Divide aws_s3_bucket_versioning resource (#17)

Author: posquit0

modules/s3-archive-bucket/README.md

@@ -0,0 +1,94 @@
+data "aws_caller_identity" "this" {}
+data "aws_canonical_user_id" "this" {}
+
+locals {
+  cloudfront_canonical_user_id = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
+
+  default_grants = [
+    {
+      type       = "CanonicalUser"
+      id         = data.aws_canonical_user_id.this.id
+      permission = "FULL_CONTROL"
+    }
+  ]
+  cloudfront_grant = {
+    type       = "CanonicalUser"
+    id         = local.cloudfront_canonical_user_id
+    permission = "FULL_CONTROL"
+  }
+
+  grants = concat(
+    local.default_grants,
+    var.delivery_cloudfront_enabled ? [local.cloudfront_grant] : [],
+    var.grants
+  )
+}
+
+
+###################################################
+# Object Ownership for S3 Bucket
+###################################################
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+  bucket = aws_s3_bucket.this.bucket
+
+  rule {
+    object_ownership = var.object_ownership
+  }
+}
+
+
+###################################################
+# ACL for S3 Bucket
+###################################################
+
+# TODO: `expected_bucket_owner`
+# INFO: Not supported attributes
+# - `acl`
+# - `access_control_policy.owner.display_name`
+resource "aws_s3_bucket_acl" "this" {
+  bucket = aws_s3_bucket.this.bucket
+
+  access_control_policy {
+    dynamic "grant" {
+      for_each = local.grants
+
+      content {
+        grantee {
+          type          = grant.value.type
+          id            = try(grant.value.id, null)
+          uri           = try(grant.value.uri, null)
+          email_address = try(grant.value.email, null)
+        }
+        permission = grant.value.permission
+      }
+    }
+
+    owner {
+      id = data.aws_canonical_user_id.this.id
+    }
+  }
+}
+
+
+###################################################
+# Public Access Block for S3 Bucket
+###################################################
+
+resource "aws_s3_bucket_public_access_block" "this" {
+  bucket = aws_s3_bucket.this.bucket
+
+  # Block new public ACLs and uploading public objects
+  block_public_acls = !var.public_access_enabled
+  # Retroactively remove public access granted through public ACLs
+  ignore_public_acls = !var.public_access_enabled
+  # Block new public bucket policies
+  block_public_policy = !var.public_access_enabled
+  # Retroactivley block public and cross-account access if bucket has public policies
+  restrict_public_buckets = !var.public_access_enabled
+
+  # To avoid OperationAborted: A conflicting conditional operation is currently in progress
+  depends_on = [
+    aws_s3_bucket_policy.this,
+  ]
+}

modules/s3-archive-bucket/acl.tf

@@ -0,0 +1,14 @@
+###################################################
+# Logging for S3 Bucket
+###################################################
+
+# TODO: `expected_bucket_owner`
+# TODO: `target_grant`
+resource "aws_s3_bucket_logging" "this" {
+  count = var.logging_enabled ? 1 : 0
+
+  bucket = aws_s3_bucket.this.bucket
+
+  target_bucket = var.logging_s3_bucket
+  target_prefix = try(var.logging_s3_key_prefix, null)
+}

modules/s3-archive-bucket/logging.tf

@@ -14,32 +14,6 @@ locals {
   } : {}
 }
 
-data "aws_caller_identity" "this" {}
-data "aws_canonical_user_id" "this" {}
-
-locals {
-  cloudfront_canonical_user_id = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
-
-  default_grants = [
-    {
-      type        = "CanonicalUser"
-      id          = data.aws_canonical_user_id.this.id
-      permissions = ["FULL_CONTROL"]
-    }
-  ]
-  cloudfront_grant = {
-    type        = "CanonicalUser"
-    id          = local.cloudfront_canonical_user_id
-    permissions = ["FULL_CONTROL"]
-  }
-
-  grants = concat(
-    local.default_grants,
-    var.delivery_cloudfront_enabled ? [local.cloudfront_grant] : [],
-    var.grants
-  )
-}
-
 
