CA-202 - Replace S3 deprecated arguments (#14)

fvazquez-caylent · web-flow · commit 04a59a686300 · 2022-04-22T14:44:17.000-03:00
* Updates versions file to allow update of aws provider.

* Replaces source_json argument by source_policy_documents to remove warning.

* Replaces bucket encryption configuration argument for resource block to fix warning.

* Updates version to allow aws provider update.

* Runs fmt.

* Adds enable public access block functionality.

* Replaces deprecated arguments by resource blocks.

* Updates with newer version.

* Fixes typo.

* Updates versions.

* Updates version to 0.13.

* Runs fmt, lint and docs.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Tamr S3 Module Repo
 
+## v1.2.1 - April 21st 2022
+* Replaces deprecated S3 arguments with resource blocks.
+* Replaces deprecated IAM policy document argument names.
+
 ## v1.2.0 - April 18th 2022
 * Resolves S3 bucket public access block tfsec vulnerability.
 
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.2.0
+1.2.1
diff --git a/examples/iam-policy-submodule/main.tf b/examples/iam-policy-submodule/main.tf
@@ -4,15 +4,15 @@ data "aws_s3_bucket" "existing-bucket" {
 }
 
 module "existing-bucket-iam-0" {
-  # source = "git::https://github.com/Datatamer/terraform-aws-s3.git//modules/bucket-iam-policy?ref=1.0.0"
+  # source = "git::https://github.com/Datatamer/terraform-aws-s3.git//modules/bucket-iam-policy?ref=1.2.1"
   source           = "../../modules/bucket-iam-policy"
   bucket_name      = data.aws_s3_bucket.existing-bucket.id
   read_write_paths = ["some/read-write-folder"]
   tags             = var.tags
 }
 
 module "existing-bucket-iam-1" {
-  # source = "git::https://github.com/Datatamer/terraform-aws-s3.git//modules/bucket-iam-policy?ref=1.0.0"
+  # source = "git::https://github.com/Datatamer/terraform-aws-s3.git//modules/bucket-iam-policy?ref=1.2.1"
   source           = "../../modules/bucket-iam-policy"
   bucket_name      = data.aws_s3_bucket.existing-bucket.id
   read_write_paths = ["another/read-write-folder"]
diff --git a/examples/minimal/main.tf b/examples/minimal/main.tf
@@ -1,5 +1,5 @@
 module "minimal" {
-  # source           = "git::https://github.com/Datatamer/terraform-aws-s3?ref=1.0.0"
+  # source           = "git::https://github.com/Datatamer/terraform-aws-s3?ref=1.2.1"
   source           = "../../"
   bucket_name      = var.test_bucket_name
   read_only_paths  = var.read_only_paths  # ["path/to/ro-folder"]
diff --git a/modules/bucket-iam-policy/main.tf b/modules/bucket-iam-policy/main.tf
@@ -29,8 +29,8 @@ data "aws_iam_policy_document" "ro_source_policy_doc" {
 data "aws_iam_policy_document" "path_specific_ro_doc" {
   count = length(local.ro_paths) == 0 ? 0 : 1
 
-  version     = "2012-10-17"
-  source_json = data.aws_iam_policy_document.ro_source_policy_doc[0].json
+  version                 = "2012-10-17"
+  source_policy_documents = [data.aws_iam_policy_document.ro_source_policy_doc[0].json]
 
   dynamic "statement" {
     for_each = local.ro_paths_map
@@ -86,8 +86,8 @@ data "aws_iam_policy_document" "rw_source_policy_doc" {
 data "aws_iam_policy_document" "path_specific_rw_doc" {
   count = length(var.read_write_paths) == 0 ? 0 : 1
 
-  version     = "2012-10-17"
-  source_json = data.aws_iam_policy_document.rw_source_policy_doc[0].json
+  version                 = "2012-10-17"
+  source_policy_documents = [data.aws_iam_policy_document.rw_source_policy_doc[0].json]
 
   dynamic "statement" {
     for_each = local.rw_paths_map
diff --git a/modules/encrypted-bucket/main.tf b/modules/encrypted-bucket/main.tf
@@ -1,20 +1,22 @@
+
+#tfsec:ignore:aws-s3-enable-bucket-encryption:tfsec is yet not detecting the aws_s3_bucket_server_side_encryption_configuration resource block. https://github.com/aquasecurity/defsec/issues/489
 #tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning
 resource "aws_s3_bucket" "new_bucket" {
   bucket = var.bucket_name
-  acl    = "private"
-
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "AES256"
-      }
-    }
-  }
 
   force_destroy = var.force_destroy
   tags          = var.tags
 }
 
+resource "aws_s3_bucket_server_side_encryption_configuration" "encryption_for_new_bucket" {
+  bucket = aws_s3_bucket.new_bucket.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
 # Bucket policy to enforce AES256 server-side-encryption
 resource "aws_s3_bucket_policy" "sse_bucket_policy" {
   bucket = aws_s3_bucket.new_bucket.id
@@ -27,6 +29,13 @@ resource "aws_s3_bucket_policy" "sse_bucket_policy" {
   )
 }
 
+# Sets S3 bucket ACL
+resource "aws_s3_bucket_acl" "acl_for_new_bucket" {
+  bucket = aws_s3_bucket.new_bucket.id
+  acl    = "private"
+}
+
+# Enabling S3 bucket public access block
 resource "aws_s3_bucket_public_access_block" "for_new_bucket" {
   bucket = aws_s3_bucket.new_bucket.id
 
diff --git a/test_examples/minimal/main.tf b/test_examples/minimal/main.tf
@@ -1,5 +1,5 @@
 module "minimal" {
-  # source           = "git::https://github.com/Datatamer/terraform-aws-s3?ref=1.0.0"
+  # source           = "git::https://github.com/Datatamer/terraform-aws-s3?ref=1.2.1"
   source           = "../../examples/minimal"
   test_bucket_name = var.test_bucket_name
   read_only_paths  = var.read_only_paths
