feat: add expected_bucket_owner variable (cloudposse#238)
* 226: Add Expected Bucket Owner

* Update variables.tf

Co-authored-by: Matt Gowie <[email protected]>

* fix: commit make results

---------

Co-authored-by: John McCall <[email protected]>
Co-authored-by: Matt Gowie <[email protected]>
Co-authored-by: John McCall <[email protected]>
4 people authored Jul 30, 2024
1 parent 19b011a commit 42320bf
Showing 4 changed files with 19 additions and 4 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -280,6 +280,7 @@ Available targets:
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <a name="input_expected_bucket_owner"></a> [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | Account ID of the expected bucket owner. <br>More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html | `string` | `null` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.<br>THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier. | `bool` | `false` | no |
| <a name="input_grants"></a> [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.<br>Conflicts with `acl`. Set `acl` to `null` to use this.<br>Deprecated by AWS in favor of bucket policies.<br>Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". | <pre>list(object({<br> id = string<br> type = string<br> permissions = list(string)<br> uri = string<br> }))</pre> | `[]` | no |
| <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
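Review bot: the new row carries a stray space before the line break ("Account ID of the expected bucket owner. <br>"), which comes from a trailing space in the variable description heredoc. Since this table and the one in docs/terraform.md are regenerated by `make` (see the "fix: commit make results" commit), fix the heredoc in variables.tf and regenerate rather than hand-editing this file, otherwise the next `make readme` will reintroduce it.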
1 change: 1 addition & 0 deletions docs/terraform.md
Expand Up @@ -72,6 +72,7 @@
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <a name="input_expected_bucket_owner"></a> [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | Account ID of the expected bucket owner. <br>More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html | `string` | `null` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.<br>THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier. | `bool` | `false` | no |
| <a name="input_grants"></a> [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.<br>Conflicts with `acl`. Set `acl` to `null` to use this.<br>Deprecated by AWS in favor of bucket policies.<br>Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". | <pre>list(object({<br> id = string<br> type = string<br> permissions = list(string)<br> uri = string<br> }))</pre> | `[]` | no |
| <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
12 changes: 8 additions & 4 deletions main.tf
Expand Up @@ -51,7 +51,8 @@ resource "aws_s3_bucket_accelerate_configuration" "default" {
resource "aws_s3_bucket_versioning" "default" {
count = local.enabled ? 1 : 0

bucket = local.bucket_id
bucket = local.bucket_id
expected_bucket_owner = var.expected_bucket_owner

versioning_configuration {
status = local.versioning_enabled ? "Enabled" : "Suspended"
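Review bot: `expected_bucket_owner` is a force-new argument on `aws_s3_bucket_versioning` (and on the logging, encryption and ACL resources below) in the AWS provider, because the value becomes part of the resource ID. A user who sets the new variable on a bucket that is already deployed will therefore see these sub-resources destroyed and recreated rather than updated in place, and the provider's delete step for the versioning resource suspends versioning before the replacement re-enables it. The variable description or README should say that the value is best set when the bucket is created, and that adopters should check `terraform plan` for replacements before applying to an existing bucket.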
Expand All @@ -66,7 +67,8 @@ moved {
resource "aws_s3_bucket_logging" "default" {
for_each = toset(local.enabled && length(var.logging) > 0 ? ["enabled"] : [])

bucket = local.bucket_id
bucket = local.bucket_id
expected_bucket_owner = var.expected_bucket_owner

target_bucket = var.logging[0]["bucket_name"]
target_prefix = var.logging[0]["prefix"]
Expand All @@ -77,7 +79,8 @@ resource "aws_s3_bucket_logging" "default" {
resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
count = local.enabled ? 1 : 0

bucket = local.bucket_id
bucket = local.bucket_id
expected_bucket_owner = var.expected_bucket_owner

rule {
bucket_key_enabled = var.bucket_key_enabled
Expand Down Expand Up @@ -166,7 +169,8 @@ resource "aws_s3_bucket_cors_configuration" "default" {
resource "aws_s3_bucket_acl" "default" {
count = local.enabled && var.s3_object_ownership != "BucketOwnerEnforced" ? 1 : 0

bucket = local.bucket_id
bucket = local.bucket_id
expected_bucket_owner = var.expected_bucket_owner

# Conflicts with access_control_policy so this is enabled if no grants
acl = try(length(local.acl_grants), 0) == 0 ? var.acl : null
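Review bot: coverage is partial. `var.expected_bucket_owner` is now passed to the versioning, logging, server-side-encryption and ACL resources, but `aws_s3_bucket_accelerate_configuration` and `aws_s3_bucket_cors_configuration`, both visible in the hunk headers of this file, accept the same argument in the AWS provider and are left unset, as is any other configuration resource in main.tf that supports it. The result is that an apply against a bucket owned by the wrong account is rejected for some sub-resources and accepted for others. Either wire the variable into every resource in this file that supports it, or state in the variable description exactly which resources enforce the check.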
9 changes: 9 additions & 0 deletions variables.tf
Expand Up @@ -457,3 +457,12 @@ variable "bucket_key_enabled" {
EOT
nullable = false
}

variable "expected_bucket_owner" {
type = string
default = null
description = <<-EOT
Account ID of the expected bucket owner.
More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html
EOT
}
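Review bot: the variable accepts any string, so a typo in the account ID is only caught at apply time as a 403 Access Denied from S3. Add a `validation` block such as `condition = var.expected_bucket_owner == null || can(regex("^[0-9]{12}$", var.expected_bucket_owner))` so it fails at plan time instead, keeping `null` allowed since that is the "not set" value here (unlike the `nullable = false` variables above). The description should also say what the condition does, namely that S3 rejects the request with Access Denied when the bucket's owner account differs from this ID, and which resources in main.tf pass it; and drop the trailing space after "owner." since this heredoc feeds the generated README and docs tables.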