 ###################################################
 # S3 Bucket for archive
@@ -50,24 +24,6 @@ resource "aws_s3_bucket" "this" {
   bucket        = var.name
   force_destroy = var.force_destroy
 
-  acceleration_status = var.transfer_acceleration_enabled ? "Enabled" : "Suspended"
-
-  versioning {
-    enabled    = var.versioning_enabled
-    mfa_delete = var.mfa_delete_enabled
-  }
-
-  dynamic "grant" {
-    for_each = length(local.grants) > 1 ? local.grants : []
-
-    content {
-      type        = try(grant.value.type, null)
-      id          = try(grant.value.id, null)
-      uri         = try(grant.value.uri, null)
-      permissions = try(grant.value.permissions, [])
-    }
-  }
-
   dynamic "lifecycle_rule" {
     for_each = var.lifecycle_rules
 
@@ -113,23 +69,6 @@ resource "aws_s3_bucket" "this" {
     }
   }
 
-  dynamic "logging" {
-    for_each = var.logging_s3_bucket != null ? ["go"] : []
-
-    content {
-      target_bucket = var.logging_s3_bucket
-      target_prefix = try(var.logging_s3_key_prefix, null)
-    }
-  }
-
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "AES256"
-      }
-    }
-  }
-
   tags = merge(
     {
       "Name" = local.metadata.name
@@ -141,58 +80,44 @@ resource "aws_s3_bucket" "this" {
 
 
 ###################################################
-# IAM Policy for S3 Bucket
+# Server Side Encryption for S3 Bucket
 ###################################################
 
-data "aws_iam_policy_document" "this" {
-  source_policy_documents = concat(
-    var.tls_required ? [data.aws_iam_policy_document.tls_required.json] : [],
-    var.delivery_cloudtrail_enabled ? [data.aws_iam_policy_document.cloudtrail.json] : [],
-    var.delivery_config_enabled ? [data.aws_iam_policy_document.config.json] : [],
-    var.delivery_elb_enabled ? [data.aws_iam_policy_document.elb.json] : [],
-  )
-}
-
-resource "aws_s3_bucket_policy" "this" {
-  bucket = aws_s3_bucket.this.id
-  policy = data.aws_iam_policy_document.this.json
+locals {
+  sse_algorithm = {
+    "AES256"  = "AES256"
+    "AWS_KMS" = "aws:kms"
+  }
 }
 
-
-###################################################
-# Object Ownership for S3 Bucket
-###################################################
-
-resource "aws_s3_bucket_ownership_controls" "this" {
-  bucket = aws_s3_bucket.this.id
+# TODO: `expected_bucket_owner`
+# TODO: `bucket_key_enabled`
+# TODO: `rule.apply_server_side_encryption_by_default.kms_master_key_id`
+resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+  bucket = aws_s3_bucket.this.bucket
 
   rule {
-    object_ownership = var.object_ownership
+    apply_server_side_encryption_by_default {
+      sse_algorithm = local.sse_algorithm["AES256"]
+    }
   }
 }
 
 
 ###################################################
-# Public Access Block for S3 Bucket
+# IAM Policy for S3 Bucket
 ###################################################
 
-resource "aws_s3_bucket_public_access_block" "this" {
-  count = var.public_access_block_enabled ? 1 : 0
+data "aws_iam_policy_document" "this" {
+  source_policy_documents = concat(
+    var.tls_required ? [data.aws_iam_policy_document.tls_required.json] : [],
+    var.delivery_cloudtrail_enabled ? [data.aws_iam_policy_document.cloudtrail.json] : [],
+    var.delivery_config_enabled ? [data.aws_iam_policy_document.config.json] : [],
+    var.delivery_elb_enabled ? [data.aws_iam_policy_document.elb.json] : [],
+  )
+}
 
