Support AWS Provider V5 #284

Merged 61 commits on Jul 25, 2023

Commits (61)
2e49c0c
Support AWS Provider V5
max-lobur Jun 9, 2023
b0a2cf9
Update versions.tf
max-lobur Jun 9, 2023
4e2aa16
Update versions.tf
max-lobur Jun 9, 2023
5defc73
Update versions.tf
max-lobur Jun 9, 2023
8c19840
Support AWS Provider V5
max-lobur Jun 9, 2023
a60cbca
bump provider
max-lobur Jun 9, 2023
986ed62
Support AWS Provider V5
max-lobur Jun 9, 2023
d727c1d
Support AWS Provider V5
max-lobur Jun 12, 2023
7310e5a
Support AWS Provider V5
max-lobur Jun 12, 2023
ff3c350
Support AWS Provider V5
max-lobur Jun 12, 2023
2b17944
upd
max-lobur Jun 12, 2023
acfcb1c
upd
max-lobur Jun 12, 2023
ac6a5c2
upd
max-lobur Jun 12, 2023
d860845
upd
max-lobur Jun 12, 2023
b78448c
upd
max-lobur Jun 12, 2023
2909451
upd
max-lobur Jun 13, 2023
2c08980
upd
max-lobur Jun 13, 2023
db53c0a
upd
max-lobur Jun 13, 2023
191cf0c
upd
max-lobur Jun 13, 2023
44814db
upd
max-lobur Jun 13, 2023
ac8e3b5
upd
max-lobur Jun 13, 2023
96ecf5c
upd
max-lobur Jun 14, 2023
e202fd3
upd
max-lobur Jun 15, 2023
be8070a
Add policy
max-lobur Jun 28, 2023
05bf010
use ACL for logging s3-bucket access
milldr Jul 21, 2023
3e018a7
make readme
milldr Jul 21, 2023
d2f8bd2
Removed unused locals, use updated bucket acl pattern, enable logging…
milldr Jul 21, 2023
7d199c6
allow public policy for test bucket
milldr Jul 21, 2023
8d4e13b
tf fmt
milldr Jul 21, 2023
56caadc
set BucketOwnerEnforced
milldr Jul 22, 2023
398d547
set acl with string, not grant
milldr Jul 22, 2023
26bf579
set logs ownership to ObjectWriter
milldr Jul 22, 2023
c5f58dd
set s3_object_ownership for test buckets
milldr Jul 22, 2023
257edbe
set logs bucket to BucketOwnerPreferred
milldr Jul 22, 2023
f411f16
Set bucket-owner-full-control
milldr Jul 22, 2023
2b8758f
reset to grant
milldr Jul 22, 2023
fc18f7a
Update main.tf
milldr Jul 22, 2023
bb34f28
set log-delivery-write for test buckets
milldr Jul 22, 2023
7f5a8b4
set ownership on test bucket
milldr Jul 22, 2023
5028c8d
set BucketOwnerPreferred with grant list for test buckets
milldr Jul 22, 2023
d8a3fb5
reset tests, set ownership to BucketOwnerPreferred
milldr Jul 22, 2023
6dc01b4
setting s3_object_ownership
milldr Jul 22, 2023
c80947f
dependency for bucket settings before cdn
milldr Jul 22, 2023
9b99d12
Update examples/complete/main.tf
milldr Jul 22, 2023
bcef6a2
dependency for tweaks
milldr Jul 22, 2023
52c9da3
added more wait ons for bucket settings
milldr Jul 22, 2023
ba4ea46
added more wait ons for bucket settings
milldr Jul 22, 2023
9777e27
set ownership on test bucket, set acl null of s3
milldr Jul 22, 2023
2d2a3c0
set BucketOwnerEnforced
milldr Jul 22, 2023
550676d
set grants
milldr Jul 22, 2023
4f2ab30
set grants
milldr Jul 22, 2023
dbc01c9
Set policy after bucket settings
milldr Jul 24, 2023
9308ec6
Set block_origin_public_access_enabled
milldr Jul 24, 2023
8001efe
revert s3-origins test
milldr Jul 24, 2023
757e244
set BucketOwnerEnforced
milldr Jul 24, 2023
e4f44e4
sleep for eventual consistency
milldr Jul 24, 2023
a99c9ce
Set acl for s3-origin tests
milldr Jul 24, 2023
4ce087f
replace s3-website module with s3-bucket for tests
milldr Jul 25, 2023
68917e2
corrected bucket name input
milldr Jul 25, 2023
38463b6
corrected bucket name input
milldr Jul 25, 2023
c0e1360
bridgecrew issues resolved
milldr Jul 25, 2023
1 change: 1 addition & 0 deletions .github/workflows/release-branch.yml
@@ -10,6 +10,7 @@ on:
- 'docs/**'
- 'examples/**'
- 'test/**'
- 'README.*'

permissions:
contents: write
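Review bot: `README.*` also matches `README.yaml`, which this PR edits as the source of the generated README.md (the README.yaml hunk further down changes the same `usage:` snippet), so if this list under `on:` is a paths-ignore filter, a change to README.yaml alone will no longer run the release-branch workflow; confirm that is intended, or narrow the pattern to `README.md`.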
2 changes: 1 addition & 1 deletion .github/workflows/release-published.yml
@@ -11,4 +11,4 @@ permissions:

jobs:
terraform-module:
uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main
uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main
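Review bot: the reusable workflow is still referenced by a mutable branch (`uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main`), so whatever lands on `main` in that repository runs under this workflow's `permissions:` at the next release event. Pinning to a release tag or a full commit SHA is the usual supply-chain safeguard; if `@main` is an organisation-wide convention, a one-line comment saying so would stop the next reviewer from raising it again.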
12 changes: 4 additions & 8 deletions README.md
@@ -88,10 +88,6 @@ We highly recommend that in your code you pin the version to the exact version y
using so that your infrastructure remains stable, and update versions in a
systematic way so that they do not catch you by surprise.

Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)),
the registry shows many of our inputs as required when in fact they are optional.
The table below correctly indicates which inputs are required.



For a complete example, see [examples/complete](examples/complete).
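Review bot: deleting the registry-bug paragraph leaves three consecutive blank lines before `For a complete example, see [examples/complete](examples/complete).`; collapse them to one. Because README.md is regenerated with `make readme` (commit 3e018a7 in this PR), the spacing fix presumably belongs in README.yaml or the template rather than in the rendered file, or it will come back on the next regeneration.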
@@ -387,7 +383,7 @@ module "lambda_at_edge" {
EOT
filename = "index.js"
}]
runtime = "nodejs12.x"
runtime = "nodejs16.x"
handler = "index.handler"
event_type = "origin-response"
include_body = false
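Review bot: `runtime = "nodejs16.x"` is a step up from the long-deprecated nodejs12.x, but Node.js 16 itself reached upstream end of life in September 2023 and AWS Lambda later retired the runtime, so this example will need another bump soon; consider `nodejs18.x` where Lambda@Edge supports it for these trigger types. The same string appears in README.yaml and in examples/complete/lambda-at-edge.tf in this PR, so whichever value is chosen should be changed in all three places together.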
@@ -436,15 +432,15 @@ Available targets:
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.2 |
| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.7 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.2 |
| <a name="provider_time"></a> [time](#provider\_time) | >= 0.7 |
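Review bot: the new constraint `>= 4.9` raises the floor from 3.64 straight to 4.9 and has no ceiling. Consumers still on the 3.x or 4.0 to 4.8 provider get a hard failure on upgrade, so this deserves a breaking-change note in the release; and since a PR titled "Support AWS Provider V5" implies the module was exercised against 5.x, an upper bound such as `< 6.0` would document the range actually tested instead of silently opting into the next major.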

@@ -453,7 +449,7 @@ Available targets:
| Name | Source | Version |
|------|--------|---------|
| <a name="module_dns"></a> [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.13.0 |
| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.26.0 |
| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 1.4.2 |
| <a name="module_origin_label"></a> [origin\_label](#module\_origin\_label) | cloudposse/label/null | 0.25.0 |
| <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |

2 changes: 1 addition & 1 deletion README.yaml
@@ -352,7 +352,7 @@ usage: |-
EOT
filename = "index.js"
}]
runtime = "nodejs12.x"
runtime = "nodejs16.x"
handler = "index.handler"
event_type = "origin-response"
include_body = false
6 changes: 3 additions & 3 deletions docs/terraform.md
@@ -4,15 +4,15 @@
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.2 |
| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.7 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.2 |
| <a name="provider_time"></a> [time](#provider\_time) | >= 0.7 |

@@ -21,7 +21,7 @@
| Name | Source | Version |
|------|--------|---------|
| <a name="module_dns"></a> [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.13.0 |
| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.26.0 |
| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 1.4.2 |
| <a name="module_origin_label"></a> [origin\_label](#module\_origin\_label) | cloudposse/label/null | 0.25.0 |
| <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |

97 changes: 85 additions & 12 deletions examples/complete/custom-origins.tf
@@ -16,21 +16,37 @@ locals {
}
additional_custom_origin_primary = local.additional_custom_origins_enabled ? merge(
local.default_custom_origin_configuration, {
domain_name = module.additional_custom_origin.s3_bucket_website_endpoint
origin_id = module.additional_custom_origin.hostname
domain_name = module.additional_custom_origin.bucket_website_endpoint
origin_id = module.additional_custom_origin.bucket_id
}
) : null
additional_custom_origin_secondary = local.additional_custom_origins_enabled ? merge(
local.default_custom_origin_configuration, {
domain_name = module.additional_custom_failover_origin.s3_bucket_website_endpoint
origin_id = module.additional_custom_failover_origin.hostname
domain_name = module.additional_custom_failover_origin.bucket_website_endpoint
origin_id = module.additional_custom_failover_origin.bucket_id
}
) : null
additional_custom_origin_groups = local.additional_custom_origins_enabled ? [{
primary_origin_id = local.additional_custom_origin_primary.origin_id
failover_origin_id = local.additional_custom_origin_secondary.origin_id
failover_criteria = var.origin_group_failover_criteria_status_codes
}] : []
website_configuration = [
{
index_document = "index.html"
error_document = null
routing_rules = []
}
]
cors_configuration = [
{
allowed_headers = ["*"]
allowed_methods = ["GET"]
allowed_origins = ["*"]
expose_headers = ["ETag"]
max_age_seconds = 3600
}
]
}

# additional labels are required because they will be used for the 'hostname' variables for each of the additional website origins.
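Review bot: the trailing context comment `# additional labels are required because they will be used for the 'hostname' variables` is now stale, since the modules below set `bucket_name` rather than `hostname`; reword it. In the new `cors_configuration` local, `allowed_headers = ["*"]` combined with `allowed_origins = ["*"]` is the widest rule S3 accepts; with `allowed_methods = ["GET"]` on a public static site the exposure is small, but a short comment marking this as a test fixture would keep it from being copied unchanged into production examples.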
@@ -45,16 +61,44 @@ module "additional_custom_origin_label" {
}

module "additional_custom_origin" {
source = "cloudposse/s3-website/aws"
version = "0.16.1"
source = "cloudposse/s3-bucket/aws"
version = "3.1.2"

enabled = local.additional_custom_origins_enabled

force_destroy = true
hostname = format("%s.%s", module.additional_custom_origin_label.id, var.parent_zone_name)
bucket_name = format("%s.%s", module.additional_custom_origin_label.id, var.parent_zone_name)
force_destroy = true
website_configuration = local.website_configuration
cors_configuration = local.cors_configuration

context = module.additional_custom_origin_label.context
}

resource "aws_s3_bucket_public_access_block" "additional_custom_origin" {
count = local.additional_custom_origins_enabled ? 1 : 0

# The bucket used for a public static website.
#bridgecrew:skip=BC_AWS_S3_19:Skipping `Ensure S3 bucket has block public ACLS enabled`
#bridgecrew:skip=BC_AWS_S3_20:Skipping `Ensure S3 Bucket BlockPublicPolicy is set to True`
#bridgecrew:skip=BC_AWS_S3_21:Skipping `Ensure S3 bucket IgnorePublicAcls is set to True`
#bridgecrew:skip=BC_AWS_S3_22:Skipping `Ensure S3 bucket RestrictPublicBucket is set to True`
bucket = module.additional_custom_origin.bucket_id

block_public_acls = false
block_public_policy = false
ignore_public_acls = false
restrict_public_buckets = false
}

resource "aws_s3_bucket_ownership_controls" "additional_custom_origin" {
count = local.additional_custom_origins_enabled ? 1 : 0

bucket = module.additional_custom_origin.bucket_id
rule {
object_ownership = "BucketOwnerEnforced"
}
}

module "additional_custom_failover_origin_label" {
source = "cloudposse/label/null"
version = "0.24.1"
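Review bot: `object_ownership = "BucketOwnerEnforced"` disables ACLs on this bucket, so `block_public_acls` and `ignore_public_acls` can stay at their secure default of `true` with no effect on the website endpoint; only `block_public_policy` and `restrict_public_buckets` need to be `false` for a public-read bucket policy, which also removes two of the four bridgecrew skips (`BC_AWS_S3_19`, `BC_AWS_S3_21`). Note as well that with ACLs disabled the website endpoint can only serve anonymous requests through a bucket policy granting `s3:GetObject`, and no such policy is attached in this hunk; if it lives elsewhere, a comment pointing to it would help the next reader.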
@@ -66,12 +110,41 @@ module "additional_custom_failover_origin_label" {
}

module "additional_custom_failover_origin" {
source = "cloudposse/s3-website/aws"
version = "0.16.1"
source = "cloudposse/s3-bucket/aws"
version = "3.1.2"

enabled = local.additional_custom_origins_enabled

force_destroy = true
hostname = format("%s.%s", module.additional_custom_failover_origin_label.id, var.parent_zone_name)
bucket_name = format("%s.%s", module.additional_custom_failover_origin_label.id, var.parent_zone_name)
force_destroy = true
website_configuration = local.website_configuration
cors_configuration = local.cors_configuration

context = module.additional_custom_failover_origin_label.context
}

resource "aws_s3_bucket_public_access_block" "additional_custom_failover_origin" {
count = local.additional_custom_origins_enabled ? 1 : 0

# The bucket used for a public static website.
#bridgecrew:skip=BC_AWS_S3_19:Skipping `Ensure S3 bucket has block public ACLS enabled`
#bridgecrew:skip=BC_AWS_S3_20:Skipping `Ensure S3 Bucket BlockPublicPolicy is set to True`
#bridgecrew:skip=BC_AWS_S3_21:Skipping `Ensure S3 bucket IgnorePublicAcls is set to True`
#bridgecrew:skip=BC_AWS_S3_22:Skipping `Ensure S3 bucket RestrictPublicBucket is set to True`
bucket = module.additional_custom_failover_origin.bucket_id

block_public_acls = false
block_public_policy = false
ignore_public_acls = false
restrict_public_buckets = false
}

resource "aws_s3_bucket_ownership_controls" "additional_custom_failover_origin" {
count = local.additional_custom_origins_enabled ? 1 : 0

bucket = module.additional_custom_failover_origin.bucket_id
rule {
object_ownership = "BucketOwnerEnforced"
}
}
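Review bot: this block is a line-for-line copy of the primary origin above (module call, public access block with the same four bridgecrew skips, ownership controls), differing only in the label; a `for_each` over a map such as `{ primary = ..., failover = ... }` would keep the two in sync and halve the file. The same ACL point applies here: with `BucketOwnerEnforced` the two ACL-related public-access settings can remain `true`.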

2 changes: 1 addition & 1 deletion examples/complete/deployment.tf
@@ -7,7 +7,7 @@ locals {
} : {}

our_account_id = local.enabled ? data.aws_caller_identity.current[0].account_id : ""
our_role_arn_prefix = "arn:${join("", data.aws_partition.current.*.partition)}:iam::${local.our_account_id}:role"
our_role_arn_prefix = "arn:${join("", data.aws_partition.current[*].partition)}:iam::${local.our_account_id}:role"
role_names = { for k, v in local.test_deployment_role_prefix_map : k => module.role_labels[k].id }
deployment_principal_arns = { for k, v in local.role_names : format("%v/%v", local.our_role_arn_prefix, v) => local.test_deployment_role_prefix_map[k] }
}
8 changes: 4 additions & 4 deletions examples/complete/lambda-at-edge.tf
@@ -30,22 +30,22 @@ module "lambda_at_edge" {
EOT
filename = "index.js"
}]
runtime = "nodejs12.x"
runtime = "nodejs16.x"
handler = "index.handler"
event_type = "viewer-request"
include_body = false
},
# Add custom header to the response
viewer_response = {
source_dir = "lib"
runtime = "nodejs12.x"
runtime = "nodejs16.x"
handler = "index.handler"
event_type = "viewer-response"
include_body = false
},
origin_request = {
source_zip = "origin-request.zip"
runtime = "nodejs12.x"
runtime = "nodejs16.x"
handler = "index.handler"
event_type = "origin-request"
include_body = false
@@ -77,7 +77,7 @@ module "lambda_at_edge" {
EOT
filename = "index.js"
}]
runtime = "nodejs12.x"
runtime = "nodejs16.x"
handler = "index.handler"
event_type = "origin-response"
include_body = false
37 changes: 29 additions & 8 deletions examples/complete/main.tf
@@ -20,7 +20,7 @@ data "aws_iam_policy_document" "document" {

actions = ["s3:GetObject"]
resources = [
"arn:${join("", data.aws_partition.current.*.partition)}:s3:::$${bucket_name}$${origin_path}testprefix/*"
"arn:${join("", data.aws_partition.current[*].partition)}:s3:::$${bucket_name}$${origin_path}testprefix/*"
]

principals {
@@ -36,14 +36,16 @@ data "aws_canonical_user_id" "current" {

module "s3_bucket" {
source = "cloudposse/s3-bucket/aws"
version = "0.36.0"
version = "3.1.2"

acl = null
force_destroy = true
user_enabled = false
versioning_enabled = false
attributes = ["existing-bucket"]
force_destroy = true
user_enabled = false
versioning_enabled = false
block_public_policy = false
attributes = ["existing-bucket"]

acl = null
s3_object_ownership = "BucketOwnerPreferred"
grants = [
{
id = local.enabled ? data.aws_canonical_user_id.current[0].id : ""
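Review bot: `block_public_policy = false` switches off one of the Block Public Access guards on the `existing-bucket` fixture. The policy document above grants only `s3:GetObject` on `testprefix/*`, and whether that policy is actually public depends on the `principals` block this diff does not show; if the principal is the CloudFront identity rather than `*`, the default `true` works and this line can go. `s3_object_ownership = "BucketOwnerPreferred"` is the right choice here because the `grants` list that follows needs ACLs to remain enabled; a comment saying so would explain why this bucket is not `BucketOwnerEnforced` like the custom-origin buckets in examples/complete/custom-origins.tf.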
@@ -62,9 +64,27 @@ module "s3_bucket" {
context = module.this.context
}

# Workaround for S3 eventual consistency for settings relating to objects
resource "time_sleep" "wait_for_aws_s3_bucket_settings" {
count = local.enabled ? 1 : 0

create_duration = "30s"
destroy_duration = "30s"

depends_on = [
data.aws_iam_policy_document.document,
module.s3_bucket
]
}

module "cloudfront_s3_cdn" {
source = "../../"

depends_on = [
time_sleep.wait_for_aws_s3_bucket_settings,
time_sleep.wait_for_additional_s3_origins
]

parent_zone_name = var.parent_zone_name
dns_alias_enabled = true
origin_force_destroy = true
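Review bot: the `depends_on` list of `time_sleep.wait_for_aws_s3_bucket_settings` includes `data.aws_iam_policy_document.document`, a pure data source with nothing to wait for; `module.s3_bucket` is the only dependency that matters, and naming the data source just defers its read to apply time for no benefit. A fixed 30s `create_duration` is an acceptable workaround for eventual consistency of ownership and ACL settings, but `destroy_duration = "30s"` adds half a minute to every teardown of the test and can be dropped. The module's `depends_on` also references `time_sleep.wait_for_additional_s3_origins`, which is not in this hunk; make sure it is declared unconditionally (a `count = 0` resource is fine, an undeclared one is a plan error).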
@@ -81,6 +101,7 @@ module "cloudfront_s3_cdn" {

cloudfront_access_logging_enabled = true
cloudfront_access_log_prefix = "logs/cf_access"
s3_object_ownership = "BucketOwnerPreferred"

additional_bucket_policy = local.enabled ? data.aws_iam_policy_document.document[0].json : ""
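Review bot: `s3_object_ownership = "BucketOwnerPreferred"` sits directly under `cloudfront_access_logging_enabled = true`, and the commit history of this PR (`use ACL for logging s3-bucket access`, `set logs bucket to BucketOwnerPreferred`, several `set BucketOwnerEnforced` commits that were reverted) shows ACL-based log delivery is why the stricter `BucketOwnerEnforced` did not stick. Record that reason in a comment on this line: a bucket that receives CloudFront standard logs must keep ACLs enabled, and a later hardening pass that flips this value will silently break log delivery rather than fail the plan.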

@@ -105,7 +126,7 @@ module "cloudfront_s3_cdn" {
context = module.this.context
}

resource "aws_s3_bucket_object" "index" {
resource "aws_s3_object" "index" {
count = local.enabled ? 1 : 0

bucket = module.cloudfront_s3_cdn.s3_bucket
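Review bot: renaming `aws_s3_bucket_object` to `aws_s3_object` changes the resource type, which a `moved` block cannot express, so Terraform will plan to destroy and recreate `index` on the next apply. That is harmless in this example (the origin bucket is created with `origin_force_destroy = true`), but anyone who copied the old example into a live stack will see the same replacement; a line in the release notes pointing at `terraform state rm` plus `terraform import`, or explicitly accepting the recreate, would avoid the surprise.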