diff --git a/CHANGELOG.md b/CHANGELOG.md
index e690968..9098dab 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -184,3 +184,7 @@ - s3-flow-logs - change encryption to AES256 from aws:kms (no default for log delivery) - update policy according to docs: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html
+
+* 1.16.4 -- 2022-11-01 - s3-access-logs - disable acl
diff --git a/common/version.tf b/common/version.tf
index aa7208c..1d0ac4c 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.16.3"
+ _module_version = "1.16.4"
 }
diff --git a/s3-access-logs/README.md b/s3-access-logs/README.md
index 248632d..246b211 100644
--- a/s3-access-logs/README.md
+++ b/s3-access-logs/README.md
@@ -59,17 +59,18 @@ No modules.
 |------|------|
 | [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
-| [aws_s3_bucket_object.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource |
 | [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_s3_object.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.logs_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
 ## Inputs
@@ -82,6 +83,7 @@ No modules.
 | [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` |
{
"ddb": {},
"kms": {},
"s3": {}
} | no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| [versioning\_configuration](#input\_versioning\_configuration) | S3 Versioning Configuration (Enabled, Disabled, Suspended). To disable, use Suspended if existing bucket and Disabled if new | `string` | `"Disabled"` | no |
## Outputs
diff --git a/s3-access-logs/main.tf b/s3-access-logs/main.tf
index c3928b1..09e1aa3 100644
--- a/s3-access-logs/main.tf
+++ b/s3-access-logs/main.tf
@@ -98,7 +98,7 @@ resource "aws_s3_bucket_public_access_block" "logs" {
resource "aws_s3_bucket_versioning" "logs" {
bucket = aws_s3_bucket.logs.id
versioning_configuration {
- status = "Disabled"
+ status = var.versioning_configuration
}
}
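Review bot: `status = var.versioning_configuration` forwards the variable verbatim, and nothing in this resource records that the provider accepts "Disabled" only on a bucket that has never been versioned — the README text for the new input carries that caveat but the code does not. Add above the line `# "Disabled" is only valid for a never-versioned bucket; use "Suspended" to turn versioning off on an existing one`. Since this bucket holds access logs, consider also stating in the variable description that with versioning off an overwritten or deleted log object is not recoverable, so callers who want tamper-resistant logs should pass "Enabled".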
@@ -111,7 +111,7 @@ resource "aws_s3_bucket_versioning" "logs" {
resource "aws_s3_bucket_ownership_controls" "this" {
bucket = aws_s3_bucket.logs.id
rule {
- object_ownership = "BucketOwnerEnforced"
+ object_ownership = "BucketOwnerPreferred"
}
}
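Review bot: Switching `object_ownership` from `BucketOwnerEnforced` to `BucketOwnerPreferred` re-enables ACL evaluation on the log bucket, which is exactly what `BucketOwnerEnforced` existed to turn off; the changelog entry in this commit says "disable acl", which reads as the opposite of what this line does. If the bucket policy this module already manages (`aws_s3_bucket_policy.logs`, not in this diff) grants `logging.s3.amazonaws.com` `s3:PutObject` on the bucket, ACL-based log delivery is unnecessary and `BucketOwnerEnforced` could stay. If ACLs really are required, record the reason on the line: `object_ownership = "BucketOwnerPreferred" # ACLs must stay enabled: S3 server access logging is granted via the log-delivery-write ACL`. Keep the `aws_s3_bucket_public_access_block` resource in place either way so the re-enabled ACL path cannot be used to add public grants.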
@@ -125,15 +125,15 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
}
resource "aws_s3_bucket_acl" "logs" {
- # count = 0
+ # count = 0
bucket = aws_s3_bucket.logs.id
- acl = "private"
+ acl = "log-delivery-write"
}
#---
# create "directories"
#---
-resource "aws_s3_bucket_object" "logs" {
+resource "aws_s3_object" "logs" {
for_each = toset(local.logs_folders)
bucket = aws_s3_bucket.logs.id
key = format("%v/", each.key)
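Review bot: `aws_s3_bucket_acl.logs` has no ordering dependency on `aws_s3_bucket_ownership_controls.this`, so on an existing bucket still set to `BucketOwnerEnforced` Terraform may apply the `log-delivery-write` ACL before ownership is switched and fail with AccessControlListNotSupported; add `depends_on = [aws_s3_bucket_ownership_controls.this]` to the resource. The grant itself gives the S3 Log Delivery group WRITE and READ_ACP on the bucket; AWS's current guidance is a bucket policy for the `logging.s3.amazonaws.com` service principal with `aws:SourceAccount` (and `aws:SourceArn`) conditions, which keeps ACLs disabled and scopes who may write logs — worth a comment here or a follow-up if the module's policy document can carry it. The stale `# count = 0` line survives only re-indented; drop it or say why the resource is meant to be switchable.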
diff --git a/s3-access-logs/variables.tf b/s3-access-logs/variables.tf
index 2589730..79f37f4 100644
--- a/s3-access-logs/variables.tf
+++ b/s3-access-logs/variables.tf
@@ -16,3 +16,9 @@ variable "component_tags" {
type = map(map(string))
default = { "s3" = {}, "kms" = {}, "ddb" = {} }
}
+
+variable "versioning_configuration" {
+ description = "S3 Versioning Configuration (Enabled, Disabled, Suspended). To disable, use Suspended if existing bucket and Disabled if new"
+ type = string
+ default = "Disabled"
+}
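Review bot: `versioning_configuration` is a free-form string with no `validation` block, so a typo such as "disabled" or "enabled" is only rejected at apply time by the provider rather than at plan. Add a validation restricting the value to the three states the description lists; the rewritten variable below shows only the added block.

```terraform
variable "versioning_configuration" {
  # … unchanged: description, type, default …
  validation {
    condition     = contains(["Enabled", "Disabled", "Suspended"], var.versioning_configuration)
    error_message = "versioning_configuration must be one of Enabled, Disabled or Suspended."
  }
}
```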