From d208a626342fb61d39f8e6dd9386e93ed26ad098 Mon Sep 17 00:00:00 2001 From: Andrey D Date: Mon, 4 Mar 2024 13:37:57 +0300 Subject: [PATCH] Fixed deprecated aws_s3_bucket attributes (#293) * fix deprecated s3 bucket attributes * add missed quotes * fix readme --- README.md | 5 +++++ docs/terraform.md | 5 +++++ main.tf | 55 ++++++++++++++++++++++++++++++++--------------- variables.tf | 13 ++++++++++- 4 files changed, 60 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 447198c3..51df8a7c 100644 --- a/README.md +++ b/README.md @@ -433,9 +433,13 @@ Available targets: | [aws_cloudfront_distribution.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource | | [aws_cloudfront_origin_access_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource | | [aws_s3_bucket.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_cors_configuration.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource | | [aws_s3_bucket_ownership_controls.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | | [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [aws_s3_bucket_public_access_block.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [random_password.referer](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | | [time_sleep.wait_for_aws_s3_bucket_settings](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -461,6 +465,7 @@ Available targets: | [allowed\_methods](#input\_allowed\_methods) | List of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) for AWS CloudFront | `list(string)` |
[
"DELETE",
"GET",
"HEAD",
"OPTIONS",
"PATCH",
"POST",
"PUT"
]
| no | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | | [block\_origin\_public\_access\_enabled](#input\_block\_origin\_public\_access\_enabled) | When set to 'true' the s3 origin bucket will have public access block enabled | `bool` | `false` | no | +| [bucket\_versioning](#input\_bucket\_versioning) | State of bucket versioning option | `string` | `"Disabled"` | no | | [cache\_policy\_id](#input\_cache\_policy\_id) | The unique identifier of the existing cache policy to attach to the default cache behavior.
If not provided, this module will add a default cache policy using other provided inputs. | `string` | `null` | no | | [cached\_methods](#input\_cached\_methods) | List of cached methods (e.g. GET, PUT, POST, DELETE, HEAD) | `list(string)` |
[
"GET",
"HEAD"
]
| no | | [cloudfront\_access\_log\_bucket\_name](#input\_cloudfront\_access\_log\_bucket\_name) | When `cloudfront_access_log_create_bucket` is `false`, this is the name of the existing S3 Bucket where
Cloudfront Access Logs are to be delivered and is required. IGNORED when `cloudfront_access_log_create_bucket` is `true`. | `string` | `""` | no | diff --git a/docs/terraform.md b/docs/terraform.md index ff4cf8a0..d4f2f718 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -32,9 +32,13 @@ | [aws_cloudfront_distribution.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource | | [aws_cloudfront_origin_access_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource | | [aws_s3_bucket.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_cors_configuration.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource | | [aws_s3_bucket_ownership_controls.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | | [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [aws_s3_bucket_public_access_block.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [random_password.referer](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | | [time_sleep.wait_for_aws_s3_bucket_settings](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -60,6 +64,7 @@ | [allowed\_methods](#input\_allowed\_methods) | List of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) for AWS CloudFront | `list(string)` |
[
"DELETE",
"GET",
"HEAD",
"OPTIONS",
"PATCH",
"POST",
"PUT"
]
| no | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | | [block\_origin\_public\_access\_enabled](#input\_block\_origin\_public\_access\_enabled) | When set to 'true' the s3 origin bucket will have public access block enabled | `bool` | `false` | no | +| [bucket\_versioning](#input\_bucket\_versioning) | State of bucket versioning option | `string` | `"Disabled"` | no | | [cache\_policy\_id](#input\_cache\_policy\_id) | The unique identifier of the existing cache policy to attach to the default cache behavior.
If not provided, this module will add a default cache policy using other provided inputs. | `string` | `null` | no | | [cached\_methods](#input\_cached\_methods) | List of cached methods (e.g. GET, PUT, POST, DELETE, HEAD) | `list(string)` |
[
"GET",
"HEAD"
]
| no | | [cloudfront\_access\_log\_bucket\_name](#input\_cloudfront\_access\_log\_bucket\_name) | When `cloudfront_access_log_create_bucket` is `false`, this is the name of the existing S3 Bucket where
Cloudfront Access Logs are to be delivered and is required. IGNORED when `cloudfront_access_log_create_bucket` is `true`. | `string` | `""` | no | diff --git a/main.tf b/main.tf index 7ba9c1e3..a658b492 100644 --- a/main.tf +++ b/main.tf @@ -254,26 +254,9 @@ resource "aws_s3_bucket" "origin" { count = local.create_s3_origin_bucket ? 1 : 0 bucket = module.origin_label.id - acl = "private" tags = module.origin_label.tags force_destroy = var.origin_force_destroy - dynamic "server_side_encryption_configuration" { - for_each = var.encryption_enabled ? ["true"] : [] - - content { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "AES256" - } - } - } - } - - versioning { - enabled = var.versioning_enabled - } - dynamic "logging" { for_each = local.s3_access_logging_enabled ? [1] : [] content { @@ -291,6 +274,35 @@ resource "aws_s3_bucket" "origin" { routing_rules = lookup(website.value, "routing_rules", null) } } +} + + +resource "aws_s3_bucket_versioning" "origin" { + count = local.create_s3_origin_bucket ? 1 : 0 + + bucket = one(aws_s3_bucket.origin).id + + versioning_configuration { + status = var.bucket_versioning + } +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "origin" { + count = var.encryption_enabled && local.create_s3_origin_bucket ? 1 : 0 + + bucket = one(aws_s3_bucket.origin).id + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } +} + +resource "aws_s3_bucket_cors_configuration" "origin" { + count = local.create_s3_origin_bucket ? 1 : 0 + + bucket = one(aws_s3_bucket.origin).id dynamic "cors_rule" { for_each = distinct(compact(concat(var.cors_allowed_origins, var.aliases, var.external_aliases))) @@ -304,6 +316,15 @@ resource "aws_s3_bucket" "origin" { } } +resource "aws_s3_bucket_acl" "origin" { + depends_on = [aws_s3_bucket_ownership_controls.origin] + count = local.create_s3_origin_bucket ? 1 : 0 + + bucket = one(aws_s3_bucket.origin).id + acl = "private" +} + + resource "aws_s3_bucket_public_access_block" "origin" { count = (local.create_s3_origin_bucket || local.override_origin_bucket_policy) ? 1 : 0 diff --git a/variables.tf b/variables.tf index 256a445b..8eb42800 100644 --- a/variables.tf +++ b/variables.tf @@ -679,4 +679,15 @@ variable "http_version" { type = string default = "http2" description = "The maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3 and http3" -} \ No newline at end of file +} + +variable "bucket_versioning" { + type = string + default = "Disabled" + description = "State of bucket versioning option" + + validation { + condition = contains(["Enabled", "Disabled", "Suspended"], var.bucket_versioning) + error_message = "Please choose one of 'Enabled', 'Disabled', or 'Suspended'" + } +}