAL_44:Skipping `Ensure DynamoDB Tables have Auto Scaling enabled` because we know this is low usage
+ count = local.dynamodb_enabled && !var.enable_server_side_encryption ? 1 : 0
name = local.dynamodb_table_name
billing_mode = var.billing_mode
read_capacity = var.billing_mode == "PROVISIONED" ? var.read_capacity : null
diff --git a/versions.tf b/versions.tf
index 2080158..876cde7 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,10 +1,10 @@
terraform {
- required_version = ">= 0.13.0"
+ required_version = ">= 1.1.0"
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 2.0"
+ version = ">= 4.9.0"
}
local = {
source = "hashicorp/local"