refactor: use bucket versioning resource instead of block

Use the aws_s3_bucket_versioning resource instead of the versioning
block in the aws_s3_bucket resource, which has been deprecated in a
recent version of the Terraform AWS provider.

README.md

@@ -87,6 +87,8 @@ No modules.
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The naming order of the id output and Name tag | `list(string)` | `[]` | no |
 | <a name="input_logging"></a> [logging](#input\_logging) | Bucket access logging configuration. | <pre>object({<br>    bucket_name = string<br>    prefix      = string<br>  })</pre> | `null` | no |
 | <a name="input_mfa_delete"></a> [mfa\_delete](#input\_mfa\_delete) | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | `bool` | `false` | no |
+| <a name="input_mfa_serial"></a> [mfa\_serial](#input\_mfa\_serial) | The serial number of the MFA device to use when deleting versions of S3 objects. Necessary if `mfa_delete` is true. | `string` | `""` | no |
+| <a name="input_mfa_secret"></a> [mfa\_secret](#input\_mfa\_secret) | The number displayed on the MFA device. Necessary if `mfa_delete` is true. | `string` | `""` | no |
 | <a name="input_name"></a> [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `"terraform"` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `""` | no |
 | <a name="input_read_capacity"></a> [read\_capacity](#input\_read\_capacity) | DynamoDB read capacity units | `number` | `5` | no |

bucket_replication.tf

@@ -4,10 +4,6 @@ resource "aws_s3_bucket" "replication_bucket" {
   provider = aws.secondary
   bucket   = format("%s-%s-%s-%s", var.namespace, var.stage, var.name, var.bucket_replication_name)
 
-  versioning {
-    enabled = true
-  }
-
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
@@ -22,6 +18,15 @@ resource "aws_s3_bucket" "replication_bucket" {
   }
 }
 
+resource "aws_s3_bucket_versioning" "replication_bucket" {
+  count  = var.bucket_replication_enabled ? 1 : 0
+  bucket = aws_s3_bucket.replication_bucket[0].id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
 resource "aws_s3_bucket_public_access_block" "replication_bucket" {
   count = var.bucket_replication_enabled ? 1 : 0
 

main.tf

@@ -5,11 +5,6 @@ resource "aws_s3_bucket" "default" {
   acl           = var.acl
   force_destroy = var.force_destroy
 
-  versioning {
-    enabled    = true
-    mfa_delete = var.mfa_delete
-  }
-
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
@@ -52,6 +47,17 @@ resource "aws_s3_bucket" "default" {
   depends_on = [aws_s3_bucket.replication_bucket]
 }
 
+resource "aws_s3_bucket_versioning" "default" {
+  bucket = aws_s3_bucket.default.id
+
+  versioning_configuration {
+    status     = "Enabled"
+    mfa_delete = var.mfa_delete ? "Enabled" : "Disabled"
+  }
+
+  mfa = var.mfa_delete ? "${var.mfa_serial} ${var.mfa_secret}" : null
+}
+
 resource "aws_s3_bucket_public_access_block" "default" {
   provider                = aws.primary
   bucket                  = aws_s3_bucket.default.id

variables.tf

@@ -88,6 +88,18 @@ variable "mfa_delete" {
   default     = false
 }
 
+variable "mfa_serial" {
+  type        = string
+  description = "The serial number of the MFA device to use. Necessary when mfa_delete is true."
+  default     = ""
+}
+
+variable "mfa_secret" {
+  type        = string
+  description = "The numbers displayed on the MFA device when applying. Necessary when mfa_delete is true."
+  default     = ""
+}
+
 variable "enable_server_side_encryption" {
   type        = bool
   description = "Enable DynamoDB server-side encryption"