From 20a2e3dd62a02e60b1913d3c83b5238dc5fba450 Mon Sep 17 00:00:00 2001 From: d3adb5 Date: Tue, 21 Mar 2023 19:44:13 -0700 Subject: [PATCH 1/5] refactor: use bucket versioning resource instead of block Use the aws_s3_bucket_versioning resource instead of the versioning block in the aws_s3_bucket resource, which has been deprecated in a recent version of the Terraform AWS provider. --- README.md | 2 ++ bucket_replication.tf | 13 +++++++++---- main.tf | 16 +++++++++++----- variables.tf | 12 ++++++++++++ 4 files changed, 34 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index ab31746..3601bc1 100644 --- a/README.md +++ b/README.md @@ -87,6 +87,8 @@ No modules. | [label\_order](#input\_label\_order) | The naming order of the id output and Name tag | `list(string)` | `[]` | no | | [logging](#input\_logging) | Bucket access logging configuration. |
object({
bucket_name = string
prefix = string
})
| `null` | no | | [mfa\_delete](#input\_mfa\_delete) | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | `bool` | `false` | no | +| [mfa\_serial](#input\_mfa\_serial) | The serial number of the MFA device to use when deleting versions of S3 objects. Necessary if `mfa_delete` is true. | `string` | `""` | no | +| [mfa\_secret](#input\_mfa\_secret) | The number displayed on the MFA device. Necessary if `mfa_delete` is true. | `string` | `""` | no | | [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `"terraform"` | no | | [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `""` | no | | [read\_capacity](#input\_read\_capacity) | DynamoDB read capacity units | `number` | `5` | no | diff --git a/bucket_replication.tf b/bucket_replication.tf index f994fa5..9157514 100644 --- a/bucket_replication.tf +++ b/bucket_replication.tf @@ -4,10 +4,6 @@ resource "aws_s3_bucket" "replication_bucket" { provider = aws.secondary bucket = format("%s-%s-%s-%s", var.namespace, var.stage, var.name, var.bucket_replication_name) - versioning { - enabled = true - } - server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { @@ -22,6 +18,15 @@ resource "aws_s3_bucket" "replication_bucket" { } } +resource "aws_s3_bucket_versioning" "replication_bucket" { + count = var.bucket_replication_enabled ? 1 : 0 + bucket = aws_s3_bucket.replication_bucket[0].id + + versioning_configuration { + status = "Enabled" + } +} + resource "aws_s3_bucket_public_access_block" "replication_bucket" { count = var.bucket_replication_enabled ? 1 : 0 diff --git a/main.tf b/main.tf index 7390641..bcdc8c2 100644 --- a/main.tf +++ b/main.tf 
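Review bot: The new `aws_s3_bucket_versioning` "replication_bucket" resource in the second bucket_replication.tf hunk sets no `provider`, while the bucket it configures is created through `aws.secondary` (context at the top of the first hunk), so the versioning call goes through the default provider, which the last patch in this series itself describes as possibly pointing at a completely different provider. Add `provider = aws.secondary` as the first argument of the resource, above `count`. The `aws_s3_bucket_server_side_encryption_configuration` "replication_bucket" added to this file in the second patch has the same gap, and the final patch only adds `provider = aws.primary` to the main.tf resources.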
@@ -5,11 +5,6 @@ resource "aws_s3_bucket" "default" { acl = var.acl force_destroy = var.force_destroy - versioning { - enabled = true - mfa_delete = var.mfa_delete - } - server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { @@ -52,6 +47,17 @@ resource "aws_s3_bucket" "default" { depends_on = [aws_s3_bucket.replication_bucket] } +resource "aws_s3_bucket_versioning" "default" { + bucket = aws_s3_bucket.default.id + + versioning_configuration { + status = "Enabled" + mfa_delete = var.mfa_delete ? "Enabled" : "Disabled" + } + + mfa = var.mfa_delete ? "${var.mfa_serial} ${var.mfa_secret}" : null +} + resource "aws_s3_bucket_public_access_block" "default" { provider = aws.primary bucket = aws_s3_bucket.default.id diff --git a/variables.tf b/variables.tf index 3087081..92c91b1 100644 --- a/variables.tf +++ b/variables.tf @@ -88,6 +88,18 @@ variable "mfa_delete" { default = false } +variable "mfa_serial" { + type = string + description = "The serial number of the MFA device to use. Necessary when mfa_delete is true." + default = "" +} + +variable "mfa_secret" { + type = string + description = "The numbers displayed on the MFA device when applying. Necessary when mfa_delete is true." + default = "" +} + variable "enable_server_side_encryption" { type = bool description = "Enable DynamoDB server-side encryption" From 8b2b82f9358059597e541eafcfc176d554219aaf Mon Sep 17 00:00:00 2001 From: d3adb5 Date: Tue, 21 Mar 2023 19:48:20 -0700 Subject: [PATCH 2/5] refactor: use s3 sse config resource instead of block Use the aws_s3_bucket_server_side_encryption_configuration resource instead of the now deprecated server_side_encryption_configuration block. --- bucket_replication.tf | 19 +++++++++++-------- main.tf | 18 ++++++++++-------- 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/bucket_replication.tf b/bucket_replication.tf index 9157514..a523314 100644 --- a/bucket_replication.tf +++ b/bucket_replication.tf 
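Review bot: `mfa_secret` carries a one-time MFA code, yet the new `variable "mfa_secret"` block in the variables.tf hunk is not marked sensitive, so the code is printed in plan and apply output (and CI logs) whenever `aws_s3_bucket_versioning.default` in the second main.tf hunk changes with `mfa_delete` true; add `sensitive = true` to that variable block. The concatenated `mfa` argument is presumably kept in state as part of the resource configuration, so the state backend should be treated as holding it as well. A short comment on the `mfa` line, such as `# serial + current device code; S3 needs a valid code at apply time when mfa_delete changes`, would also make clear why a value that rotates is wired into configuration.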
@@ -4,20 +4,23 @@ resource "aws_s3_bucket" "replication_bucket" { provider = aws.secondary bucket = format("%s-%s-%s-%s", var.namespace, var.stage, var.name, var.bucket_replication_name) - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "AES256" - } - } - } - tags = { Terraform = "true" Environment = var.stage } } +resource "aws_s3_bucket_server_side_encryption_configuration" "replication_bucket" { + count = var.bucket_replication_enabled ? 1 : 0 + bucket = aws_s3_bucket.replication_bucket[0].id + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } +} + resource "aws_s3_bucket_versioning" "replication_bucket" { count = var.bucket_replication_enabled ? 1 : 0 bucket = aws_s3_bucket.replication_bucket[0].id diff --git a/main.tf b/main.tf index bcdc8c2..8bf38c3 100644 --- a/main.tf +++ b/main.tf @@ -5,14 +5,6 @@ resource "aws_s3_bucket" "default" { acl = var.acl force_destroy = var.force_destroy - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "AES256" - } - } - } - dynamic "replication_configuration" { for_each = var.bucket_replication_enabled ? ["true"] : [] content { @@ -47,6 +39,16 @@ resource "aws_s3_bucket" "default" { depends_on = [aws_s3_bucket.replication_bucket] } +resource "aws_s3_bucket_server_side_encryption_configuration" "default" { + bucket = aws_s3_bucket.default.id + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } +} + resource "aws_s3_bucket_versioning" "default" { bucket = aws_s3_bucket.default.id From f53cc10932d4a684ce302af0ff417a2e3a67c1a5 Mon Sep 17 00:00:00 2001 
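Review bot: The `dynamic "replication_configuration"` block that stays inside `aws_s3_bucket.default` (trailing context of the first main.tf hunk) is the same kind of inline block this series migrates away from, and now that versioning lives in the separate `aws_s3_bucket_versioning` resources nothing orders it after versioning is enabled on either bucket: the bucket's existing `depends_on = [aws_s3_bucket.replication_bucket]` only waits for the destination bucket itself. S3 rejects a replication configuration on a bucket whose versioning is not enabled, so a fresh apply is likely to fail on the first pass. Moving the block to an `aws_s3_bucket_replication_configuration` resource with `depends_on = [aws_s3_bucket_versioning.default, aws_s3_bucket_versioning.replication_bucket]` would restore the ordering; the body of `aws_s3_bucket.default` continues outside the hunk.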
From: d3adb5 Date: Tue, 21 Mar 2023 19:54:36 -0700 Subject: [PATCH 3/5] docs: update readme to reflect new resource usage Update the README to reflect the usage of new resources that exist only starting with version 4 of the AWS provider. --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3601bc1..57267d8 100644 --- a/README.md +++ b/README.md @@ -32,14 +32,14 @@ We have a tfstate S3 Bucket per account | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.9 | -| [aws](#requirement\_aws) | ~> 3.0 | +| [aws](#requirement\_aws) | ~> 4.0 | ## Providers | Name | Version | |------|---------| -| [aws.primary](#provider\_aws.primary) | ~> 3.0 | -| [aws.secondary](#provider\_aws.secondary) | ~> 3.0 | +| [aws.primary](#provider\_aws.primary) | ~> 4.0 | +| [aws.secondary](#provider\_aws.secondary) | ~> 4.0 | | [time](#provider\_time) | n/a | ## Modules From d935092f95146bf6bab12d3244b9ae1b7e8442fa Mon Sep 17 00:00:00 2001 From: d3adb5 Date: Tue, 21 Mar 2023 21:00:37 -0700 Subject: [PATCH 4/5] refactor: use s3 acl resource instead of acl arg Use the aws_s3_bucket_acl resource instead of the acl argument to the aws_s3_bucket resource, which has been deprecated in version 4 of the Terraform AWS provider. --- main.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 8bf38c3..a74ca36 100644 --- a/main.tf +++ b/main.tf @@ -2,7 +2,6 @@ resource "aws_s3_bucket" "default" { provider = aws.primary bucket = format("%s-%s-%s", var.namespace, var.stage, var.name) - acl = var.acl force_destroy = var.force_destroy dynamic "replication_configuration" { 
@@ -39,6 +38,11 @@ resource "aws_s3_bucket" "default" { depends_on = [aws_s3_bucket.replication_bucket] } +resource "aws_s3_bucket_acl" "default" { + bucket = aws_s3_bucket.default.id + acl = var.acl +} + resource "aws_s3_bucket_server_side_encryption_configuration" "default" { bucket = aws_s3_bucket.default.id From 7b2c9c483d088cf01601a8f8ea2e607359854854 Mon Sep 17 00:00:00 2001 From: d3adb5 Date: Tue, 21 Mar 2023 21:29:25 -0700 Subject: [PATCH 5/5] fix: use aws.primary in v4 resources instead of inherited provider Use the aws.provider in the new S3 bucket resources instead of relying on the inherited provider, which could have been set to a completely different provider. --- main.tf | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index a74ca36..a7668f7 100644 --- a/main.tf +++ b/main.tf @@ -39,12 +39,14 @@ resource "aws_s3_bucket" "default" { } resource "aws_s3_bucket_acl" "default" { - bucket = aws_s3_bucket.default.id - acl = var.acl + provider = aws.primary + bucket = aws_s3_bucket.default.id + acl = var.acl } resource "aws_s3_bucket_server_side_encryption_configuration" "default" { - bucket = aws_s3_bucket.default.id + provider = aws.primary + bucket = aws_s3_bucket.default.id rule { apply_server_side_encryption_by_default { @@ -54,7 +56,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" { } resource "aws_s3_bucket_versioning" "default" { - bucket = aws_s3_bucket.default.id + provider = aws.primary + bucket = aws_s3_bucket.default.id versioning_configuration { status = "Enabled"
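Review bot: `aws_s3_bucket_acl` "default" in the fourth patch's hunk applies `var.acl` to a bucket for which no `aws_s3_bucket_ownership_controls` resource appears anywhere in this series; when a bucket's object ownership is `BucketOwnerEnforced`, which AWS has since made the default for new buckets, ACLs are disabled and the PutBucketAcl call is rejected, so the apply fails rather than quietly applying a weaker ACL. For a state bucket the safer posture is to leave ACLs disabled and drop `var.acl`, but that changes the module interface; short of that, declare the ownership controls explicitly and order the ACL after them so the behaviour does not depend on the account's default. The rewrite below takes the resource as the fifth patch leaves it, with `provider = aws.primary`.
```hcl
resource "aws_s3_bucket_ownership_controls" "default" {
  provider = aws.primary
  bucket   = aws_s3_bucket.default.id

  rule {
    # ACL-based grants only take effect when object ownership is not BucketOwnerEnforced.
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "default" {
  provider   = aws.primary
  bucket     = aws_s3_bucket.default.id
  acl        = var.acl
  depends_on = [aws_s3_bucket_ownership_controls.default]
}

# … unchanged: aws_s3_bucket_server_side_encryption_configuration / aws_s3_bucket_versioning …
```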