fixes to match BridgeCrew compliance checks (#51)

* fixes to match BridgeCrew compliance checks * Update README.yaml Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]> * Updated README.md Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]> Co-authored-by: actions-bot <[email protected]>
cloudposse · Jan 26, 2021 · ce9a7b4 · ce9a7b4
1 parent cd7b3d7
commit ce9a7b4
Show file tree

Hide file tree

Showing 7 changed files with 13 additions and 13 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,6 +2,7 @@
 *.tfstate
 *.tfstate.backup
 *.terraform.tfstate*
+**/.terraform.lock.hcl
 
 # Module directory
 .terraform

diff --git a/README.md b/README.md
@@ -27,7 +27,8 @@
 
 -->
 
-Terraform module to provision S3-backed Websites
+Terraform module to provision S3-backed Websites.
+**IMPORTANT:** This module provisions a globally accessible S3 bucket for unauthenticated users because it is designed for hosting public static websites. Normally, AWS recommends that S3 buckets should not publicly accessible in order to protect S3 data from unauthorized users.
 
 
 ---
@@ -137,7 +138,6 @@ Available targets:
 | terraform | >= 0.12.26 |
 | aws | >= 2.0 |
 | local | >= 1.2 |
-| null | >= 2.0 |
 
 ## Providers
 
@@ -186,7 +186,7 @@ Available targets:
 | routing\_rules | A json array containing routing rules describing redirect behavior and when redirects are applied | `string` | `""` | no |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
-| versioning\_enabled | Enable or disable versioning | `bool` | `false` | no |
+| versioning\_enabled | Enable or disable versioning | `bool` | `true` | no |
 
 ## Outputs
 

diff --git a/README.yaml b/README.yaml
@@ -50,7 +50,8 @@ related:
     url: "https://github.com/cloudposse/terraform-aws-lb-s3-bucket"
 # Short description of this project
 description: |-
-  Terraform module to provision S3-backed Websites
+  Terraform module to provision S3-backed Websites.
+  **IMPORTANT:** This module provisions a globally accessible S3 bucket for unauthenticated users because it is designed for hosting public static websites. Normally, AWS recommends that S3 buckets should not publicly accessible in order to protect S3 data from unauthorized users.
 # How to use this project
 usage: |-
   #### Create s3 website bucket

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -6,7 +6,6 @@
 | terraform | >= 0.12.26 |
 | aws | >= 2.0 |
 | local | >= 1.2 |
-| null | >= 2.0 |
 
 ## Providers
 
@@ -55,7 +54,7 @@
 | routing\_rules | A json array containing routing rules describing redirect behavior and when redirects are applied | `string` | `""` | no |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
-| versioning\_enabled | Enable or disable versioning | `bool` | `false` | no |
+| versioning\_enabled | Enable or disable versioning | `bool` | `true` | no |
 
 ## Outputs
 

diff --git a/main.tf b/main.tf
@@ -29,14 +29,17 @@ module "logs" {
 
 module "default_label" {
   source     = "cloudposse/label/null"
-  version    = "0.22.0"
+  version    = "0.22.1"
   attributes = ["origin"]
   context    = module.this.context
 }
 
 resource "aws_s3_bucket" "default" {
-  bucket        = var.hostname
+  #bridgecrew:skip=BC_AWS_S3_1:The bucket used for a public static website. (https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone)
+  #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
+  #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue using `mfa_delete` by terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
   acl           = "public-read"
+  bucket        = var.hostname
   tags          = module.default_label.tags
   force_destroy = var.force_destroy
 

diff --git a/variables.tf b/variables.tf
@@ -113,7 +113,7 @@ variable "noncurrent_version_expiration_days" {
 
 variable "versioning_enabled" {
   type        = bool
-  default     = false
+  default     = true
   description = "Enable or disable versioning"
 }
 

diff --git a/versions.tf b/versions.tf
@@ -10,9 +10,5 @@ terraform {
       source  = "hashicorp/local"
       version = ">= 1.2"
     }
-    null = {
-      source  = "hashicorp/null"
-      version = ">= 2.0"
-    }
   }
 }