From 7a0b04dea126eb800e711be609dcb9b36c9affbf Mon Sep 17 00:00:00 2001
From: Max Lobur
Date: Thu, 1 Jun 2023 17:57:20 +0300
Subject: [PATCH] precommit/terraform

---
 .github/workflows/release-branch.yml | 1 +
 .github/workflows/release-published.yml | 2 +-
 examples/complete/main.tf | 2 +-
 examples/complete/outputs.tf | 4 +--
 examples/complete/privileged-principals.tf | 14 ++++----
 lifecycle.tf | 2 +-
 main.tf | 42 +++++++++++-----------
 outputs.tf | 16 ++++-----
 8 files changed, 42 insertions(+), 41 deletions(-)

diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml
index 3f8fe623..b30901ea 100644
--- a/.github/workflows/release-branch.yml
+++ b/.github/workflows/release-branch.yml
@@ -10,6 +10,7 @@ on:
 - 'docs/**'
 - 'examples/**'
 - 'test/**'
+ - 'README.*'
 permissions:
 contents: write
diff --git a/.github/workflows/release-published.yml b/.github/workflows/release-published.yml
index f86352b3..b31232b6 100644
--- a/.github/workflows/release-published.yml
+++ b/.github/workflows/release-published.yml
@@ -11,4 +11,4 @@ permissions:
 jobs:
 terraform-module:
- uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main
+ uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 62c3391f..034de87d 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -21,7 +21,7 @@ module "s3_bucket" {
 bucket_name = var.bucket_name
 object_lock_configuration = var.object_lock_configuration
 s3_replication_enabled = local.s3_replication_enabled
- s3_replica_bucket_arn = join("", module.s3_bucket_replication_target.*.bucket_arn)
+ s3_replica_bucket_arn = one(module.s3_bucket_replication_target[*].bucket_arn)
 s3_replication_rules = local.s3_replication_rules
 privileged_principal_actions = var.privileged_principal_actions
 privileged_principal_arns = local.privileged_principal_arns
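Review bot: The new `uses:` line in release-published.yml still references the reusable workflow at a mutable branch ref (`@main`), so whatever that branch resolves to at run time executes with this repository's release permissions; release-branch.yml in the hunk above grants `contents: write`, and the permissions block of release-published.yml starts outside the hunk. Pinning the reusable workflow to a tag or a full commit SHA, e.g. `uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@<commit-sha>` (placeholder), makes the code that runs on release reviewable and reproducible. Whether a tag or a SHA is the right pin depends on how tightly that upstream repository is controlled, which is not visible here.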
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
index 266a2f26..cc71263b 100644
--- a/examples/complete/outputs.tf
+++ b/examples/complete/outputs.tf
@@ -24,12 +24,12 @@ output "bucket_arn" {
 }
 output "replication_bucket_id" {
- value = local.s3_replication_enabled ? join("", module.s3_bucket_replication_target.*.bucket_id) : null
+ value = local.s3_replication_enabled ? one(module.s3_bucket_replication_target[*].bucket_id) : null
 description = "Replication bucket ID"
 }
 output "replication_bucket_arn" {
- value = local.s3_replication_enabled ? join("", module.s3_bucket_replication_target.*.bucket_arn) : null
+ value = local.s3_replication_enabled ? one(module.s3_bucket_replication_target[*].bucket_arn) : null
 description = "Replication bucket bucket ARN"
 }
diff --git a/examples/complete/privileged-principals.tf b/examples/complete/privileged-principals.tf
index 663f8b75..99c5d69e 100644
--- a/examples/complete/privileged-principals.tf
+++ b/examples/complete/privileged-principals.tf
@@ -41,7 +41,7 @@ data "aws_iam_policy_document" "deployment_iam_policy" {
 resource "aws_iam_policy" "deployment_iam_policy" {
 count = var.privileged_principal_enabled ? 1 : 0
- policy = join("", data.aws_iam_policy_document.deployment_iam_policy.*.json)
+ policy = one(data.aws_iam_policy_document.deployment_iam_policy[*].json)
 }
 module "deployment_principal_label" {
@@ -58,8 +58,8 @@ module "deployment_principal_label" {
 resource "aws_iam_role" "deployment_iam_role" {
 count = var.privileged_principal_enabled ? 1 : 0
- name = join("", module.deployment_principal_label.*.id)
- assume_role_policy = join("", data.aws_iam_policy_document.deployment_assume_role.*.json)
+ name = one(module.deployment_principal_label[*].id)
+ assume_role_policy = one(data.aws_iam_policy_document.deployment_assume_role[*].json)
 tags = module.deployment_principal_label.tags
 }
@@ -78,8 +78,8 @@ module "additional_deployment_principal_label" {
 resource "aws_iam_role" "additional_deployment_iam_role" {
 count = var.privileged_principal_enabled ? 1 : 0
- name = join("", module.additional_deployment_principal_label.*.id)
- assume_role_policy = join("", data.aws_iam_policy_document.deployment_assume_role.*.json)
+ name = one(module.additional_deployment_principal_label[*].id)
+ assume_role_policy = one(data.aws_iam_policy_document.deployment_assume_role[*].json)
 tags = module.additional_deployment_principal_label.tags
 }
@@ -87,6 +87,6 @@ resource "aws_iam_role" "additional_deployment_iam_role" {
 resource "aws_iam_role_policy_attachment" "additional_deployment_role_attachment" {
 count = var.privileged_principal_enabled ? 1 : 0
- policy_arn = join("", aws_iam_policy.deployment_iam_policy.*.arn)
- role = join("", aws_iam_role.deployment_iam_role.*.name)
+ policy_arn = one(aws_iam_policy.deployment_iam_policy[*].arn)
+ role = one(aws_iam_role.deployment_iam_role[*].name)
 }
diff --git a/lifecycle.tf b/lifecycle.tf
index a71de14d..05f16282 100644
--- a/lifecycle.tf
+++ b/lifecycle.tf
@@ -156,7 +156,7 @@ locals {
 resource "aws_s3_bucket_lifecycle_configuration" "default" {
 count = local.enabled && length(local.lc_rules) > 0 ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
+ bucket = one(aws_s3_bucket.default[*].id)
 dynamic "rule" {
 for_each = local.lc_rules
diff --git a/main.tf b/main.tf
index f6634930..c08bc99a 100644
--- a/main.tf
+++ b/main.tf
@@ -1,6 +1,6 @@
 locals {
 enabled = module.this.enabled
- partition = join("", data.aws_partition.current.*.partition)
+ partition = one(data.aws_partition.current[*].partition)
 object_lock_enabled = local.enabled && var.object_lock_configuration != null
 replication_enabled = local.enabled && var.s3_replication_enabled
@@ -8,7 +8,7 @@ locals {
 transfer_acceleration_enabled = local.enabled && var.transfer_acceleration_enabled
 bucket_name = var.bucket_name != null && var.bucket_name != "" ? var.bucket_name : module.this.id
- bucket_arn = "arn:${local.partition}:s3:::${join("", aws_s3_bucket.default.*.id)}"
+ bucket_arn = "arn:${local.partition}:s3:::${one(aws_s3_bucket.default[*].id)}"
 public_access_block_enabled = var.block_public_acls || var.block_public_policy || var.ignore_public_acls || var.restrict_public_buckets
@@ -46,14 +46,14 @@ resource "aws_s3_bucket" "default" {
 resource "aws_s3_bucket_accelerate_configuration" "default" {
 count = local.transfer_acceleration_enabled ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
+ bucket = one(aws_s3_bucket.default[*].id)
 status = "Enabled"
 }
 # Ensure the resource exists to track drift, even if the feature is disabled
 resource "aws_s3_bucket_versioning" "default" {
 count = local.enabled ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
+ bucket = one(aws_s3_bucket.default[*].id)
 versioning_configuration {
 status = local.versioning_enabled ? "Enabled" : "Suspended"
@@ -62,7 +62,7 @@ resource "aws_s3_bucket_versioning" "default" {
 resource "aws_s3_bucket_logging" "default" {
 count = local.enabled && var.logging != null ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
+ bucket = one(aws_s3_bucket.default[*].id)
 target_bucket = var.logging["bucket_name"]
 target_prefix = var.logging["prefix"]
@@ -72,7 +72,7 @@ resource "aws_s3_bucket_logging" "default" {
 # https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#enable-default-server-side-encryption
 resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 count = local.enabled ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
+ bucket = one(aws_s3_bucket.default[*].id)
 rule {
 bucket_key_enabled = var.bucket_key_enabled
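Review bot: `bucket_arn` in the first hunk now places `one(aws_s3_bucket.default[*].id)` inside a string template; `one()` returns null for an empty list and Terraform refuses a null inside `${}` ("Cannot include a null value in a string template"), whereas `join("", [])` produced an empty string. When the module is instantiated with `enabled = false` the bucket has count 0, so this local no longer evaluates, and the same appears to apply to `local.partition` from the earlier main.tf hunk if `data.aws_partition.current` is count-guarded (its declaration is outside the hunk); since locals are evaluated during plan whether or not they are referenced, this looks like a regression for the disabled-module case. Guarding the template, `bucket_arn = local.enabled ? "arn:${local.partition}:s3:::${one(aws_s3_bucket.default[*].id)}" : ""`, or keeping `join` for expressions that are interpolated into strings, preserves the previous behaviour. The `bucket = one(...)` arguments in the resource hunks below are fine, because each resource's `count` is already gated on the bucket existing.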
@@ -86,7 +86,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 resource "aws_s3_bucket_website_configuration" "default" {
 count = local.enabled && (try(length(var.website_configuration), 0) > 0) ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
+ bucket = one(aws_s3_bucket.default[*].id)
 dynamic "index_document" {
 for_each = try(length(var.website_configuration[0].index_document), 0) > 0 ? [true] : []
@@ -129,7 +129,7 @@ resource "aws_s3_bucket_website_configuration" "default" {
 // any trying to switch from one to the other will cause a conflict.
 resource "aws_s3_bucket_website_configuration" "redirect" {
 count = local.enabled && (try(length(var.website_redirect_all_requests_to), 0) > 0) ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
+ bucket = one(aws_s3_bucket.default[*].id)
 redirect_all_requests_to {
 host_name = var.website_redirect_all_requests_to[0].host_name
@@ -141,7 +141,7 @@ resource "aws_s3_bucket_website_configuration" "redirect" {
 resource "aws_s3_bucket_cors_configuration" "default" {
 count = local.enabled && try(length(var.cors_configuration), 0) > 0 ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
+ bucket = one(aws_s3_bucket.default[*].id)
 dynamic "cors_rule" {
 for_each = var.cors_configuration
@@ -158,7 +158,7 @@ resource "aws_s3_bucket_cors_configuration" "default" {
 resource "aws_s3_bucket_acl" "default" {
 count = local.enabled && var.s3_object_ownership != "BucketOwnerEnforced" ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
+ bucket = one(aws_s3_bucket.default[*].id)
 # Conflicts with access_control_policy so this is enabled if no grants
 acl = try(length(local.acl_grants), 0) == 0 ? var.acl : null
@@ -181,7 +181,7 @@ resource "aws_s3_bucket_acl" "default" {
 }
 owner {
- id = join("", data.aws_canonical_user_id.default.*.id)
+ id = one(data.aws_canonical_user_id.default[*].id)
 }
 }
 }
@@ -191,7 +191,7 @@ resource "aws_s3_bucket_acl" "default" {
 resource "aws_s3_bucket_replication_configuration" "default" {
 count = local.replication_enabled ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
+ bucket = one(aws_s3_bucket.default[*].id)
 role = aws_iam_role.replication[0].arn
 dynamic "rule" {
@@ -303,7 +303,7 @@ resource "aws_s3_bucket_replication_configuration" "default" {
 resource "aws_s3_bucket_object_lock_configuration" "default" {
 count = local.object_lock_enabled ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
+ bucket = one(aws_s3_bucket.default[*].id)
 object_lock_enabled = "Enabled"
@@ -322,7 +322,7 @@ module "s3_user" {
 enabled = local.enabled && var.user_enabled
 s3_actions = var.allowed_bucket_actions
- s3_resources = ["${join("", aws_s3_bucket.default.*.arn)}/*", join("", aws_s3_bucket.default.*.arn)]
+ s3_resources = ["${one(aws_s3_bucket.default[*].arn)}/*", one(aws_s3_bucket.default[*].arn)]
 create_iam_access_key = var.access_key_enabled
 ssm_enabled = var.store_access_key_in_ssm
@@ -442,8 +442,8 @@ data "aws_iam_policy_document" "bucket_policy" {
 sid = "AllowPrivilegedPrincipal[${statement.key}]" # add indices to Sid
 actions = var.privileged_principal_actions
 resources = distinct(flatten([
- "arn:${local.partition}:s3:::${join("", aws_s3_bucket.default.*.id)}",
- formatlist("arn:${local.partition}:s3:::${join("", aws_s3_bucket.default.*.id)}/%s*", values(statement.value)[0]),
+ "arn:${local.partition}:s3:::${one(aws_s3_bucket.default[*].id)}",
+ formatlist("arn:${local.partition}:s3:::${one(aws_s3_bucket.default[*].id)}/%s*", values(statement.value)[0]),
 ]))
 principals {
 type = "AWS"
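Review bot: The `s3_resources` argument of `module "s3_user"` now interpolates `one(aws_s3_bucket.default[*].arn)` inside `"${...}/*"`; module call arguments are evaluated regardless of the module's own `enabled` input, so when the bucket is disabled (count 0) `one()` yields null and the template interpolation fails, where `join("", ...)` previously produced an empty string. Keeping the join form on this one line, `s3_resources = ["${join("", aws_s3_bucket.default[*].arn)}/*", join("", aws_s3_bucket.default[*].arn)]`, or guarding it with `local.enabled ? [...] : []` if the s3_user module accepts an empty list when disabled, avoids the regression. The same template pattern appears in the `bucket_policy` statement in the last hunk; that one is only safe while the data source's `count` (outside the hunk) keeps it from being evaluated without a bucket.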
@@ -456,14 +456,14 @@ data "aws_iam_policy_document" "bucket_policy" {
 data "aws_iam_policy_document" "aggregated_policy" {
 count = local.enabled ? 1 : 0
- source_policy_documents = data.aws_iam_policy_document.bucket_policy.*.json
+ source_policy_documents = data.aws_iam_policy_document.bucket_policy[*].json
 override_policy_documents = local.source_policy_documents
 }
 resource "aws_s3_bucket_policy" "default" {
 count = local.enabled && (var.allow_ssl_requests_only || var.allow_encrypted_uploads_only || length(var.s3_replication_source_roles) > 0 || length(var.privileged_principal_arns) > 0 || length(var.source_policy_documents) > 0) ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
- policy = join("", data.aws_iam_policy_document.aggregated_policy.*.json)
+ bucket = one(aws_s3_bucket.default[*].id)
+ policy = one(data.aws_iam_policy_document.aggregated_policy[*].json)
 depends_on = [aws_s3_bucket_public_access_block.default]
 }
@@ -472,7 +472,7 @@ resource "aws_s3_bucket_policy" "default" {
 # for the nuances of the blocking options
 resource "aws_s3_bucket_public_access_block" "default" {
 count = module.this.enabled && local.public_access_block_enabled ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
+ bucket = one(aws_s3_bucket.default[*].id)
 block_public_acls = var.block_public_acls
 block_public_policy = var.block_public_policy
@@ -483,7 +483,7 @@ resource "aws_s3_bucket_public_access_block" "default" {
 # Per https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
 resource "aws_s3_bucket_ownership_controls" "default" {
 count = local.enabled ? 1 : 0
- bucket = join("", aws_s3_bucket.default.*.id)
+ bucket = one(aws_s3_bucket.default[*].id)
 rule {
 object_ownership = var.s3_object_ownership
diff --git a/outputs.tf b/outputs.tf
index d8bfdd59..7d1a5f7b 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,35 +1,35 @@
 output "bucket_domain_name" {
- value = local.enabled ? join("", aws_s3_bucket.default.*.bucket_domain_name) : ""
+ value = local.enabled ? one(aws_s3_bucket.default[*].bucket_domain_name) : ""
 description = "FQDN of bucket"
 }
 output "bucket_regional_domain_name" {
- value = local.enabled ? join("", aws_s3_bucket.default.*.bucket_regional_domain_name) : ""
+ value = local.enabled ? one(aws_s3_bucket.default[*].bucket_regional_domain_name) : ""
 description = "The bucket region-specific domain name"
 }
 output "bucket_website_domain" {
- value = join("", aws_s3_bucket_website_configuration.default.*.website_domain, aws_s3_bucket_website_configuration.redirect.*.website_domain)
+ value = one(aws_s3_bucket_website_configuration.default[*].website_domain, aws_s3_bucket_website_configuration.redirect[*].website_domain)
 description = "The bucket website domain, if website is enabled"
 }
 output "bucket_website_endpoint" {
- value = join("", aws_s3_bucket_website_configuration.default.*.website_endpoint, aws_s3_bucket_website_configuration.redirect.*.website_endpoint)
+ value = one(aws_s3_bucket_website_configuration.default[*].website_endpoint, aws_s3_bucket_website_configuration.redirect[*].website_endpoint)
 description = "The bucket website endpoint, if website is enabled"
 }
 output "bucket_id" {
- value = local.enabled ? join("", aws_s3_bucket.default.*.id) : ""
+ value = local.enabled ? one(aws_s3_bucket.default[*].id) : ""
 description = "Bucket Name (aka ID)"
 }
 output "bucket_arn" {
- value = local.enabled ? join("", aws_s3_bucket.default.*.arn) : ""
+ value = local.enabled ? one(aws_s3_bucket.default[*].arn) : ""
 description = "Bucket ARN"
 }
 output "bucket_region" {
- value = local.enabled ? join("", aws_s3_bucket.default.*.region) : ""
+ value = local.enabled ? one(aws_s3_bucket.default[*].region) : ""
 description = "Bucket region"
 }
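Review bot: `one()` takes exactly one argument, so the new `bucket_website_domain` and `bucket_website_endpoint` values, which pass two splat lists (`one(aws_s3_bucket_website_configuration.default[*].website_domain, aws_s3_bucket_website_configuration.redirect[*].website_domain)`), will fail validation with a too-many-arguments error; `join` accepted several lists, which is why the old form worked. Concatenating first restores the intent: `value = one(concat(aws_s3_bucket_website_configuration.default[*].website_domain, aws_s3_bucket_website_configuration.redirect[*].website_domain))`, and likewise for `website_endpoint`. Note the result becomes null rather than "" when neither website resource exists, which consumers comparing against an empty string would notice, and `one()` errors if both resources were ever present; the comment in main.tf about the two configurations conflicting suggests that cannot happen, but it is worth confirming.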
@@ -59,7 +59,7 @@ output "user_unique_id" {
 }
 output "replication_role_arn" {
- value = local.enabled && local.replication_enabled ? join("", aws_iam_role.replication.*.arn) : ""
+ value = local.enabled && local.replication_enabled ? one(aws_iam_role.replication[*].arn) : ""
 description = "The ARN of the replication IAM Role"
 }