From d3169bcda5715aaf74d864c15aed70fe59867d9f Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 24 Feb 2022 16:08:06 -0500 Subject: [PATCH 1/4] - add variables for controlling region, account, and compacting region if name > 63 - name_include_region - name_include_account - name_include_region_compact --- CHANGELOG.md | 6 +++++- common/resources.tf | 19 +++++++++++++++++-- common/variables.s3.tf | 18 ++++++++++++++++++ common/version.tf | 2 +- 4 files changed, 41 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7917b04..ad2f24e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -56,4 +56,8 @@ Provides standard and t26 S3 bucket construction. - pin aws provider to < 4.0 - add bucket_key_enabled (for S3 bucket keys; https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html) - +* 2.4.2 -- 2022-02-24 + - add variables for controlling region, account, and compacting region if name > 63 + - name_include_region + - name_include_account + - name_include_region_compact diff --git a/common/resources.tf b/common/resources.tf index 07963aa..47aa9b7 100644 --- a/common/resources.tf +++ b/common/resources.tf 
@@ -1,7 +1,15 @@
 locals {
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
 base_name = var.bucket_name
- name = replace(var.bucket_name, local._prefixes["s3"], "")
- bucket_name = format("%s%s", local._prefixes["s3"], local.name)
+ b_name = replace(var.bucket_name, local._prefixes["s3"], "")
+ b_account = var.name_include_account ? format("-%v", local.account_id) : ""
+ b_region = var.name_include_region ? format("-%v", local.region) : ""
+ b_region_short = format("-%v", local.region_short)
+ c_name = format("%v%v%v", local.b_name, local.b_account, local.b_region)
+ b_bucket_name = format("%v%v", local._prefixes["s3"], local.c_name)
+ too_long = length(local.b_bucket_name) > 63 && var.name_include_region_compcat ? true : false
+ name = local.too_long ? format("%v%v%v", local.b_name, local.b_account, local.b_region_short) : local.c_name
+ bucket_name = format("%v%v", local._prefixes["s3"], local.name)
 bucket_policy_document = length(var.bucket_policy_document) > 0 ? var.bucket_policy_document : data.aws_iam_policy_document.empty.json
 # kms_key_arn = aws_kms_key.key.arn
@@ -215,3 +223,10 @@ resource "aws_s3_bucket_ownership_controls" "this" {
 object_ownership = var.bucket_owner
 }
 }
+
+resource "null_resource" "name_too_long" {
+ count = local.too_long ? 1 : 0
+ provisioner "local-exec" {
+ command = "echo 'The resultant name ${local.b_bucket_name} > 63, shortening to ${local.bucket_name}'"
+ }
+}
diff --git a/common/variables.s3.tf b/common/variables.s3.tf
index b8bb04b..2c7901a 100644
--- a/common/variables.s3.tf
+++ b/common/variables.s3.tf
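Review bot: `too_long` on the new side wraps an expression that is already a bool in `? true : false`; the shorter `too_long = length(local.b_bucket_name) > 63 && var.name_include_region_compact` reads more directly (the misspelt variable name is corrected in the third patch of this series, so I do not repeat that here). The length guard inspects only `local.b_bucket_name`, so the compacted `local.bucket_name` is never checked against the 63-character limit before it is used; a second length check on it, or at least a comment such as `# compacted name is not re-checked; S3 rejects names longer than 63 chars at apply time`, would make that limitation visible in the code rather than only in the README. The `locals` block continues past this hunk, and `local.region` and `local.account_id`, which the new lines read, are defined outside it.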
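Review bot: The `command` string in `null_resource.name_too_long` interpolates `local.b_bucket_name` and `local.bucket_name`, both derived from the caller-supplied `var.bucket_name`, into a single-quoted shell command, so the value is handed to the host's default shell during apply and a quote character in it would terminate the quoting instead of being echoed. Since the resource exists only to print a message, no shell is needed: exposing the compacted name through an `output` gives the reader the same information without executing anything, and a `validation` block on `var.bucket_name` with `condition = can(regex("^[a-z0-9.-]+$", var.bucket_name))` would reject anything outside the characters S3 accepts in any case. The provisioner also runs only when the resource is created, so the message appears on the apply where `local.too_long` first becomes true and not on later applies, which makes it easy to miss. The `object_ownership` context lines belong to a resource that starts outside this hunk.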
@@ -72,3 +72,21 @@ variable "bucket_key_enabled" {
 type = bool
 default = false
 }
+
+variable "name_include_region" {
+ description = "Flag to determine if we include the full region name in the resulting bucket name"
+ type = bool
+ default = false
+}
+
+variable "name_include_account" {
+ description = "Flag to determine if we include the AWS Account id in the resulting bucket name"
+ type = bool
+ default = false
+}
+
+variable "name_include_region_compact" {
+ description = "Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters"
+ type = bool
+ default = true
+}
diff --git a/common/version.tf b/common/version.tf
index 58b0c87..930d737 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.3.1"
+ _module_version = "2.4.2"
 }
From c018e729291fdc341db7c8be782a9fe08d8b2268 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 24 Feb 2022 16:08:48 -0500
Subject: [PATCH 2/4] update readme
---
 standard/README.md | 4 ++++
 title26/README.md | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/standard/README.md b/standard/README.md
index 64a87cb..46d341e 100644
--- a/standard/README.md
+++ b/standard/README.md
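Review bot: The description of `name_include_account` should say that the account ID becomes part of the bucket name, which lives in a globally unique namespace anyone can query, so enabling the flag discloses the account ID outside the account; for example `description = "Include the AWS account id in the bucket name. Bucket names are globally visible, so this exposes the account id."`. The `name_include_region_compact` description has a typo, `if we the rewrite`; the same wording is carried into the fourth patch of this series, where the new `name_enforce_region_compact` description also reads `lenth`. `name_include_region_compact` defaults to true but does nothing unless `name_include_region` is also set, which the fourth patch documents but the variable definitions never enforce.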
@@ -117,6 +117,7 @@ No modules. | [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [null_resource.name_too_long](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 
@@ -149,6 +150,9 @@ No modules. | [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no | | [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no | | [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | +| [name\_include\_account](#input\_name\_include\_account) | Flag to determine if we include the AWS Account id in the resulting bucket name | `bool` | `false` | no | +| [name\_include\_region](#input\_name\_include\_region) | Flag to determine if we include the full region name in the resulting bucket name | `bool` | `false` | no | +| [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters | `bool` | `true` | no | | [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | diff --git a/title26/README.md b/title26/README.md index a5c8024..2568987 100644 --- a/title26/README.md +++ b/title26/README.md 
@@ -114,6 +114,7 @@ No modules. | [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [null_resource.name_too_long](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 
@@ -146,6 +147,9 @@ No modules. | [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no | | [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no | | [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | +| [name\_include\_account](#input\_name\_include\_account) | Flag to determine if we include the AWS Account id in the resulting bucket name | `bool` | `false` | no | +| [name\_include\_region](#input\_name\_include\_region) | Flag to determine if we include the full region name in the resulting bucket name | `bool` | `false` | no | +| [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters | `bool` | `true` | no | | [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | From d53e1be60c298a56dec8b223fea6054ecf5b55bb Mon Sep 17 00:00:00 2001 From: badra001 Date: Thu, 24 Feb 2022 16:19:43 -0500 Subject: [PATCH 3/4] fix --- common/resources.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/resources.tf b/common/resources.tf index 47aa9b7..731ddea 100644 --- a/common/resources.tf +++ b/common/resources.tf 
@@ -7,7 +7,7 @@ locals {
 b_region_short = format("-%v", local.region_short)
 c_name = format("%v%v%v", local.b_name, local.b_account, local.b_region)
 b_bucket_name = format("%v%v", local._prefixes["s3"], local.c_name)
- too_long = length(local.b_bucket_name) > 63 && var.name_include_region_compcat ? true : false
+ too_long = length(local.b_bucket_name) > 63 && var.name_include_region_compact ? true : false
 name = local.too_long ? format("%v%v%v", local.b_name, local.b_account, local.b_region_short) : local.c_name
 bucket_name = format("%v%v", local._prefixes["s3"], local.name)
 bucket_policy_document = length(var.bucket_policy_document) > 0 ? var.bucket_policy_document : data.aws_iam_policy_document.empty.json
From 20b95753d547fb6d0ab74eb79e1d8a16095d1301 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 24 Feb 2022 16:37:13 -0500
Subject: [PATCH 4/4] add too long check if include region
---
 CHANGELOG.md | 1 +
 common/resources.tf | 4 ++--
 common/variables.s3.tf | 8 +++++++-
 standard/README.md | 26 +++++++++++++++++++++++++-
 standard/main.tf | 24 ++++++++++++++++++++++++
 title26/README.md | 26 +++++++++++++++++++++++++-
 title26/main.tf | 23 +++++++++++++++++++++++
 7 files changed, 107 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ad2f24e..c403655 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -61,3 +61,4 @@ Provides standard and t26 S3 bucket construction.
 - name_include_region
 - name_include_account
 - name_include_region_compact
+ - name_enforce_region_compact
diff --git a/common/resources.tf b/common/resources.tf
index 731ddea..e13ce93 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -7,8 +7,8 @@ locals {
 b_region_short = format("-%v", local.region_short)
 c_name = format("%v%v%v", local.b_name, local.b_account, local.b_region)
 b_bucket_name = format("%v%v", local._prefixes["s3"], local.c_name)
- too_long = length(local.b_bucket_name) > 63 && var.name_include_region_compact ? true : false
- name = local.too_long ? format("%v%v%v", local.b_name, local.b_account, local.b_region_short) : local.c_name
+ too_long = length(local.b_bucket_name) > 63 && var.name_include_region && var.name_include_region_compact ? true : false
+ name = local.too_long || var.name_enforce_region_compact ? format("%v%v%v", local.b_name, local.b_account, local.b_region_short) : local.c_name
 bucket_name = format("%v%v", local._prefixes["s3"], local.name)
 bucket_policy_document = length(var.bucket_policy_document) > 0 ? var.bucket_policy_document : data.aws_iam_policy_document.empty.json
diff --git a/common/variables.s3.tf b/common/variables.s3.tf
index 2c7901a..6e243ad 100644
--- a/common/variables.s3.tf
+++ b/common/variables.s3.tf
@@ -86,7 +86,13 @@ variable "name_include_account" {
 }
 
 variable "name_include_region_compact" {
- description = "Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters"
+ description = "Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters. Only usable with name_include_region."
 type = bool
 default = true
 }
+
+variable "name_enforce_region_compact" {
+ description = "Flag to determine if we the rewrite the full region name to a shorter region name no matter the lenth of the string. Only usable with name_include_region."
+ type = bool
+ default = false
+}
diff --git a/standard/README.md b/standard/README.md
index 46d341e..d9df85e 100644
--- a/standard/README.md
+++ b/standard/README.md
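Review bot: `name_enforce_region_compact` bypasses the `var.name_include_region` guard that the new `too_long` line gains: when it is true and `name_include_region` is false, `name` is built from `local.b_region_short`, which is unconditionally `-<short region>`, so a region suffix is appended to a name that was never meant to carry one, contradicting the variable's own "Only usable with name_include_region" description. Gating the short form on the same flag fixes both the `too_long` and the enforce path at once: `b_region_short = var.name_include_region ? format("-%v", local.region_short) : ""`. The `? true : false` on `too_long` is redundant, since the `&&` chain already yields a bool. The `locals` block starts and ends outside this hunk.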
@@ -19,6 +19,10 @@ module "my-bucket" { ## optional # kms_policy_document = data.aws_iam_policy_document.my-policy.json # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json + # name_include_account = true + # name_include_region = true + # name_include_region_compact = true + # name_enforce_region_compact = false } output "my-bucket-info" { @@ -91,6 +95,25 @@ This will be merged with the default bucket policy which requires TLS and, via o optionally requires explicit encryption (`require_explicit_encryption` flag, default false) and address restrictions (lists `allowed_cidr` and `allowed_endpoints`). +# Options +## Options :: name\_include\_account +Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default +is false. + +## Options :: name\_include\_region +Use of this flag as true will include current region after the bucket name (name-REGION). Default +is false. If used in conjunction with `name_include_account`, the region will be at the end. + +## Options :: name\_include\_region\_compact +This flag determines if we compact the region to a shorter name, and use it if the name with the full +region is longer than the maximum of 63 characters. It takes the first character of the full region +name and uses that. For example, `us-gov-west-1` becomes `ugw1`. The default value is true. +It is still possible to construct a name that is longer than 63 characters and get a failure, even with +this shorter region value. + +## Options :: name\_enforce\_region\_compact +This flag always compacts the region, no mater whehter the name is longer than 63 characters or not. + ## Requirements No requirements. 
@@ -150,9 +173,10 @@ No modules. | [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no | | [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no | | [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | +| [name\_enforce\_region\_compact](#input\_name\_enforce\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name no matter the lenth of the string. Only usable with name\_include\_region. | `bool` | `false` | no | | [name\_include\_account](#input\_name\_include\_account) | Flag to determine if we include the AWS Account id in the resulting bucket name | `bool` | `false` | no | | [name\_include\_region](#input\_name\_include\_region) | Flag to determine if we include the full region name in the resulting bucket name | `bool` | `false` | no | -| [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters | `bool` | `true` | no | +| [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters. Only usable with name\_include\_region. | `bool` | `true` | no | | [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). 
Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | diff --git a/standard/main.tf b/standard/main.tf index 2de9d6c..aa99d04 100644 --- a/standard/main.tf +++ b/standard/main.tf @@ -20,6 +20,10 @@ * ## optional * # kms_policy_document = data.aws_iam_policy_document.my-policy.json * # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json +* # name_include_account = true +* # name_include_region = true +* # name_include_region_compact = true +* # name_enforce_region_compact = false * } * * output "my-bucket-info" { @@ -91,6 +95,26 @@ * This will be merged with the default bucket policy which requires TLS and, via other settings, * optionally requires explicit encryption (`require_explicit_encryption` flag, default false) * and address restrictions (lists `allowed_cidr` and `allowed_endpoints`). +* +* # Options +* ## Options :: name_include_account +* Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default +* is false. +* +* ## Options :: name_include_region +* Use of this flag as true will include current region after the bucket name (name-REGION). Default +* is false. If used in conjunction with `name_include_account`, the region will be at the end. +* +* ## Options :: name_include_region_compact +* This flag determines if we compact the region to a shorter name, and use it if the name with the full +* region is longer than the maximum of 63 characters. It takes the first character of the full region +* name and uses that. For example, `us-gov-west-1` becomes `ugw1`. The default value is true. +* It is still possible to construct a name that is longer than 63 characters and get a failure, even with +* this shorter region value. +* +* ## Options :: name_enforce_region_compact +* This flag always compacts the region, no mater whehter the name is longer than 63 characters or not. +* */ locals { 
diff --git a/title26/README.md b/title26/README.md index 2568987..b14b132 100644 --- a/title26/README.md +++ b/title26/README.md @@ -20,6 +20,10 @@ module "mybucket" { ## optional # kms_policy_document = data.aws_iam_policy_document.mypolicy.json # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json + # name_include_account = true + # name_include_region = true + # name_include_region_compact = true + # name_enforce_region_compact = false } ``` @@ -88,6 +92,25 @@ This will be merged with the default bucket policy which requires TLS and, via o optionally requires explicit encryption (`require_explicit_encryption` flag, default false) and address restrictions (lists `allowed_cidr` and `allowed_endpoints`). +# Options +## Options :: name\_include\_account +Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default +is false. + +## Options :: name\_include\_region +Use of this flag as true will include current region after the bucket name (name-REGION). Default +is false. If used in conjunction with `name_include_account`, the region will be at the end. + +## Options :: name\_include\_region\_compact +This flag determines if we compact the region to a shorter name, and use it if the name with the full +region is longer than the maximum of 63 characters. It takes the first character of the full region +name and uses that. For example, `us-gov-west-1` becomes `ugw1`. The default value is true. +It is still possible to construct a name that is longer than 63 characters and get a failure, even with +this shorter region value. + +## Options :: name\_enforce\_region\_compact +This flag always compacts the region, no mater whehter the name is longer than 63 characters or not. + ## Requirements No requirements. 
@@ -147,9 +170,10 @@ No modules. | [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no | | [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no | | [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no | +| [name\_enforce\_region\_compact](#input\_name\_enforce\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name no matter the lenth of the string. Only usable with name\_include\_region. | `bool` | `false` | no | | [name\_include\_account](#input\_name\_include\_account) | Flag to determine if we include the AWS Account id in the resulting bucket name | `bool` | `false` | no | | [name\_include\_region](#input\_name\_include\_region) | Flag to determine if we include the full region name in the resulting bucket name | `bool` | `false` | no | -| [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters | `bool` | `true` | no | +| [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters. Only usable with name\_include\_region. | `bool` | `true` | no | | [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no | | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). 
Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | diff --git a/title26/main.tf b/title26/main.tf index c734d51..2840f7c 100644 --- a/title26/main.tf +++ b/title26/main.tf @@ -21,6 +21,10 @@ * ## optional * # kms_policy_document = data.aws_iam_policy_document.mypolicy.json * # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json +* # name_include_account = true +* # name_include_region = true +* # name_include_region_compact = true +* # name_enforce_region_compact = false * } * ``` * @@ -88,6 +92,25 @@ * This will be merged with the default bucket policy which requires TLS and, via other settings, * optionally requires explicit encryption (`require_explicit_encryption` flag, default false) * and address restrictions (lists `allowed_cidr` and `allowed_endpoints`). +* +* # Options +* ## Options :: name_include_account +* Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default +* is false. +* +* ## Options :: name_include_region +* Use of this flag as true will include current region after the bucket name (name-REGION). Default +* is false. If used in conjunction with `name_include_account`, the region will be at the end. +* +* ## Options :: name_include_region_compact +* This flag determines if we compact the region to a shorter name, and use it if the name with the full +* region is longer than the maximum of 63 characters. It takes the first character of the full region +* name and uses that. For example, `us-gov-west-1` becomes `ugw1`. The default value is true. +* It is still possible to construct a name that is longer than 63 characters and get a failure, even with +* this shorter region value. +* +* ## Options :: name_enforce_region_compact +* This flag always compacts the region, no mater whehter the name is longer than 63 characters or not. */ locals {