Dynamic block for versioning added

[nnsense]

what

Enabling versioning on a bucket is a permanent action that cannot be disabled. For this reason, when versioning attribute is added to the s3 resource, the bucket is prepared to be versioned and put in suspended mode. The only way to avoid this and keep the versioning disabled is to not add the versioning attribute at all.

We were discussing this in this bug and @aknysh posted a snipped which is removing the attribute, making it possible to set versioning off instead of enabled but suspended.

I'm just adding that snippet, there's another PR which is apparently changing more than just the versioning and it seems abandoned (opened in February 2021, had no updates from August).

Note: there's a comment into this module's main:

#bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov

But I see that some basic handling for dynamic blocks has been added in checkov
bridgecrewio/checkov#836

So if you're using checkov it would be interesting to remove the comment and see if it works now

why

• In a very quick deployment, where versioning is less important than speed, having a delay before an object can be written could be an issue (See the note here)
• If the buckets are created by terraform and deleted by a script, the versioned bucket's deletion is much more complex than a non-versioned one.
• User's preference

[bridgecrew]

Bridgecrew has found infrastructure configuration errors in this PR ⬇️

[bridgecrew]

⚠️   Due to 86c9124 - Auto Format - 1 new error was added

Change details

Error ID	Change	Path	Resource
BC_AWS_NETWORKING_52	Added	/main.tf	aws_s3_bucket.default

[aknysh]

/test all

[aknysh]

thanks @nnsense

[nnsense]

hashicorp/terraform-provider-aws#4494