24 changes: 12 additions & 12 deletions bucket.tf
Expand Up @@ -5,8 +5,8 @@
locals {
use_external_bucket = var.use_external_audit_log_bucket

audit_log_bucket_id = local.use_external_bucket ? data.aws_s3_bucket.external[0].id : module.audit_log_bucket.this_bucket.id
audit_log_bucket_arn = local.use_external_bucket ? data.aws_s3_bucket.external[0].arn : module.audit_log_bucket.this_bucket.arn
audit_log_bucket_id = local.use_external_bucket ? data.aws_s3_bucket.external[0].id : module.audit_log_bucket[0].this_bucket.id
audit_log_bucket_arn = local.use_external_bucket ? data.aws_s3_bucket.external[0].arn : module.audit_log_bucket[0].this_bucket.arn

audit_log_cloudtrail_destination = join("/", [local.audit_log_bucket_arn, trim(var.cloudtrail_s3_key_prefix, "/")])
audit_log_config_destination = join("/", [local.audit_log_bucket_arn, trim(var.config_s3_bucket_key_prefix, "/")])
Expand All @@ -31,14 +31,14 @@ data "aws_s3_bucket" "external" {
# --------------------------------------------------------------------------------------------------

module "audit_log_bucket" {
count = local.use_external_bucket ? 0 : 1
source = "./modules/secure-bucket"

bucket_name = var.audit_log_bucket_name
bucket_key_enabled = var.audit_log_bucket_key_enabled
log_bucket_name = "${var.audit_log_bucket_name}-access-logs"
lifecycle_glacier_transition_days = var.audit_log_lifecycle_glacier_transition_days
force_destroy = var.audit_log_bucket_force_destroy
enabled = !local.use_external_bucket

tags = var.tags

Expand All @@ -58,8 +58,8 @@ data "aws_iam_policy_document" "audit_log_base" {
actions = ["s3:*"]
effect = "Deny"
resources = [
module.audit_log_bucket.this_bucket.arn,
"${module.audit_log_bucket.this_bucket.arn}/*"
module.audit_log_bucket[0].this_bucket.arn,
"${module.audit_log_bucket[0].this_bucket.arn}/*"
]
condition {
test = "Bool"
Expand Down Expand Up @@ -87,7 +87,7 @@ data "aws_iam_policy_document" "audit_log_cloud_trail" {
type = "Service"
identifiers = ["cloudtrail.amazonaws.com"]
}
resources = [module.audit_log_bucket.this_bucket.arn]
resources = [module.audit_log_bucket[0].this_bucket.arn]
}

statement {
Expand Down Expand Up @@ -123,7 +123,7 @@ data "aws_iam_policy_document" "audit_log_config" {
type = "Service"
identifiers = ["config.amazonaws.com"]
}
resources = [module.audit_log_bucket.this_bucket.arn]
resources = [module.audit_log_bucket[0].this_bucket.arn]
}

statement {
Expand All @@ -133,7 +133,7 @@ data "aws_iam_policy_document" "audit_log_config" {
type = "Service"
identifiers = ["config.amazonaws.com"]
}
resources = [module.audit_log_bucket.this_bucket.arn]
resources = [module.audit_log_bucket[0].this_bucket.arn]
}

statement {
Expand Down Expand Up @@ -164,7 +164,7 @@ data "aws_iam_policy_document" "audit_log_config" {
identifiers = [for account in statement.value : "arn:aws:iam::${account.account_id}:root"]
}
actions = ["s3:GetBucketAcl"]
resources = [module.audit_log_bucket.this_bucket.arn]
resources = [module.audit_log_bucket[0].this_bucket.arn]
}
}

Expand All @@ -178,7 +178,7 @@ data "aws_iam_policy_document" "audit_log_config" {
identifiers = [for account in statement.value : "arn:aws:iam::${account.account_id}:root"]
}
actions = ["s3:ListBucket", "s3:GetBucketLocation"]
resources = [module.audit_log_bucket.this_bucket.arn]
resources = [module.audit_log_bucket[0].this_bucket.arn]
}
}

Expand Down Expand Up @@ -217,7 +217,7 @@ data "aws_iam_policy_document" "audit_log_flow_logs" {
type = "Service"
identifiers = ["delivery.logs.amazonaws.com"]
}
resources = [module.audit_log_bucket.this_bucket.arn]
resources = [module.audit_log_bucket[0].this_bucket.arn]
}

statement {
Expand Down Expand Up @@ -250,6 +250,6 @@ data "aws_iam_policy_document" "audit_log" {
resource "aws_s3_bucket_policy" "audit_log" {
count = local.use_external_bucket ? 0 : 1

bucket = module.audit_log_bucket.this_bucket.id
bucket = module.audit_log_bucket[0].this_bucket.id
policy = data.aws_iam_policy_document.audit_log[0].json
}
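Review bot: The `count` added on module.audit_log_bucket makes every `module.audit_log_bucket[0]` reference below it valid only inside a block guarded by the same condition, and the visible hunks show that guard on `aws_s3_bucket_policy.audit_log` and on the aggregate document (`data.aws_iam_policy_document.audit_log[0].json`) but not on the headers of `audit_log_base`, `audit_log_cloud_trail`, `audit_log_config` and `audit_log_flow_logs`, which start outside the hunks. If any of those data sources lacks `count = local.use_external_bucket ? 0 : 1`, a plan with `use_external_audit_log_bucket = true` now fails on an invalid index instead of producing an unused document. A comment next to the count line would make the invariant explicit for the next maintainer: `# Every module.audit_log_bucket[0] reference in this file must sit in a block with this same count guard.` The policy-document blocks begin and end outside the hunks shown here.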
40 changes: 20 additions & 20 deletions docs/upgrade-1.0.md
Expand Up @@ -10,56 +10,56 @@ See [the upgrade guide for AWS provider] for more detail.

## Audit log bucket migrations

Following configurations from `module.audit_log_bucket.aws_s3_bucket.content[0]` were extracted to separated resources.
Following configurations from `module.audit_log_bucket[0].aws_s3_bucket.content` were extracted to separated resources.

- `module.audit_log_bucket.aws_s3_bucket_acl.content[0]`
- `module.audit_log_bucket.aws_s3_bucket_lifecycle_configuration.content[0]`
- `module.audit_log_bucket.aws_s3_bucket_logging.content[0]`
- `module.audit_log_bucket.aws_s3_bucket_server_side_encryption_configuration.content[0]`
- `module.audit_log_bucket.aws_s3_bucket_versioning.content[0]`
- `module.audit_log_bucket[0].aws_s3_bucket_acl.content`
- `module.audit_log_bucket[0].aws_s3_bucket_lifecycle_configuration.content`
- `module.audit_log_bucket[0].aws_s3_bucket_logging.content`
- `module.audit_log_bucket[0].aws_s3_bucket_server_side_encryption_configuration.content`
- `module.audit_log_bucket[0].aws_s3_bucket_versioning.content`

To import the current configuration into these resources, use `terraform import` command as follows.

```sh
$ terraform import "$MODULE_PATH.module.audit_log_bucket.aws_s3_bucket_acl.content[0]" "$AUDIT_LOG_BUCKET"
$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_acl.content" "$AUDIT_LOG_BUCKET"

$ terraform import "$MODULE_PATH.module.audit_log_bucket.aws_s3_bucket_lifecycle_configuration.content[0]" "$AUDIT_LOG_BUCKET"
$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_lifecycle_configuration.content" "$AUDIT_LOG_BUCKET"

$ terraform import "$MODULE_PATH.module.audit_log_bucket.aws_s3_bucket_logging.content[0]" "$AUDIT_LOG_BUCKET"
$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_logging.content" "$AUDIT_LOG_BUCKET"

$ terraform import "$MODULE_PATH.module.audit_log_bucket.aws_s3_bucket_server_side_encryption_configuration.content[0]" "$AUDIT_LOG_BUCKET"
$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_server_side_encryption_configuration.content" "$AUDIT_LOG_BUCKET"

$ terraform import "$MODULE_PATH.module.audit_log_bucket.aws_s3_bucket_versioning.content[0]" "$AUDIT_LOG_BUCKET"
$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_versioning.content" "$AUDIT_LOG_BUCKET"
```

### Notes

- `$MODULE_PATH` should be replaced the actual path of this module in your project, e.g. `module.secure_baseline`.
- `$AUDIT_LOG_BUCKET` should be replaced with the state bucket name. The actual value in your state file as `module.audit_log_bucket.aws_s3_bucket.content[0].id`.
- `$AUDIT_LOG_BUCKET` should be replaced with the state bucket name. The actual value in your state file as `module.audit_log_bucket.aws_s3_bucket[0].content.id`.

## Access logging bucket migrations

Following configurations from `module.audit_log_bucket.aws_s3_bucket.access_log[0]` were extracted to separated resources.
Following configurations from `module.audit_log_bucket[0].aws_s3_bucket.access_log` were extracted to separated resources.

- `module.audit_log_bucket.aws_s3_bucket_acl.access_log[0]`
- `module.audit_log_bucket.aws_s3_bucket_lifecycle_configuration.access_log[0]`
- `module.audit_log_bucket.aws_s3_bucket_server_side_encryption_configuration.access_log[0]`
- `module.audit_log_bucket[0].aws_s3_bucket_acl.access_log`
- `module.audit_log_bucket[0].aws_s3_bucket_lifecycle_configuration.access_log`
- `module.audit_log_bucket[0].aws_s3_bucket_server_side_encryption_configuration.access_log`

These resources can be imported by `terraform import` command as well.

```sh
$ terraform import "$MODULE_PATH.aws_s3_bucket_acl.access_log[0]" "$ACCESS_LOG_BUCKET"
$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_acl.access_log" "$ACCESS_LOG_BUCKET"

$ terraform import "$MODULE_PATH.aws_s3_bucket_lifecycle_configuration.access_log[0]" "$ACCESS_LOG_BUCKET"
$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_lifecycle_configuration.access_log" "$ACCESS_LOG_BUCKET"

$ terraform import "$MODULE_PATH.aws_s3_bucket_server_side_encryption_configuration.access_log[0]" "$ACCESS_LOG_BUCKET"
$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_server_side_encryption_configuration.access_log" "$ACCESS_LOG_BUCKET"

```

### Notes

- `$MODULE_PATH` should be replaced the actual path of this module in your project, e.g. `module.secure_baseline`.
- `$ACCESS_LOG_BUCKET` should be replaced with the state bucket name. The actual value in your state file as `module.audit_log_bucket.aws_s3_bucket.access_log[0].id`.
- `$ACCESS_LOG_BUCKET` should be replaced with the state bucket name. The actual value in your state file as `module.audit_log_bucket[0].aws_s3_bucket.access_log.id`.

[aws provider]: https://github.com/hashicorp/terraform-provider-aws
[the upgrade guide for aws provider]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-4-upgrade
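--- a/migrations.tf
+++ b/migrations.tf
@@ -1,3 +1,13 @@
+# --------------------------------------------------------------------------------------------------
+# Migrations to 1.0.0
+# Replacing `enabled` argument in secure-bucket module with `count` meta-argument
+# --------------------------------------------------------------------------------------------------
+
+moved {
+from = module.audit_log_bucket
+to = module.audit_log_bucket[0]
+}
+
 # --------------------------------------------------------------------------------------------------
 # Migrations to 0.31.0
 # Replacing `enabled` argument in each sub-module with `count` meta-argument.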
1 change: 0 additions & 1 deletion modules/secure-bucket/README.md
Expand Up @@ -23,7 +23,6 @@ Creates a S3 bucket with access logging enabled.
| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name of the S3 bucket to create. | `string` | yes |
| <a name="input_log_bucket_name"></a> [log\_bucket\_name](#input\_log\_bucket\_name) | The name of the S3 bucket to store access logs to the main bucket. | `string` | yes |
| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for this bucket. | `bool` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | A boolean that indicates this module is enabled. Resources are not created if it is set to false. | `bool` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no |
| <a name="input_lifecycle_glacier_transition_days"></a> [lifecycle\_glacier\_transition\_days](#input\_lifecycle\_glacier\_transition\_days) | The number of days after object creation when the object is archived into Glacier. | `number` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no |
58 changes: 15 additions & 43 deletions modules/secure-bucket/main.tf
@@ -1,12 +1,10 @@
data "aws_iam_policy_document" "access_log_policy" {
count = var.enabled ? 1 : 0

statement {
actions = ["s3:*"]
effect = "Deny"
resources = [
aws_s3_bucket.access_log[0].arn,
"${aws_s3_bucket.access_log[0].arn}/*"
aws_s3_bucket.access_log.arn,
"${aws_s3_bucket.access_log.arn}/*"
]
condition {
test = "Bool"
Expand All @@ -21,25 +19,19 @@ data "aws_iam_policy_document" "access_log_policy" {
}

resource "aws_s3_bucket" "access_log" {
count = var.enabled ? 1 : 0

bucket = var.log_bucket_name
force_destroy = var.force_destroy

tags = var.tags
}

resource "aws_s3_bucket_acl" "access_log" {
count = var.enabled ? 1 : 0

bucket = aws_s3_bucket.access_log[0].id
bucket = aws_s3_bucket.access_log.id
acl = "log-delivery-write"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "access_log" {
count = var.enabled ? 1 : 0

bucket = aws_s3_bucket.access_log[0].id
bucket = aws_s3_bucket.access_log.id

rule {
apply_server_side_encryption_by_default {
Expand All @@ -49,9 +41,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "access_log" {
}

resource "aws_s3_bucket_lifecycle_configuration" "access_log" {
count = var.enabled ? 1 : 0

bucket = aws_s3_bucket.access_log[0].id
bucket = aws_s3_bucket.access_log.id

rule {
id = "auto-archive"
Expand All @@ -67,29 +57,23 @@ resource "aws_s3_bucket_lifecycle_configuration" "access_log" {
}

resource "aws_s3_bucket_policy" "access_log_policy" {
count = var.enabled ? 1 : 0

bucket = aws_s3_bucket.access_log[0].id
policy = data.aws_iam_policy_document.access_log_policy[0].json
bucket = aws_s3_bucket.access_log.id
policy = data.aws_iam_policy_document.access_log_policy.json

depends_on = [
aws_s3_bucket_public_access_block.access_log,
]
}

resource "aws_s3_bucket_public_access_block" "access_log" {
count = var.enabled ? 1 : 0

bucket = aws_s3_bucket.access_log[0].id
bucket = aws_s3_bucket.access_log.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}

resource "aws_s3_bucket" "content" {
count = var.enabled ? 1 : 0

bucket = var.bucket_name
force_destroy = var.force_destroy

Expand All @@ -101,16 +85,12 @@ resource "aws_s3_bucket" "content" {
}

resource "aws_s3_bucket_acl" "content" {
count = var.enabled ? 1 : 0

bucket = aws_s3_bucket.content[0].id
bucket = aws_s3_bucket.content.id
acl = "private"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "content" {
count = var.enabled ? 1 : 0

bucket = aws_s3_bucket.content[0].id
bucket = aws_s3_bucket.content.id

rule {
apply_server_side_encryption_by_default {
Expand All @@ -121,18 +101,14 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "content" {
}

resource "aws_s3_bucket_logging" "content" {
count = var.enabled ? 1 : 0

bucket = aws_s3_bucket.content[0].id
bucket = aws_s3_bucket.content.id

target_bucket = aws_s3_bucket.access_log[0].id
target_bucket = aws_s3_bucket.access_log.id
target_prefix = ""
}

resource "aws_s3_bucket_lifecycle_configuration" "content" {
count = var.enabled ? 1 : 0

bucket = aws_s3_bucket.content[0].id
bucket = aws_s3_bucket.content.id

rule {
id = "auto-archive"
Expand All @@ -153,9 +129,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "content" {
}

resource "aws_s3_bucket_versioning" "content" {
count = var.enabled ? 1 : 0

bucket = aws_s3_bucket.content[0].id
bucket = aws_s3_bucket.content.id

versioning_configuration {
status = "Enabled"
Expand All @@ -166,9 +140,7 @@ resource "aws_s3_bucket_versioning" "content" {
}

resource "aws_s3_bucket_public_access_block" "content" {
count = var.enabled ? 1 : 0

bucket = aws_s3_bucket.content[0].id
bucket = aws_s3_bucket.content.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
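Review bot: `aws_s3_bucket_logging.content` now depends only on the two bucket ids (`aws_s3_bucket.content.id`, `aws_s3_bucket.access_log.id`) and not on `aws_s3_bucket_acl.access_log`, so Terraform is free to call PutBucketLogging before the `log-delivery-write` ACL has been applied to the target bucket; S3 rejects a logging target that does not yet grant the log-delivery group write permission, so a fresh apply can fail part-way and, if the error is ignored on retry, leave the audit bucket without access logging. While these settings lived inline in `aws_s3_bucket` the ordering was implicit; now it has to be stated, e.g. `depends_on = [aws_s3_bucket_acl.access_log]` inside `aws_s3_bucket_logging.content`, the same way `aws_s3_bucket_policy.access_log_policy` already pins its order against the public access block. A one-line why-comment on it, `# PutBucketLogging requires the target bucket's log-delivery ACL to be in place first`, would keep the next maintainer from dropping it.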
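--- a/modules/secure-bucket/migrations.tf
+++ b/modules/secure-bucket/migrations.tf
@@ -0,0 +1,30 @@
+# --------------------------------------------------------------------------------------------------
+# Migrations to 1.0.0
+# Replacing `enabled` argument in secure-bucket module with `count` meta-argument
+# --------------------------------------------------------------------------------------------------
+
+moved {
+from = aws_s3_bucket.access_log[0]
+to = aws_s3_bucket.access_log
+}
+
+moved {
+from = aws_s3_bucket_policy.access_log_policy[0]
+to = aws_s3_bucket_policy.access_log_policy
+}
+
+moved {
+from = aws_s3_bucket_public_access_block.access_log[0]
+to = aws_s3_bucket_public_access_block.access_log
+}
+
+moved {
+from = aws_s3_bucket.content[0]
+to = aws_s3_bucket.content
+}
+
+moved {
+from = aws_s3_bucket_public_access_block.content[0]
+to = aws_s3_bucket_public_access_block.content
+}
+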
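Review bot: These `moved` blocks cover only five of the resources whose `count` was removed in modules/secure-bucket/main.tf; `aws_s3_bucket_acl`, `aws_s3_bucket_server_side_encryption_configuration` and `aws_s3_bucket_lifecycle_configuration` (for both buckets), `aws_s3_bucket_logging.content` and `aws_s3_bucket_versioning.content` lose their `[0]` index with no corresponding migration. Any state that already holds those resources at the indexed address (the address the previous version of docs/upgrade-1.0.md told users to import into) will plan a destroy-and-create for each, and as far as I read the v4 provider the destroy step for the encryption, logging and versioning resources deletes the bucket's default encryption, clears logging and suspends versioning, so the audit bucket would briefly run without those controls mid-apply and a failed apply could leave it that way. If the omission is deliberate, because those resources never existed at the indexed address in a released version, a comment here saying so would prevent someone from "fixing" it later; otherwise the remaining moved blocks below should be added.
```hcl
# … unchanged: existing moved blocks for the two buckets, the access-log policy and the public access blocks …

moved {
  from = aws_s3_bucket_acl.access_log[0]
  to   = aws_s3_bucket_acl.access_log
}

moved {
  from = aws_s3_bucket_server_side_encryption_configuration.access_log[0]
  to   = aws_s3_bucket_server_side_encryption_configuration.access_log
}

moved {
  from = aws_s3_bucket_lifecycle_configuration.access_log[0]
  to   = aws_s3_bucket_lifecycle_configuration.access_log
}

moved {
  from = aws_s3_bucket_acl.content[0]
  to   = aws_s3_bucket_acl.content
}

moved {
  from = aws_s3_bucket_server_side_encryption_configuration.content[0]
  to   = aws_s3_bucket_server_side_encryption_configuration.content
}

moved {
  from = aws_s3_bucket_logging.content[0]
  to   = aws_s3_bucket_logging.content
}

moved {
  from = aws_s3_bucket_lifecycle_configuration.content[0]
  to   = aws_s3_bucket_lifecycle_configuration.content
}

moved {
  from = aws_s3_bucket_versioning.content[0]
  to   = aws_s3_bucket_versioning.content
}
```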

4 changes: 2 additions & 2 deletions modules/secure-bucket/outputs.tf
@@ -1,9 +1,9 @@
output "this_bucket" {
description = "This S3 bucket."
value = var.enabled ? aws_s3_bucket.content[0] : null
value = aws_s3_bucket.content
}

output "log_bucket" {
description = "The S3 bucket used for storing access logs of this bucket."
value = var.enabled ? aws_s3_bucket.access_log[0] : null
value = aws_s3_bucket.access_log
}