Fix deprecations and issues

- Fixed provider
- Logging now uses new resource
- MPU cleanup days set to var and defaulted to 7
- SSE now uses new resource
- SSE now supports Bucket KMS Keys
- Versioning now supports MFA Delete
- CORS now uses new resource
- CORS now fixed to actually reads more than one rule. (It's been broken forever, but no one noticed)
- CORS now supports bucket owner.
- Added an actual test for CORS with multiple rules
- Added KMS tests
- Adding test for logging bucket

.terraform-version

@@ -1 +1 @@
-0.13.2
+0.13.7

README.md

@@ -51,14 +51,14 @@ The following module variables were updated to better meet current Rackspace sty
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12 |
-| aws | >= 2.7.0 |
+| terraform | >= 0.13 |
+| aws | ~> 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 2.7.0 |
+| aws | ~> 3.0 |
 
 ## Modules
 
@@ -68,32 +68,38 @@ No Modules.
 
 | Name |
 |------|
-| [aws_s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/2.7.0/docs/resources/s3_bucket) |
-| [aws_s3_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/2.7.0/docs/resources/s3_bucket_public_access_block) |
+| [aws_s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/3.0/docs/resources/s3_bucket) |
+| [aws_s3_bucket_acl](https://registry.terraform.io/providers/hashicorp/aws/3.0/docs/resources/s3_bucket_acl) |
+| [aws_s3_bucket_cors_configuration](https://registry.terraform.io/providers/hashicorp/aws/3.0/docs/resources/s3_bucket_cors_configuration) |
+| [aws_s3_bucket_logging](https://registry.terraform.io/providers/hashicorp/aws/3.0/docs/resources/s3_bucket_logging) |
+| [aws_s3_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/3.0/docs/resources/s3_bucket_public_access_block) |
+| [aws_s3_bucket_server_side_encryption_configuration](https://registry.terraform.io/providers/hashicorp/aws/3.0/docs/resources/s3_bucket_server_side_encryption_configuration) |
+| [aws_s3_bucket_versioning](https://registry.terraform.io/providers/hashicorp/aws/3.0/docs/resources/s3_bucket_versioning) |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| allowed\_headers | Specifies which headers are allowed. | `list(string)` | `[]` | no |
-| allowed\_methods | (Required) Specifies which methods are allowed. Can be GET, PUT, POST, DELETE or HEAD. | `list(string)` | `[]` | no |
-| allowed\_origins | (Required) Specifies which origins are allowed. | `list(string)` | `[]` | no |
+| abort\_incomplete\_multipart\_upload\_days | Abort Incomplete Multipart Upload Days i.e. 7 \| 0 | `number` | `7` | no |
 | block\_public\_access | Block various forms of public access on a per bucket level | `bool` | `false` | no |
 | block\_public\_access\_acl | Related to block\_public\_access. PUT Bucket acl and PUT Object acl calls will fail if the specified ACL allows public access. PUT Object calls will fail if the request includes an object ACL. | `bool` | `true` | no |
 | block\_public\_access\_ignore\_acl | Related to block\_public\_access. Ignore public ACLs on this bucket and any objects that it contains. | `bool` | `true` | no |
 | block\_public\_access\_policy | Related to block\_public\_access. Reject calls to PUT Bucket policy if the specified bucket policy allows public access. | `bool` | `true` | no |
 | block\_public\_access\_restrict\_bucket | Related to block\_public\_access. Only the bucket owner and AWS Services can access this buckets if it has a public policy. | `bool` | `true` | no |
 | bucket\_acl | Bucket ACL. Must be either authenticated-read, aws-exec-read, log-delivery-write, private, public-read or public-read-write. For more details https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl | `string` | `"private"` | no |
+| bucket\_key\_enabled | Whether or not to use Amazon S3 Bucket Keys for SSE-KMS. | `bool` | `false` | no |
 | bucket\_logging | Enable bucket logging. Will store logs in another existing bucket. You must give the log-delivery group WRITE and READ\_ACP permissions to the target bucket. i.e. true \| false | `bool` | `false` | no |
+| cors | Enable CORS Rules. Rules must be defined in the variable cors\_rules | `bool` | `false` | no |
+| cors\_rule | List of maps containing rules for Cross-Origin Resource Sharing. | `any` | `[]` | no |
 | environment | Application environment for which this network is being created. must be one of ['Development', 'Integration', 'PreProduction', 'Production', 'QA', 'Staging', 'Test'] | `string` | `"Development"` | no |
-| expose\_headers | Specifies expose header in the response. | `list(string)` | `[]` | no |
+| expected\_bucket\_owner | The account ID of the expected bucket owner | `string` | `null` | no |
 | force\_destroy\_bucket | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |
 | kms\_key\_id | The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse\_algorithm as aws:kms. | `string` | `""` | no |
 | lifecycle\_enabled | Enable object lifecycle management. i.e. true \| false | `bool` | `false` | no |
 | lifecycle\_rule\_prefix | Object keyname prefix identifying one or more objects to which the rule applies. Set as an empty string to target the whole bucket. | `string` | `""` | no |
 | logging\_bucket\_name | Name of the existing bucket where the logs will be stored. | `string` | `""` | no |
 | logging\_bucket\_prefix | Prefix for all log object keys. i.e. logs/ | `string` | `""` | no |
-| max\_age\_seconds | Specifies time in seconds that browser can cache the response for a preflight request. | `number` | `600` | no |
+| mfa\_delete | Specifies whether MFA delete is enabled in the bucket versioning configuration | `bool` | `false` | no |
 | name | The name of the S3 bucket for the access logs. The bucket name can contain only lowercase letters, numbers, periods (.), and dashes (-). Must be globally unique. If changed, forces a new resource. | `string` | n/a | yes |
 | noncurrent\_version\_expiration\_days | Indicates after how many days we are deleting previous version of objects.  Set to 0 to disable or at least 365 days longer than noncurrent\_version\_transition\_glacier\_days. i.e. 0 to disable, 1-999 otherwise | `number` | `0` | no |
 | noncurrent\_version\_transition\_glacier\_days | Indicates after how many days we are moving previous versions to Glacier.  Should be 0 to disable or at least 30 days longer than noncurrent\_version\_transition\_ia\_days. i.e. 0 to disable, 1-999 otherwise | `number` | `0` | no |
@@ -108,7 +114,7 @@ No Modules.
 | tags | A map of tags to be applied to the Bucket. i.e {Environment='Development'} | `map(string)` | `{}` | no |
 | transition\_to\_glacier\_days | Indicates after how many days we are moving current versions to Glacier.  Should be 0 to disable or at least 30 days longer than transition\_to\_ia\_days. i.e. 0 to disable, otherwise 1-999 | `number` | `0` | no |
 | transition\_to\_ia\_days | Indicates after how many days we are moving current objects to Standard-IA storage. i.e. 0 to disable, otherwise 1-999 | `number` | `0` | no |
-| versioning | Enable bucket versioning. i.e. true \| false | `bool` | `false` | no |
+| versioning | Enable bucket versioning. | `bool` | `false` | no |
 | website | Use bucket as a static website. i.e. true \| false | `bool` | `false` | no |
 | website\_error | Location of Error HTML file. i.e. error.html | `string` | `"error.html"` | no |
 | website\_index | Location of Index HTML file. i.e index.html | `string` | `"index.html"` | no |

