From ce1f9da83611ed5407721ddfe93e156261c60fff Mon Sep 17 00:00:00 2001
From: Nikolay Kolev
Date: Tue, 10 Aug 2021 11:26:26 +0300
Subject: [PATCH 1/2] Expose the mfa_delete attribute
---
 main.tf | 3 ++-
 variables.tf | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 9bbde62..7c53e73 100644
--- a/main.tf
+++ b/main.tf
@@ -368,7 +368,8 @@ resource "aws_s3_bucket" "aws_logs" {
 force_destroy = var.force_destroy
 versioning {
- enabled = var.enable_versioning
+ enabled = var.enable_versioning
+ mfa_delete = var.enable_mfa_delete
 }
 lifecycle_rule {
diff --git a/variables.tf b/variables.tf
index 50bed68..c5eaa9d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -183,3 +183,9 @@ variable "enable_versioning" {
 default = false
 type = bool
 }
+
+variable "enable_mfa_delete" {
+ description = "A bool that requires MFA to delete the log bucket."
+ default = false
+ type = bool
+}
From 6403363f09c85a05aafa254d52b9c85e96e6dc01 Mon Sep 17 00:00:00 2001
From: Michael Kania
Date: Fri, 13 Aug 2021 16:05:54 -0700
Subject: [PATCH 2/2] update readme, circleci, pre-commit
---
 .circleci/config.yml | 2 +-
 .pre-commit-config.yaml | 8 ++--
 README.md | 95 ++++++++++++++++++++++++-----------------
 3 files changed, 61 insertions(+), 44 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 0c106e9..2cd9df2 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -6,7 +6,7 @@ jobs:
 username: $DOCKER_USERNAME
 environment:
 - TEST_RESULTS: /tmp/test-results
- image: trussworks/circleci:efb1042e31538677779971798e0912390f699e72
+ image: trussworks/circleci:4842166032528adaf4e38225ef0964fe7158b4db
 steps:
 - checkout
 - restore_cache:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index b041a70..79493c8 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: git://github.com/pre-commit/pre-commit-hooks
- rev: v3.4.0
+ rev: v4.0.1
 hooks:
 - id: check-json
 - id: check-merge-conflict
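Review bot: The `mfa_delete = var.enable_mfa_delete` line added to the versioning block is evaluated independently of `var.enable_versioning`, and S3 treats MFA Delete as a property of a versioning-enabled bucket, so `enable_mfa_delete = true` combined with the default `enable_versioning = false` will most likely be rejected at apply time rather than caught at plan time; the enclosing `aws_s3_bucket.aws_logs` resource starts and ends outside the hunk. The AWS provider also documents `mfa_delete` as a value it cannot toggle itself — it only lets the managed bucket reflect a setting the bucket owner enabled out of band with an MFA device — and MFA Delete governs permanent deletion of object versions and changes to the versioning state, not deletion of the bucket, so the variables.tf hunk's `description = "A bool that requires MFA to delete the log bucket."` (and the README row generated from it) overstates what the input does. Suggest `description = "Mirror the bucket's MFA Delete setting in the versioning block. Only valid when enable_versioning is true; the AWS provider cannot enable MFA Delete itself, it only records a setting the bucket owner enabled with an MFA device."` so callers get an explicit contract instead of a mid-apply failure, and a one-line comment above the `mfa_delete` assignment in main.tf stating the same dependency on `enable_versioning`.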
@@ -12,17 +12,17 @@ repos:
 - id: trailing-whitespace
 - repo: git://github.com/igorshubovych/markdownlint-cli
- rev: v0.26.0
+ rev: v0.28.1
 hooks:
 - id: markdownlint
 - repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.45.0
+ rev: v1.50.0
 hooks:
 - id: terraform_docs
 - id: terraform_fmt
 - repo: git://github.com/golangci/golangci-lint
- rev: v1.33.0
+ rev: v1.41.1
 hooks:
 - id: golangci-lint
diff --git a/README.md b/README.md
index 25408c8..a0c1945 100644
--- a/README.md
+++ b/README.md
@@ -91,60 +91,77 @@ module "aws_logs" { | Name | Version | |------|---------| -| terraform | >= 0.13.0 | -| aws | >= 3.0 | +| [terraform](#requirement\_terraform) | >= 0.13.0 | +| [aws](#requirement\_aws) | >= 3.0 | ## Providers | Name | Version | |------|---------| -| aws | >= 3.0 | +| [aws](#provider\_aws) | >= 3.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_s3_bucket.aws_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_public_access_block.public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | +| [aws_iam_policy_document.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_redshift_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/redshift_service_account) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| alb\_account | Account for ALB logs. By default limits to the current account. | `string` | `""` | no | -| alb\_logs\_prefixes | S3 key prefixes for ALB logs. | `list(string)` |
[
"alb"
]
| no | -| allow\_alb | Allow ALB service to log to bucket. | `bool` | `false` | no | -| allow\_cloudtrail | Allow Cloudtrail service to log to bucket. | `bool` | `false` | no | -| allow\_cloudwatch | Allow Cloudwatch service to export logs to bucket. | `bool` | `false` | no | -| allow\_config | Allow Config service to log to bucket. | `bool` | `false` | no | -| allow\_elb | Allow ELB service to log to bucket. | `bool` | `false` | no | -| allow\_nlb | Allow NLB service to log to bucket. | `bool` | `false` | no | -| allow\_redshift | Allow Redshift service to log to bucket. | `bool` | `false` | no | -| cloudtrail\_accounts | List of accounts for CloudTrail logs. By default limits to the current account. | `list(string)` | `[]` | no | -| cloudtrail\_logs\_prefix | S3 prefix for CloudTrail logs. | `string` | `"cloudtrail"` | no | -| cloudtrail\_org\_id | AWS Organization ID for CloudTrail. | `string` | `""` | no | -| cloudwatch\_logs\_prefix | S3 prefix for CloudWatch log exports. | `string` | `"cloudwatch"` | no | -| config\_accounts | List of accounts for Config logs. By default limits to the current account. | `list(string)` | `[]` | no | -| config\_logs\_prefix | S3 prefix for AWS Config logs. | `string` | `"config"` | no | -| create\_public\_access\_block | Whether to create a public\_access\_block restricting public access to the bucket. | `bool` | `true` | no | -| default\_allow | Whether all services included in this module should be allowed to write to the bucket by default. Alternatively select individual services. It's recommended to use the default bucket ACL of log-delivery-write. | `bool` | `true` | no | -| elb\_accounts | List of accounts for ELB logs. By default limits to the current account. | `list(string)` | `[]` | no | -| elb\_logs\_prefix | S3 prefix for ELB logs. | `string` | `"elb"` | no | -| enable\_versioning | A bool that enables versioning for the log bucket. 
| `bool` | `false` | no | -| force\_destroy | A bool that indicates all objects (including any locked objects) should be deleted from the bucket so the bucket can be destroyed without error. | `bool` | `false` | no | -| logging\_target\_bucket | S3 Bucket to send S3 logs to. Disables logging if omitted. | `string` | `null` | no | -| logging\_target\_prefix | Prefix for logs going into the log\_s3\_bucket. | `string` | `"s3/"` | no | -| nlb\_account | Account for NLB logs. By default limits to the current account. | `string` | `""` | no | -| nlb\_logs\_prefixes | S3 key prefixes for NLB logs. | `list(string)` |
[
"nlb"
]
| no | -| noncurrent\_version\_retention | Number of days to retain non-current versions of objects if versioning is enabled. | `string` | `30` | no | -| redshift\_logs\_prefix | S3 prefix for RedShift logs. | `string` | `"redshift"` | no | -| s3\_bucket\_acl | Set bucket ACL per [AWS S3 Canned ACL]() list. | `string` | `"log-delivery-write"` | no | -| s3\_bucket\_name | S3 bucket to store AWS logs in. | `string` | n/a | yes | -| s3\_log\_bucket\_retention | Number of days to keep AWS logs around. | `string` | `90` | no | -| tags | A mapping of tags to assign to the logs bucket. Please note that tags with a conflicting key will not override the original tag. | `map(string)` | `{}` | no | +| [alb\_account](#input\_alb\_account) | Account for ALB logs. By default limits to the current account. | `string` | `""` | no | +| [alb\_logs\_prefixes](#input\_alb\_logs\_prefixes) | S3 key prefixes for ALB logs. | `list(string)` |
[
"alb"
]
| no | +| [allow\_alb](#input\_allow\_alb) | Allow ALB service to log to bucket. | `bool` | `false` | no | +| [allow\_cloudtrail](#input\_allow\_cloudtrail) | Allow Cloudtrail service to log to bucket. | `bool` | `false` | no | +| [allow\_cloudwatch](#input\_allow\_cloudwatch) | Allow Cloudwatch service to export logs to bucket. | `bool` | `false` | no | +| [allow\_config](#input\_allow\_config) | Allow Config service to log to bucket. | `bool` | `false` | no | +| [allow\_elb](#input\_allow\_elb) | Allow ELB service to log to bucket. | `bool` | `false` | no | +| [allow\_nlb](#input\_allow\_nlb) | Allow NLB service to log to bucket. | `bool` | `false` | no | +| [allow\_redshift](#input\_allow\_redshift) | Allow Redshift service to log to bucket. | `bool` | `false` | no | +| [cloudtrail\_accounts](#input\_cloudtrail\_accounts) | List of accounts for CloudTrail logs. By default limits to the current account. | `list(string)` | `[]` | no | +| [cloudtrail\_logs\_prefix](#input\_cloudtrail\_logs\_prefix) | S3 prefix for CloudTrail logs. | `string` | `"cloudtrail"` | no | +| [cloudtrail\_org\_id](#input\_cloudtrail\_org\_id) | AWS Organization ID for CloudTrail. | `string` | `""` | no | +| [cloudwatch\_logs\_prefix](#input\_cloudwatch\_logs\_prefix) | S3 prefix for CloudWatch log exports. | `string` | `"cloudwatch"` | no | +| [config\_accounts](#input\_config\_accounts) | List of accounts for Config logs. By default limits to the current account. | `list(string)` | `[]` | no | +| [config\_logs\_prefix](#input\_config\_logs\_prefix) | S3 prefix for AWS Config logs. | `string` | `"config"` | no | +| [create\_public\_access\_block](#input\_create\_public\_access\_block) | Whether to create a public\_access\_block restricting public access to the bucket. | `bool` | `true` | no | +| [default\_allow](#input\_default\_allow) | Whether all services included in this module should be allowed to write to the bucket by default. Alternatively select individual services. 
It's recommended to use the default bucket ACL of log-delivery-write. | `bool` | `true` | no | +| [elb\_accounts](#input\_elb\_accounts) | List of accounts for ELB logs. By default limits to the current account. | `list(string)` | `[]` | no | +| [elb\_logs\_prefix](#input\_elb\_logs\_prefix) | S3 prefix for ELB logs. | `string` | `"elb"` | no | +| [enable\_mfa\_delete](#input\_enable\_mfa\_delete) | A bool that requires MFA to delete the log bucket. | `bool` | `false` | no | +| [enable\_versioning](#input\_enable\_versioning) | A bool that enables versioning for the log bucket. | `bool` | `false` | no | +| [force\_destroy](#input\_force\_destroy) | A bool that indicates all objects (including any locked objects) should be deleted from the bucket so the bucket can be destroyed without error. | `bool` | `false` | no | +| [logging\_target\_bucket](#input\_logging\_target\_bucket) | S3 Bucket to send S3 logs to. Disables logging if omitted. | `string` | `null` | no | +| [logging\_target\_prefix](#input\_logging\_target\_prefix) | Prefix for logs going into the log\_s3\_bucket. | `string` | `"s3/"` | no | +| [nlb\_account](#input\_nlb\_account) | Account for NLB logs. By default limits to the current account. | `string` | `""` | no | +| [nlb\_logs\_prefixes](#input\_nlb\_logs\_prefixes) | S3 key prefixes for NLB logs. | `list(string)` |
[
"nlb"
]
| no | +| [noncurrent\_version\_retention](#input\_noncurrent\_version\_retention) | Number of days to retain non-current versions of objects if versioning is enabled. | `string` | `30` | no | +| [redshift\_logs\_prefix](#input\_redshift\_logs\_prefix) | S3 prefix for RedShift logs. | `string` | `"redshift"` | no | +| [s3\_bucket\_acl](#input\_s3\_bucket\_acl) | Set bucket ACL per [AWS S3 Canned ACL]() list. | `string` | `"log-delivery-write"` | no | +| [s3\_bucket\_name](#input\_s3\_bucket\_name) | S3 bucket to store AWS logs in. | `string` | n/a | yes | +| [s3\_log\_bucket\_retention](#input\_s3\_log\_bucket\_retention) | Number of days to keep AWS logs around. | `string` | `90` | no | +| [tags](#input\_tags) | A mapping of tags to assign to the logs bucket. Please note that tags with a conflicting key will not override the original tag. | `map(string)` | `{}` | no | ## Outputs | Name | Description | |------|-------------| -| aws\_logs\_bucket | ID of the S3 bucket containing AWS logs. | -| configs\_logs\_path | S3 path for Config logs. | -| elb\_logs\_path | S3 path for ELB logs. | -| redshift\_logs\_path | S3 path for RedShift logs. | - +| [aws\_logs\_bucket](#output\_aws\_logs\_bucket) | ID of the S3 bucket containing AWS logs. | +| [configs\_logs\_path](#output\_configs\_logs\_path) | S3 path for Config logs. | +| [elb\_logs\_path](#output\_elb\_logs\_path) | S3 path for ELB logs. | +| [redshift\_logs\_path](#output\_redshift\_logs\_path) | S3 path for RedShift logs. | ## Upgrade Paths