feat: make glacier transition rules optional (#293)
BREAKING CHANGE: this change disables glacier transition rules by default since
transitioning small objects is officially not recommended. It
can be enabled by setting `var.audit_log_lifecycle_glacier_transition_days` to
a positive number.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-transition-general-considerations.html
nozaq authored Jun 5, 2022
1 parent a94ba14 commit f0cdf3e
Showing 5 changed files with 10 additions and 6 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -145,7 +145,7 @@ This module is composed of several submodules and each of which can be used inde
| <a name="input_audit_log_bucket_custom_policy_json"></a> [audit\_log\_bucket\_custom\_policy\_json](#input\_audit\_log\_bucket\_custom\_policy\_json) | Override policy for the audit log bucket. Allows addition of extra policies. | `string` | no |
| <a name="input_audit_log_bucket_force_destroy"></a> [audit\_log\_bucket\_force\_destroy](#input\_audit\_log\_bucket\_force\_destroy) | A boolean that indicates all objects should be deleted from the audit log bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no |
| <a name="input_audit_log_bucket_key_enabled"></a> [audit\_log\_bucket\_key\_enabled](#input\_audit\_log\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for encrypting the audit log bucket. | `bool` | no |
| <a name="input_audit_log_lifecycle_glacier_transition_days"></a> [audit\_log\_lifecycle\_glacier\_transition\_days](#input\_audit\_log\_lifecycle\_glacier\_transition\_days) | The number of days after log creation when the log file is archived into Glacier. | `number` | no |
| <a name="input_audit_log_lifecycle_glacier_transition_days"></a> [audit\_log\_lifecycle\_glacier\_transition\_days](#input\_audit\_log\_lifecycle\_glacier\_transition\_days) | The number of days after log creation when the log file is archived into Glacier. Setting to zero disables the transition. | `number` | no |
| <a name="input_aws_config_changes_enabled"></a> [aws\_config\_changes\_enabled](#input\_aws\_config\_changes\_enabled) | The boolean flag whether the aws\_config\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
| <a name="input_cloudtrail_baseline_enabled"></a> [cloudtrail\_baseline\_enabled](#input\_cloudtrail\_baseline\_enabled) | Boolean whether cloudtrail-baseline is enabled. | `bool` | no |
| <a name="input_cloudtrail_cfg_changes_enabled"></a> [cloudtrail\_cfg\_changes\_enabled](#input\_cloudtrail\_cfg\_changes\_enabled) | The boolean flag whether the cloudtrail\_cfg\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
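Review bot: the updated description in this hunk says zero disables the transition, but this table has no Default column, so a reader cannot tell that the default moved from 90 to 0 and that upgrading without setting the variable silently drops the Glacier rule on the audit log bucket. Suggest stating it in the description, e.g. `The number of days after log creation when the log file is archived into Glacier. Setting to zero (the default) disables the transition.`, and pointing at the breaking change in the release notes.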
2 changes: 1 addition & 1 deletion modules/secure-bucket/README.md
@@ -24,7 +24,7 @@ Creates a S3 bucket with access logging enabled.
| <a name="input_log_bucket_name"></a> [log\_bucket\_name](#input\_log\_bucket\_name) | The name of the S3 bucket to store access logs to the main bucket. | `string` | yes |
| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for this bucket. | `bool` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no |
| <a name="input_lifecycle_glacier_transition_days"></a> [lifecycle\_glacier\_transition\_days](#input\_lifecycle\_glacier\_transition\_days) | The number of days after object creation when the object is archived into Glacier. | `number` | no |
| <a name="input_lifecycle_glacier_transition_days"></a> [lifecycle\_glacier\_transition\_days](#input\_lifecycle\_glacier\_transition\_days) | The number of days after object creation when the object is archived into Glacier. Setting to zero disables the transition. | `number` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no |

## Outputs
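Review bot: same gap as in the root README: the submodule table has no Default column, so the `lifecycle_glacier_transition_days` row should say that zero is now the default, otherwise module users have no documented hint that the lifecycle rule is off unless they opt in.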
4 changes: 4 additions & 0 deletions modules/secure-bucket/main.tf
@@ -41,6 +41,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "access_log" {
}

resource "aws_s3_bucket_lifecycle_configuration" "access_log" {
count = var.lifecycle_glacier_transition_days > 0 ? 1 : 0

bucket = aws_s3_bucket.access_log.id

rule {
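Review bot: adding `count` to this resource changes its state address from `aws_s3_bucket_lifecycle_configuration.access_log` to `aws_s3_bucket_lifecycle_configuration.access_log[0]`, so callers who keep a positive `lifecycle_glacier_transition_days` will see the existing configuration destroyed and recreated on their next apply. A `moved` block (Terraform 1.1+) avoids that churn:
`moved { from = aws_s3_bucket_lifecycle_configuration.access_log  to = aws_s3_bucket_lifecycle_configuration.access_log[0] }`.
Callers who leave the new default of 0 lose the lifecycle rule on the access log bucket entirely; that is the intended breaking change, but because it is a retention control on log data it deserves an explicit line in the upgrade notes.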
@@ -108,6 +110,8 @@ resource "aws_s3_bucket_logging" "content" {
}

resource "aws_s3_bucket_lifecycle_configuration" "content" {
count = var.lifecycle_glacier_transition_days > 0 ? 1 : 0

bucket = aws_s3_bucket.content.id

rule {
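Review bot: the `count` expression here duplicates the one on the `access_log` resource; factor it into a local, e.g. `locals { glacier_transition_enabled = var.lifecycle_glacier_transition_days > 0 }`, so the two resources cannot drift apart. Any output or `depends_on` elsewhere in the module that references `aws_s3_bucket_lifecycle_configuration.content` without an index will now fail validation, because attributes of a counted resource must be accessed as `[0]` (or via `one(...)`); please check the module's outputs. The same `moved` block treatment as for `access_log` applies to this resource.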
4 changes: 2 additions & 2 deletions modules/secure-bucket/variables.tf
@@ -9,9 +9,9 @@ variable "log_bucket_name" {
}

variable "lifecycle_glacier_transition_days" {
description = "The number of days after object creation when the object is archived into Glacier."
description = "The number of days after object creation when the object is archived into Glacier. Setting to zero disables the transition."
type = number
default = 90
default = 0
}

variable "force_destroy" {
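Review bot: negative values are accepted silently and, through the `> 0` check in main.tf, just disable the rule, which hides a typo rather than reporting it. Add a validation block alongside the new default:
`validation { condition = var.lifecycle_glacier_transition_days >= 0  error_message = "lifecycle_glacier_transition_days must be zero or a positive number of days." }`.
The change of `default` from 90 to 0 in this hunk is the actual behaviour change for every existing caller, so the description string should also say that zero is the default.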
4 changes: 2 additions & 2 deletions variables.tf
@@ -86,9 +86,9 @@ variable "audit_log_bucket_key_enabled" {
}

variable "audit_log_lifecycle_glacier_transition_days" {
description = "The number of days after log creation when the log file is archived into Glacier."
description = "The number of days after log creation when the log file is archived into Glacier. Setting to zero disables the transition."
type = number
default = 90
default = 0
}

variable "audit_log_bucket_force_destroy" {
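Review bot: this root variable mirrors the submodule one, so the same `>= 0` validation belongs here (at minimum here, if the value is passed straight through to the submodule), so that an invalid value is rejected at plan time instead of silently turning off Glacier transition for the audit log bucket. Since the bucket holds audit logs, the description should spell out the retention implication of the new default: with 0, log objects stay in their original storage class indefinitely unless another rule expires them.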