Skip to content

Commit

Permalink
Support AWS Provider V5 (cloudposse#284)
Browse files Browse the repository at this point in the history
* Support AWS Provider V5

* Update versions.tf

* Update versions.tf

* Update versions.tf

* Support AWS Provider V5

* bump provider

* Support AWS Provider V5

* Support AWS Provider V5

* Support AWS Provider V5

* Support AWS Provider V5

* upd

* upd

* upd

* upd

* upd

* upd

* upd

* upd

* upd

* upd

* upd

* upd

* upd

* Add policy

* use ACL for logging s3-bucket access

* make readme

* Removed unused locals, use updated bucket acl pattern, enable logging by local

* allow public policy for test bucket

* tf fmt

* set BucketOwnerEnforced

* set acl with string, not grant

* set logs ownership to ObjectWriter

* set s3_object_ownership for test buckets

* set logs bucket to BucketOwnerPreferred

* Set bucket-owner-full-control

* reset to grant

* Update main.tf

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* set log-delivery-write for test bucekts

* set ownership on test bucket

* set BucketOwnerPreferred with grant list for test buckets

* reset tests, set ownership to BucketOwnerPreferred

* setting s3_object_ownership

* dependency for bucket settings before cdn

* Update examples/complete/main.tf

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* dependency for tweaks

* added more wait ons for bucket settings

* added more wait ons for bucket settings

* set ownership on test bucket, set acl null of s3

* set BucketOwnerEnforced

* set grants

* set grants

* Set policy after bucket settings

* Set block_origin_public_access_enabled

* revert s3-origins test

* set BucketOwnerEnforced

* sleep for eventual consistency

* Set acl for s3-origin tests

* replace s3-website module with s3-bucket for tests

* corrected bucket name input

* corrected bucket name input

* bridgecrew issues resolved

---------

Co-authored-by: milldr <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
  • Loading branch information
3 people authored and abeluck committed Aug 11, 2023
1 parent da545da commit 0e0b33e
Show file tree
Hide file tree
Showing 17 changed files with 1,040 additions and 454 deletions.
1 change: 1 addition & 0 deletions .github/workflows/release-branch.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ on:
- 'docs/**'
- 'examples/**'
- 'test/**'
- 'README.*'

permissions:
contents: write
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release-published.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,4 +11,4 @@ permissions:

jobs:
terraform-module:
uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main
uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main
12 changes: 4 additions & 8 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -88,10 +88,6 @@ We highly recommend that in your code you pin the version to the exact version y
using so that your infrastructure remains stable, and update versions in a
systematic way so that they do not catch you by surprise.

Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)),
the registry shows many of our inputs as required when in fact they are optional.
The table below correctly indicates which inputs are required.



For a complete example, see [examples/complete](examples/complete).
Expand Down Expand Up @@ -387,7 +383,7 @@ module "lambda_at_edge" {
EOT
filename = "index.js"
}]
runtime = "nodejs12.x"
runtime = "nodejs16.x"
handler = "index.handler"
event_type = "origin-response"
include_body = false
Expand Down Expand Up @@ -436,15 +432,15 @@ Available targets:
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.2 |
| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.7 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.2 |
| <a name="provider_time"></a> [time](#provider\_time) | >= 0.7 |

Expand All @@ -453,7 +449,7 @@ Available targets:
| Name | Source | Version |
|------|--------|---------|
| <a name="module_dns"></a> [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.13.0 |
| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.26.0 |
| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 1.4.2 |
| <a name="module_origin_label"></a> [origin\_label](#module\_origin\_label) | cloudposse/label/null | 0.25.0 |
| <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |

Expand Down
2 changes: 1 addition & 1 deletion README.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -352,7 +352,7 @@ usage: |-
EOT
filename = "index.js"
}]
runtime = "nodejs12.x"
runtime = "nodejs16.x"
handler = "index.handler"
event_type = "origin-response"
include_body = false
Expand Down
6 changes: 3 additions & 3 deletions docs/terraform.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,15 @@
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.2 |
| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.7 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.2 |
| <a name="provider_time"></a> [time](#provider\_time) | >= 0.7 |

Expand All @@ -21,7 +21,7 @@
| Name | Source | Version |
|------|--------|---------|
| <a name="module_dns"></a> [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.13.0 |
| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.26.0 |
| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 1.4.2 |
| <a name="module_origin_label"></a> [origin\_label](#module\_origin\_label) | cloudposse/label/null | 0.25.0 |
| <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |

