From 42320bf1dfc6a5e43cb61943b9737682d92f2836 Mon Sep 17 00:00:00 2001
From: houserx-ioannis <114307968+houserx-ioannis@users.noreply.github.com>
Date: Tue, 30 Jul 2024 21:26:34 +0200
Subject: [PATCH] feat: add expected_bucket_owner variable (#238)
* 226: Add Expected Bucket Owner
* Update variables.tf
Co-authored-by: Matt Gowie
* fix: commit make results
---------
Co-authored-by: John McCall <129085294+houserx-jmcc@users.noreply.github.com>
Co-authored-by: Matt Gowie
Co-authored-by: John McCall
---
 README.md | 1 +
 docs/terraform.md | 1 +
 main.tf | 12 ++++++++----
 variables.tf | 9 +++++++++
 4 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 9766b74b..f407dca0 100644
--- a/README.md
+++ b/README.md
@@ -280,6 +280,7 @@ Available targets:
 | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
 | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
+| [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | Account ID of the expected bucket owner.
More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html | `string` | `null` | no |
 | [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.
THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier. | `bool` | `false` | no |
 | [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.
Conflicts with `acl`. Set `acl` to `null` to use this.
Deprecated by AWS in favor of bucket policies.
Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". |
list(object({
id = string
type = string
permissions = list(string)
uri = string
}))
| `[]` | no |
 | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 9e584898..571a4ffc 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -72,6 +72,7 @@
 | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
 | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
+| [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | Account ID of the expected bucket owner.
More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html | `string` | `null` | no |
 | [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.
THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier. | `bool` | `false` | no |
 | [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.
Conflicts with `acl`. Set `acl` to `null` to use this.
Deprecated by AWS in favor of bucket policies.
Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". |
list(object({
id = string
type = string
permissions = list(string)
uri = string
}))
| `[]` | no |
 | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
diff --git a/main.tf b/main.tf
index d15faef5..8fb2ab42 100644
--- a/main.tf
+++ b/main.tf
@@ -51,7 +51,8 @@ resource "aws_s3_bucket_accelerate_configuration" "default" {
 resource "aws_s3_bucket_versioning" "default" {
 count = local.enabled ? 1 : 0
 
- bucket = local.bucket_id
+ bucket = local.bucket_id
+ expected_bucket_owner = var.expected_bucket_owner
 
 versioning_configuration {
 status = local.versioning_enabled ? "Enabled" : "Suspended"
@@ -66,7 +67,8 @@ moved {
 resource "aws_s3_bucket_logging" "default" {
 for_each = toset(local.enabled && length(var.logging) > 0 ? ["enabled"] : [])
 
- bucket = local.bucket_id
+ bucket = local.bucket_id
+ expected_bucket_owner = var.expected_bucket_owner
 
 target_bucket = var.logging[0]["bucket_name"]
 target_prefix = var.logging[0]["prefix"]
@@ -77,7 +79,8 @@ resource "aws_s3_bucket_logging" "default" {
 resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 count = local.enabled ? 1 : 0
 
- bucket = local.bucket_id
+ bucket = local.bucket_id
+ expected_bucket_owner = var.expected_bucket_owner
 
 rule {
 bucket_key_enabled = var.bucket_key_enabled
@@ -166,7 +169,8 @@ resource "aws_s3_bucket_cors_configuration" "default" {
 resource "aws_s3_bucket_acl" "default" {
 count = local.enabled && var.s3_object_ownership != "BucketOwnerEnforced" ? 1 : 0
 
- bucket = local.bucket_id
+ bucket = local.bucket_id
+ expected_bucket_owner = var.expected_bucket_owner
 
 # Conflicts with access_control_policy so this is enabled if no grants
 acl = try(length(local.acl_grants), 0) == 0 ? var.acl : null
diff --git a/variables.tf b/variables.tf
index 10eb6b03..316fe91d 100644
--- a/variables.tf
+++ b/variables.tf
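Review bot: The owner condition is wired into only four sub-resources (versioning, logging, server-side encryption and acl), while the hunk headers show `aws_s3_bucket_accelerate_configuration` and `aws_s3_bucket_cors_configuration` in the same file without it, so the configuration writes made through those resources are not checked against the intended owner at all. The guard only pays off if it is uniform: if the bucket name has since been re-created in another account, the four guarded writes are rejected but the unguarded ones still succeed. Current provider releases accept `expected_bucket_owner` on the accelerate, CORS, lifecycle, website and request-payment configuration resources as well (confirm against the provider version this module pins), so the same `expected_bucket_owner = var.expected_bucket_owner` line belongs next to `bucket` in each of them. Any sub-resource that cannot take the attribute is worth naming in the variable's description so callers know the check is not total. This applies to all four main.tf hunks; it is raised once here.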
@@ -457,3 +457,12 @@ variable "bucket_key_enabled" {
 EOT
 nullable = false
 }
+
+variable "expected_bucket_owner" {
+ type = string
+ default = null
+ description = <<-EOT
+ Account ID of the expected bucket owner.
+ More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html
+ EOT
+}
\ No newline at end of file
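Review bot: `expected_bucket_owner` is documented as an account ID but accepts any string, so a mistyped value surfaces only at apply time, when each guarded sub-resource write fails the owner condition with an access-denied error, instead of at plan time. A `validation` block that accepts `null` or a 12-digit ID fails fast; wrapping the `regex` in `can()` keeps the `null` default from erroring inside the condition. Leave the variable nullable, as the `default = null` relies on; the `nullable = false` visible in the preceding `bucket_key_enabled` context is not the pattern to copy here.
```hcl
variable "expected_bucket_owner" {
  type    = string
  default = null
  # … unchanged: description heredoc …

  validation {
    condition     = var.expected_bucket_owner == null || can(regex("^[0-9]{12}$", var.expected_bucket_owner))
    error_message = "expected_bucket_owner must be null or a 12-digit AWS account ID."
  }
}
```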