Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for S3ObjectAcl in the acmpca_certificate_authority resource #19570

Closed
sakisv opened this issue May 28, 2021 · 2 comments · Fixed by #19578
Closed

Add support for S3ObjectAcl in the acmpca_certificate_authority resource #19570

sakisv opened this issue May 28, 2021 · 2 comments · Fixed by #19578
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/acmpca Issues and PRs that pertain to the acmpca service.
Milestone
v3.44.0

Comments

@sakisv
Copy link

sakisv commented May 28, 2021
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Add support for S3ObjectAcl [1] in the aws_acmpca_certificate_authority resource.

When we configure an ACM PCA we can use the revocation_configuration to provide an S3 bucket, where the ACM PCA service can put the relevant CRLs.

As mentioned in the docs, by default the CRLs are copied with a PUBLIC_READ ACL, which can cause a problem when the bucket has Block Public Access enabled.

New or Affected Resource(s)

  • aws_acmpca_certificate_authority

Potential Terraform Configuration

resource "aws_s3_bucket" "root_ca_revoc" {
  bucket = "root-ca-revoc"
}

resource "aws_s3_bucket_public_access_block" "root_ca_revoc" {
  bucket = aws_s3_bucket.root_ca_revoc.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}

resource "aws_acmpca_certificate_authority" "root" {
  type = "ROOT"

  certificate_authority_configuration {
    key_algorithm     = "RSA_4096"
    signing_algorithm = "SHA256WITHRSA"

    subject {
      country             = "GB"
      organization        = "Org"
      organizational_unit = "OrgUnit"
      common_name         = "name.orgunit.org"
    }
  }

  revocation_configuration {
    crl_configuration {
      enabled            = true
      expiration_in_days = 30
      s3_bucket_name     = aws_s3_bucket.root_ca_revoc.id
      s3_object_acl     = "BUCKET_OWNER_FULL_CONTROL"
    }
  }
}

References
@sakisv sakisv added the enhancement Requests to existing resources that expand the functionality or scope. label May 28, 2021
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/acmpca Issues and PRs that pertain to the acmpca service. service/s3 Issues and PRs that pertain to the s3 service. labels May 28, 2021
@nikhil-goenka nikhil-goenka mentioned this issue May 29, 2021
Merged
@ewbankkit ewbankkit removed needs-triage Waiting for first response or review from a maintainer. service/s3 Issues and PRs that pertain to the s3 service. labels Jun 1, 2021
@github-actions github-actions bot added this to the v3.44.0 milestone Jun 1, 2021
@ghost
Copy link

ghost commented Jun 3, 2021

This has been released in version 3.44.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@github-actions
Copy link

github-actions bot commented Jul 4, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 4, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/acmpca Issues and PRs that pertain to the acmpca service.
Projects
None yet
Milestone
v3.44.0
2 participants
@ewbankkit @sakisv