Expand Down
97 changes: 85 additions & 12 deletions examples/complete/custom-origins.tf
Original file line number Diff line number Diff line change
Expand Up @@ -16,21 +16,37 @@ locals {
}
additional_custom_origin_primary = local.additional_custom_origins_enabled ? merge(
local.default_custom_origin_configuration, {
domain_name = module.additional_custom_origin.s3_bucket_website_endpoint
origin_id = module.additional_custom_origin.hostname
domain_name = module.additional_custom_origin.bucket_website_endpoint
origin_id = module.additional_custom_origin.bucket_id
}
) : null
additional_custom_origin_secondary = local.additional_custom_origins_enabled ? merge(
local.default_custom_origin_configuration, {
domain_name = module.additional_custom_failover_origin.s3_bucket_website_endpoint
origin_id = module.additional_custom_failover_origin.hostname
domain_name = module.additional_custom_failover_origin.bucket_website_endpoint
origin_id = module.additional_custom_failover_origin.bucket_id
}
) : null
additional_custom_origin_groups = local.additional_custom_origins_enabled ? [{
primary_origin_id = local.additional_custom_origin_primary.origin_id
failover_origin_id = local.additional_custom_origin_secondary.origin_id
failover_criteria = var.origin_group_failover_criteria_status_codes
}] : []
website_configuration = [
{
index_document = "index.html"
error_document = null
routing_rules = []
}
]
cors_configuration = [
{
allowed_headers = ["*"]
allowed_methods = ["GET"]
allowed_origins = ["*"]
expose_headers = ["ETag"]
max_age_seconds = 3600
}
]
}

# additional labels are required because they will be used for the 'hostname' variables for each of the additional website origins.
Expand All @@ -45,16 +61,44 @@ module "additional_custom_origin_label" {
}

module "additional_custom_origin" {
source = "cloudposse/s3-website/aws"
version = "0.16.1"
source = "cloudposse/s3-bucket/aws"
version = "3.1.2"

enabled = local.additional_custom_origins_enabled

force_destroy = true
hostname = format("%s.%s", module.additional_custom_origin_label.id, var.parent_zone_name)
bucket_name = format("%s.%s", module.additional_custom_origin_label.id, var.parent_zone_name)
force_destroy = true
website_configuration = local.website_configuration
cors_configuration = local.cors_configuration

context = module.additional_custom_origin_label.context
}

resource "aws_s3_bucket_public_access_block" "additional_custom_origin" {
count = local.additional_custom_origins_enabled ? 1 : 0

# The bucket used for a public static website.
#bridgecrew:skip=BC_AWS_S3_19:Skipping `Ensure S3 bucket has block public ACLS enabled`
#bridgecrew:skip=BC_AWS_S3_20:Skipping `Ensure S3 Bucket BlockPublicPolicy is set to True`
#bridgecrew:skip=BC_AWS_S3_21:Skipping `Ensure S3 bucket IgnorePublicAcls is set to True`
#bridgecrew:skip=BC_AWS_S3_22:Skipping `Ensure S3 bucket RestrictPublicBucket is set to True`
bucket = module.additional_custom_origin.bucket_id

block_public_acls = false
block_public_policy = false
ignore_public_acls = false
restrict_public_buckets = false
}

resource "aws_s3_bucket_ownership_controls" "additional_custom_origin" {
count = local.additional_custom_origins_enabled ? 1 : 0

bucket = module.additional_custom_origin.bucket_id
rule {
object_ownership = "BucketOwnerEnforced"
}
}

module "additional_custom_failover_origin_label" {
source = "cloudposse/label/null"
version = "0.24.1"
Expand All @@ -66,12 +110,41 @@ module "additional_custom_failover_origin_label" {
}

module "additional_custom_failover_origin" {
source = "cloudposse/s3-website/aws"
version = "0.16.1"
source = "cloudposse/s3-bucket/aws"
version = "3.1.2"

enabled = local.additional_custom_origins_enabled

force_destroy = true
hostname = format("%s.%s", module.additional_custom_failover_origin_label.id, var.parent_zone_name)
bucket_name = format("%s.%s", module.additional_custom_failover_origin_label.id, var.parent_zone_name)
force_destroy = true
website_configuration = local.website_configuration
cors_configuration = local.cors_configuration

context = module.additional_custom_failover_origin_label.context
}

resource "aws_s3_bucket_public_access_block" "additional_custom_failover_origin" {
count = local.additional_custom_origins_enabled ? 1 : 0

# The bucket used for a public static website.
#bridgecrew:skip=BC_AWS_S3_19:Skipping `Ensure S3 bucket has block public ACLS enabled`
#bridgecrew:skip=BC_AWS_S3_20:Skipping `Ensure S3 Bucket BlockPublicPolicy is set to True`
#bridgecrew:skip=BC_AWS_S3_21:Skipping `Ensure S3 bucket IgnorePublicAcls is set to True`
#bridgecrew:skip=BC_AWS_S3_22:Skipping `Ensure S3 bucket RestrictPublicBucket is set to True`
bucket = module.additional_custom_failover_origin.bucket_id

block_public_acls = false
block_public_policy = false
ignore_public_acls = false
restrict_public_buckets = false
}

resource "aws_s3_bucket_ownership_controls" "additional_custom_failover_origin" {
count = local.additional_custom_origins_enabled ? 1 : 0

bucket = module.additional_custom_failover_origin.bucket_id
rule {
object_ownership = "BucketOwnerEnforced"
}
}