main.tf

@@ -51,10 +51,13 @@
  */
 
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
 
   required_providers {
-    aws = ">= 2.7.0"
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.0"
+    }
   }
 }
 
@@ -72,22 +75,7 @@ locals {
     SkipBucket      = var.rax_mpu_cleanup_enabled ? null : "True"
   }
 
-  ##############################################################
-  # CORS rules local variables
-  ##############################################################
-
-  cors_rules = {
-    enabled = [
-      {
-        allowed_headers = var.allowed_headers
-        allowed_methods = var.allowed_methods
-        allowed_origins = var.allowed_origins
-        expose_headers  = var.expose_headers
-        max_age_seconds = var.max_age_seconds
-      },
-    ]
-    disabled = []
-  }
+  cors_rules = try(jsondecode(var.cors_rule), var.cors_rule)
 
   ##############################################################
   # Lifecycle Rules local variables
@@ -114,7 +102,7 @@ locals {
     ]
     mpu_cleanup_enabled = [
       {
-        abort_incomplete_multipart_upload_days = 7
+        abort_incomplete_multipart_upload_days = var.abort_incomplete_multipart_upload_days
         enabled                                = true
         id                                     = "rax-cleanup-incomplete-mpu-objects"
         expiration                             = [{}]
@@ -165,20 +153,6 @@ locals {
     disabled = []
   }
 
-  ##############################################################
-  # Bucket Logging local variables
-  ##############################################################
-
-  bucket_logging = {
-    enabled = [
-      {
-        target_bucket = var.logging_bucket_name
-        target_prefix = var.logging_bucket_prefix
-      },
-    ]
-    disabled = []
-  }
-
   ##############################################################
   # Bucket object lock local variables
   ##############################################################
@@ -198,28 +172,6 @@ locals {
     Disabled = []
   }
 
-  ##############################################################
-  # Server side encryption rule local variables
-  ##############################################################
-
-  server_side_encryption_rule = {
-    enabled = [
-      {
-        rule = [
-          {
-            apply_server_side_encryption_by_default = [
-              {
-                kms_master_key_id = var.kms_key_id
-                sse_algorithm     = var.sse_algorithm
-              },
-            ]
-          },
-        ]
-      },
-    ]
-    disabled = []
-  }
-
   ##############################################################
   # Bucket website local variables
   ##############################################################
@@ -236,22 +188,10 @@ locals {
 }
 
 resource "aws_s3_bucket" "s3_bucket" {
-  acl           = contains(local.acl_list, var.bucket_acl) ? var.bucket_acl : "ACL_ERROR"
   bucket        = var.name
   force_destroy = var.force_destroy_bucket
   tags          = merge(var.tags, local.default_tags)
 
-  dynamic "cors_rule" {
-    for_each = local.cors_rules[length(var.allowed_origins) > 0 ? "enabled" : "disabled"]
-    content {
-      allowed_headers = lookup(cors_rule.value, "allowed_headers", null)
-      allowed_methods = cors_rule.value.allowed_methods
-      allowed_origins = cors_rule.value.allowed_origins
-      expose_headers  = lookup(cors_rule.value, "expose_headers", null)
-      max_age_seconds = lookup(cors_rule.value, "max_age_seconds", null)
-    }
-  }
-
   dynamic "lifecycle_rule" {
     for_each = concat(
       local.lifecycle_rules[(var.lifecycle_enabled ? "enabled" : "disabled")],
@@ -300,14 +240,6 @@ resource "aws_s3_bucket" "s3_bucket" {
     }
   }
 
-  dynamic "logging" {
-    for_each = local.bucket_logging[var.bucket_logging ? "enabled" : "disabled"]
-    content {
-      target_bucket = logging.value.target_bucket
-      target_prefix = lookup(logging.value, "target_prefix", null)
-    }
-  }
-
   dynamic "object_lock_configuration" {
     for_each = local.object_lock_rule[var.object_lock_enabled ? "Enabled" : "Disabled"]
     content {
@@ -325,27 +257,6 @@ resource "aws_s3_bucket" "s3_bucket" {
     }
   }
 
-  dynamic "server_side_encryption_configuration" {
-    for_each = local.server_side_encryption_rule[var.sse_algorithm == "none" ? "disabled" : "enabled"]
-    content {
-      dynamic "rule" {
-        for_each = lookup(server_side_encryption_configuration.value, "rule", [])
-        content {
-          dynamic "apply_server_side_encryption_by_default" {
-            for_each = lookup(rule.value, "apply_server_side_encryption_by_default", [])
-            content {
-              kms_master_key_id = lookup(apply_server_side_encryption_by_default.value, "kms_master_key_id", null)
-              sse_algorithm     = apply_server_side_encryption_by_default.value.sse_algorithm
-            }
-          }
-        }
-      }
-    }
-  }
-
-  versioning {
-    enabled = var.versioning
-  }
 
