Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use object lock enabled #148

Merged
merged 4 commits into from
May 6, 2022
Merged

Use object lock enabled #148

merged 4 commits into from
May 6, 2022

Conversation

nitrocode
Copy link
Member

@nitrocode nitrocode commented Apr 22, 2022
edited
Loading

what

  • Use object lock enabled

why

  • Deprecation of dynamic object_lock_configuration for object_lock_enabled
│ Warning: Argument is deprecated
│
│   with module.bucket.aws_s3_bucket.default,
│   on .terraform/modules/bucket/main.tf line 30, in resource "aws_s3_bucket" "default":30: resource "aws_s3_bucket" "default" {
│
│ Use the top-level parameter object_lock_enabled and the aws_s3_bucket_object_lock_configuration resource instead

references

@nitrocode nitrocode added the patch A minor, backward compatible change label Apr 22, 2022
@nitrocode
Copy link
Member Author

/test all

bridgecrew[bot]
bridgecrew bot reviewed Apr 22, 2022
View reviewed changes
main.tf Show resolved Hide resolved
bridgecrew[bot]
bridgecrew bot reviewed Apr 22, 2022
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️   Due to 04397bf - Auto Format - 1 new error was added

Change details

Error ID Change Path Resource
BC_AWS_NETWORKING_52 Added /main.tf aws_s3_bucket.default

@nitrocode nitrocode marked this pull request as ready for review April 22, 2022 13:11
@nitrocode nitrocode requested review from a team as code owners April 22, 2022 13:11
@nitrocode nitrocode requested review from jhosteny and leb4r April 22, 2022 13:11
@nitrocode nitrocode mentioned this pull request Apr 22, 2022
Merged
2 tasks
This was referenced Apr 22, 2022
Closed
Closed
Merged
Merged
Merged
Gowiem
Gowiem previously approved these changes Apr 22, 2022
View reviewed changes
Copy link
Member

@Gowiem Gowiem left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, but I'll leave it open in case you want to get another set of eyes since this module has had some recent flux 👍

Nuru
Nuru previously requested changes Apr 23, 2022
View reviewed changes
Copy link
Contributor

@Nuru Nuru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good, but before approving it, I want some extra testing, due to this note which says changing the value "Forces new resource". We want to be extra careful that we are not causing a change that could end up having Terraform destroy and replace an existing S3 bucket.

@Benbentwo
Copy link
Member

Benbentwo commented May 6, 2022
edited
Loading

Tested with a config where object_lock_configuration enabled via:

  object_lock_configuration = {
    mode  = var.object_lock_mode_archive
    days  = var.object_lock_days_archive
    years = null
  }

This branch fixes perma drift.

Also tested changing

  object_lock_configuration =  null

This did end up planning to delete the bucket. however this is if you change configuration. For those who have it configured this fixes consistency bugs, for those who don't it won't be a problem. It only becomes a problem when attempting to switch. from enabled -> disabled.

@nitrocode nitrocode requested a review from Nuru May 6, 2022 16:57
@nitrocode nitrocode dismissed Nuru’s stale review May 6, 2022 17:08

Requesting a new review

@mergify mergify bot dismissed Gowiem’s stale review May 6, 2022 18:48

This Pull Request has been updated, so we're dismissing all reviews.

@Nuru
Copy link
Contributor

Nuru commented May 6, 2022

/test all

bridgecrew[bot]
bridgecrew bot reviewed May 6, 2022
View reviewed changes
main.tf
object_lock_enabled = "Enabled"
}
}
object_lock_enabled = local.object_lock_enabled
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure S3 Bucket has public access blocks
    Resource: aws_s3_bucket.default | ID: BC_AWS_NETWORKING_52

How to Fix

resource "aws_s3_bucket" "bucket_good_1" {
  bucket = "bucket_good"
}

resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.bucket_good_1.id

  block_public_acls   = true
  block_public_policy = true
}

Description

When you create an S3 bucket, it is good practice to set the additional resource **aws_s3_bucket_public_access_block** to ensure the bucket is never accidentally public.

We recommend you ensure S3 bucket has public access blocks. If the public access block is not attached it defaults to False.

bridgecrew[bot]
bridgecrew bot reviewed May 6, 2022
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️   Due to 9557b6e - Merge branch 'master' into use-object-lock-enabled - 1 new error was added

Change details

Error ID Change Path Resource
BC_AWS_NETWORKING_52 Added /main.tf aws_s3_bucket.default

bridgecrew[bot]
bridgecrew bot reviewed May 6, 2022
View reviewed changes
main.tf
object_lock_enabled = "Enabled"
}
}
object_lock_enabled = local.object_lock_enabled
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure S3 Bucket has public access blocks
    Resource: aws_s3_bucket.default | ID: BC_AWS_NETWORKING_52

How to Fix

resource "aws_s3_bucket" "bucket_good_1" {
  bucket = "bucket_good"
}

resource "aws_s3_bucket_public_access_block" "access_good_1" {
  bucket = aws_s3_bucket.bucket_good_1.id

  block_public_acls   = true
  block_public_policy = true
}

Description

When you create an S3 bucket, it is good practice to set the additional resource **aws_s3_bucket_public_access_block** to ensure the bucket is never accidentally public.

We recommend you ensure S3 bucket has public access blocks. If the public access block is not attached it defaults to False.

bridgecrew[bot]
bridgecrew bot reviewed May 6, 2022
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️   Due to 021ec90 - Update go-getter for security fix - 1 new error was added

Change details

Error ID Change Path Resource
BC_AWS_NETWORKING_52 Added /main.tf aws_s3_bucket.default

@Nuru
Copy link
Contributor

Nuru commented May 6, 2022

/test all

Nuru
Nuru approved these changes May 6, 2022
View reviewed changes
Copy link
Contributor

@Nuru Nuru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The BridgeCrew complaint is a mistake on BridgeCrew's part.

@Nuru Nuru enabled auto-merge (squash) May 6, 2022 19:39
@Nuru Nuru merged commit a7f02d2 into master May 6, 2022
@Nuru Nuru deleted the use-object-lock-enabled branch May 6, 2022 19:42
@amontalban amontalban mentioned this pull request Jul 4, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bridgecrew bridgecrew[bot] bridgecrew[bot] left review comments

@Nuru Nuru Nuru approved these changes

@Gowiem Gowiem Gowiem left review comments

@jhosteny jhosteny Awaiting requested review from jhosteny jhosteny was automatically assigned from cloudposse/contributors

@leb4r leb4r Awaiting requested review from leb4r leb4r was automatically assigned from cloudposse/contributors

Assignees
No one assigned
Labels
patch A minor, backward compatible change
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@nitrocode @Benbentwo @Nuru @Gowiem @cloudpossebot