add BucketOwnerPreferred ownership controls to buckets w/ aws_s3_buck…

…et_acl resources (#170) * add BucketOwnerPreferred ownership controls to buckets with aws_s3_bucket_acl resources * remove duplicate acl entry * don't use iterables for depends_on aws_s3_bucket_ownership_controls
18F · Apr 19, 2023 · 53fd480 · 53fd480
1 parent bcadc2a
commit 53fd480
Show file tree

Hide file tree

Showing 7 changed files with 79 additions and 6 deletions.
diff --git a/elb_access_logs_bucket/main.tf b/elb_access_logs_bucket/main.tf
@@ -62,9 +62,19 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
   }
 }
 
+resource "aws_s3_bucket_ownership_controls" "logs" {
+  bucket = aws_s3_bucket.logs.id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
 resource "aws_s3_bucket_acl" "logs" {
   bucket = aws_s3_bucket.logs.id
   acl    = "log-delivery-write"
+
+  depends_on = [aws_s3_bucket_ownership_controls.logs]
 }
 
 resource "aws_s3_bucket_policy" "logs" {

diff --git a/git2s3_artifacts/main.tf b/git2s3_artifacts/main.tf
@@ -91,11 +91,22 @@ resource "aws_s3_bucket" "artifact_bucket" {
   }
 }
 
+resource "aws_s3_bucket_ownership_controls" "artifact_bucket" {
+  bucket = aws_s3_bucket.artifact_bucket.id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
 resource "aws_s3_bucket_acl" "artifact_bucket" {
   bucket = aws_s3_bucket.artifact_bucket.id
   acl    = "private"
+
+  depends_on = [aws_s3_bucket_ownership_controls.artifact_bucket]
 }
 
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "artifact_bucket" {
   bucket = aws_s3_bucket.artifact_bucket.id
 

diff --git a/guardduty/main.tf b/guardduty/main.tf
@@ -206,9 +206,19 @@ resource "aws_s3_bucket" "guardduty" {
   force_destroy = true
 }
 
+resource "aws_s3_bucket_ownership_controls" "guardduty" {
+  bucket = aws_s3_bucket.guardduty.id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
 resource "aws_s3_bucket_acl" "guardduty" {
   bucket = aws_s3_bucket.guardduty.id
   acl    = "private"
+
+  depends_on = [aws_s3_bucket_ownership_controls.guardduty]
 }
 
 resource "aws_s3_bucket_policy" "guardduty" {

diff --git a/s3_bucket_block/main.tf b/s3_bucket_block/main.tf
@@ -44,10 +44,21 @@ resource "aws_s3_bucket" "bucket" {
   force_destroy = lookup(each.value, "force_destroy", true)
 }
 
+resource "aws_s3_bucket_ownership_controls" "bucket" {
+  for_each = var.bucket_data
+  bucket   = aws_s3_bucket.bucket[each.key]
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
 resource "aws_s3_bucket_acl" "bucket" {
   for_each = var.bucket_data
   bucket   = aws_s3_bucket.bucket[each.key]
   acl      = lookup(each.value, "acl", "private")
+
+  depends_on = [aws_s3_bucket_ownership_controls.bucket]
 }
 
 resource "aws_s3_bucket_policy" "bucket" {

diff --git a/slo_lambda/main.tf b/slo_lambda/main.tf
@@ -141,11 +141,11 @@ resource "aws_cloudwatch_dashboard" "sli" {
           ]
           "region" : data.aws_region.current.name
           "title" : "${v.description != null ? v.description : k} over last ${var.window_days} days"
-          "stat": "Average"
+          "stat" : "Average"
           "period" : 24 * 60 * 60
-          "yAxis": {
-            "left": {
-              "showUnits": false
+          "yAxis" : {
+            "left" : {
+              "showUnits" : false
             }
           }
         }

diff --git a/ssm/main.tf b/ssm/main.tf
@@ -102,9 +102,19 @@ resource "aws_s3_bucket_versioning" "ssm_logs" {
   }
 }
 
+resource "aws_s3_bucket_ownership_controls" "ssm_logs" {
+  bucket = aws_s3_bucket.ssm_logs.id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
 resource "aws_s3_bucket_acl" "ssm_logs" {
   bucket = aws_s3_bucket.ssm_logs.id
   acl    = "private"
+
+  depends_on = [aws_s3_bucket_ownership_controls.ssm_logs]
 }
 
 resource "aws_s3_bucket_lifecycle_configuration" "ssm_logs" {

diff --git a/state_bucket/main.tf b/state_bucket/main.tf
@@ -97,9 +97,19 @@ resource "aws_s3_bucket_versioning" "s3-access-logs" {
   }
 }
 
+resource "aws_s3_bucket_ownership_controls" "s3-access-logs" {
+  bucket = aws_s3_bucket.s3-access-logs.id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
 resource "aws_s3_bucket_acl" "s3-access-logs" {
   bucket = aws_s3_bucket.s3-access-logs.id
   acl    = "log-delivery-write"
+
+  depends_on = [aws_s3_bucket_ownership_controls.s3-access-logs]
 }
 
 resource "aws_s3_bucket_lifecycle_configuration" "s3-access-logs" {
@@ -154,10 +164,21 @@ resource "aws_s3_bucket_versioning" "tf-state" {
   }
 }
 
+resource "aws_s3_bucket_ownership_controls" "tf-state" {
+  count  = var.remote_state_enabled
+  bucket = data.aws_s3_bucket.tf-state[count.index].id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
 resource "aws_s3_bucket_acl" "tf-state" {
   count  = var.remote_state_enabled
   bucket = data.aws_s3_bucket.tf-state[count.index].id
   acl    = "private"
+
+  depends_on = [aws_s3_bucket_ownership_controls.tf-state]
 }
 
 resource "aws_s3_bucket_logging" "tf-state" {
@@ -214,8 +235,8 @@ resource "aws_s3_bucket_public_access_block" "inventory" {
 }
 
 module "s3_config" {
-  for_each   = var.remote_state_enabled == 1 ? toset(["s3-access-logs", "tf-state"]) : toset(["s3-access-logs"])
-  source     = "github.com/18F/identity-terraform//s3_config?ref=91f5c8a84c664fc5116ef970a5896c2edadff2b1"
+  for_each = var.remote_state_enabled == 1 ? toset(["s3-access-logs", "tf-state"]) : toset(["s3-access-logs"])
+  source   = "github.com/18F/identity-terraform//s3_config?ref=91f5c8a84c664fc5116ef970a5896c2edadff2b1"
   #source = "../s3_config"
   depends_on = [aws_s3_bucket.s3-access-logs]