Releases: k9securityio/terraform-aws-s3-bucket

Support new permissions for S3 buckets and objects
Incremental update to support new permissions for S3 buckets and objects:
- administer-resource: s3:PutBucketOwnershipControls, s3:PutIntelligentTieringConfiguration
- read-config: s3:GetIntelligentTieringConfiguration, s3:GetObjectAttributes, s3:GetObjectVersionAttributes
- write-data: s3:InitiateReplication

Scope DenyEveryoneElse to all AWS accounts and IAM
- Scope the Principal element of the DenyEveryoneElse statement to all AWS accounts and IAM principals
- Permit IAM principals with administer-resource to s3:DeleteBucket

Trim unsupported actions from policy
Trim actions and permissions that are not supported in a bucket policy:
- s3:BypassGovernanceRetention
- s3:ListBucketByTags

Support read-config k9 access capability
Add support for the read-config k9 access capability:
- read-config is documented at https://k9security.io/docs/k9-access-capability-model/
- reclassify many read-data and some administer-resource actions to read-config

Rename repository to publish to Terraform Registry
v0.6.1 Update to the new repository name: terraform-aws-s3-bucket

Improve scoping of access controls
This release improves the scoping of the access controls:
- The DenyEveryoneElse statement scopes its coverage to the account's IAM users instead of all IAM principals, enabling access provisioned by an AWS service via KMS key grants, e.g. DynamoDB
- Use a Like condition operator within the Deny when an Allow statement has done so
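The capability-to-action mapping, the trimming of actions that a bucket policy does not accept, and the DenyEveryoneElse statement described in the releases above, worked through as an added Python example. This is not the module's own code (the module is written in Terraform/HCL); the capability table is the subset of actions named in these notes, while the bucket name, principal ARNs, Sid naming and the use of ArnNotLike on aws:PrincipalArn to scope the Deny are assumptions made for this example, since the page does not show how the module itself scopes the Deny.

```python
"""Generate an S3 bucket policy from k9-style access capabilities.

Added illustration; this is not the k9securityio/terraform-aws-s3-bucket
module's own code. The capability -> action table is the subset named in the
release notes. Bucket name, principal ARNs, Sid naming and the Deny condition
are constructed assumptions for this example.
"""
import json

# Subset of the capability -> S3 action mapping named in the release notes.
CAPABILITY_ACTIONS = {
    "administer-resource": [
        "s3:DeleteBucket",
        "s3:PutBucketOwnershipControls",
        "s3:PutIntelligentTieringConfiguration",
    ],
    "read-config": [
        "s3:GetIntelligentTieringConfiguration",
        "s3:GetObjectAttributes",
        "s3:GetObjectVersionAttributes",
    ],
    "write-data": ["s3:InitiateReplication"],
}

# Actions S3 rejects in a bucket policy; the release notes trim these from the output.
UNSUPPORTED_IN_BUCKET_POLICY = {"s3:BypassGovernanceRetention", "s3:ListBucketByTags"}


def bucket_resources(bucket):
    """Bucket ARN (for bucket-level actions) plus the object ARN pattern."""
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def trim_unsupported(actions):
    """Drop actions that cannot appear in a bucket policy, keeping order."""
    return [a for a in actions if a not in UNSUPPORTED_IN_BUCKET_POLICY]


def supported_actions(capability):
    """Actions for one capability after trimming unsupported ones."""
    return trim_unsupported(CAPABILITY_ACTIONS[capability])


def allow_statements(bucket, grants):
    """grants maps capability -> list of principal ARNs; one Allow per capability."""
    statements = []
    for capability, principals in sorted(grants.items()):
        # e.g. "read-config" -> "AllowReadConfig" (Sid naming is an assumption here)
        sid = "Allow" + "".join(part.title() for part in capability.split("-"))
        statements.append({
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": sorted(principals)},
            "Action": supported_actions(capability),
            "Resource": bucket_resources(bucket),
        })
    return statements


def deny_everyone_else(bucket, grants):
    """Deny any principal whose ARN matches none of the granted ARNs.

    Assumption: the Deny is scoped with ArnNotLike on aws:PrincipalArn. Using
    the Like form means that when an Allow granted a wildcard pattern such as
    arn:aws:iam::111122223333:role/app-*, the same pattern excludes those
    principals from the Deny (the "use Like within the Deny when an Allow has
    done so" point in the release notes).
    """
    granted = sorted({arn for principals in grants.values() for arn in principals})
    return {
        "Sid": "DenyEveryoneElse",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": bucket_resources(bucket),
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": granted}},
    }


def build_policy(bucket, grants):
    """Return the policy document as a dict; json.dumps() it to attach to the bucket."""
    if not grants.get("administer-resource"):
        # An explicit Deny with Principal "*" also hits IAM principals in the
        # bucket owner's account, so emitting it with no administrator listed
        # would lock IAM administrators out of the bucket.
        raise ValueError("no administer-resource principal; refusing to emit DenyEveryoneElse")
    return {
        "Version": "2012-10-17",
        "Statement": allow_statements(bucket, grants) + [deny_everyone_else(bucket, grants)],
    }


if __name__ == "__main__":
    # Constructed sample grants: an auditor role and an app-role pattern get
    # read-config; one role gets administer-resource.
    sample = {
        "read-config": ["arn:aws:iam::111122223333:role/auditor",
                        "arn:aws:iam::111122223333:role/app-*"],
        "administer-resource": ["arn:aws:iam::111122223333:role/bucket-admin"],
    }
    print(json.dumps(build_policy("example-bucket", sample), indent=2))
```

The guard in build_policy is the check a practitioner most wants around a DenyEveryoneElse statement: because the Deny names Principal "*", it applies to principals inside the bucket owner's account as well as to other accounts, so every principal that must keep access, including whoever administers the bucket, has to appear in a grant before the policy is attached.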
Upgrade module to Terraform 0.12 and HCL2
Upgrade the module to Terraform 0.12 and HCL2 to make it more natural to use with Terraform 0.12 and later.

Map full set of S3 API actions for bucket and object resources
Map the full set of S3 API actions for bucket and object resources from k9 access capabilities.

Support full k9 tagging model and custom capabilities
This release adds full support for the k9 Security tagging model and enables advanced users to specify custom actions when generating a bucket policy.

Improve safety around destruction and support for arbitrary tags
- Only destroy the objects in the bucket along with the bucket when force_destroy is true.
- Support adding arbitrary additional tags.