From 2aea3cf51cedb8e0cca9797c82c14cb4ef34ce5b Mon Sep 17 00:00:00 2001 From: Maxim Mironenko Date: Wed, 7 Apr 2021 14:31:55 +0300 Subject: [PATCH 01/13] Optional Object lock configutarion added --- .../complete/object-lock.us-west-1.tfvars | 26 +++++++++++ examples/complete/variables.tf | 15 +++++++ main.tf | 2 + test/src/examples_complete_test.go | 43 +++++++++++++++++++ variables.tf | 15 +++++++ 5 files changed, 101 insertions(+) create mode 100644 examples/complete/object-lock.us-west-1.tfvars diff --git a/examples/complete/object-lock.us-west-1.tfvars b/examples/complete/object-lock.us-west-1.tfvars new file mode 100644 index 00000000..044f646e --- /dev/null +++ b/examples/complete/object-lock.us-west-1.tfvars @@ -0,0 +1,26 @@ +region = "us-west-1" + +namespace = "eg" + +stage = "test" + +name = "s3-object-lock-test" + +acl = "" + +force_destroy = false + +versioning_enabled = true + +allowed_bucket_actions = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation", "s3:AbortMultipartUpload"] + +object_lock_configuration = { + object_lock_enabled = "Enabled" + + rule = { + default_retention = { + mode = "GOVERNANCE" + days = 366 + } + } +} \ No newline at end of file diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 7f4de972..b09feadc 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf 
@@ -178,3 +178,18 @@ variable "bucket_name" { default = null description = "Bucket name. If provided, the bucket will be created with this name instead of generating the name from the context" } + +variable "object_lock_configuration" { + type = object({ + object_lock_enabled = string # Valid value is 'Enabled' + rule = object({ + default_retention = object({ + mode = string # Valid values are GOVERNANCE and COMPLIANCE. + days = number + years = number + }) + }) + }) + default = null + description = "A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely." +} \ No newline at end of file diff --git a/main.tf b/main.tf index 4a2f99fb..5787939a 100644 --- a/main.tf +++ b/main.tf @@ -177,6 +177,8 @@ resource "aws_s3_bucket" "default" { } } } + + object_lock_configuration = var.object_lock_configuration } module "s3_user" { diff --git a/test/src/examples_complete_test.go b/test/src/examples_complete_test.go index f280c545..da3c9ede 100644 --- a/test/src/examples_complete_test.go +++ b/test/src/examples_complete_test.go 
@@ -96,3 +96,46 @@ func TestExamplesCompleteWithGrants(t *testing.T) { // Verify we're getting back the outputs we expect assert.Equal(t, expectedS3BucketId, s3BucketId) } + +// Test the Terraform module in examples/complete using Terratest for grants. +func TestExamplesCompleteWithObjectLock(t *testing.T) { + rand.Seed(time.Now().UnixNano()) + + attributes := []string{strconv.Itoa(rand.Intn(100000))} + rootFolder := "../../" + terraformFolderRelativeToRoot := "examples/complete" + varFiles := []string{"object-lock.us-west-1.tfvars"} + + tempTestFolder := test_structure.CopyTerraformFolderToTemp(t, rootFolder, terraformFolderRelativeToRoot) + + terraformOptions := &terraform.Options{ + // The path to where our Terraform code is located + TerraformDir: tempTestFolder, + Upgrade: true, + // Variables to pass to our Terraform code using -var-file options + VarFiles: varFiles, + Vars: map[string]interface{}{ + "attributes": attributes, + }, + } + + // At the end of the test, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // This will run `terraform init` and `terraform apply` and fail the test if there are any errors + terraform.InitAndApply(t, terraformOptions) + + // Run `terraform output` to get the value of an output variable + userName := terraform.Output(t, terraformOptions, "user_name") + + expectedUserName := "eg-test-s3-object-lock-test-" + attributes[0] + // Verify we're getting back the outputs we expect + assert.Equal(t, expectedUserName, userName) + + // Run `terraform output` to get the value of an output variable + s3BucketId := terraform.Output(t, terraformOptions, "bucket_id") + + expectedS3BucketId := "eg-test-s3-object-lock-test-" + attributes[0] + // Verify we're getting back the outputs we expect + assert.Equal(t, expectedS3BucketId, s3BucketId) +} diff --git a/variables.tf b/variables.tf index f3589b0b..8f36eb97 100644 --- a/variables.tf +++ b/variables.tf 
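Review bot: The doc comment on the new test is copied from the grants test (`// Test the Terraform module in examples/complete using Terratest for grants.`) and should name what this test exercises, e.g. `// Test the Terraform module in examples/complete using Terratest with Object Lock enabled.` More importantly, the body only asserts `user_name` and `bucket_id`, which would still pass if the object lock block were silently dropped from the bucket; an example output exposing the applied object lock settings (or an SDK `GetObjectLockConfiguration` call against `bucket_id`) asserted to `GOVERNANCE` and 366 days would actually pin the feature this test is named for. The tfvars it loads sets `force_destroy = false` together with a 366-day GOVERNANCE default retention, so if this test is ever extended to write objects, the deferred `terraform.Destroy` would presumably be unable to empty the bucket — a one-line comment above the `defer` stating that assumption would save the next maintainer a locked test bucket.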
@@ -252,3 +252,18 @@ variable "bucket_name" { default = null description = "Bucket name. If provided, the bucket will be created with this name instead of generating the name from the context" } + +variable "object_lock_configuration" { + type = object({ + object_lock_enabled = string # Valid value is 'Enabled' + rule = object({ + default_retention = object({ + mode = string # Valid values are GOVERNANCE and COMPLIANCE. + days = number + years = number + }) + }) + }) + default = null + description = "A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely." +} \ No newline at end of file From 87ec1894638f15b6f6fdb847c0c5ee149f8b98b7 Mon Sep 17 00:00:00 2001 From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Date: Wed, 7 Apr 2021 11:34:38 +0000 Subject: [PATCH 02/13] Auto Format --- README.md | 1 + docs/terraform.md | 1 + examples/complete/variables.tf | 6 +++--- variables.tf | 6 +++--- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index dafd08c1..e4e6b0e4 100644 --- a/README.md +++ b/README.md 
@@ -250,6 +250,7 @@ Available targets: | [noncurrent\_version\_deeparchive\_transition\_days](#input\_noncurrent\_version\_deeparchive\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier deeparchive access tier | `number` | `60` | no | | [noncurrent\_version\_expiration\_days](#input\_noncurrent\_version\_expiration\_days) | Specifies when noncurrent object versions expire | `number` | `90` | no | | [noncurrent\_version\_glacier\_transition\_days](#input\_noncurrent\_version\_glacier\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier infrequent access tier | `number` | `30` | no | +| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. |
object({
object_lock_enabled = string # Valid value is 'Enabled'
rule = object({
default_retention = object({
mode = string # Valid values are GOVERNANCE and COMPLIANCE.
days = number
years = number
})
})
})
| `null` | no | | [policy](#input\_policy) | A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy | `string` | `""` | no | | [prefix](#input\_prefix) | Prefix identifying one or more objects to which the rule applies | `string` | `""` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 9c1ad688..57f35d7e 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -77,6 +77,7 @@ | [noncurrent\_version\_deeparchive\_transition\_days](#input\_noncurrent\_version\_deeparchive\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier deeparchive access tier | `number` | `60` | no | | [noncurrent\_version\_expiration\_days](#input\_noncurrent\_version\_expiration\_days) | Specifies when noncurrent object versions expire | `number` | `90` | no | | [noncurrent\_version\_glacier\_transition\_days](#input\_noncurrent\_version\_glacier\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier infrequent access tier | `number` | `30` | no | +| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. |
object({
object_lock_enabled = string # Valid value is 'Enabled'
rule = object({
default_retention = object({
mode = string # Valid values are GOVERNANCE and COMPLIANCE.
days = number
years = number
})
})
})
| `null` | no | | [policy](#input\_policy) | A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy | `string` | `""` | no | | [prefix](#input\_prefix) | Prefix identifying one or more objects to which the rule applies | `string` | `""` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index b09feadc..059cfb21 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf @@ -184,12 +184,12 @@ variable "object_lock_configuration" { object_lock_enabled = string # Valid value is 'Enabled' rule = object({ default_retention = object({ - mode = string # Valid values are GOVERNANCE and COMPLIANCE. - days = number + mode = string # Valid values are GOVERNANCE and COMPLIANCE. + days = number years = number }) }) }) - default = null + default = null description = "A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely." } \ No newline at end of file diff --git a/variables.tf b/variables.tf index 8f36eb97..d99cceed 100644 --- a/variables.tf +++ b/variables.tf @@ -258,12 +258,12 @@ variable "object_lock_configuration" { object_lock_enabled = string # Valid value is 'Enabled' rule = object({ default_retention = object({ - mode = string # Valid values are GOVERNANCE and COMPLIANCE. - days = number + mode = string # Valid values are GOVERNANCE and COMPLIANCE. + days = number years = number }) }) }) - default = null + default = null description = "A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely." } \ No newline at end of file From e470c6de787479301fc1d204abda3e79c2647ade Mon Sep 17 00:00:00 2001 
From: Maxim Mironenko Date: Wed, 7 Apr 2021 15:08:30 +0300 Subject: [PATCH 03/13] low bound of provider version upgraded --- versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.tf b/versions.tf index 5b2c49b9..9d8788f2 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 2.0" + version = ">= 2.33" } } } From 82357592f2c9094e10b68a61db9a185d7e5cb581 Mon Sep 17 00:00:00 2001 From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Date: Wed, 7 Apr 2021 12:09:41 +0000 Subject: [PATCH 04/13] Auto Format --- README.md | 4 ++-- docs/terraform.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index e4e6b0e4..0fffdcd7 100644 --- a/README.md +++ b/README.md @@ -177,13 +177,13 @@ Available targets: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.0 | -| [aws](#requirement\_aws) | >= 2.0 | +| [aws](#requirement\_aws) | >= 2.33 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 2.0 | +| [aws](#provider\_aws) | >= 2.33 | ## Modules diff --git a/docs/terraform.md b/docs/terraform.md index 57f35d7e..a96075db 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -4,13 +4,13 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.0 | -| [aws](#requirement\_aws) | >= 2.0 | +| [aws](#requirement\_aws) | >= 2.33 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 2.0 | +| [aws](#provider\_aws) | >= 2.33 | ## Modules From f152645b95c0a1a36da202a845d1a6e30dc827c2 Mon Sep 17 00:00:00 2001 
From: Maxim Mironenko Date: Wed, 7 Apr 2021 16:31:57 +0300 Subject: [PATCH 05/13] variables fixed --- examples/complete/main.tf | 1 + examples/complete/object-lock.us-west-1.tfvars | 10 ++-------- examples/complete/variables.tf | 11 +++-------- main.tf | 14 +++++++++++++- variables.tf | 11 +++-------- 5 files changed, 22 insertions(+), 25 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index a949d680..59e99856 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -13,6 +13,7 @@ module "s3_bucket" { allow_encrypted_uploads_only = var.allow_encrypted_uploads_only allowed_bucket_actions = var.allowed_bucket_actions bucket_name = var.bucket_name + object_lock_configuration = var.object_lock_configuration context = module.this.context } diff --git a/examples/complete/object-lock.us-west-1.tfvars b/examples/complete/object-lock.us-west-1.tfvars index 044f646e..a6d5a907 100644 --- a/examples/complete/object-lock.us-west-1.tfvars +++ b/examples/complete/object-lock.us-west-1.tfvars @@ -15,12 +15,6 @@ versioning_enabled = true allowed_bucket_actions = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation", "s3:AbortMultipartUpload"] object_lock_configuration = { - object_lock_enabled = "Enabled" - - rule = { - default_retention = { - mode = "GOVERNANCE" - days = 366 - } - } + mode = "GOVERNANCE" + days = 366 } \ No newline at end of file diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 059cfb21..d9702320 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf 
@@ -181,14 +181,9 @@ variable "bucket_name" { variable "object_lock_configuration" { type = object({ - object_lock_enabled = string # Valid value is 'Enabled' - rule = object({ - default_retention = object({ - mode = string # Valid values are GOVERNANCE and COMPLIANCE. - days = number - years = number - }) - }) + mode = string # Valid values are GOVERNANCE and COMPLIANCE. + days = number + years = number }) default = null description = "A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely." diff --git a/main.tf b/main.tf index 5787939a..130a4a74 100644 --- a/main.tf +++ b/main.tf @@ -178,7 +178,19 @@ resource "aws_s3_bucket" "default" { } } - object_lock_configuration = var.object_lock_configuration + dynamic "object_lock_configuration" { + for_each = var.object_lock_configuration != null ? [1] : [] + content { + object_lock_enabled = "Enabled" + rule { + default_retention { + mode = var.object_lock_configuration.mode + days = var.object_lock_configuration.days + years = var.object_lock_configuration.years + } + } + } + } } module "s3_user" { diff --git a/variables.tf b/variables.tf index d99cceed..2374ad2c 100644 --- a/variables.tf +++ b/variables.tf 
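Review bot: The `default_retention` block in main.tf forwards both `var.object_lock_configuration.days` and `.years`, but S3 accepts exactly one of them, so a caller who sets both (or neither) only learns this at apply time from the API. Because the object type in `variables.tf` and `examples/complete/variables.tf` (same commit) makes both attributes required, the intended contract is that one of them is `null`; that, and the `mode` restriction currently carried only by the `# Valid values are GOVERNANCE and COMPLIANCE.` comment, should be enforced at plan time with a `validation` block on the variable (Terraform >= 0.13 per versions.tf) that tolerates the `null` default. The hardcoded `object_lock_enabled = "Enabled"` is fine since the dynamic block is only emitted when the variable is non-null, but it deserves a comment such as `# Object Lock can only be enabled at bucket creation; adding it to an existing bucket forces replacement.` — assuming the provider marks it ForceNew, which I believe it does for the 2.x/3.x series. The enclosing `resource "aws_s3_bucket" "default"` starts outside the hunk.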
@@ -255,14 +255,9 @@ variable "bucket_name" { variable "object_lock_configuration" { type = object({ - object_lock_enabled = string # Valid value is 'Enabled' - rule = object({ - default_retention = object({ - mode = string # Valid values are GOVERNANCE and COMPLIANCE. - days = number - years = number - }) - }) + mode = string # Valid values are GOVERNANCE and COMPLIANCE. + days = number + years = number }) default = null description = "A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely." From 04c8708fddb85b6e7a93a56c32697385432eb7c3 Mon Sep 17 00:00:00 2001 From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Date: Wed, 7 Apr 2021 13:33:02 +0000 Subject: [PATCH 06/13] Auto Format --- README.md | 2 +- docs/terraform.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0fffdcd7..3274d1ad 100644 --- a/README.md +++ b/README.md 
@@ -250,7 +250,7 @@ Available targets: | [noncurrent\_version\_deeparchive\_transition\_days](#input\_noncurrent\_version\_deeparchive\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier deeparchive access tier | `number` | `60` | no | | [noncurrent\_version\_expiration\_days](#input\_noncurrent\_version\_expiration\_days) | Specifies when noncurrent object versions expire | `number` | `90` | no | | [noncurrent\_version\_glacier\_transition\_days](#input\_noncurrent\_version\_glacier\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier infrequent access tier | `number` | `30` | no | -| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. |
object({
object_lock_enabled = string # Valid value is 'Enabled'
rule = object({
default_retention = object({
mode = string # Valid values are GOVERNANCE and COMPLIANCE.
days = number
years = number
})
})
})
| `null` | no | +| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. |
object({
mode = string # Valid values are GOVERNANCE and COMPLIANCE.
days = number
years = number
})
| `null` | no | | [policy](#input\_policy) | A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy | `string` | `""` | no | | [prefix](#input\_prefix) | Prefix identifying one or more objects to which the rule applies | `string` | `""` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | diff --git a/docs/terraform.md b/docs/terraform.md index a96075db..4e89d720 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -77,7 +77,7 @@ | [noncurrent\_version\_deeparchive\_transition\_days](#input\_noncurrent\_version\_deeparchive\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier deeparchive access tier | `number` | `60` | no | | [noncurrent\_version\_expiration\_days](#input\_noncurrent\_version\_expiration\_days) | Specifies when noncurrent object versions expire | `number` | `90` | no | | [noncurrent\_version\_glacier\_transition\_days](#input\_noncurrent\_version\_glacier\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier infrequent access tier | `number` | `30` | no | -| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. |
object({
object_lock_enabled = string # Valid value is 'Enabled'
rule = object({
default_retention = object({
mode = string # Valid values are GOVERNANCE and COMPLIANCE.
days = number
years = number
})
})
})
| `null` | no | +| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. |
object({
mode = string # Valid values are GOVERNANCE and COMPLIANCE.
days = number
years = number
})
| `null` | no | | [policy](#input\_policy) | A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy | `string` | `""` | no | | [prefix](#input\_prefix) | Prefix identifying one or more objects to which the rule applies | `string` | `""` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | From a6b6f46082c2e4f4f870d2deb02e8b04b9a1aa0f Mon Sep 17 00:00:00 2001 From: Maxim Mironenko Date: Wed, 7 Apr 2021 16:51:30 +0300 Subject: [PATCH 07/13] variable values fix --- examples/complete/object-lock.us-west-1.tfvars | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/complete/object-lock.us-west-1.tfvars b/examples/complete/object-lock.us-west-1.tfvars index a6d5a907..59d0f7c4 100644 --- a/examples/complete/object-lock.us-west-1.tfvars +++ b/examples/complete/object-lock.us-west-1.tfvars @@ -17,4 +17,5 @@ allowed_bucket_actions = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3 object_lock_configuration = { mode = "GOVERNANCE" days = 366 + years = null } \ No newline at end of file From e72fadf94d4ce00c23d7c0a77e036df827b77ed7 Mon Sep 17 00:00:00 2001 From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Date: Wed, 7 Apr 2021 13:52:33 +0000 Subject: [PATCH 08/13] Auto Format --- examples/complete/object-lock.us-west-1.tfvars | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/complete/object-lock.us-west-1.tfvars b/examples/complete/object-lock.us-west-1.tfvars index 59d0f7c4..3567d1a3 100644 --- a/examples/complete/object-lock.us-west-1.tfvars +++ b/examples/complete/object-lock.us-west-1.tfvars @@ -15,7 +15,7 @@ versioning_enabled = true allowed_bucket_actions = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation", "s3:AbortMultipartUpload"] object_lock_configuration = { - mode = "GOVERNANCE" - days = 366 + mode = "GOVERNANCE" + days = 366 years = null } \ No newline at end of file From 5447bd8b90bf2a458e0a9684fe03607d7f72aa3c Mon Sep 17 00:00:00 2001 
From: Maxim Mironenko Date: Wed, 7 Apr 2021 18:50:51 +0300 Subject: [PATCH 09/13] variable acl fix --- examples/complete/object-lock.us-west-1.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/complete/object-lock.us-west-1.tfvars b/examples/complete/object-lock.us-west-1.tfvars index 59d0f7c4..18ef6c71 100644 --- a/examples/complete/object-lock.us-west-1.tfvars +++ b/examples/complete/object-lock.us-west-1.tfvars @@ -6,7 +6,7 @@ stage = "test" name = "s3-object-lock-test" -acl = "" +acl = "private" force_destroy = false From 8f111408431bd9d6ba637fecfe14c2d83b28d631 Mon Sep 17 00:00:00 2001 From: Maxim Mironenko Date: Thu, 8 Apr 2021 16:08:44 +0300 Subject: [PATCH 10/13] bridgecrew skip added for versioning check --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 130a4a74..c07dbacd 100644 --- a/main.tf +++ b/main.tf @@ -5,6 +5,7 @@ locals { resource "aws_s3_bucket" "default" { #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629). + #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure all data stored in the S3 bucket have versioning enabled` due to bug with evaluation of variable default value. count = module.this.enabled ? 1 : 0 bucket = local.bucket_name acl = try(length(var.grants), 0) == 0 ? var.acl : null From 7fbd6b4a89dd92fc3d3c0cc9796ec6a06ddf587e Mon Sep 17 00:00:00 2001 From: Maxim Mironenko Date: Thu, 8 Apr 2021 16:09:52 +0300 Subject: [PATCH 11/13] bridgecrew skip removed for versioning check --- main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/main.tf b/main.tf index c07dbacd..130a4a74 100644 --- a/main.tf +++ b/main.tf 
@@ -5,7 +5,6 @@ locals { resource "aws_s3_bucket" "default" { #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629). - #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure all data stored in the S3 bucket have versioning enabled` due to bug with evaluation of variable default value. count = module.this.enabled ? 1 : 0 bucket = local.bucket_name acl = try(length(var.grants), 0) == 0 ? var.acl : null From 49c3bf1e1093174174f7d79908307eb3328ec7ba Mon Sep 17 00:00:00 2001 From: Maxim Mironenko Date: Thu, 8 Apr 2021 20:37:37 +0300 Subject: [PATCH 12/13] wording/formatting updates due to PR review --- examples/complete/object-lock.us-west-1.tfvars | 11 ++++++++++- examples/complete/variables.tf | 2 +- variables.tf | 2 +- 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/examples/complete/object-lock.us-west-1.tfvars b/examples/complete/object-lock.us-west-1.tfvars index 0fd0cd39..791bd2d2 100644 --- a/examples/complete/object-lock.us-west-1.tfvars +++ b/examples/complete/object-lock.us-west-1.tfvars @@ -12,7 +12,16 @@ force_destroy = false versioning_enabled = true -allowed_bucket_actions = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetBucketLocation", "s3:AbortMultipartUpload"] +allowed_bucket_actions = [ + "s3:PutObject", + "s3:PutObjectAcl", + "s3:GetObject", + "s3:DeleteObject", + "s3:ListBucket", + "s3:ListBucketMultipartUploads", + "s3:GetBucketLocation", + "s3:AbortMultipartUpload" +] object_lock_configuration = { mode = "GOVERNANCE" diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index d9702320..4748cf74 100644 --- a/examples/complete/variables.tf 
+++ b/examples/complete/variables.tf @@ -186,5 +186,5 @@ variable "object_lock_configuration" { years = number }) default = null - description = "A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely." + description = "A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely." } \ No newline at end of file diff --git a/variables.tf b/variables.tf index 2374ad2c..9ff8ed53 100644 --- a/variables.tf +++ b/variables.tf @@ -260,5 +260,5 @@ variable "object_lock_configuration" { years = number }) default = null - description = "A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely." + description = "A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely." } \ No newline at end of file From d208b9ffbd80fbfa2986ce344c0ba40f010cb715 Mon Sep 17 00:00:00 2001 From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> Date: Thu, 8 Apr 2021 17:38:28 +0000 Subject: [PATCH 13/13] Auto Format --- README.md | 2 +- docs/terraform.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3274d1ad..8d0ec745 100644 --- a/README.md +++ b/README.md 
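Review bot: The reworded description still omits the two operational facts a caller of `object_lock_configuration` most needs: Object Lock requires bucket versioning (the example tfvars sets `versioning_enabled = true` for this reason, but nothing in the variable says so), and a COMPLIANCE-mode default retention cannot be shortened or removed once applied, even by the account root, so a typo in `days`/`years` locks every new object for the full period. Appending a sentence such as `Requires versioning_enabled = true. COMPLIANCE mode retention cannot be shortened or removed once set; GOVERNANCE mode can be overridden only by principals with s3:BypassGovernanceRetention.` to this description and to the identical one in the root `variables.tf` hunk of the same commit would make the module self-documenting on the irreversible choice.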
@@ -250,7 +250,7 @@ Available targets: | [noncurrent\_version\_deeparchive\_transition\_days](#input\_noncurrent\_version\_deeparchive\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier deeparchive access tier | `number` | `60` | no | | [noncurrent\_version\_expiration\_days](#input\_noncurrent\_version\_expiration\_days) | Specifies when noncurrent object versions expire | `number` | `90` | no | | [noncurrent\_version\_glacier\_transition\_days](#input\_noncurrent\_version\_glacier\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier infrequent access tier | `number` | `30` | no | -| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. |
object({
mode = string # Valid values are GOVERNANCE and COMPLIANCE.
days = number
years = number
})
| `null` | no | +| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. |
object({
mode = string # Valid values are GOVERNANCE and COMPLIANCE.
days = number
years = number
})
| `null` | no | | [policy](#input\_policy) | A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy | `string` | `""` | no | | [prefix](#input\_prefix) | Prefix identifying one or more objects to which the rule applies | `string` | `""` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | diff --git a/docs/terraform.md b/docs/terraform.md index 4e89d720..6da65e76 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -77,7 +77,7 @@ | [noncurrent\_version\_deeparchive\_transition\_days](#input\_noncurrent\_version\_deeparchive\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier deeparchive access tier | `number` | `60` | no | | [noncurrent\_version\_expiration\_days](#input\_noncurrent\_version\_expiration\_days) | Specifies when noncurrent object versions expire | `number` | `90` | no | | [noncurrent\_version\_glacier\_transition\_days](#input\_noncurrent\_version\_glacier\_transition\_days) | Number of days to persist in the standard storage tier before moving to the glacier infrequent access tier | `number` | `30` | no | -| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration of S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. |
object({
mode = string # Valid values are GOVERNANCE and COMPLIANCE.
days = number
years = number
})
| `null` | no | +| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. |
object({
mode = string # Valid values are GOVERNANCE and COMPLIANCE.
days = number
years = number
})
| `null` | no | | [policy](#input\_policy) | A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy | `string` | `""` | no | | [prefix](#input\_prefix) | Prefix identifying one or more objects to which the rule applies | `string` | `""` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |