From 20604130b3c13997196e072bb6278a73f862ce0a Mon Sep 17 00:00:00 2001
From: Carter Jones
Date: Wed, 11 May 2022 13:29:56 -0700
Subject: [PATCH 1/7] update pre-commit hooks
---
 .pre-commit-config.yaml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a6cf059..afa7a4b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,18 +1,18 @@
 repos:
- - repo: git://github.com/pre-commit/pre-commit-hooks
- rev: v3.4.0
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.2.0
 hooks:
 - id: check-merge-conflict
 - id: check-yaml
 - id: detect-private-key
 - id: trailing-whitespace
- - repo: git://github.com/igorshubovych/markdownlint-cli
- rev: v0.27.1
+ - repo: https://github.com/igorshubovych/markdownlint-cli
+ rev: v0.31.1
 hooks:
 - id: markdownlint
- - repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.48.0
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.71.0
 hooks:
- - id: terraform_fmt
\ No newline at end of file
+ - id: terraform_fmt
From 180d060af4acfe7c49611275c078b01f0a646535 Mon Sep 17 00:00:00 2001
From: Carter Jones
Date: Wed, 11 May 2022 13:29:25 -0700
Subject: [PATCH 2/7] bump module versions for compatibility with aws 4 provider
---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 1430d0a..23c858d 100644
--- a/main.tf
+++ b/main.tf
@@ -14,7 +14,7 @@ resource "aws_iam_account_alias" "alias" {
 module "terraform_state_bucket" {
 source = "trussworks/s3-private-bucket/aws"
- version = "~> 3.7.0"
+ version = "~> 4.0.0"
 bucket = local.state_bucket
 logging_bucket = module.terraform_state_bucket_logs.aws_logs_bucket
@@ -31,7 +31,7 @@ module "terraform_state_bucket" {
 module "terraform_state_bucket_logs" {
 source = "trussworks/logs/aws"
- version = "~> 11.0.0"
+ version = "~> 13.0.0"
 s3_bucket_name = local.logging_bucket
 default_allow = false
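Review bot: The new `rev:` values in .pre-commit-config.yaml still pin each hook repository to a git tag (`v4.2.0`, `v0.31.1`, `v1.71.0`), and tags are mutable, so the hook code that runs on every contributor's commit can change underneath the pin without any diff in this file; pre-commit accepts a full commit SHA as `rev`, which makes the pin immutable. Moving the three `repo:` lines from `git://` to `https://` is the right call, since the git protocol is unauthenticated and GitHub stopped serving it in 2022, so this hunk is a good place to finish the hardening, e.g. `rev: <commit-sha-that-v4.2.0-resolves-to>  # v4.2.0` on each hook. This is a supply-chain hardening suggestion rather than a defect in the bump itself.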
From 7cd46cba62a58107c4c5eb8d079e66c665b7c7be Mon Sep 17 00:00:00 2001
From: Carter Jones
Date: Wed, 11 May 2022 13:36:57 -0700
Subject: [PATCH 3/7] bump minimum aws provider version
---
 versions.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/versions.tf b/versions.tf
index 1ed13a4..ea22895 100644
--- a/versions.tf
+++ b/versions.tf
@@ -2,6 +2,6 @@ terraform {
 required_version = ">= 0.13.0"
 required_providers {
- aws = ">= 3.0, < 4.0"
+ aws = ">= 3.75.0"
 }
 }
From 35e41e19ba3cc6e762573efacd3595692fcac07e Mon Sep 17 00:00:00 2001
From: Carter Jones
Date: Wed, 11 May 2022 16:28:35 -0700
Subject: [PATCH 4/7] make log bucket tags configurable
---
 main.tf | 2 ++
 variables.tf | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/main.tf b/main.tf
index 23c858d..f4f2215 100644
--- a/main.tf
+++ b/main.tf
@@ -37,6 +37,8 @@ module "terraform_state_bucket_logs" {
 default_allow = false
 s3_log_bucket_retention = var.log_retention
 enable_versioning = var.log_bucket_versioning
+
+ tags = var.log_bucket_tags
 }
 #
diff --git a/variables.tf b/variables.tf
index 99b7d57..0c432df 100644
--- a/variables.tf
+++ b/variables.tf
@@ -53,6 +53,12 @@ variable "state_bucket_tags" {
 description = "Tags to associate with the bucket storing the Terraform state files"
 }
+variable "log_bucket_tags" {
+ type = map(string)
+ default = { Automation : "Terraform" }
+ description = "Tags to associate with the bucket storing the Terraform state bucket logs"
+}
+
 variable "enable_s3_public_access_block" {
 description = "Bool for toggling whether the s3 public access block resource should be enabled."
 type = bool
From 3f945b5d52edf9f6b08b010e0410a51b2b2a2925 Mon Sep 17 00:00:00 2001
From: Carter Jones
Date: Wed, 11 May 2022 15:00:40 -0700
Subject: [PATCH 5/7] remove inter-module dependency
---
 main.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index f4f2215..ad9aeab 100644
--- a/main.tf
+++ b/main.tf
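Review bot: The new `aws = ">= 3.75.0"` line in versions.tf removes the `< 4.0` ceiling as well as raising the floor, and that removal is the compatibility change the whole series depends on, yet neither the commit message ("bump minimum aws provider version") nor the hunk records it; a future 5.x provider with its own breaking changes will also satisfy this constraint on a fresh `terraform init`. Leaving a minimum-only bound is consistent with HashiCorp's guidance for shared modules, so rather than adding `< 5.0` I would state the tested range next to the line, e.g. `aws = ">= 3.75.0" # tested with 3.75.x and 4.x; 3.75 is the floor that exposes the standalone S3 resources on the 3.x line`, which matches the explanation the README gets later in this series. The `required_version = ">= 0.13.0"` context line is also the floor needed by the module-level `depends_on` and the variable `validation` block added in later patches, so that part is coherent.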
@@ -17,12 +17,16 @@ module "terraform_state_bucket" {
 version = "~> 4.0.0"
 bucket = local.state_bucket
- logging_bucket = module.terraform_state_bucket_logs.aws_logs_bucket
+ logging_bucket = local.logging_bucket
 use_account_alias_prefix = false
 enable_s3_public_access_block = var.enable_s3_public_access_block
 tags = var.state_bucket_tags
+
+ depends_on = [
+ module.terraform_state_bucket_logs
+ ]
 }
 #
From 31f3a77a3bf2b690889008d695674786ae477eb2 Mon Sep 17 00:00:00 2001
From: Carter Jones
Date: Wed, 11 May 2022 14:50:27 -0700
Subject: [PATCH 6/7] change log_bucket_versioning from bool to string
---
 main.tf | 2 +-
 variables.tf | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/main.tf b/main.tf
index ad9aeab..8cf1eec 100644
--- a/main.tf
+++ b/main.tf
@@ -40,7 +40,7 @@ module "terraform_state_bucket_logs" {
 s3_bucket_name = local.logging_bucket
 default_allow = false
 s3_log_bucket_retention = var.log_retention
- enable_versioning = var.log_bucket_versioning
+ versioning_status = var.log_bucket_versioning
 tags = var.log_bucket_tags
 }
diff --git a/variables.tf b/variables.tf
index 0c432df..3c6f49b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -42,9 +42,13 @@ variable "log_name" {
 }
 variable "log_bucket_versioning" {
- description = "Bool for toggling versioning for log bucket"
- type = bool
- default = false
+ description = "A string that indicates the versioning status for the log bucket."
+ default = "Disabled"
+ type = string
+ validation {
+ condition = contains(["Enabled", "Disabled", "Suspended"], var.log_bucket_versioning)
+ error_message = "Valid values for versioning_status are Enabled, Disabled, or Suspended."
+ }
 }
 variable "state_bucket_tags" {
From 81d7ed2194fe614af41a66bf03a499d7a71d6a82 Mon Sep 17 00:00:00 2001
From: Carter Jones
Date: Wed, 11 May 2022 13:37:34 -0700
Subject: [PATCH 7/7] add upgrade instructions to v3
---
 README.md | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
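Review bot: `logging_bucket = local.logging_bucket` in the `terraform_state_bucket` module block now assumes the bucket created by the logs module is named exactly `local.logging_bucket`, whereas the removed line took the name from that module's `aws_logs_bucket` output, i.e. whatever name it actually used. The earlier hunk in this series shows the same local being passed to the logs module as `s3_bucket_name`, so the two agree only as long as trussworks/logs/aws uses that input verbatim; if a future `~> 13.0.0` release prefixed or normalised it, the state bucket's server access logging would be configured against a bucket that does not exist, which is worth pinning down in a comment such as `# the logs module uses s3_bucket_name verbatim, so the local can stand in for its aws_logs_bucket output`. The module-level `depends_on` that replaces the implicit edge also makes every resource in this module wait on the whole logs module, which Terraform documents as a reason data sources inside the module may be deferred to apply time; the module block continues outside the hunk.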
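Review bot: The `error_message` in the new `validation` block for `log_bucket_versioning` refers to `versioning_status`, which is the argument name on the logs module, not the name of this variable, so a caller who passes a bad value is told about a name they never used; change it to `error_message = "Valid values for log_bucket_versioning are Enabled, Disabled, or Suspended."`. Because the type moves from `bool` to `string`, existing callers still passing `true` or `false` will not be coerced into a working value — Terraform converts the bool to the string `"true"`, which then fails the `contains` check — and the README added in the last patch covers that, but the variable itself should say so, e.g. `description = "Versioning status for the log bucket: Enabled, Disabled, or Suspended (replaces the pre-v3 bool)."`.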
diff --git a/README.md b/README.md
index 66412ee..d465d2c 100644
--- a/README.md
+++ b/README.md
@@ -138,6 +138,50 @@ terraform {
 ## Upgrade Path
+### Release v3.0.0
+
+Version 3.x.x enables the use of version 4 of the AWS provider. Terraform provided [an upgrade path](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-4-upgrade) for this. To support the upgrade path, this module now includes the following additional resources:
+
+* `module.terraform_state_bucket.aws_s3_bucket_policy.private_bucket`
+* `module.terraform_state_bucket.aws_s3_bucket_acl.private_bucket`
+* `module.terraform_state_bucket.aws_s3_bucket_versioning.private_bucket`
+* `module.terraform_state_bucket.aws_s3_bucket_lifecycle_configuration.private_bucket`
+* `module.terraform_state_bucket.aws_s3_bucket_logging.private_bucket`
+* `module.terraform_state_bucket.aws_s3_bucket_server_side_encryption_configuration.private_bucket`
+* `module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs`
+* `module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs`
+* `module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs`
+* `module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs`
+* `module.terraform_state_bucket_logs.aws_s3_bucket_logging.aws_logs`
+* `module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs`
+
+This module version changes the `log_bucket_versioning` variable from a boolean to a string. There are three possible values for this variable: `Enabled`, `Disabled`, and `Suspended`. If at one point versioning was enabled on your bucket, but has since been turned off, you will need to set `log_bucket_versioning` to `Suspended` rather than `Disabled`.
+
+Additionally, this version of the module requires a minimum AWS provider version of 3.75, so that you can remain on the 3.x AWS provider while still gaining the ability to utilize the new S3 resources introduced in the 4.x AWS provider.
+
+There are two general approaches to performing this upgrade:
+
+1. 
Upgrade the module version and run `terraform plan` followed by `terraform apply`, which will create the new Terraform resources.
+1. Perform `terraform import` commands, which accomplishes the same thing without running `terraform apply`. This is the more cautious route.
+
+If you choose to take the route of running `terraform import`, you will need to perform the following imports. Replace `example` with the name you're using when calling this module and replace `your-bucket-name-here` with the name of your bucket (as opposed to an S3 bucket ARN). Replace `your-logging-bucket-name-here` with the name of your logging bucket. Also note the inclusion of `,private` when importing the new `module.terraform_state_bucket.aws_s3_bucket_acl.private_bucket` Terraform resource and the inclusion of `,log-delivery-write` when importing the new `module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs` Terraform resource.
+
+```sh
+terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_policy.private_bucket your-bucket-name-here
+terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_acl.private_bucket your-bucket-name-here,private
+terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_versioning.private_bucket your-bucket-name-here
+terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_lifecycle_configuration.private_bucket your-bucket-name-here
+terraform import module.example.module.terraform_state_bucket.aws_s3_bucket_server_side_encryption_configuration.private_bucket your-bucket-name-here
+terraform import 'module.example.module.terraform_state_bucket.aws_s3_bucket_logging.private_bucket[0]' your-bucket-name-here
+terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_policy.aws_logs your-logging-bucket-name-here
+terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_acl.aws_logs your-logging-bucket-name-here,log-delivery-write
+terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_lifecycle_configuration.aws_logs your-logging-bucket-name-here
+terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_server_side_encryption_configuration.aws_logs your-logging-bucket-name-here
+terraform import module.example.module.terraform_state_bucket_logs.aws_s3_bucket_versioning.aws_logs your-logging-bucket-name-here
+```
+
+After this, you will need to run a `terraform plan` and `terraform apply` to apply some non-functional changes to lifecycle rule IDs.
+
 ### Release v2.0.0
 When upgrading from v1.6.1 to v2.0.0 the terraform state must be modified to move the account alias resource: