precommit/terraform

.github/workflows/release-branch.yml

@@ -10,6 +10,7 @@ on:
       - 'docs/**'
       - 'examples/**'
       - 'test/**'
+      - 'README.*'
 
 permissions:
   contents: write

.github/workflows/release-published.yml

@@ -11,4 +11,4 @@ permissions:
 
 jobs:
   terraform-module:
-    uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main
+    uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main

examples/complete/main.tf

@@ -21,7 +21,7 @@ module "s3_bucket" {
   bucket_name                   = var.bucket_name
   object_lock_configuration     = var.object_lock_configuration
   s3_replication_enabled        = local.s3_replication_enabled
-  s3_replica_bucket_arn         = join("", module.s3_bucket_replication_target.*.bucket_arn)
+  s3_replica_bucket_arn         = one(module.s3_bucket_replication_target[*].bucket_arn)
   s3_replication_rules          = local.s3_replication_rules
   privileged_principal_actions  = var.privileged_principal_actions
   privileged_principal_arns     = local.privileged_principal_arns

examples/complete/outputs.tf

@@ -24,12 +24,12 @@ output "bucket_arn" {
 }
 
 output "replication_bucket_id" {
-  value       = local.s3_replication_enabled ? join("", module.s3_bucket_replication_target.*.bucket_id) : null
+  value       = local.s3_replication_enabled ? one(module.s3_bucket_replication_target[*].bucket_id) : null
   description = "Replication bucket ID"
 }
 
 output "replication_bucket_arn" {
-  value       = local.s3_replication_enabled ? join("", module.s3_bucket_replication_target.*.bucket_arn) : null
+  value       = local.s3_replication_enabled ? one(module.s3_bucket_replication_target[*].bucket_arn) : null
   description = "Replication bucket bucket ARN"
 }
 

examples/complete/privileged-principals.tf

@@ -41,7 +41,7 @@ data "aws_iam_policy_document" "deployment_iam_policy" {
 resource "aws_iam_policy" "deployment_iam_policy" {
   count = var.privileged_principal_enabled ? 1 : 0
 
-  policy = join("", data.aws_iam_policy_document.deployment_iam_policy.*.json)
+  policy = one(data.aws_iam_policy_document.deployment_iam_policy[*].json)
 }
 
 module "deployment_principal_label" {
@@ -58,8 +58,8 @@ module "deployment_principal_label" {
 resource "aws_iam_role" "deployment_iam_role" {
   count = var.privileged_principal_enabled ? 1 : 0
 
-  name               = join("", module.deployment_principal_label.*.id)
-  assume_role_policy = join("", data.aws_iam_policy_document.deployment_assume_role.*.json)
+  name               = one(module.deployment_principal_label[*].id)
+  assume_role_policy = one(data.aws_iam_policy_document.deployment_assume_role[*].json)
 
   tags = module.deployment_principal_label.tags
 }
@@ -78,15 +78,15 @@ module "additional_deployment_principal_label" {
 resource "aws_iam_role" "additional_deployment_iam_role" {
   count = var.privileged_principal_enabled ? 1 : 0
 
-  name               = join("", module.additional_deployment_principal_label.*.id)
-  assume_role_policy = join("", data.aws_iam_policy_document.deployment_assume_role.*.json)
+  name               = one(module.additional_deployment_principal_label[*].id)
+  assume_role_policy = one(data.aws_iam_policy_document.deployment_assume_role[*].json)
 
   tags = module.additional_deployment_principal_label.tags
 }
 
 resource "aws_iam_role_policy_attachment" "additional_deployment_role_attachment" {
   count = var.privileged_principal_enabled ? 1 : 0
 
