feat: add the choice to turn on/off block public policy block (#25)

* feat: add the choice to turn on/off block public policy block * [Boldlinksig]: Pre-commit auto updated files on 07-06-2024 13:19:28. --------- Co-authored-by: boldlinksig <boldlinksig@boldlink.io>
boldlink · Jun 7, 2024 · 41871e9 · 41871e9
1 parent 5135dd2
commit 41871e9
Show file tree

Hide file tree

Showing 10 changed files with 29 additions and 13 deletions.
diff --git a/.checkov.yml b/.checkov.yml
@@ -11,3 +11,4 @@ skip-check:
 - CKV_TF_1 #Ensure Terraform module sources use a commit hash
 - CKV_AWS_21 #Ensure all data stored in the S3 bucket have versioning enabled
 - CKV2_AWS_65 #Ensure access control lists for S3 buckets are disabled
+- CKV2_AWS_67 #Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,7 +20,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - feat: Bucket Metric
 - feat: S3 Object Copy
 - feat: S3 Object
-- fix: CKV_TF_1 #"Ensure Terraform module sources use a commit hash"
+- fix: CKV_TF_1 Ensure Terraform module sources use a commit hash
+- fix: CKV2_AWS_67 Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation
+
+
+## [2.5.0] - 2024-06-07
+- feat: Add the option to enable/disable block public access configuration, this is by default disabled.
+- fix: CKV2_AWS_67 Adding exception to fix checkov false positive [CKV2_AWS_67](https://github.com/bridgecrewio/checkov/issues/6294)
 
 ## [2.4.0] - 2024-01-04
 - feat: Added both organizational and non-organizational cloudtrail bucket policy documents to be attached when condition is met
@@ -82,8 +88,8 @@ The following features have now been added as stand-alone resources in this rele
 - Initial commit
 - Included most basic/common settings in module
 
-[Unreleased]: https://github.com/boldlink/terraform-aws-s3/compare/2.4.0...HEAD
-
+[Unreleased]: https://github.com/boldlink/terraform-aws-s3/compare/2.5.0...HEAD
+[2.5.0]: https://github.com/boldlink/terraform-aws-s3/releases/tag/2.5.0
 [2.4.0]: https://github.com/boldlink/terraform-aws-s3/releases/tag/2.4.0
 [2.3.1]: https://github.com/boldlink/terraform-aws-s3/releases/tag/2.3.1
 [2.3.0]: https://github.com/boldlink/terraform-aws-s3/releases/tag/2.3.0

diff --git a/README.md b/README.md
@@ -71,7 +71,7 @@ module "minimum" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.31.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.53.0 |
 
 ## Modules
 
@@ -115,6 +115,7 @@ No modules.
 | <a name="input_bucket_policy"></a> [bucket\_policy](#input\_bucket\_policy) | Attaches a policy to an S3 bucket resource. | `string` | `""` | no |
 | <a name="input_bucket_prefix"></a> [bucket\_prefix](#input\_bucket\_prefix) | Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. Must be lowercase and less than or equal to 37 characters in length. | `string` | `null` | no |
 | <a name="input_cors_rule"></a> [cors\_rule](#input\_cors\_rule) | A rule of Cross-Origin Resource Sharing. | `any` | `[]` | no |
+| <a name="input_enable_block_public_access"></a> [enable\_block\_public\_access](#input\_enable\_block\_public\_access) | Whether to enable public access block altogether, default is true | `bool` | `true` | no |
 | <a name="input_eventbridge"></a> [eventbridge](#input\_eventbridge) | Whether to enable Amazon EventBridge notifications | `bool` | `false` | no |
 | <a name="input_expected_bucket_owner"></a> [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | (Optional, Forces new resource) The account ID of the expected bucket owner. | `string` | `null` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | (Optional, Default:false) A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |

diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -29,10 +29,10 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_archive"></a> [archive](#provider\_archive) | 2.4.1 |
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.31.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | 3.6.0 |
-| <a name="provider_time"></a> [time](#provider\_time) | 0.10.0 |
+| <a name="provider_archive"></a> [archive](#provider\_archive) | 2.4.2 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.53.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.2 |
+| <a name="provider_time"></a> [time](#provider\_time) | 0.11.2 |
 
 ## Modules
 

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -43,7 +43,6 @@ module "s3_notification_lambda" {
   additional_lambda_permissions = local.additional_lambda_permissions
   source_code_hash              = data.archive_file.lambda_zip.output_base64sha256
   tags                          = local.tags
-
   ## Allow lambda invokation s3
   lambda_permissions = [
     {
@@ -264,6 +263,7 @@ module "s3_logging" {
 
 module "bucket_with_log_policies" {
   source                      = "./../../"
+  enable_block_public_access  = false
   bucket                      = "logging-policies-${random_string.bucket.result}"
   force_destroy               = true
   attach_non_org_trail_policy = true

diff --git a/examples/minimum/README.md b/examples/minimum/README.md
@@ -27,7 +27,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.6.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.2 |
 
 ## Modules
 

diff --git a/examples/organization_trail_bucket/README.md b/examples/organization_trail_bucket/README.md
@@ -28,7 +28,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.6.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.2 |
 
 ## Modules
 

diff --git a/examples/replication_configuration/README.md b/examples/replication_configuration/README.md
@@ -27,8 +27,8 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.31.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | 3.6.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.53.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.2 |
 
 ## Modules
 

diff --git a/main.tf b/main.tf
@@ -15,6 +15,7 @@ resource "aws_s3_bucket_policy" "main" {
 }
 
 resource "aws_s3_bucket_public_access_block" "main" {
+  count                   = var.enable_block_public_access ? 1 : 0
   bucket                  = aws_s3_bucket.main.bucket
   block_public_acls       = var.block_public_acls
   block_public_policy     = var.block_public_policy

diff --git a/variables.tf b/variables.tf
@@ -168,3 +168,10 @@ variable "eventbridge" {
   description = "Whether to enable Amazon EventBridge notifications"
   default     = false
 }
+
+variable "enable_block_public_access" {
+  type        = bool
+  description = "Whether to enable public access block altogether, default is true"
+  default     = true
+
+}