- common

  - fix up bucket_owner when value is empty or null

CHANGELOG.md

@@ -153,3 +153,7 @@ This works with the Terraform AWS provider 4.x, released 2022-02.
 * 3.3.4 -- 2022-10-06
   - common
     - add bucket_policy_disabled to not apply a default policy if desired to do the policy differently
+
+* 3.3.5 -- 2022-11-09
+  - common
+    - fix up bucket_owner when value is empty or null

bin/upgrade-s3-provider-objects.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-VERSION="1.0.0"
+VERSION="1.1.0"
 THIS=$(basename $0 .sh)
 STATUS=0
 MODULE=$1
@@ -31,22 +31,32 @@ FILE=$(mktemp -t tfplan.XXXXX)
 echo "* getting tf-plan for $MODULE resource_name $RNAME to $FILE (logfile $LOGFILE)"
 $TFCOMMAND plan -no-color -target=$MODULE > $FILE
 
-echo "* checking that a bucket exists in $MODULE"
-EXISTS=$(grep -c ^$MODULE.aws_s3_bucket.$RNAME: $FILE)
-if [ $EXISTS == 0 ]
+if [ -z "$BUCKETID" ]
 then
-  echo "* no S3 bucket at module $MODULE aws_s3_bucket.$RNAME"
-  exit 1
+  echo "* checking that a bucket exists in $MODULE"
+  EXISTS=$(grep -c ^$MODULE.aws_s3_bucket.$RNAME: $FILE)
+  if [ $EXISTS == 0 ]
+  then
+    echo "* no S3 bucket at module $MODULE aws_s3_bucket.$RNAME"
+    exit 1
+  fi
+else
+  echo "* not checking for bucket in module, using bucket ID $BUCKETID from environment"
 fi
 
-echo "* getting bucket ID from $MODULE"
-BUCKETID=$($TFCOMMAND state show -no-color $MODULE.aws_s3_bucket.$RNAME|grep  -E 'id.* *='|awk '{print $1,$3}' |grep ^id|awk '{print $2}'|sed -e 's/"//g')
-if [ -z $BUCKETID ]
-then 
-  echo "* cannot determine bucket id for $MODULE"
-  exit 1
+if [ -z "$BUCKETID" ]
+then
+  echo "* getting bucket ID from $MODULE"
+  BUCKETID=$($TFCOMMAND state show -no-color $MODULE.aws_s3_bucket.$RNAME|grep  -E 'id.* *='|awk '{print $1,$3}' |grep ^id|awk '{print $2}'|sed -e 's/"//g')
+  if [ -z $BUCKETID ]
+  then 
+    echo "* cannot determine bucket id for $MODULE"
+    exit 1
+  else
+    echo "* found bucket $BUCKETID"
+  fi
 else
-  echo "* found bucket $BUCKETID"
+  echo "* using bucket ID $BUCKETID from environment"
 fi
 
 COUNT=0

common/resources.tf

@@ -11,6 +11,7 @@ locals {
   name                   = local.too_long || var.name_enforce_region_compact ? format("%v%v%v", local.b_name, local.b_account, local.b_region_short) : local.c_name
   bucket_name            = format("%v%v", local._prefixes["s3"], local.name)
   bucket_policy_document = length(var.bucket_policy_document) > 0 ? var.bucket_policy_document : data.aws_iam_policy_document.empty.json
+  bucket_owner           = var.bucket_owner == "" || var.bucket_owner == null ? "BucketOwnerPreferred" : var.bucket_owner
 
   #  kms_key_arn  = aws_kms_key.key.arn
   #  kms_key_name = format("%s%s", local._prefixes["kms"], local.name)
@@ -32,7 +33,7 @@ locals {
   condition_bucket_owner = {
     "test" : "StringEquals"
     "variable" : "s3:x-amz-acl"
-    "values" : var.bucket_owner == "BucketOwnerPreferred" ? "bucket-owner-full-control" : ""
+    "values" : local.bucket_owner == "BucketOwnerPreferred" ? "bucket-owner-full-control" : ""
   }
   s3_bucket_conditions_list = [local.condition_allowed_cidr, local.condition_allowed_endpoints]
   s3_bucket_conditions      = [for x in local.s3_bucket_conditions_list : x if length(x.values) > 0]
@@ -232,7 +233,7 @@ resource "aws_s3_bucket_ownership_controls" "this" {
   bucket = aws_s3_bucket.this.id
 
   rule {
-    object_ownership = var.bucket_owner
+    object_ownership = local.bucket_owner
   }
 }
 
@@ -281,7 +282,7 @@ data "template_file" "policy" {
 #  if bucket_owner == BucketOwnerEnforced, ACLs cannot be set to private, so do not use this
 #---
 resource "aws_s3_bucket_acl" "this" {
-  count  = var.bucket_owner == "BucketOwnerEnforced" ? 0 : 1
+  count  = local.bucket_owner == "BucketOwnerEnforced" ? 0 : 1
   bucket = aws_s3_bucket.this.id
   acl    = "private"
 }

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "3.3.4"
+  _module_version = "3.3.5"
 }