From e1ca878fa3010ec355ba0f46655afedf62d78d0e Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 4 Nov 2020 14:44:15 -0500 Subject: [PATCH 01/12] add config to split into submodules --- CHANGELOG.md | 12 ++++++++++++ outputs.tf => common/outputs.tf | 0 prefixes.tf => common/prefixes.tf | 0 main.tf => common/resources.tf | 23 ++++------------------- variables.tf => common/variables.tf | 0 version.tf => common/version.tf | 2 +- standard/main.tf | 18 ++++++++++++++++++ standard/outputs.tf | 1 + standard/prefixes.tf | 1 + standard/resources.tf | 1 + standard/variables.tf | 1 + standard/version.tf | 1 + title26/main.tf | 20 ++++++++++++++++++++ title26/outputs.tf | 1 + title26/prefixes.tf | 1 + title26/resources.tf | 1 + title26/variables.tf | 1 + title26/version.tf | 1 + 18 files changed, 65 insertions(+), 20 deletions(-) rename outputs.tf => common/outputs.tf (100%) rename prefixes.tf => common/prefixes.tf (100%) rename main.tf => common/resources.tf (94%) rename variables.tf => common/variables.tf (100%) rename version.tf => common/version.tf (81%) create mode 100644 standard/main.tf create mode 120000 standard/outputs.tf create mode 120000 standard/prefixes.tf create mode 120000 standard/resources.tf create mode 120000 standard/variables.tf create mode 120000 standard/version.tf create mode 100644 title26/main.tf create mode 120000 title26/outputs.tf create mode 120000 title26/prefixes.tf create mode 120000 title26/resources.tf create mode 120000 title26/variables.tf create mode 120000 title26/version.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index a927279..1f113dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -12,3 +12,15 @@ * v1.2 -- 20201104 - fix s3 bucket permission to not output statement with deny if no IP and VPCE provided + +* v2.0 -- 20201104 + - change to aws-s3 + - create submodules `standard` and `title26` + - standard + - no versioning + - no explicit boc:authority tag + - auto create encryption key if not provided already + - title26 + - versioning + - explicit boc:authority tag + - auto create encryption key diff --git a/outputs.tf b/common/outputs.tf similarity index 100% rename from outputs.tf rename to common/outputs.tf diff --git a/prefixes.tf b/common/prefixes.tf similarity index 100% rename from prefixes.tf rename to common/prefixes.tf diff --git a/main.tf b/common/resources.tf similarity index 94% rename from main.tf rename to common/resources.tf index 2e882fe..9939827 100644 --- a/main.tf +++ b/common/resources.tf @@ -1,18 +1,3 @@ -/* -* # About aws-t26-s3 -* -* # Usage -* -* ```hcl -* module "mybucket" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-t26-s3.git" -* -* bucket_name = "myt26bucket" -* } -* ``` -* -*/ - locals { name = var.bucket_name bucket_name = format("%s%s", local._prefixes["s3"], var.bucket_name) @@ -34,9 +19,9 @@ locals { s3_bucket_conditions_list = list(local.condition_allowed_cidr, local.condition_allowed_endpoints) s3_bucket_conditions = [for x in local.s3_bucket_conditions_list : x if length(x.values) > 0] - enforced_tags = { - "boc:safeguard" = "title26" - } + # enforced_tags = { + # "boc:safeguard" = "title26" + # } base_tags = { "boc:tf_module_version" = var._module_version "boc:created_by" = "terraform" @@ -61,7 +46,7 @@ resource "aws_s3_bucket" "this" { } versioning { - enabled = true + enabled = local.versioning } logging { diff --git a/variables.tf b/common/variables.tf similarity index 100% rename from variables.tf rename to common/variables.tf diff --git a/version.tf b/common/version.tf similarity index 81% rename from version.tf rename to common/version.tf index e900a45..c2d950a 100644 
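Review bot: The `enforced_tags` block in the second `common/resources.tf` hunk (`@@ -34,9 +19,9 @@`) is commented out rather than deleted, leaving dead code in a file that both submodules now share by symlink. Its replacement, like the new `local.versioning` reference in the third hunk, is defined only in `standard/main.tf` / `title26/main.tf`, so `common/` no longer validates on its own and nothing in this file says so; delete the three `# enforced_tags` lines and state the contract at the top, e.g. `# Shared via symlink: the including submodule must define local.enforced_tags and local.versioning`. A submodule that omits either local should fail at plan time with an undeclared-local error rather than ship an untagged or unversioned bucket, so the split itself is sound, but the requirement needs to be written down. Both the `locals` block and the `aws_s3_bucket` resource touched here extend outside the hunks.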
--- a/version.tf +++ b/common/version.tf @@ -1,5 +1,5 @@ variable "_module_version" { description = "Module version number" type = string - default = "1.2" + default = "2.0" } diff --git a/standard/main.tf b/standard/main.tf new file mode 100644 index 0000000..f460239 --- /dev/null +++ b/standard/main.tf @@ -0,0 +1,18 @@ +/* +* # About aws-s3 +* +* # Usage +* +* ```hcl +* module "mybucket" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-s3//standard" +* +* bucket_name = "mynormalbucket" +* } +* ``` +* +*/ +locals { + enforced_tags = {} + versioning = false +} diff --git a/standard/outputs.tf b/standard/outputs.tf new file mode 120000 index 0000000..93b0065 --- /dev/null +++ b/standard/outputs.tf @@ -0,0 +1 @@ +../common/outputs.tf \ No newline at end of file diff --git a/standard/prefixes.tf b/standard/prefixes.tf new file mode 120000 index 0000000..7e265d5 --- /dev/null +++ b/standard/prefixes.tf @@ -0,0 +1 @@ +../common/prefixes.tf \ No newline at end of file diff --git a/standard/resources.tf b/standard/resources.tf new file mode 120000 index 0000000..6dd8c84 --- /dev/null +++ b/standard/resources.tf @@ -0,0 +1 @@ +../common/resources.tf \ No newline at end of file diff --git a/standard/variables.tf b/standard/variables.tf new file mode 120000 index 0000000..72202b3 --- /dev/null +++ b/standard/variables.tf @@ -0,0 +1 @@ +../common/variables.tf \ No newline at end of file diff --git a/standard/version.tf b/standard/version.tf new file mode 120000 index 0000000..b83c5b7 --- /dev/null +++ b/standard/version.tf @@ -0,0 +1 @@ +../common/version.tf \ No newline at end of file diff --git a/title26/main.tf b/title26/main.tf new file mode 100644 index 0000000..c380fd7 --- /dev/null +++ b/title26/main.tf 
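Review bot: `standard/main.tf` defines `enforced_tags = {}` and `versioning = false` with no indication that these are inputs consumed by the symlinked `../common/resources.tf`, so a reader of this file alone cannot tell why the locals exist or that removing one breaks the shared bucket definition; add `# Required by ../common/resources.tf (symlinked here as resources.tf): enforced_tags, versioning` above the block, and the same in `title26/main.tf` in the next hunk. The usage example also omits `access_log_bucket`, which the README tables added in the following commit list as required with no default, so the snippet as written will not plan; add `access_log_bucket = "<log-bucket-id>"` to it. Since the submodules are built from symlinks (`mode 120000`), the README should also warn that the module must be fetched as a whole repository: a checkout without symlink support yields regular files whose content is the literal path `../common/resources.tf`.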
@@ -0,0 +1,20 @@ +/* +* # About aws-s3 +* +* # Usage +* +* ```hcl +* module "mybucket" { +* source = "git@github.e.it.census.gov:terraform-modules/aws-s3//title26" +* +* bucket_name = "myt26bucket" +* } +* ``` +* +*/ +locals { + enforced_tags = { + "boc:safeguard" = "title26" + } + versioning = true +} diff --git a/title26/outputs.tf b/title26/outputs.tf new file mode 120000 index 0000000..93b0065 --- /dev/null +++ b/title26/outputs.tf @@ -0,0 +1 @@ +../common/outputs.tf \ No newline at end of file diff --git a/title26/prefixes.tf b/title26/prefixes.tf new file mode 120000 index 0000000..7e265d5 --- /dev/null +++ b/title26/prefixes.tf @@ -0,0 +1 @@ +../common/prefixes.tf \ No newline at end of file diff --git a/title26/resources.tf b/title26/resources.tf new file mode 120000 index 0000000..6dd8c84 --- /dev/null +++ b/title26/resources.tf @@ -0,0 +1 @@ +../common/resources.tf \ No newline at end of file diff --git a/title26/variables.tf b/title26/variables.tf new file mode 120000 index 0000000..72202b3 --- /dev/null +++ b/title26/variables.tf @@ -0,0 +1 @@ +../common/variables.tf \ No newline at end of file diff --git a/title26/version.tf b/title26/version.tf new file mode 120000 index 0000000..b83c5b7 --- /dev/null +++ b/title26/version.tf @@ -0,0 +1 @@ +../common/version.tf \ No newline at end of file From 6b3512677a3faf7a8e1f978db18a37036a86f8b2 Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 4 Nov 2020 14:44:30 -0500 Subject: [PATCH 02/12] add README in each dir --- common/README.md | 34 ++++++++++++++++++++++++++++++++++ standard/README.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++ title26/README.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 126 insertions(+) create mode 100644 common/README.md create mode 100644 standard/README.md create mode 100644 title26/README.md diff --git a/common/README.md b/common/README.md new file mode 100644 index 0000000..cf6e832 --- /dev/null +++ b/common/README.md 
@@ -0,0 +1,34 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | +| null | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| \_module\_version | Module version number | `string` | `"2.0"` | no | +| access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | +| access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | +| allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | +| allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no | +| bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | +| bucket\_name | AWS Bucket Name | `string` | n/a | yes | +| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time | `bool` | `false` | no | +| kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no | +| tags | AWS Tags | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| kms\_key\_arn | Created KMS Key ARN | +| kms\_key\_id | Created KMS Key ID | +| s3\_bucket\_arn | Created S3 Bucket ARN | +| s3\_bucket\_id | Created S3 Bucket ID | diff --git a/standard/README.md b/standard/README.md new file mode 100644 index 0000000..3e23dd2 --- /dev/null +++ b/standard/README.md 
@@ -0,0 +1,46 @@ +# About aws-s3 + +# Usage + +```hcl +module "mybucket" { + source = "git@github.e.it.census.gov:terraform-modules/aws-s3//standard" + + bucket_name = "mynormalbucket" +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | +| null | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| \_module\_version | Module version number | `string` | `"2.0"` | no | +| access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | +| access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | +| allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | +| allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no | +| bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | +| bucket\_name | AWS Bucket Name | `string` | n/a | yes | +| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time | `bool` | `false` | no | +| kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no | +| tags | AWS Tags | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| kms\_key\_arn | Created KMS Key ARN | +| kms\_key\_id | Created KMS Key ID | +| s3\_bucket\_arn | Created S3 Bucket ARN | +| s3\_bucket\_id | Created S3 Bucket ID | diff --git a/title26/README.md b/title26/README.md new file mode 100644 index 0000000..c529a1d --- /dev/null +++ b/title26/README.md 
@@ -0,0 +1,46 @@ +# About aws-s3 + +# Usage + +```hcl +module "mybucket" { + source = "git@github.e.it.census.gov:terraform-modules/aws-s3//title26" + + bucket_name = "myt26bucket" +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | +| null | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| \_module\_version | Module version number | `string` | `"2.0"` | no | +| access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | +| access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | +| allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | +| allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no | +| bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | +| bucket\_name | AWS Bucket Name | `string` | n/a | yes | +| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time | `bool` | `false` | no | +| kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no | +| tags | AWS Tags | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| kms\_key\_arn | Created KMS Key ARN | +| kms\_key\_id | Created KMS Key ID | +| s3\_bucket\_arn | Created S3 Bucket ARN | +| s3\_bucket\_id | Created S3 Bucket ID | From b802737a4f61c1d7947993e5f6296a3b40c06955 Mon Sep 17 00:00:00 2001 From: badra001 Date: Wed, 4 Nov 2020 14:45:24 -0500 Subject: [PATCH 03/12] remove --- .pre-commit-config.yaml | 2 +- common/README.md | 34 ---------------------------------- 2 files changed, 1 insertion(+), 35 deletions(-) delete mode 100644 common/README.md 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 19b5625..85f5ae4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -6,7 +6,7 @@ repos: - id: terraform_fmt - id: terraform_docs_replace args: ['table'] - exclude: common/.* + exclude: common/*.tf exclude: version.tf - repo: https://github.com/pre-commit/pre-commit-hooks diff --git a/common/README.md b/common/README.md deleted file mode 100644 index cf6e832..0000000 --- a/common/README.md +++ /dev/null @@ -1,34 +0,0 @@ -## Requirements - -No requirements. - -## Providers - -| Name | Version | -|------|---------| -| aws | n/a | -| null | n/a | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| \_module\_version | Module version number | `string` | `"2.0"` | no | -| access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | -| access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | -| allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | -| allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no | -| bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | -| bucket\_name | AWS Bucket Name | `string` | n/a | yes | -| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time | `bool` | `false` | no | -| kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no | -| tags | AWS Tags | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| kms\_key\_arn | Created KMS Key ARN | -| kms\_key\_id | Created KMS Key ID | -| s3\_bucket\_arn | Created S3 Bucket ARN | -| s3\_bucket\_id | Created S3 Bucket ID | 
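Review bot: `exclude: common/*.tf` will not keep `terraform_docs_replace` out of `common/`, because pre-commit's `exclude` is a Python regular expression rather than a shell glob: `common/*.tf` matches `common.tf` or `common/.tf`, not `common/resources.tf`. If the unchanged `exclude: version.tf` on the next line belongs to the same hook mapping, it is also a duplicate key, and loaders that accept duplicates keep the last value, which discards the `common/` pattern altogether. Replace both lines with one anchored pattern, `exclude: '^(common/.*\.tf|.*version\.tf)$'`, so the shared files and the version file are excluded by a single key.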
From bf38d7b35781c8e65e3e0deec8fafb52aa86fe2c Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 17 Dec 2020 09:33:05 -0500
Subject: [PATCH 04/12] work out code for tags
---
 common/defaults.tf | 7 +++++++
 common/resources.tf | 13 +++++++++++++
 standard/README.md | 4 +++-
 standard/defaults.tf | 1 +
 standard/main.tf | 7 ++++---
 standard/safeguard_variables.tf | 14 ++++++++++++++
 title26/README.md | 5 ++++-
 title26/defaults.tf | 1 +
 title26/main.tf | 10 +++++-----
 title26/safeguard_variables.tf | 14 ++++++++++++++
 10 files changed, 66 insertions(+), 10 deletions(-)
 create mode 100644 common/defaults.tf
 create mode 120000 standard/defaults.tf
 create mode 100644 standard/safeguard_variables.tf
 create mode 120000 title26/defaults.tf
 create mode 100644 title26/safeguard_variables.tf
diff --git a/common/defaults.tf b/common/defaults.tf
new file mode 100644
index 0000000..c6f8029
--- /dev/null
+++ b/common/defaults.tf
@@ -0,0 +1,7 @@
+# local._defaults["data_safeguards"]
+
+locals {
+_defaults = {
+data_safeguards = ["title13", "title26", "title42", "pii", "title5"]
+}
+}
diff --git a/common/resources.tf b/common/resources.tf
index 9939827..a972918 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -26,6 +26,19 @@ locals {
 "boc:tf_module_version" = var._module_version
 "boc:created_by" = "terraform"
 }
+# strip spaces, convert to lowercase, make distinct, sort. Remove those not in the _defaults
+add_safeguard_tags = local.enable_title26 ? ["title26"] : []
+_default_safeguard_tags = { for d in local._defaults["data_safeguards"] : d => d }
+safeguard_tags = sort(compact(concat([for t in var.data_safeguards : lookup(local._default_safeguard_tags, lower(replace(t, " ", "")), "")], local.add_safeguard_tags)))
+add_tags = {
+safeguard = {
+"exists" = { "boc:safeguard" = join(",", local.safeguard_tags) }
+"not_exists" = {}
+}
+}
+enforced_tags = merge(
+local.add_tags["safeguard"][length(local.safeguard_tags) > 0 ? "exists" : "not_exists"]
+)
 }
 #---
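Review bot: `safeguard_tags` silently drops any `data_safeguards` entry that, after lower-casing and space removal, is not a key of `_default_safeguard_tags` — `lookup(..., "")` followed by `compact` — so a caller who writes `"title-26"` or `"FTI"` gets a bucket with no `boc:safeguard` tag and no error. A control that labels FTI/PII data should fail closed: reject unknown values at the input (a `validation` block on `data_safeguards` in each submodule's `safeguard_variables.tf`, if the project's Terraform version supports it) rather than sanitising them away here. The `add_tags` / `"exists"` / `"not_exists"` table wrapped in a one-argument `merge()` reduces to `enforced_tags = length(local.safeguard_tags) > 0 ? { "boc:safeguard" = join(",", local.safeguard_tags) } : {}`. The comment promises "make distinct" but nothing deduplicates, so `title26` in `var.data_safeguards` together with `enable_title26` yields `title26,title26`, and the stale `# enforced_tags` comment block earlier in this `locals` (outside the hunk) should go now that the name is defined here.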
diff --git a/standard/README.md b/standard/README.md index 3e23dd2..07d8dd1 100644 --- a/standard/README.md +++ b/standard/README.md @@ -4,7 +4,7 @@ ```hcl module "mybucket" { - source = "git@github.e.it.census.gov:terraform-modules/aws-s3//standard" + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard" bucket_name = "mynormalbucket" } @@ -32,6 +32,8 @@ No requirements. | allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no | | bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | | bucket\_name | AWS Bucket Name | `string` | n/a | yes | +| data\_safeguards | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no | +| enable\_title26 | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no | | force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time | `bool` | `false` | no | | kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no | | tags | AWS Tags | `map(string)` | `{}` | no | diff --git a/standard/defaults.tf b/standard/defaults.tf new file mode 120000 index 0000000..a5556ac --- /dev/null +++ b/standard/defaults.tf @@ -0,0 +1 @@ +../common/defaults.tf \ No newline at end of file diff --git a/standard/main.tf b/standard/main.tf index f460239..9139664 100644 --- a/standard/main.tf +++ b/standard/main.tf @@ -5,14 +5,15 @@ * * ```hcl * module "mybucket" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-s3//standard" +* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard" * * bucket_name = "mynormalbucket" * } * ``` * */ + locals { - enforced_tags = {} - versioning = false + enable_title26 = var.enable_title26 ? true : false + versioning = false } diff --git a/standard/safeguard_variables.tf b/standard/safeguard_variables.tf new file mode 100644 index 0000000..a934cfc --- /dev/null 
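Review bot: `enable_title26 = var.enable_title26 ? true : false` in `standard/main.tf` is just `enable_title26 = var.enable_title26`, since the variable is already typed `bool`. More importantly, in this submodule the flag only adds `title26` to `safeguard_tags` while `versioning` stays hard-coded `false`, so the description "Flag to enable bucket with Title 26 (FTI) settings" in `standard/safeguard_variables.tf` over-promises, and a caller may believe they have an FTI-configured bucket when all they have is a tag. Either tie the setting to the flag (`versioning = var.enable_title26`) or narrow the description to `"Add title26 to the boc:safeguard tag; does not change bucket settings"`.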
+++ b/standard/safeguard_variables.tf @@ -0,0 +1,14 @@ +/* +* Valid values include: title13, title26, title42, pii, title5 +*/ +variable "data_safeguards" { + description = "Selected available safeguards which apply to the data in the bucket" + type = list(string) + default = [] +} + +variable "enable_title26" { + description = "Flag to enable bucket with Title 26 (FTI) settings" + type = bool + default = false +} diff --git a/title26/README.md b/title26/README.md index c529a1d..fec3ac3 100644 --- a/title26/README.md +++ b/title26/README.md @@ -4,9 +4,10 @@ ```hcl module "mybucket" { - source = "git@github.e.it.census.gov:terraform-modules/aws-s3//title26" + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//title26" bucket_name = "myt26bucket" + # enable_title26 = true } ``` @@ -32,6 +33,8 @@ No requirements. | allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no | | bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | | bucket\_name | AWS Bucket Name | `string` | n/a | yes | +| data\_safeguards | Selected available safeguards which apply to the data in the bucket | `list(string)` |
[
"title26"
]
| no | +| enable\_title26 | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `true` | no | | force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time | `bool` | `false` | no | | kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no | | tags | AWS Tags | `map(string)` | `{}` | no | diff --git a/title26/defaults.tf b/title26/defaults.tf new file mode 120000 index 0000000..a5556ac --- /dev/null +++ b/title26/defaults.tf @@ -0,0 +1 @@ +../common/defaults.tf \ No newline at end of file diff --git a/title26/main.tf b/title26/main.tf index c380fd7..f2e9f25 100644 --- a/title26/main.tf +++ b/title26/main.tf @@ -5,16 +5,16 @@ * * ```hcl * module "mybucket" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-s3//title26" +* source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//title26" * * bucket_name = "myt26bucket" +* # enable_title26 = true * } * ``` * */ + locals { - enforced_tags = { - "boc:safeguard" = "title26" - } - versioning = true + enable_title26 = true + versioning = true } diff --git a/title26/safeguard_variables.tf b/title26/safeguard_variables.tf new file mode 100644 index 0000000..718b222 --- /dev/null +++ b/title26/safeguard_variables.tf @@ -0,0 +1,14 @@ +/* +* Valid values include: title13, title26, title42, pii, title5 +*/ +variable "data_safeguards" { + description = "Selected available safeguards which apply to the data in the bucket" + type = list(string) + default = ["title26"] +} + +variable "enable_title26" { + description = "Flag to enable bucket with Title 26 (FTI) settings" + type = bool + default = true +} From 4a51407dc603b48b43f10631ccc49ee3f25ab0e9 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 17 Dec 2020 10:15:31 -0500 Subject: [PATCH 05/12] add distinct --- common/resources.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/resources.tf b/common/resources.tf index a972918..8404a4c 100644 
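Review bot: `title26/main.tf` sets `enable_title26 = true` unconditionally while `title26/safeguard_variables.tf` in the same commit exposes an `enable_title26` input and the README example shows `# enable_title26 = true`; a caller passing `enable_title26 = false` gets no error and no effect. An input that is accepted and ignored is a trap for the next maintainer: either read it (`enable_title26 = var.enable_title26`) and decide what a Title 26 bucket without the flag means, or drop the variable from this submodule and keep the behaviour fixed. If it must stay for interface symmetry with `standard`, a `validation` block rejecting `false` (Terraform 0.13+) makes the constraint explicit. With `data_safeguards` defaulting to `["title26"]` and `add_safeguard_tags` also contributing `title26`, the tag value becomes `title26,title26` until the list is deduplicated.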
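Review bot: The comment `Valid values include: title13, title26, title42, pii, title5` in `title26/safeguard_variables.tf` (and the identical one in `standard/safeguard_variables.tf` earlier in this commit) states a constraint that nothing enforces, and it duplicates `local._defaults["data_safeguards"]`, so the two lists will drift. If the project is on Terraform 0.13 or later (the README says "No requirements", so `required_version` should be pinned either way), a `validation` block on `data_safeguards` turns an unknown or misspelled safeguard into a plan-time error instead of a silently untagged bucket. Validation conditions may reference only the variable itself, so the allowed list has to be repeated in the block; the same block belongs in both submodules.
```hcl
variable "data_safeguards" {
  description = "Selected available safeguards which apply to the data in the bucket"
  type        = list(string)
  default     = ["title26"]

  validation {
    condition = length([
      for t in var.data_safeguards : t
      if !contains(["title13", "title26", "title42", "pii", "title5"], lower(replace(t, " ", "")))
    ]) == 0
    error_message = "Each data_safeguards entry must be one of: title13, title26, title42, pii, title5."
  }
}

# … unchanged: variable "enable_title26" …
```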
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -29,7 +29,7 @@ locals {
 # strip spaces, convert to lowercase, make distinct, sort. Remove those not in the _defaults
 add_safeguard_tags = local.enable_title26 ? ["title26"] : []
 _default_safeguard_tags = { for d in local._defaults["data_safeguards"] : d => d }
-safeguard_tags = sort(compact(concat([for t in var.data_safeguards : lookup(local._default_safeguard_tags, lower(replace(t, " ", "")), "")], local.add_safeguard_tags)))
+safeguard_tags = sort(distinct(compact(concat([for t in var.data_safeguards : lookup(local._default_safeguard_tags, lower(replace(t, " ", "")), "")], local.add_safeguard_tags))))
 add_tags = {
 safeguard = {
 "exists" = { "boc:safeguard" = join(",", local.safeguard_tags) }
From bad7e1cc7be06f95a71090cfd6bc0eb49a6e3951 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 17 Dec 2020 10:22:43 -0500
Subject: [PATCH 06/12] update docs
---
 common/README.md | 34 ++++++++++++++++++++++++++++++++++
 standard/README.md | 11 ++++++++++-
 standard/main.tf | 10 +++++++++-
 title26/README.md | 15 ++++++++++++++-
 title26/main.tf | 14 +++++++++++++-
 5 files changed, 80 insertions(+), 4 deletions(-)
 create mode 100644 common/README.md
diff --git a/common/README.md b/common/README.md
new file mode 100644
index 0000000..cf6e832
--- /dev/null
+++ b/common/README.md
@@ -0,0 +1,34 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | +| null | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| \_module\_version | Module version number | `string` | `"2.0"` | no | +| access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | +| access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | +| allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | +| allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no | +| bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | +| bucket\_name | AWS Bucket Name | `string` | n/a | yes | +| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time | `bool` | `false` | no | +| kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no | +| tags | AWS Tags | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| kms\_key\_arn | Created KMS Key ARN | +| kms\_key\_id | Created KMS Key ID | +| s3\_bucket\_arn | Created S3 Bucket ARN | +| s3\_bucket\_id | Created S3 Bucket ID | diff --git a/standard/README.md b/standard/README.md index 07d8dd1..5db6431 100644 --- a/standard/README.md +++ b/standard/README.md @@ -1,4 +1,10 @@ -# About aws-s3 +# About aws-s3 :: standard + +This submodule allows you to create an S3 bucket using the standard prefixes and settings required for +non-FTI Data. This includes +- Server Access Logging + +Other configurations such as versioning or data safegurad tagging (only on the bucket/keys) are oiptional # Usage 
@@ -7,9 +13,12 @@ module "mybucket" { source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard" bucket_name = "mynormalbucket" + access_log_bucket = "mylogbucket" } ``` +This automaticaly creates an AWS KMS key used just for this bucket. + ## Requirements No requirements. diff --git a/standard/main.tf b/standard/main.tf index 9139664..b7ea135 100644 --- a/standard/main.tf +++ b/standard/main.tf @@ -1,5 +1,11 @@ /* -* # About aws-s3 +* # About aws-s3 :: standard +* +* This submodule allows you to create an S3 bucket using the standard prefixes and settings required for +* non-FTI Data. This includes +* - Server Access Logging +* +* Other configurations such as versioning or data safegurad tagging (only on the bucket/keys) are oiptional * * # Usage * @@ -8,9 +14,11 @@ * source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard" * * bucket_name = "mynormalbucket" +* access_log_bucket = "mylogbucket" * } * ``` * +* This automaticaly creates an AWS KMS key used just for this bucket. */ locals { diff --git a/title26/README.md b/title26/README.md index fec3ac3..97a700f 100644 --- a/title26/README.md +++ b/title26/README.md @@ -1,4 +1,10 @@ -# About aws-s3 +# About aws-s3 :: title26 + +This submodule allows you to create an S3 bucket using the standard prefixes and settings required for +FTI (Title26). This includes +- Versioning (though the requirements are unclear on this, this may be removed) +- Tag of boc:safeguade=title26 +- Server Access Logging # Usage 
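Review bot: The new header comment in `standard/main.tf` has typos that the `terraform_docs_replace` hook presumably copies into the generated README: `safegurad` → `safeguard`, `oiptional` → `optional`, `automaticaly` → `automatically`. The `title26/main.tf` hunk on the next line repeats `automaticaly` and adds `boc:safeguade=title26` → `boc:safeguard=title26` and `It does all you to add` → `It also allows you to add`. `This automaticaly creates an AWS KMS key used just for this bucket.` also tells only half the story — per the CHANGELOG the key is created only when `kms_key_id` is not supplied — so say `A dedicated AWS KMS key is created unless kms_key_id is provided.`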
@@ -7,10 +13,17 @@ module "mybucket" { source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//title26" bucket_name = "myt26bucket" + access_log_bucket = "mylogbucket" # enable_title26 = true } ``` +This automatically enables the enable\_title26 flag, giving you a tag of `boc:safeguard=title26`. +It does all you to add other safeguards as necessary (title13, pii, etc), and these are joined together +to make a comma separated list. + +This automaticaly creates an AWS KMS key used just for this bucket. + ## Requirements No requirements. diff --git a/title26/main.tf b/title26/main.tf index f2e9f25..aa2c325 100644 --- a/title26/main.tf +++ b/title26/main.tf @@ -1,5 +1,11 @@ /* -* # About aws-s3 +* # About aws-s3 :: title26 +* +* This submodule allows you to create an S3 bucket using the standard prefixes and settings required for +* FTI (Title26). This includes +* - Versioning (though the requirements are unclear on this, this may be removed) +* - Tag of boc:safeguade=title26 +* - Server Access Logging * * # Usage * @@ -8,10 +14,16 @@ * source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//title26" * * bucket_name = "myt26bucket" +* access_log_bucket = "mylogbucket" * # enable_title26 = true * } * ``` * +* This automatically enables the enable_title26 flag, giving you a tag of `boc:safeguard=title26`. +* It does all you to add other safeguards as necessary (title13, pii, etc), and these are joined together +* to make a comma separated list. +* +* This automaticaly creates an AWS KMS key used just for this bucket. */ locals { From 10368239b06e9b72e41e661407ce1b407f4bb2f9 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 17 Dec 2020 10:52:32 -0500 Subject: [PATCH 07/12] update main docs --- README.md | 52 ++++++++++++++++++---------------------------------- 1 file changed, 18 insertions(+), 34 deletions(-) diff --git a/README.md b/README.md index d4bac75..99b8194 100644 --- a/README.md +++ b/README.md 
@@ -1,46 +1,30 @@ -# About aws-t26-s3 +# About aws-s3 + +This module allows you to create an S3 bucket, either a standard bucket or a bucket used for FTI (Title26) +data. # Usage +* [Standard](standard) + ```hcl module "mybucket" { - source = "git@github.e.it.census.gov:terraform-modules/aws-t26-s3.git" + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard" - bucket_name = "myt26bucket" + bucket_name = "mynormalbucket" + access_log_bucket = "accesslogs" } ``` -## Requirements - -No requirements. - -## Providers - -| Name | Version | -|------|---------| -| aws | n/a | -| null | n/a | +* [Title 26](title26) -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| \_module\_version | Module version number | `string` | `"1.2"` | no | -| access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | -| access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | -| allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | -| allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no | -| bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | -| bucket\_name | AWS Bucket Name | `string` | n/a | yes | -| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. 
The deletion may take a very long time | `bool` | `false` | no | -| kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no | -| tags | AWS Tags | `map(string)` | `{}` | no | +```hcl +module "mybucket" { + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//title26" -## Outputs + bucket_name = "mytitle26bucket" + access_log_bucket = "accesslogs" +} +``` -| Name | Description | -|------|-------------| -| kms\_key\_arn | Created KMS Key ARN | -| kms\_key\_id | Created KMS Key ID | -| s3\_bucket\_arn | Created S3 Bucket ARN | -| s3\_bucket\_id | Created S3 Bucket ID | +See each section for additional information. From 184f8df9b573453c37e8860ed58fe886ba114d6a Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 17 Dec 2020 10:55:41 -0500 Subject: [PATCH 08/12] change module version to local --- common/README.md | 1 - common/resources.tf | 2 +- common/version.tf | 6 ++---- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/common/README.md b/common/README.md index cf6e832..f70625e 100644 --- a/common/README.md +++ b/common/README.md @@ -13,7 +13,6 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| \_module\_version | Module version number | `string` | `"2.0"` | no | | access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | | access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | | allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | diff --git a/common/resources.tf b/common/resources.tf index 8404a4c..941cea3 100644 --- a/common/resources.tf +++ b/common/resources.tf 
@@ -23,7 +23,7 @@ locals { # "boc:safeguard" = "title26" # } base_tags = { - "boc:tf_module_version" = var._module_version + "boc:tf_module_version" = local._module_version "boc:created_by" = "terraform" } # strip spaces, convert to lowercase, make distinct, sort. Remove those not in the _defaults diff --git a/common/version.tf b/common/version.tf index c2d950a..d09b354 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,5 +1,3 @@ -variable "_module_version" { - description = "Module version number" - type = string - default = "2.0" +locals { + _module_version = "2.0" } From 7bca75c7a4ec2be64b8b06df220943a2f1e78aec Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 17 Dec 2020 10:56:56 -0500 Subject: [PATCH 09/12] update docs --- standard/README.md | 1 - title26/README.md | 1 - 2 files changed, 2 deletions(-) diff --git a/standard/README.md b/standard/README.md index 5db6431..bc81091 100644 --- a/standard/README.md +++ b/standard/README.md @@ -34,7 +34,6 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| \_module\_version | Module version number | `string` | `"2.0"` | no | | access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | | access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | | allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | diff --git a/title26/README.md b/title26/README.md index 97a700f..3c42447 100644 --- a/title26/README.md +++ b/title26/README.md 
@@ -39,7 +39,6 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| \_module\_version | Module version number | `string` | `"2.0"` | no | | access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | | access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | | allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | From 40b90ffe6c00027aa5a5d43d2893e18a23ebeff4 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 17 Dec 2020 11:26:51 -0500 Subject: [PATCH 10/12] update descriptions, add metadata tags --- common/README.md | 15 ++++++++------- common/resources.tf | 16 +++++++++++----- common/variables.tf | 20 +++++++++++++------- 3 files changed, 32 insertions(+), 19 deletions(-) diff --git a/common/README.md b/common/README.md index f70625e..840487e 100644 --- a/common/README.md +++ b/common/README.md 
@@ -15,13 +15,14 @@ No requirements. |------|-------------|------|---------|:--------:| | access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | | access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | -| allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | -| allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no | -| bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | -| bucket\_name | AWS Bucket Name | `string` | n/a | yes | -| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time | `bool` | `false` | no | -| kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no | -| tags | AWS Tags | `map(string)` | `{}` | no | +| allowed\_cidr | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no | +| allowed\_endpoints | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no | +| bucket\_folders | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no | +| bucket\_name | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | +| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | +| kms\_key\_id | AWS KMS Key ID (one per bucket). 
This is currently ignored. | `string` | `""` | no | +| metadata\_tags | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | +| tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | ## Outputs diff --git a/common/resources.tf b/common/resources.tf index 941cea3..613aa98 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -39,6 +39,10 @@ locals { enforced_tags = merge( local.add_tags["safeguard"][length(local.safeguard_tags) > 0 ? "exists" : "not_exists"] ) + metadata_tags = merge( + var.metadata_tags, + { for k, v in local.enforced_tags : format("x-amzn-meta-%v", replace(k, "\\W", "_")) => v } + ) } #--- @@ -178,21 +182,23 @@ resource "null_resource" "policy_delay" { } resource "aws_s3_bucket_object" "this_objects" { - bucket = aws_s3_bucket.this.id - count = length(var.bucket_folders) - key = format("%s/", element(var.bucket_folders, count.index)) - source = "/dev/null" + for_each = toset(var.bucket_folders) + bucket = aws_s3_bucket.this.id + key = format("%s/", each.key) + source = "/dev/null" + metadata = local.metadata_tags depends_on = [null_resource.policy_delay] } #--- # create a key and alias if not specified +# right now, this can't use an external key, it has to create one per bucket #--- resource "aws_kms_key" "key" { description = "KMS CMK for S3 bucket ${local.name}" enable_key_rotation = true - #policy = data.aws_iam_policy_document.key.json + # policy = data.aws_iam_policy_document.key.json tags = merge( local.base_tags, diff --git a/common/variables.tf b/common/variables.tf index 2dbfe44..687d447 100644 --- a/common/variables.tf +++ b/common/variables.tf 
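Review bot: The new `metadata_tags` local prefixes the enforced safeguard keys with `x-amzn-meta-` while merging the `var.metadata_tags` entries with no prefix at all, so the map handed to `aws_s3_bucket_object.metadata` in the next hunk is half prefixed and half bare. As far as I recall the provider documentation, the `metadata` argument expects bare keys and prepends the actual S3 user-metadata prefix `x-amz-meta-` itself (note the spelling, `amz` rather than `amzn`), which would put the enforced keys on the objects as `x-amz-meta-x-amzn-meta-boc_safeguard`; please confirm against the provider version this module pins. Unless the double prefix is intended, keep only the sanitised key, `{ for k, v in local.enforced_tags : lower(replace(k, "/\\W/", "_")) => v }`, using the regex form the final "fix regex" hunk of this series settles on and lowercasing because the SDK accepts only lowercase metadata keys. The same line is touched again by the last hunk on this page, which fixes the regex but leaves the prefix in place; the `locals` block starts before this hunk.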
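Review bot: Switching `aws_s3_bucket_object.this_objects` from `count` to `for_each` changes every instance address from `this_objects[0]` to `this_objects["<folder>"]`, so an existing deployment will plan to destroy and recreate each folder marker rather than update it in place; these are zero-byte keys so the impact is small, but it belongs in CHANGELOG.md together with `terraform state mv` guidance for anyone upgrading. Separately, `# policy = data.aws_iam_policy_document.key.json` stays commented out under the new "it has to create one per bucket" note, which as I understand it leaves the CMK on AWS's default key policy (account root has full access and every other grant is decided purely by IAM); for a key protecting a title26 bucket I would expect either an explicit key policy or a comment stating that relying on the default policy is deliberate, e.g. `# NOTE: no key policy is set, so the AWS default key policy applies; access is governed by IAM only`. The `aws_kms_key` resource continues past the end of this hunk.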
@@ -1,22 +1,28 @@ variable "bucket_name" { - description = "AWS Bucket Name" + description = "AWS Bucket Name. Standard prefix will be applied here, do not include here." type = string } variable "bucket_folders" { - description = "List of folders (keys) to create after creation of bucket" + description = "List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata_tags and data_safeguard labels." type = list(string) default = [] } variable "kms_key_id" { - description = "AWS KMS Key ID (one per bucket)" + description = "AWS KMS Key ID (one per bucket). This is currently ignored." type = string default = "" } variable "tags" { - description = "AWS Tags" + description = "AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data_safeguard field for such things." + type = map(string) + default = {} +} + +variable "metadata_tags" { + description = "AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data_safeguard labels are applied, they will be incorporated on any bucket objects created." type = map(string) default = {} } 
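Review bot: The new `kms_key_id` description says the value is "currently ignored", but a caller who supplies a key expecting their own CMK (chosen for its key policy or rotation settings) gets no error and silently ends up encrypting with a module-created key instead. Until the input is honoured, a `validation` block on the variable with `condition = var.kms_key_id == ""` and an `error_message` saying the input is not supported yet fails fast at plan time (Terraform 0.13+; check the constraint in common/version.tf). Also, the `bucket_folders` and `tags` descriptions point readers at a `data_safeguard` field, while the README tables later in this series list the input as `data_safeguards` and define it in the `standard`/`title26` wrappers rather than in this file; using the actual name in these descriptions would avoid a search.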
@@ -34,19 +40,19 @@ variable "access_log_bucket" { } variable "allowed_cidr" { - description = "List of allowed source IPs (NOT from within the VPC)" + description = "List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed_endpoints for access within a VPC." type = list(string) default = [] } variable "allowed_endpoints" { - description = "List of allowed VPC endpoint IDs" + description = "List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints." type = list(string) default = [] } variable "force_destroy" { - description = "Sets force_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time" + description = "Sets force_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource." type = bool default = false } From 23336e26f9fd3bd21121f41288bfa12d3c2aad4c Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 17 Dec 2020 11:28:16 -0500 Subject: [PATCH 11/12] update descriptions, add metadata tags --- standard/README.md | 15 ++++++++------- title26/README.md | 15 ++++++++------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/standard/README.md b/standard/README.md index bc81091..4e6e1af 100644 --- a/standard/README.md +++ b/standard/README.md 
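Review bot: The `allowed_cidr` description now states that an empty list disables the source-IP restriction, but the input remains an unvalidated `list(string)` even though its entries feed straight into a bucket-policy condition; a bare IP without a prefix length or a typo is, as far as I know, only rejected by AWS when the policy is applied. If the pinned Terraform version provides `alltrue` (0.14+), a `validation` block with `condition = alltrue([for c in var.allowed_cidr : can(cidrhost(c, 0))])` and a matching `error_message` catches that at plan time. The same applies to `allowed_endpoints`, where a `vpce-` prefix check would do.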
@@ -36,15 +36,16 @@ No requirements. |------|-------------|------|---------|:--------:| | access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | | access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | -| allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | -| allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no | -| bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | -| bucket\_name | AWS Bucket Name | `string` | n/a | yes | +| allowed\_cidr | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no | +| allowed\_endpoints | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no | +| bucket\_folders | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no | +| bucket\_name | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | | data\_safeguards | Selected available safeguards which apply to the data in the bucket | `list(string)` | `[]` | no | | enable\_title26 | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `false` | no | -| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time | `bool` | `false` | no | -| kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no | -| tags | AWS Tags | `map(string)` | `{}` | no | +| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. 
The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | +| kms\_key\_id | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no | +| metadata\_tags | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | +| tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | ## Outputs diff --git a/title26/README.md b/title26/README.md index 3c42447..208a498 100644 --- a/title26/README.md +++ b/title26/README.md 
@@ -41,15 +41,16 @@ No requirements. |------|-------------|------|---------|:--------:| | access\_log\_bucket | Server Access Logging Bucket ID | `string` | n/a | yes | | access\_log\_bucket\_prefix | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | -| allowed\_cidr | List of allowed source IPs (NOT from within the VPC) | `list(string)` | `[]` | no | -| allowed\_endpoints | List of allowed VPC endpoint IDs | `list(string)` | `[]` | no | -| bucket\_folders | List of folders (keys) to create after creation of bucket | `list(string)` | `[]` | no | -| bucket\_name | AWS Bucket Name | `string` | n/a | yes | +| allowed\_cidr | List of allowed source IPs (NOT from within the VPC). If empty, there will be no restrictions on source IP. If provided, you must also use allowed\_endpoints for access within a VPC. | `list(string)` | `[]` | no | +| allowed\_endpoints | List of allowed VPC endpoint IDs. If used, it will enable access to the bucket from the specific VPC endpoints. | `list(string)` | `[]` | no | +| bucket\_folders | List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata\_tags and data\_safeguard labels. | `list(string)` | `[]` | no | +| bucket\_name | AWS Bucket Name. Standard prefix will be applied here, do not include here. | `string` | n/a | yes | | data\_safeguards | Selected available safeguards which apply to the data in the bucket | `list(string)` |
[
"title26"
]
| no | | enable\_title26 | Flag to enable bucket with Title 26 (FTI) settings | `bool` | `true` | no | -| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time | `bool` | `false` | no | -| kms\_key\_id | AWS KMS Key ID (one per bucket) | `string` | `""` | no | -| tags | AWS Tags | `map(string)` | `{}` | no | +| force\_destroy | Sets force\_destroy to allow the bucket and contents to be deleted. The deletion may take a very long time based on the number of objects. You normally want to update this to true, apply, and then destroy the resource. | `bool` | `false` | no | +| kms\_key\_id | AWS KMS Key ID (one per bucket). This is currently ignored. | `string` | `""` | no | +| metadata\_tags | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | +| tags | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | ## Outputs From 97facb5039bb65427bdce325cdc6cfd365f2dbc7 Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 17 Dec 2020 11:49:30 -0500 Subject: [PATCH 12/12] fix regex --- common/resources.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/resources.tf b/common/resources.tf index 613aa98..c8babaa 100644 --- a/common/resources.tf +++ b/common/resources.tf @@ -41,7 +41,7 @@ locals { ) metadata_tags = merge( var.metadata_tags, - { for k, v in local.enforced_tags : format("x-amzn-meta-%v", replace(k, "\\W", "_")) => v } + { for k, v in local.enforced_tags : format("x-amzn-meta-%v", replace(k, "/\\W/", "_")) => v } ) }