   dynamic "website" {
     for_each = local.bucket_website_config[var.website ? "enabled" : "disabled"]
@@ -372,3 +283,73 @@ resource "aws_s3_bucket_public_access_block" "block_public_access_settings" {
   ignore_public_acls      = var.block_public_access_ignore_acl
   restrict_public_buckets = var.block_public_access_restrict_bucket
 }
+
+##############################################################
+# S3 Access Control List
+##############################################################
+resource "aws_s3_bucket_acl" "s3_acl" {
+  bucket = aws_s3_bucket.s3_bucket.id
+  acl    = contains(local.acl_list, var.bucket_acl) ? var.bucket_acl : "ACL_ERROR"
+}
+
+
+##############################################################
+# S3 Versioning Configuration
+##############################################################
+resource "aws_s3_bucket_versioning" "s3_versioning" {
+  bucket = aws_s3_bucket.s3_bucket.id
+  versioning_configuration {
+    status     = var.versioning ? "Enabled" : "Disabled"
+    mfa_delete = var.mfa_delete ? "Enabled" : "Disabled"
+  }
+}
+
+##############################################################
+# S3 Logging Configuration
+##############################################################
+resource "aws_s3_bucket_logging" "s3_logging" {
+  count = var.bucket_logging ? 1 : 0
+
+  bucket        = aws_s3_bucket.s3_bucket.id
+  target_bucket = var.logging_bucket_name
+  target_prefix = var.logging_bucket_prefix
+}
+
+##############################################################
+# S3 Server Side Encryption (SSE) Configuration
+##############################################################
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse" {
+  count = var.sse_algorithm == "none" ? 0 : 1
+
+  bucket = aws_s3_bucket.s3_bucket.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = var.sse_algorithm
+      kms_master_key_id = var.kms_key_id
+    }
+    bucket_key_enabled = var.bucket_key_enabled
+  }
+}
+
+##############################################################
+# S3 CORS Configuration
+##############################################################
+resource "aws_s3_bucket_cors_configuration" "this" {
+  count = var.cors ? 1 : 0
+
+  bucket                = aws_s3_bucket.s3_bucket.id
+  expected_bucket_owner = var.expected_bucket_owner
+
+  dynamic "cors_rule" {
+    for_each = local.cors_rules
+
+    content {
+      id              = try(cors_rule.value.id, null)
+      allowed_methods = cors_rule.value.allowed_methods
+      allowed_origins = cors_rule.value.allowed_origins
+      allowed_headers = try(cors_rule.value.allowed_headers, null)
+      expose_headers  = try(cors_rule.value.expose_headers, null)
+      max_age_seconds = try(cors_rule.value.max_age_seconds, null)
+    }
+  }
+}

tests/test2/main.tf

@@ -20,9 +20,6 @@ resource "random_string" "s3_rstring" {
 module "s3" {
   source = "../../module"
 
-  allowed_headers                            = ["*"]
-  allowed_methods                            = ["PUT", "POST"]
-  allowed_origins                            = ["*"]
   bucket_acl                                 = "private"
   bucket_logging                             = false
   environment                                = "Development"
@@ -38,10 +35,25 @@ module "s3" {
   website                                    = true
   website_error                              = "error.html"
   website_index                              = "index.html"
+  cors                                       = true
+  cors_rule = [
+    {
+      allowed_methods = ["PUT", "POST"]
+      allowed_origins = ["https://modules.tf", "https://terraform-aws-modules.modules.tf"]
+      allowed_headers = ["*"]
+      expose_headers  = ["ETag"]
+      max_age_seconds = 3000
+      }, {
+      allowed_methods = ["PUT"]
+      allowed_origins = ["https://example.com"]
+      allowed_headers = ["*"]
+      expose_headers  = ["ETag"]
+      max_age_seconds = 3000
+    }
+  ]
 
   #  Not defining these to ensure it can properly handle undefined variable lists or strings
   #  expose_headers  = ["Accept-Ranges", "Content-Range", "Content-Encoding", "Content-Length"]
-  #  max_age_seconds = 3000
 
   tags = {
     RightSaid = "Fred"

tests/test3/main.tf

@@ -43,3 +43,34 @@ module "s3" {
     LeftSaid  = "George"
   }
 }
+
+module "s3_logging_test" {
+  source = "../../module"
+
+  bucket_acl                                 = "private"
+  bucket_logging                             = true
+  logging_bucket_name                        = module.s3.bucket_id
+  logging_bucket_prefix                      = "logs/"
+  environment                                = "Development"
+  lifecycle_enabled                          = true
+  name                                       = "${random_string.s3_rstring.result}-example-s3-log-bucket"
+  noncurrent_version_expiration_days         = "425"
+  noncurrent_version_transition_glacier_days = "60"
+  noncurrent_version_transition_ia_days      = "30"
+  object_expiration_days                     = "425"
+  rax_mpu_cleanup_enabled                    = true
+  transition_to_glacier_days                 = "60"
+  transition_to_ia_days                      = "30"
+  versioning                                 = true
+  kms_key_id                                 = "aws/s3"
+  sse_algorithm                              = "aws:kms"
+  bucket_key_enabled                         = true
+
+
+  tags = {
+    RightSaid = "Fred"
+    LeftSaid  = "George"
+  }
+
+  depends_on = [module.s3]
+}