-  policy_arn = join("", aws_iam_policy.deployment_iam_policy.*.arn)
-  role       = join("", aws_iam_role.deployment_iam_role.*.name)
+  policy_arn = one(aws_iam_policy.deployment_iam_policy[*].arn)
+  role       = one(aws_iam_role.deployment_iam_role[*].name)
 }

lifecycle.tf

@@ -156,7 +156,7 @@ locals {
 
 resource "aws_s3_bucket_lifecycle_configuration" "default" {
   count  = local.enabled && length(local.lc_rules) > 0 ? 1 : 0
-  bucket = join("", aws_s3_bucket.default.*.id)
+  bucket = one(aws_s3_bucket.default[*].id)
 
   dynamic "rule" {
     for_each = local.lc_rules

main.tf

@@ -1,14 +1,14 @@
 locals {
   enabled   = module.this.enabled
-  partition = join("", data.aws_partition.current.*.partition)
+  partition = one(data.aws_partition.current[*].partition)
 
   object_lock_enabled           = local.enabled && var.object_lock_configuration != null
   replication_enabled           = local.enabled && var.s3_replication_enabled
   versioning_enabled            = local.enabled && var.versioning_enabled
   transfer_acceleration_enabled = local.enabled && var.transfer_acceleration_enabled
 
   bucket_name = var.bucket_name != null && var.bucket_name != "" ? var.bucket_name : module.this.id
-  bucket_arn  = "arn:${local.partition}:s3:::${join("", aws_s3_bucket.default.*.id)}"
+  bucket_arn  = "arn:${local.partition}:s3:::${one(aws_s3_bucket.default[*].id)}"
 
   public_access_block_enabled = var.block_public_acls || var.block_public_policy || var.ignore_public_acls || var.restrict_public_buckets
 
@@ -46,14 +46,14 @@ resource "aws_s3_bucket" "default" {
 
 resource "aws_s3_bucket_accelerate_configuration" "default" {
   count  = local.transfer_acceleration_enabled ? 1 : 0
-  bucket = join("", aws_s3_bucket.default.*.id)
+  bucket = one(aws_s3_bucket.default[*].id)
   status = "Enabled"
 }
 
 # Ensure the resource exists to track drift, even if the feature is disabled
 resource "aws_s3_bucket_versioning" "default" {
   count  = local.enabled ? 1 : 0
-  bucket = join("", aws_s3_bucket.default.*.id)
+  bucket = one(aws_s3_bucket.default[*].id)
 
   versioning_configuration {
     status = local.versioning_enabled ? "Enabled" : "Suspended"
@@ -62,7 +62,7 @@ resource "aws_s3_bucket_versioning" "default" {
 
 resource "aws_s3_bucket_logging" "default" {
   count  = local.enabled && var.logging != null ? 1 : 0
-  bucket = join("", aws_s3_bucket.default.*.id)
+  bucket = one(aws_s3_bucket.default[*].id)
 
   target_bucket = var.logging["bucket_name"]
   target_prefix = var.logging["prefix"]
@@ -72,7 +72,7 @@ resource "aws_s3_bucket_logging" "default" {
 # https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#enable-default-server-side-encryption
 resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
   count  = local.enabled ? 1 : 0
-  bucket = join("", aws_s3_bucket.default.*.id)
+  bucket = one(aws_s3_bucket.default[*].id)
 
   rule {
     bucket_key_enabled = var.bucket_key_enabled
@@ -86,7 +86,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 
 resource "aws_s3_bucket_website_configuration" "default" {
   count  = local.enabled && (try(length(var.website_configuration), 0) > 0) ? 1 : 0
-  bucket = join("", aws_s3_bucket.default.*.id)
+  bucket = one(aws_s3_bucket.default[*].id)
 
   dynamic "index_document" {
     for_each = try(length(var.website_configuration[0].index_document), 0) > 0 ? [true] : []
@@ -129,7 +129,7 @@ resource "aws_s3_bucket_website_configuration" "default" {
 // any trying to switch from one to the other will cause a conflict.
 resource "aws_s3_bucket_website_configuration" "redirect" {
   count  = local.enabled && (try(length(var.website_redirect_all_requests_to), 0) > 0) ? 1 : 0
-  bucket = join("", aws_s3_bucket.default.*.id)
+  bucket = one(aws_s3_bucket.default[*].id)
 
   redirect_all_requests_to {
     host_name = var.website_redirect_all_requests_to[0].host_name
@@ -141,7 +141,7 @@ resource "aws_s3_bucket_website_configuration" "redirect" {
 resource "aws_s3_bucket_cors_configuration" "default" {
   count = local.enabled && try(length(var.cors_configuration), 0) > 0 ? 1 : 0
 