2 changes: 1 addition & 1 deletion examples/complete/deployment.tf
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ locals {
} : {}

our_account_id = local.enabled ? data.aws_caller_identity.current[0].account_id : ""
our_role_arn_prefix = "arn:${join("", data.aws_partition.current.*.partition)}:iam::${local.our_account_id}:role"
our_role_arn_prefix = "arn:${join("", data.aws_partition.current[*].partition)}:iam::${local.our_account_id}:role"
role_names = { for k, v in local.test_deployment_role_prefix_map : k => module.role_labels[k].id }
deployment_principal_arns = { for k, v in local.role_names : format("%v/%v", local.our_role_arn_prefix, v) => local.test_deployment_role_prefix_map[k] }
}
Expand Down
8 changes: 4 additions & 4 deletions examples/complete/lambda-at-edge.tf
Original file line number Diff line number Diff line change
Expand Up @@ -30,22 +30,22 @@ module "lambda_at_edge" {
EOT
filename = "index.js"
}]
runtime = "nodejs12.x"
runtime = "nodejs16.x"
handler = "index.handler"
event_type = "viewer-request"
include_body = false
},
# Add custom header to the response
viewer_response = {
source_dir = "lib"
runtime = "nodejs12.x"
runtime = "nodejs16.x"
handler = "index.handler"
event_type = "viewer-response"
include_body = false
},
origin_request = {
source_zip = "origin-request.zip"
runtime = "nodejs12.x"
runtime = "nodejs16.x"
handler = "index.handler"
event_type = "origin-request"
include_body = false
Expand Down Expand Up @@ -77,7 +77,7 @@ module "lambda_at_edge" {
EOT
filename = "index.js"
}]
runtime = "nodejs12.x"
runtime = "nodejs16.x"
handler = "index.handler"
event_type = "origin-response"
include_body = false
Expand Down
37 changes: 29 additions & 8 deletions examples/complete/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ data "aws_iam_policy_document" "document" {

actions = ["s3:GetObject"]
resources = [
"arn:${join("", data.aws_partition.current.*.partition)}:s3:::$${bucket_name}$${origin_path}testprefix/*"
"arn:${join("", data.aws_partition.current[*].partition)}:s3:::$${bucket_name}$${origin_path}testprefix/*"
]

principals {
Expand All @@ -36,14 +36,16 @@ data "aws_canonical_user_id" "current" {

module "s3_bucket" {
source = "cloudposse/s3-bucket/aws"
version = "0.36.0"
version = "3.1.2"

acl = null
force_destroy = true
user_enabled = false
versioning_enabled = false
attributes = ["existing-bucket"]
force_destroy = true
user_enabled = false
versioning_enabled = false
block_public_policy = false
attributes = ["existing-bucket"]

acl = null
s3_object_ownership = "BucketOwnerPreferred"
grants = [
{
id = local.enabled ? data.aws_canonical_user_id.current[0].id : ""
Expand All @@ -62,9 +64,27 @@ module "s3_bucket" {
context = module.this.context
}

# Workaround for S3 eventual consistency for settings relating to objects
resource "time_sleep" "wait_for_aws_s3_bucket_settings" {
count = local.enabled ? 1 : 0

create_duration = "30s"
destroy_duration = "30s"

depends_on = [
data.aws_iam_policy_document.document,
module.s3_bucket
]
}

module "cloudfront_s3_cdn" {
source = "../../"

depends_on = [
time_sleep.wait_for_aws_s3_bucket_settings,
time_sleep.wait_for_additional_s3_origins
]

parent_zone_name = var.parent_zone_name
dns_alias_enabled = true
origin_force_destroy = true
Expand All @@ -81,6 +101,7 @@ module "cloudfront_s3_cdn" {

cloudfront_access_logging_enabled = true
cloudfront_access_log_prefix = "logs/cf_access"
s3_object_ownership = "BucketOwnerPreferred"

additional_bucket_policy = local.enabled ? data.aws_iam_policy_document.document[0].json : ""

Expand All @@ -105,7 +126,7 @@ module "cloudfront_s3_cdn" {
context = module.this.context
}

resource "aws_s3_bucket_object" "index" {
resource "aws_s3_object" "index" {
count = local.enabled ? 1 : 0

bucket = module.cloudfront_s3_cdn.s3_bucket
Expand Down
Loading

0 comments on commit 0e0b33e

Please sign in to comment.