From a084df9053085293f1d7a71000f64622232ae6a5 Mon Sep 17 00:00:00 2001
From: justnom
Date: Mon, 26 Apr 2021 12:32:18 -0400
Subject: [PATCH 1/3] Removing policy attribute for S3 bucket

Fixing a bug where the bucket policy would flip-flop on Terraform apply if `var.policy` and any of `var.allow_ssl_requests_only`, `var.allow_encrypted_uploads_only` were set.
---
 main.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/main.tf b/main.tf
index 4de26537..f888090b 100644
--- a/main.tf
+++ b/main.tf
@@ -10,7 +10,6 @@ resource "aws_s3_bucket" "default" {
   bucket = local.bucket_name
   acl = try(length(var.grants), 0) == 0 ? var.acl : null
   force_destroy = var.force_destroy
-  policy = var.policy
   tags = module.this.tags
 
   versioning {

From 05d1e0be4fddb15942b1f7b9b10db081525989bc Mon Sep 17 00:00:00 2001
From: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>
Date: Mon, 26 Apr 2021 16:49:30 +0000
Subject: [PATCH 2/3] Auto Format

---
 README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 58abfe46..40641e8a 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,4 @@ + # terraform-aws-s3-bucket [![GitHub Action Tests](https://github.com/cloudposse/terraform-aws-s3-bucket/workflows/test/badge.svg?branch=master)](https://github.com/cloudposse/terraform-aws-s3-bucket/actions) [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-s3-bucket.svg)](https://github.com/cloudposse/terraform-aws-s3-bucket/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
@@ -37,7 +38,6 @@ We do not recommend creating IAM users this way for any other purpose. It blocks public access to the bucket by default. https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html - --- This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps. 
@@ -68,7 +68,6 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are - ## Security & Compliance [](https://bridgecrew.io/) Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance.

From afd823d7028e7f7323d430e3d8b0442afd7ea589 Mon Sep 17 00:00:00 2001
From: justnom
Date: Mon, 26 Apr 2021 17:33:52 -0400
Subject: [PATCH 3/3] Add BC check skip for at-rest encryption check

---
 main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/main.tf b/main.tf
index f888090b..4efcd3c4 100644
--- a/main.tf
+++ b/main.tf
@@ -6,6 +6,7 @@ resource "aws_s3_bucket" "default" {
   #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` because we do not have good defaults
   #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
   #bridgecrew:skip=BC_AWS_S3_16:Skipping `Ensure S3 bucket versioning is enabled` because dynamic blocks are not supported by checkov
+  #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` because variables are not understood
   count = module.this.enabled ? 1 : 0
   bucket = local.bucket_name
   acl = try(length(var.grants), 0) == 0 ? var.acl : null
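Review bot: The new BC_AWS_S3_14 suppression on `aws_s3_bucket.default` silences the at-rest encryption check for every consumer of this module, and its justification ("variables are not understood") says nothing about whether encryption is actually enforced. A reader auditing the skip cannot tell from the comment which module input drives the encryption block (presumably a variable-driven `server_side_encryption_configuration` block elsewhere in this resource — confirm) or what its default is, so I would name both in the comment, e.g. `#bridgecrew:skip=BC_AWS_S3_14:Skipping \`Ensure all data stored in the S3 bucket is securely encrypted at rest\` because the check cannot evaluate the variable-driven server_side_encryption_configuration block; SSE is still applied by default via <variable name> (see variables.tf)`, filled in with the real variable and default. It is also worth stating that once this skip is in place the scanner will no longer flag a consumer (or a future default change) that turns encryption off, so the default must be protected by a test or review rather than by Bridgecrew. The resource block this comment sits in continues past the end of the hunk.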