diff --git a/CHANGELOG.md b/CHANGELOG.md index 1f1322b..b6c2fab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -153,3 +153,7 @@ This works with the Terraform AWS provider 4.x, released 2022-02. * 3.3.4 -- 2022-10-06 - common - add bucket_policy_disabled to not apply a default policy if desired to do the policy differently + +* 3.3.5 -- 2022-11-09 + - common + - fix up bucket_owner when value is empty or null diff --git a/bin/upgrade-s3-provider-objects.sh b/bin/upgrade-s3-provider-objects.sh index 0748504..c84985d 100755 --- a/bin/upgrade-s3-provider-objects.sh +++ b/bin/upgrade-s3-provider-objects.sh @@ -1,6 +1,6 @@ #!/bin/bash -VERSION="1.0.0" +VERSION="1.1.0" THIS=$(basename $0 .sh) STATUS=0 MODULE=$1 
@@ -31,22 +31,32 @@ FILE=$(mktemp -t tfplan.XXXXX) echo "* getting tf-plan for $MODULE resource_name $RNAME to $FILE (logfile $LOGFILE)" $TFCOMMAND plan -no-color -target=$MODULE > $FILE -echo "* checking that a bucket exists in $MODULE" -EXISTS=$(grep -c ^$MODULE.aws_s3_bucket.$RNAME: $FILE) -if [ $EXISTS == 0 ] +if [ -z "$BUCKETID" ] then - echo "* no S3 bucket at module $MODULE aws_s3_bucket.$RNAME" - exit 1 + echo "* checking that a bucket exists in $MODULE" + EXISTS=$(grep -c ^$MODULE.aws_s3_bucket.$RNAME: $FILE) + if [ $EXISTS == 0 ] + then + echo "* no S3 bucket at module $MODULE aws_s3_bucket.$RNAME" + exit 1 + fi +else + echo "* not checking for bucket in module, using bucket ID $BUCKETID from environment" fi -echo "* getting bucket ID from $MODULE" -BUCKETID=$($TFCOMMAND state show -no-color $MODULE.aws_s3_bucket.$RNAME|grep -E 'id.* *='|awk '{print $1,$3}' |grep ^id|awk '{print $2}'|sed -e 's/"//g') -if [ -z $BUCKETID ] -then - echo "* cannot determine bucket id for $MODULE" - exit 1 +if [ -z "$BUCKETID" ] +then + echo "* getting bucket ID from $MODULE" + BUCKETID=$($TFCOMMAND state show -no-color $MODULE.aws_s3_bucket.$RNAME|grep -E 'id.* *='|awk '{print $1,$3}' |grep ^id|awk '{print $2}'|sed -e 's/"//g') + if [ -z $BUCKETID ] + then + echo "* cannot determine bucket id for $MODULE" + exit 1 + else + echo "* found bucket $BUCKETID" + fi else - echo "* found bucket $BUCKETID" + echo "* using bucket ID $BUCKETID from environment" fi COUNT=0 diff --git a/common/resources.tf b/common/resources.tf index 645304d..f36ba6c 100644 --- a/common/resources.tf +++ b/common/resources.tf 
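Review bot: The inner check `if [ -z $BUCKETID ]` in the second block is left unquoted while both new outer guards quote the variable; make it `if [ -z "$BUCKETID" ]` so a value containing whitespace cannot break the test. A BUCKETID supplied through the environment now skips the module-existence check entirely and flows into the rest of the script unvalidated, so a cheap shape check before the first guard would be worthwhile, e.g. `case "$BUCKETID" in *[!a-z0-9.-]*) echo "* invalid bucket ID: $BUCKETID" >&2; exit 1;; esac`. The two consecutive `if [ -z "$BUCKETID" ]` blocks test the same condition and each print a "from environment" message in their else arm; folding the existence check and the state lookup into a single if/else would remove the duplicated branch. The re-indented `grep -c ^$MODULE.aws_s3_bucket.$RNAME: $FILE` still interpolates unquoted variables into a regex where `.` matches any character and `[`/`]` from an indexed module address are special, so `grep -c "^$MODULE\.aws_s3_bucket\.$RNAME:" "$FILE"` is safer. Since BUCKETID is now an input, the top of the script (visible in the first hunk, which carries no usage comment) should document it as an optional override.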
@@ -11,6 +11,7 @@ locals { name = local.too_long || var.name_enforce_region_compact ? format("%v%v%v", local.b_name, local.b_account, local.b_region_short) : local.c_name bucket_name = format("%v%v", local._prefixes["s3"], local.name) bucket_policy_document = length(var.bucket_policy_document) > 0 ? var.bucket_policy_document : data.aws_iam_policy_document.empty.json + bucket_owner = var.bucket_owner == "" || var.bucket_owner == null ? "BucketOwnerPreferred" : var.bucket_owner # kms_key_arn = aws_kms_key.key.arn # kms_key_name = format("%s%s", local._prefixes["kms"], local.name) @@ -32,7 +33,7 @@ locals { condition_bucket_owner = { "test" : "StringEquals" "variable" : "s3:x-amz-acl" - "values" : var.bucket_owner == "BucketOwnerPreferred" ? "bucket-owner-full-control" : "" + "values" : local.bucket_owner == "BucketOwnerPreferred" ? "bucket-owner-full-control" : "" } s3_bucket_conditions_list = [local.condition_allowed_cidr, local.condition_allowed_endpoints] s3_bucket_conditions = [for x in local.s3_bucket_conditions_list : x if length(x.values) > 0] @@ -232,7 +233,7 @@ resource "aws_s3_bucket_ownership_controls" "this" { bucket = aws_s3_bucket.this.id rule { - object_ownership = var.bucket_owner + object_ownership = local.bucket_owner } } @@ -281,7 +282,7 @@ data "template_file" "policy" { # if bucket_owner == BucketOwnerEnforced, ACLs cannot be set to private, so do not use this #--- resource "aws_s3_bucket_acl" "this" { - count = var.bucket_owner == "BucketOwnerEnforced" ? 0 : 1 + count = local.bucket_owner == "BucketOwnerEnforced" ? 0 : 1 bucket = aws_s3_bucket.this.id acl = "private" } diff --git a/common/version.tf b/common/version.tf index 44417ff..3ef6674 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "3.3.4" + _module_version = "3.3.5" }
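Review bot: The new `bucket_owner` local normalises empty and null but still lets any other string through; `aws_s3_bucket_ownership_controls` only rejects an invalid value at apply time, and `condition_bucket_owner` in the next hunk silently collapses to `""` for anything other than `BucketOwnerPreferred`. Terraform's `coalesce` already treats null and `""` as absent, so `bucket_owner = coalesce(var.bucket_owner, "BucketOwnerPreferred")` expresses the same fallback in one call, and a `validation` block on `var.bucket_owner` (outside this hunk) restricting it to `BucketOwnerPreferred`, `BucketOwnerEnforced` and `ObjectWriter` would catch typos at plan time. The fallback is also a security choice that deserves a comment, since `BucketOwnerPreferred` keeps ACLs enabled whereas `BucketOwnerEnforced` disables them (and is what AWS recommends for new buckets), e.g. `# Empty/null falls back to BucketOwnerPreferred (ACLs stay enabled); use BucketOwnerEnforced to disable ACLs entirely`. The `locals` block continues outside the hunk.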
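Review bot: `aws_s3_bucket_acl.this` is skipped for `BucketOwnerEnforced` but in the remaining cases has no ordering relationship with `aws_s3_bucket_ownership_controls.this`, so Terraform may try to set the ACL before the ownership setting is in place; the provider's own example for this resource adds `depends_on = [aws_s3_bucket_ownership_controls.this]` to avoid that race. Adding that line inside the resource keeps the behaviour of this hunk unchanged while making the apply order deterministic. The header comment above the resource explains the `BucketOwnerEnforced` exclusion but not that the count also covers `ObjectWriter`; extending it with `# ObjectWriter and BucketOwnerPreferred still honour ACLs, so private is applied for both` would make the remaining branch explicit.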