-  bucket = join("", aws_s3_bucket.default.*.id)
+  bucket = one(aws_s3_bucket.default[*].id)
 
   dynamic "cors_rule" {
     for_each = var.cors_configuration
@@ -158,7 +158,7 @@ resource "aws_s3_bucket_cors_configuration" "default" {
 
 resource "aws_s3_bucket_acl" "default" {
   count  = local.enabled && var.s3_object_ownership != "BucketOwnerEnforced" ? 1 : 0
-  bucket = join("", aws_s3_bucket.default.*.id)
+  bucket = one(aws_s3_bucket.default[*].id)
 
   # Conflicts with access_control_policy so this is enabled if no grants
   acl = try(length(local.acl_grants), 0) == 0 ? var.acl : null
@@ -181,7 +181,7 @@ resource "aws_s3_bucket_acl" "default" {
       }
 
       owner {
-        id = join("", data.aws_canonical_user_id.default.*.id)
+        id = one(data.aws_canonical_user_id.default[*].id)
       }
     }
   }
@@ -191,7 +191,7 @@ resource "aws_s3_bucket_acl" "default" {
 resource "aws_s3_bucket_replication_configuration" "default" {
   count = local.replication_enabled ? 1 : 0
 
-  bucket = join("", aws_s3_bucket.default.*.id)
+  bucket = one(aws_s3_bucket.default[*].id)
   role   = aws_iam_role.replication[0].arn
 
   dynamic "rule" {
@@ -303,7 +303,7 @@ resource "aws_s3_bucket_replication_configuration" "default" {
 resource "aws_s3_bucket_object_lock_configuration" "default" {
   count = local.object_lock_enabled ? 1 : 0
 
-  bucket = join("", aws_s3_bucket.default.*.id)
+  bucket = one(aws_s3_bucket.default[*].id)
 
   object_lock_enabled = "Enabled"
 
@@ -322,7 +322,7 @@ module "s3_user" {
 
   enabled      = local.enabled && var.user_enabled
   s3_actions   = var.allowed_bucket_actions
-  s3_resources = ["${join("", aws_s3_bucket.default.*.arn)}/*", join("", aws_s3_bucket.default.*.arn)]
+  s3_resources = ["${one(aws_s3_bucket.default[*].arn)}/*", one(aws_s3_bucket.default[*].arn)]
 
   create_iam_access_key = var.access_key_enabled
   ssm_enabled           = var.store_access_key_in_ssm
@@ -442,8 +442,8 @@ data "aws_iam_policy_document" "bucket_policy" {
       sid     = "AllowPrivilegedPrincipal[${statement.key}]" # add indices to Sid
       actions = var.privileged_principal_actions
       resources = distinct(flatten([
-        "arn:${local.partition}:s3:::${join("", aws_s3_bucket.default.*.id)}",
-        formatlist("arn:${local.partition}:s3:::${join("", aws_s3_bucket.default.*.id)}/%s*", values(statement.value)[0]),
+        "arn:${local.partition}:s3:::${one(aws_s3_bucket.default[*].id)}",
+        formatlist("arn:${local.partition}:s3:::${one(aws_s3_bucket.default[*].id)}/%s*", values(statement.value)[0]),
       ]))
       principals {
         type        = "AWS"
@@ -456,14 +456,14 @@ data "aws_iam_policy_document" "bucket_policy" {
 data "aws_iam_policy_document" "aggregated_policy" {
   count = local.enabled ? 1 : 0
 
