cloudposse · denissimonovski · Jul 4, 2022 · Jul 4, 2022 · Jul 4, 2022 · Jul 4, 2022
@@ -164,20 +164,21 @@ Available targets:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.21.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.21.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.1 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_cache_bucket"></a> [cache\_bucket](#module\_cache\_bucket) | cloudposse/s3-bucket/aws | 2.0.3 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Resources
@@ -191,7 +192,6 @@ Available targets:
 | [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [aws_caller_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.combined_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

@@ -4,20 +4,21 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.21.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.21.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.1 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_cache_bucket"></a> [cache\_bucket](#module\_cache\_bucket) | cloudposse/s3-bucket/aws | 2.0.3 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Resources
@@ -31,7 +32,6 @@
 | [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [aws_caller_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.combined_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

@@ -288,13 +288,13 @@ variable "logs_config" {
 }
 
 variable "extra_permissions" {
-  type        = list
+  type        = list(any)
-  type        = list(any)
+  type        = list(string)
-  type        = list(any)
+  type        = list(string)
   default     = []
   description = "List of action strings which will be added to IAM service account permissions."
 }
 
 # Log tracker
 variable "log_tracker" {
-  type    = map
+  type    = map(any)
   default = {}
 }
@@ -2,53 +2,44 @@ data "aws_caller_identity" "default" {}
 
 data "aws_region" "default" {}
 
-resource "aws_s3_bucket" "cache_bucket" {
+module "cache_bucket" {
   #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
   #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
   #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
-  count         = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0
-  bucket        = local.cache_bucket_name_normalised
-  acl           = "private"
-  force_destroy = true
-  tags          = module.this.tags
-
-  versioning {
-    enabled = var.versioning_enabled
+  source  = "cloudposse/s3-bucket/aws"
+  version = "2.0.3"
+
+  count       = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0
+  bucket_name = local.cache_bucket_name_normalised
+
+  acl                = true
-  acl                = true
+  acl                = "private"
-  acl                = true
+  acl                = "private"
+  force_destroy      = true
+  tags               = module.this.tags
+  versioning_enabled = var.versioning_enabled
+  logging = {
+    bucket_name = var.access_log_bucket_name
+    prefix      = "logs/${module.this.id}/"
   }
-
-  dynamic "logging" {
-    for_each = var.access_log_bucket_name != "" ? [1] : []
-    content {
-      target_bucket = var.access_log_bucket_name
-      target_prefix = "logs/${module.this.id}/"
-    }
-  }
-
-  lifecycle_rule {
-    id      = "codebuildcache"
-    enabled = true
-
-    prefix = "/"
-    tags   = module.this.tags
-
-    expiration {
-      days = var.cache_expiration_days
-    }
-  }
-
-  dynamic "server_side_encryption_configuration" {
-    for_each = var.encryption_enabled ? ["true"] : []
-
-    content {
-      rule {
-        apply_server_side_encryption_by_default {
-          sse_algorithm = "AES256"
-        }
+  lifecycle_configuration_rules = [
+    # Be sure to cover https://github.com/cloudposse/terraform-aws-s3-bucket/issues/137
+    {
+      enabled                                = true
+      id                                     = "codebuildcache"
+      abort_incomplete_multipart_upload_days = 1
+      prefix                                 = "/"
-      prefix                                 = "/"
-      prefix                                 = "/"
+      tags                                   = module.this.tags
+      filter_and                             = {}
+      noncurrent_version_expiration          = {}
+      noncurrent_version_transition          = []
+      transition                             = [{}]
+      expiration = {
+        days                         = var.cache_expiration_days
+        expired_object_delete_marker = null
       }
     }
-  }
+  ]
+  bucket_key_enabled = true
 }
-
 resource "random_string" "bucket_prefix" {
   count   = module.this.enabled ? 1 : 0
   length  = 12
@@ -71,7 +62,7 @@ locals {
 
   s3_cache_enabled       = var.cache_type == "S3"
   create_s3_cache_bucket = local.s3_cache_enabled && var.s3_cache_bucket_name == null
-  s3_bucket_name         = local.create_s3_cache_bucket ? join("", aws_s3_bucket.cache_bucket.*.bucket) : var.s3_cache_bucket_name
+  s3_bucket_name         = local.create_s3_cache_bucket ? join("", module.cache_bucket.*.bucket) : var.s3_cache_bucket_name
 
   ## This is the magic where a map of a list of maps is generated
   ## and used to conditionally add the cache bucket option to the
@@ -265,8 +256,8 @@ data "aws_iam_policy_document" "permissions_cache_bucket" {
     effect = "Allow"
 
     resources = [
-      join("", aws_s3_bucket.cache_bucket.*.arn),
-      "${join("", aws_s3_bucket.cache_bucket.*.arn)}/*",
+      join("", module.cache_bucket.*.bucket_arn),
+      "${join("", module.cache_bucket.*.bucket_arn)}/*",
     ]
   }
 }

@@ -20,12 +20,12 @@ output "role_arn" {
 
 output "cache_bucket_name" {
   description = "Cache S3 bucket name"
-  value       = module.this.enabled && local.s3_cache_enabled ? join("", aws_s3_bucket.cache_bucket.*.bucket) : "UNSET"
+  value       = module.this.enabled && local.s3_cache_enabled ? join("", module.cache_bucket.*.bucket) : "UNSET"
 }
 
 output "cache_bucket_arn" {
   description = "Cache S3 bucket ARN"
-  value       = module.this.enabled && local.s3_cache_enabled ? join("", aws_s3_bucket.cache_bucket.*.arn) : "UNSET"
+  value       = module.this.enabled && local.s3_cache_enabled ? join("", module.cache_bucket.*.bucket_arn) : "UNSET"
 }
 
 output "badge_url" {

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 2.0"
+      version = ">= 4.21.0"
     }
     random = {
       source  = "hashicorp/random"