From ac43e7b79247150ba209a664b32317e581575d89 Mon Sep 17 00:00:00 2001 From: Dominique Dumont Date: Fri, 3 Nov 2023 23:18:31 +0100 Subject: [PATCH] feat: add user_policy_document parameter (#142) --- .github/renovate.json | 7 +-- .github/workflows/release-branch.yml | 1 + .github/workflows/release-published.yml | 2 +- README.md | 72 +++++++------------------ docs/terraform.md | 5 ++ main.tf | 25 +++++++-- variables.tf | 10 ++++ versions.tf | 4 ++ 8 files changed, 65 insertions(+), 61 deletions(-) diff --git a/.github/renovate.json b/.github/renovate.json index b61ed24..909df09 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -1,13 +1,14 @@ { "extends": [ "config:base", - ":preserveSemverRanges" + ":preserveSemverRanges", + ":rebaseStalePrs" ], - "baseBranches": ["main", "master", "/^release\\/v\\d{1,2}$/"], + "baseBranches": ["main"], "labels": ["auto-update"], "dependencyDashboardAutoclose": true, "enabledManagers": ["terraform"], "terraform": { - "ignorePaths": ["**/context.tf", "examples/**"] + "ignorePaths": ["**/context.tf"] } } diff --git a/.github/workflows/release-branch.yml b/.github/workflows/release-branch.yml index 3f8fe62..b30901e 100644 --- a/.github/workflows/release-branch.yml +++ b/.github/workflows/release-branch.yml @@ -10,6 +10,7 @@ on: - 'docs/**' - 'examples/**' - 'test/**' + - 'README.*' permissions: contents: write diff --git a/.github/workflows/release-published.yml b/.github/workflows/release-published.yml index f86352b..b31232b 100644 --- a/.github/workflows/release-published.yml +++ b/.github/workflows/release-published.yml @@ -11,4 +11,4 @@ permissions: jobs: terraform-module: - uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main + uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main diff --git a/README.md b/README.md index c650dba..9f75a0f 100644 --- a/README.md +++ b/README.md 
@@ -48,12 +48,6 @@ __NOTE:__ This module cannot be used to apply changes to the `mfa_delete` featur --- This project is part of our comprehensive ["SweetOps"](https://cpco.io/sweetops) approach towards DevOps. -[][share_email] -[][share_googleplus] -[][share_facebook] -[][share_reddit] -[][share_linkedin] -[][share_twitter] [![Terraform Open Source Modules](https://docs.cloudposse.com/images/terraform-open-source-modules.svg)][terraform_modules] @@ -103,10 +97,6 @@ We highly recommend that in your code you pin the version to the exact version y using so that your infrastructure remains stable, and update versions in a systematic way so that they do not catch you by surprise. -Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)), -the registry shows many of our inputs as required when in fact they are optional. -The table below correctly indicates which inputs are required. - ### Create @@ -251,6 +241,7 @@ Available targets: | [terraform](#requirement\_terraform) | >= 1.1.0 | | [aws](#requirement\_aws) | >= 4.9.0 | | [local](#requirement\_local) | >= 2.0 | +| [time](#requirement\_time) | >= 0.7.1 | ## Providers @@ -258,6 +249,7 @@ Available targets: |------|---------| | [aws](#provider\_aws) | >= 4.9.0 | | [local](#provider\_local) | >= 2.0 | +| [time](#provider\_time) | >= 0.7.1 | ## Modules 
@@ -286,6 +278,8 @@ Available targets: | [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [local_file.terraform_backend_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [time_sleep.wait_for_aws_s3_bucket_settings](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [aws_iam_policy_document.aggregated_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.replication_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -334,6 +328,7 @@ Available targets: | [s3\_bucket\_name](#input\_s3\_bucket\_name) | S3 bucket name. If not provided, the name will be generated from the context by the label module. | `string` | `""` | no | | [s3\_replica\_bucket\_arn](#input\_s3\_replica\_bucket\_arn) | The ARN of the S3 replica bucket (destination) | `string` | `""` | no | | [s3\_replication\_enabled](#input\_s3\_replication\_enabled) | Set this to true and specify `s3_replica_bucket_arn` to enable replication | `bool` | `false` | no | +| [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents (in JSON format) that are merged together into the generated S3 bucket policy.
Statements must have unique SIDs.
Statement having SIDs that match policy SIDs generated by this module will override them. | `list(string)` | `[]` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | @@ -364,8 +359,6 @@ Available targets: Like this project? Please give it a ★ on [our GitHub](https://github.com/cloudposse/terraform-aws-tfstate-backend)! (it helps us **a lot**) -Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =) - ## Related Projects @@ -409,10 +402,6 @@ We deliver 10x the value for a fraction of the cost of a full-time engineer. Our Join our [Open Source Community][slack] on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure. -## Discourse Forums - -Participate in our [Discourse Forums][discourse]. Here you'll find answers to commonly asked questions. Most questions will be related to the enormous number of projects we support on our GitHub. Come here to collaborate on answers, find solutions, and get ideas about the products and services we value. It only takes a minute to get started! Just sign in with SSO using your GitHub account. - ## Newsletter Sign up for [our newsletter][newsletter] that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover. 
@@ -423,7 +412,18 @@ Sign up for [our newsletter][newsletter] that covers everything on our technolog [![zoom](https://img.cloudposse.com/fit-in/200x200/https://cloudposse.com/wp-content/uploads/2019/08/Powered-by-Zoom.png")][office_hours] -## Contributing +## ✨ Contributing + + + +This project is under active development, and we encourage contributions from our community. +Many thanks to our outstanding contributors: + + + + + + ### Bug Reports & Feature Requests @@ -497,35 +497,7 @@ We're a [DevOps Professional Services][hire] company based in Los Angeles, CA. W We offer [paid support][commercial_support] on all of our projects. -Check out [our other projects][github], [follow us on twitter][twitter], [apply for a job][jobs], or [hire us][hire] to help with your cloud strategy and implementation. - - - -### Contributors - - -| [![Andriy Knysh][aknysh_avatar]][aknysh_homepage]
[Andriy Knysh][aknysh_homepage] | [![Erik Osterman][osterman_avatar]][osterman_homepage]
[Erik Osterman][osterman_homepage] | [![Maarten van der Hoef][maartenvanderhoef_avatar]][maartenvanderhoef_homepage]
[Maarten van der Hoef][maartenvanderhoef_homepage] | [![Vladimir][SweetOps_avatar]][SweetOps_homepage]
[Vladimir][SweetOps_homepage] | [![Chris Weyl][rsrchboy_avatar]][rsrchboy_homepage]
[Chris Weyl][rsrchboy_homepage] | [![John McGehee][jmcgeheeiv_avatar]][jmcgeheeiv_homepage]
[John McGehee][jmcgeheeiv_homepage] | [![Oliver L Schoenborn][schollii_avatar]][schollii_homepage]
[Oliver L Schoenborn][schollii_homepage] | [![RB][nitrocode_avatar]][nitrocode_homepage]
[RB][nitrocode_homepage] | -|---|---|---|---|---|---|---|---| - - - [aknysh_homepage]: https://github.com/aknysh - [aknysh_avatar]: https://img.cloudposse.com/150x150/https://github.com/aknysh.png - [osterman_homepage]: https://github.com/osterman - [osterman_avatar]: https://img.cloudposse.com/150x150/https://github.com/osterman.png - [maartenvanderhoef_homepage]: https://github.com/maartenvanderhoef - [maartenvanderhoef_avatar]: https://img.cloudposse.com/150x150/https://github.com/maartenvanderhoef.png - [SweetOps_homepage]: https://github.com/SweetOps - [SweetOps_avatar]: https://img.cloudposse.com/150x150/https://github.com/SweetOps.png - [rsrchboy_homepage]: https://github.com/rsrchboy - [rsrchboy_avatar]: https://img.cloudposse.com/150x150/https://github.com/rsrchboy.png - [jmcgeheeiv_homepage]: https://github.com/jmcgeheeiv - [jmcgeheeiv_avatar]: https://img.cloudposse.com/150x150/https://github.com/jmcgeheeiv.png - [schollii_homepage]: https://github.com/schollii - [schollii_avatar]: https://img.cloudposse.com/150x150/https://github.com/schollii.png - [nitrocode_homepage]: https://github.com/nitrocode - [nitrocode_avatar]: https://img.cloudposse.com/150x150/https://github.com/nitrocode.png - -[![README Footer][readme_footer_img]][readme_footer_link] +Check out [our other projects][github], [follow us on twitter][twitter], [apply for a job][jobs], or [hire us][hire] to help with your cloud strategy and implementation.[![README Footer][readme_footer_img]][readme_footer_link] [![Beacon][beacon]][website] [logo]: https://cloudposse.com/logo-300x69.svg 
@@ -535,12 +507,10 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply [jobs]: https://cpco.io/jobs?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=jobs [hire]: https://cpco.io/hire?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=hire [slack]: https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=slack - [linkedin]: https://cpco.io/linkedin?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=linkedin [twitter]: https://cpco.io/twitter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=twitter [testimonial]: https://cpco.io/leave-testimonial?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=testimonial [office_hours]: https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=office_hours [newsletter]: https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=newsletter - [discourse]: https://ask.sweetops.com/?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=discourse [email]: https://cpco.io/email?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=email [commercial_support]: https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=commercial_support [we_love_open_source]: https://cpco.io/we-love-open-source?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=we_love_open_source 
@@ -551,11 +521,5 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply [readme_footer_link]: https://cloudposse.com/readme/footer/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=readme_footer_link [readme_commercial_support_img]: https://cloudposse.com/readme/commercial-support/img [readme_commercial_support_link]: https://cloudposse.com/readme/commercial-support/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=readme_commercial_support_link - [share_twitter]: https://twitter.com/intent/tweet/?text=terraform-aws-tfstate-backend&url=https://github.com/cloudposse/terraform-aws-tfstate-backend - [share_linkedin]: https://www.linkedin.com/shareArticle?mini=true&title=terraform-aws-tfstate-backend&url=https://github.com/cloudposse/terraform-aws-tfstate-backend - [share_reddit]: https://reddit.com/submit/?url=https://github.com/cloudposse/terraform-aws-tfstate-backend - [share_facebook]: https://facebook.com/sharer/sharer.php?u=https://github.com/cloudposse/terraform-aws-tfstate-backend - [share_googleplus]: https://plus.google.com/share?url=https://github.com/cloudposse/terraform-aws-tfstate-backend - [share_email]: mailto:?subject=terraform-aws-tfstate-backend&body=https://github.com/cloudposse/terraform-aws-tfstate-backend [beacon]: https://ga-beacon.cloudposse.com/UA-76589703-4/cloudposse/terraform-aws-tfstate-backend?pixel&cs=github&cm=readme&an=terraform-aws-tfstate-backend diff --git a/docs/terraform.md b/docs/terraform.md index cd63531..3e386b1 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -6,6 +6,7 @@ | [terraform](#requirement\_terraform) | >= 1.1.0 | | [aws](#requirement\_aws) | >= 4.9.0 | | [local](#requirement\_local) | >= 2.0 | +| [time](#requirement\_time) | >= 0.7.1 | ## Providers 
@@ -13,6 +14,7 @@ |------|---------| | [aws](#provider\_aws) | >= 4.9.0 | | [local](#provider\_local) | >= 2.0 | +| [time](#provider\_time) | >= 0.7.1 | ## Modules @@ -41,6 +43,8 @@ | [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [local_file.terraform_backend_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [time_sleep.wait_for_aws_s3_bucket_settings](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [aws_iam_policy_document.aggregated_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.replication_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 
@@ -89,6 +93,7 @@ | [s3\_bucket\_name](#input\_s3\_bucket\_name) | S3 bucket name. If not provided, the name will be generated from the context by the label module. | `string` | `""` | no | | [s3\_replica\_bucket\_arn](#input\_s3\_replica\_bucket\_arn) | The ARN of the S3 replica bucket (destination) | `string` | `""` | no | | [s3\_replication\_enabled](#input\_s3\_replication\_enabled) | Set this to true and specify `s3_replica_bucket_arn` to enable replication | `bool` | `false` | no | +| [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents (in JSON format) that are merged together into the generated S3 bucket policy.
Statements must have unique SIDs.
Statement having SIDs that match policy SIDs generated by this module will override them. | `list(string)` | `[]` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | diff --git a/main.tf b/main.tf index 5a50729..7f86611 100644 --- a/main.tf +++ b/main.tf @@ -8,7 +8,7 @@ locals { prevent_unencrypted_uploads = local.enabled && var.prevent_unencrypted_uploads - policy = one(data.aws_iam_policy_document.bucket_policy[*].json) + policy = one(data.aws_iam_policy_document.aggregated_policy[*].json) terraform_backend_config_file = format( "%s/%s", @@ -53,6 +53,14 @@ module "bucket_label" { data "aws_region" "current" {} +data "aws_iam_policy_document" "aggregated_policy" { + count = local.enabled ? 1 : 0 + + source_policy_documents = [one(data.aws_iam_policy_document.bucket_policy[*].json)] + override_policy_documents = var.source_policy_documents +} + + data "aws_iam_policy_document" "bucket_policy" { count = local.enabled ? 1 : 0 @@ -162,8 +170,9 @@ resource "aws_s3_bucket" "default" { resource "aws_s3_bucket_policy" "default" { count = local.bucket_enabled ? 1 : 0 - bucket = one(aws_s3_bucket.default[*].id) - policy = local.policy + bucket = one(aws_s3_bucket.default[*].id) + policy = local.policy + depends_on = [aws_s3_bucket_public_access_block.default] } resource "aws_s3_bucket_acl" "default" { 
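Review bot: `override_policy_documents = var.source_policy_documents` in the new `aggregated_policy` data source lets a caller replace any module-generated statement wholesale by reusing its Sid, so the state bucket's guardrails — presumably including whatever Deny statement backs `local.prevent_unencrypted_uploads` from the locals hunk above, though the generated statements themselves are outside this hunk — can be weakened by input rather than only extended. The variable description does state the override semantics, but the variable name `source_policy_documents` matches the provider argument with the opposite behaviour (source documents are merged and a duplicate Sid is a plan-time error), which invites callers to assume the module's statements are protected. If the generated statements are meant to be authoritative, swap the wiring so the module document is the override and the caller documents are the source; otherwise add a comment on the data source such as `# Caller documents are OVERRIDES: a statement whose Sid matches a generated one replaces it, so inputs can weaken the module's deny rules.`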
@@ -228,6 +237,16 @@ resource "aws_s3_bucket_ownership_controls" "default" {
 rule {
 object_ownership = var.bucket_ownership_enforced_enabled ? "BucketOwnerEnforced" : "BucketOwnerPreferred"
 }
+ depends_on = [time_sleep.wait_for_aws_s3_bucket_settings]
+}
+
+# Workaround S3 eventual consistency for settings objects
+resource "time_sleep" "wait_for_aws_s3_bucket_settings" {
+ count = local.enabled ? 1 : 0
+
+ depends_on = [aws_s3_bucket_public_access_block.default, aws_s3_bucket_policy.default]
+ create_duration = "30s"
+ destroy_duration = "30s"
 }
 
 module "dynamodb_table_label" {
diff --git a/variables.tf b/variables.tf
index 922efa3..b6f31ab 100644
--- a/variables.tf
+++ b/variables.tf
@@ -189,3 +189,13 @@ variable "permissions_boundary" {
 default = ""
 description = "ARN of the policy that is used to set the permissions boundary for the IAM replication role"
 }
+
+variable "source_policy_documents" {
+ type = list(string)
+ default = []
+ description = <<-EOT
+ List of IAM policy documents (in JSON format) that are merged together into the generated S3 bucket policy.
+ Statements must have unique SIDs.
+ Statement having SIDs that match policy SIDs generated by this module will override them.
+ EOT
+}
diff --git a/versions.tf b/versions.tf
index 2622c99..cc04b4b 100644
--- a/versions.tf
+++ b/versions.tf
@@ -6,6 +6,10 @@ terraform {
 source = "hashicorp/aws"
 version = ">= 4.9.0"
 }
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.7.1"
+ }
 local = {
 source = "hashicorp/local"
 version = ">= 2.0"
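Review bot: `create_duration = "30s"` and `destroy_duration = "30s"` in `time_sleep.wait_for_aws_s3_bucket_settings` are hard-coded, so every apply and destroy of the module pays a fixed 30 s each way with no way for callers to tune it; an input variable (a constructed `wait_duration`-style string defaulting to `"30s"`) would keep current behaviour while letting callers shorten it where propagation is known to be fast. The comment above the resource could also name what is being waited for, e.g. `# Workaround S3 eventual consistency: give the public access block and bucket policy (see depends_on) time to propagate before ownership controls are applied`. The `aws_s3_bucket_ownership_controls` resource that gains the `depends_on` starts outside this hunk.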