-  source_policy_documents   = data.aws_iam_policy_document.bucket_policy.*.json
+  source_policy_documents   = data.aws_iam_policy_document.bucket_policy[*].json
   override_policy_documents = local.source_policy_documents
 }
 
 resource "aws_s3_bucket_policy" "default" {
   count      = local.enabled && (var.allow_ssl_requests_only || var.allow_encrypted_uploads_only || length(var.s3_replication_source_roles) > 0 || length(var.privileged_principal_arns) > 0 || length(var.source_policy_documents) > 0) ? 1 : 0
-  bucket     = join("", aws_s3_bucket.default.*.id)
-  policy     = join("", data.aws_iam_policy_document.aggregated_policy.*.json)
+  bucket     = one(aws_s3_bucket.default[*].id)
+  policy     = one(data.aws_iam_policy_document.aggregated_policy[*].json)
   depends_on = [aws_s3_bucket_public_access_block.default]
 }
 
@@ -472,7 +472,7 @@ resource "aws_s3_bucket_policy" "default" {
 # for the nuances of the blocking options
 resource "aws_s3_bucket_public_access_block" "default" {
   count  = module.this.enabled && local.public_access_block_enabled ? 1 : 0
-  bucket = join("", aws_s3_bucket.default.*.id)
+  bucket = one(aws_s3_bucket.default[*].id)
 
   block_public_acls       = var.block_public_acls
   block_public_policy     = var.block_public_policy
@@ -483,7 +483,7 @@ resource "aws_s3_bucket_public_access_block" "default" {
 # Per https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
 resource "aws_s3_bucket_ownership_controls" "default" {
   count  = local.enabled ? 1 : 0
-  bucket = join("", aws_s3_bucket.default.*.id)
+  bucket = one(aws_s3_bucket.default[*].id)
 
   rule {
     object_ownership = var.s3_object_ownership

outputs.tf

@@ -1,35 +1,35 @@
 output "bucket_domain_name" {
-  value       = local.enabled ? join("", aws_s3_bucket.default.*.bucket_domain_name) : ""
+  value       = local.enabled ? one(aws_s3_bucket.default[*].bucket_domain_name) : ""
   description = "FQDN of bucket"
 }
 
 output "bucket_regional_domain_name" {
-  value       = local.enabled ? join("", aws_s3_bucket.default.*.bucket_regional_domain_name) : ""
+  value       = local.enabled ? one(aws_s3_bucket.default[*].bucket_regional_domain_name) : ""
   description = "The bucket region-specific domain name"
 }
 
 output "bucket_website_domain" {
-  value       = join("", aws_s3_bucket_website_configuration.default.*.website_domain, aws_s3_bucket_website_configuration.redirect.*.website_domain)
+  value       = one(aws_s3_bucket_website_configuration.default[*].website_domain, aws_s3_bucket_website_configuration.redirect[*].website_domain)
   description = "The bucket website domain, if website is enabled"
 }
 
 output "bucket_website_endpoint" {
-  value       = join("", aws_s3_bucket_website_configuration.default.*.website_endpoint, aws_s3_bucket_website_configuration.redirect.*.website_endpoint)
+  value       = one(aws_s3_bucket_website_configuration.default[*].website_endpoint, aws_s3_bucket_website_configuration.redirect[*].website_endpoint)
   description = "The bucket website endpoint, if website is enabled"
 }
 
 output "bucket_id" {
-  value       = local.enabled ? join("", aws_s3_bucket.default.*.id) : ""
+  value       = local.enabled ? one(aws_s3_bucket.default[*].id) : ""
   description = "Bucket Name (aka ID)"
 }
 
 output "bucket_arn" {
-  value       = local.enabled ? join("", aws_s3_bucket.default.*.arn) : ""
+  value       = local.enabled ? one(aws_s3_bucket.default[*].arn) : ""
   description = "Bucket ARN"
 }
 
 output "bucket_region" {
-  value       = local.enabled ? join("", aws_s3_bucket.default.*.region) : ""
+  value       = local.enabled ? one(aws_s3_bucket.default[*].region) : ""
   description = "Bucket region"
 }
 
@@ -59,7 +59,7 @@ output "user_unique_id" {
 }
 
 output "replication_role_arn" {
-  value       = local.enabled && local.replication_enabled ? join("", aws_iam_role.replication.*.arn) : ""
+  value       = local.enabled && local.replication_enabled ? one(aws_iam_role.replication[*].arn) : ""
   description = "The ARN of the replication IAM Role"
 }