+resource "aws_s3_bucket_policy" "this" {
   bucket = aws_s3_bucket.this.id
-
-  # Block new public ACLs and uploading public objects
-  block_public_acls = true
-  # Retroactively remove public access granted through public ACLs
-  ignore_public_acls = true
-  # Block new public bucket policies
-  block_public_policy = true
-  # Retroactivley block public and cross-account access if bucket has public policies
-  restrict_public_buckets = true
-
-  # To avoid OperationAborted: A conflicting conditional operation is currently in progress
-  depends_on = [
-    aws_s3_bucket.this,
-    aws_s3_bucket_policy.this,
-  ]
+  policy = data.aws_iam_policy_document.this.json
 }

modules/s3-archive-bucket/main.tf

@@ -32,32 +32,54 @@ output "regional_domain_name" {
   value       = aws_s3_bucket.this.bucket_regional_domain_name
 }
 
-output "transfer_acceleration_enabled" {
-  description = "Whether S3 Transfer Acceleration is enabled."
-  value       = var.transfer_acceleration_enabled
+output "transfer_acceleration" {
+  description = "The configuration for the S3 Transfer Acceleration of the bucket."
+  value = {
+    enabled = var.transfer_acceleration_enabled
+  }
 }
 
 output "versioning" {
   description = "The versioning configuration for the bucket."
   value = {
-    enabled            = var.versioning_enabled
-    mfa_delete_enabled = var.mfa_delete_enabled
+    status       = var.versioning_status
+    mfa_deletion = var.versioning_mfa_deletion
+  }
+}
+
+output "server_side_encryption" {
+  description = "The configuration for the S3 bucket server-side encryption."
+  value = {
+    enabled   = true
+    algorithm = "AES256"
   }
 }
 
-output "object_ownership" {
-  description = "The ownership of objects written to the bucket from other AWS accounts and granted using access control lists(ACLs)."
-  value       = aws_s3_bucket_ownership_controls.this.rule[0].object_ownership
+output "request_payment" {
+  description = "The configuration for the S3 bucket request payment."
+  value = {
+    payer = aws_s3_bucket_request_payment_configuration.this.payer
+  }
 }
 
-output "public_access_block_enabled" {
-  description = "Whether S3 bucket-level Public Access Block is enabled."
-  value       = var.public_access_block_enabled
+output "access_control" {
+  description = "The configuration for the S3 bucket access control."
+  value = {
+    object_ownership = aws_s3_bucket_ownership_controls.this.rule[0].object_ownership
+    acl = {
+      enabled = aws_s3_bucket_ownership_controls.this.rule[0].object_ownership != "BucketOwnerEnforced"
+      grants  = local.grants
+    }
+    public_access = {
+      enabled = var.public_access_enabled
+    }
+  }
 }
 
 output "logging" {
-  description = "The logging configuration for access to the bucket."
+  description = "The logging configuration for the bucket."
   value = {
+    enabled = var.logging_enabled
     s3 = {
       bucket     = var.logging_s3_bucket
       key_prefix = var.logging_s3_key_prefix

modules/s3-archive-bucket/outputs.tf

@@ -0,0 +1,9 @@
+###################################################
+# Request Payment for S3 Bucket
+###################################################
+
+# TODO: `expected_bucket_owner`
+resource "aws_s3_bucket_request_payment_configuration" "this" {
+  bucket = aws_s3_bucket.this.bucket
+  payer  = "BucketOwner"
+}

modules/s3-archive-bucket/request-payment.tf

@@ -0,0 +1,9 @@
+###################################################
+# Transfer Acceleration for S3 Bucket
+###################################################
+
+# TODO: `expected_bucket_owner`
+resource "aws_s3_bucket_accelerate_configuration" "this" {
+  bucket = aws_s3_bucket.this.bucket
+  status = var.transfer_acceleration_enabled ? "Enabled" : "Suspended"
+}