- s3-access-logs

- disable acl
terraform-modules · Nov 1, 2022 · a56068d · a56068d
1 parent 2816192
commit a56068d
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -184,3 +184,7 @@
   - s3-flow-logs
     - change encryption to AES256 from aws:kms (no default for log delivery)
     - update policy according to docs: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html  
+
+* 1.16.4 -- 2022-11-01
+  - s3-access-logs
+    - disable acl
diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.16.3"
+  _module_version = "1.16.4"
 }
diff --git a/s3-access-logs/README.md b/s3-access-logs/README.md
@@ -59,17 +59,18 @@ No modules.
 |------|------|
 | [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
-| [aws_s3_bucket_object.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource |
 | [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_s3_object.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.logs_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
 
 ## Inputs
 
@@ -82,6 +83,7 @@ No modules.
 | <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_versioning_configuration"></a> [versioning\_configuration](#input\_versioning\_configuration) | S3 Versioning Configuration (Enabled, Disabled, Suspended).  To disable, use Suspended if existing bucket and Disabled if new | `string` | `"Disabled"` | no |
 
 ## Outputs
 

diff --git a/s3-access-logs/main.tf b/s3-access-logs/main.tf
@@ -98,7 +98,7 @@ resource "aws_s3_bucket_public_access_block" "logs" {
 resource "aws_s3_bucket_versioning" "logs" {
   bucket = aws_s3_bucket.logs.id
   versioning_configuration {
-    status = "Disabled"
+    status = var.versioning_configuration
   }
 }
 
@@ -111,7 +111,7 @@ resource "aws_s3_bucket_versioning" "logs" {
 resource "aws_s3_bucket_ownership_controls" "this" {
   bucket = aws_s3_bucket.logs.id
   rule {
-    object_ownership = "BucketOwnerEnforced"
+    object_ownership = "BucketOwnerPreferred"
   }
 }
 
@@ -125,15 +125,15 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
 }
 
 resource "aws_s3_bucket_acl" "logs" {
-  #  count  = 0
+  # count  = 0
   bucket = aws_s3_bucket.logs.id
-  acl    = "private"
+  acl    = "log-delivery-write"
 }
 
 #---
 # create "directories"
 #---
-resource "aws_s3_bucket_object" "logs" {
+resource "aws_s3_object" "logs" {
   for_each = toset(local.logs_folders)
   bucket   = aws_s3_bucket.logs.id
   key      = format("%v/", each.key)

diff --git a/s3-access-logs/variables.tf b/s3-access-logs/variables.tf
@@ -16,3 +16,9 @@ variable "component_tags" {
   type        = map(map(string))
   default     = { "s3" = {}, "kms" = {}, "ddb" = {} }
 }
+
+variable "versioning_configuration" {
+  description = "S3 Versioning Configuration (Enabled, Disabled, Suspended).  To disable, use Suspended if existing bucket and Disabled if new"
+  type        = string
+  default     = "Disabled"
+}