Divide aws_s3_bucket_lifecycle_configuration resource

posquit0 · posquit0 · commit 5cff76cfd045 · 2022-05-31T14:08:12.000+09:00
diff --git a/modules/s3-archive-bucket/README.md b/modules/s3-archive-bucket/README.md
@@ -4,6 +4,7 @@ This module creates following resources.
 
 - `aws_s3_bucket`
 - `aws_s3_bucket_accelerate_configuration`
+- `aws_s3_bucket_lifecycle_configuration`
 - `aws_s3_bucket_logging` (optional)
 - `aws_s3_bucket_ownership_controls`
 - `aws_s3_bucket_policy`
@@ -38,6 +39,7 @@ No modules.
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_accelerate_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_accelerate_configuration) | resource |
 | [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
@@ -67,13 +69,13 @@ No modules.
 | <a name="input_delivery_elb_enabled"></a> [delivery\_elb\_enabled](#input\_delivery\_elb\_enabled) | (Optional) Allow ELB(Elastic Load Balancer) service to export logs to bucket. | `bool` | `false` | no |
 | <a name="input_delivery_elb_key_prefixes"></a> [delivery\_elb\_key\_prefixes](#input\_delivery\_elb\_key\_prefixes) | (Optional) List of the S3 key prefixes that follows the name of the bucket you have allowed for ELB(Elastic Load Balancer) log file delivery. | `list(string)` | `[]` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | (Optional) A bool that indicates all objects (including any locked objects) should be deleted from the bucket so the bucket can be destroyed without error. | `bool` | `false` | no |
-| <a name="input_grants"></a> [grants](#input\_grants) | (Optional) A list of the ACL policy grant. Conflicts with acl. Valid values for `grant.type` are `CanonicalUser` and `Group`. `AmazonCustomerByEmail` is not supported. Valid values for `grant.permissions` are `READ`, `WRITE`, `READ_ACP`, `WRITE_ACP`, `FULL_CONTROL`. | `list(any)` | `[]` | no |
+| <a name="input_grants"></a> [grants](#input\_grants) | (Optional) A list of the ACL policy grant. Conflicts with acl. Valid values for `grant.type` are `CanonicalUser` and `Group`. `AmazonCustomerByEmail` is not supported. Valid values for `grant.permission` are `READ`, `WRITE`, `READ_ACP`, `WRITE_ACP`, `FULL_CONTROL`. | `list(any)` | `[]` | no |
 | <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | (Optional) Use lifecycle rules to define actions you want Amazon S3 to take during an object's lifetime such as transitioning objects to another storage class, archiving them, or deleting them after a specified period of time. | `list(any)` | `[]` | no |
 | <a name="input_logging_enabled"></a> [logging\_enabled](#input\_logging\_enabled) | (Optional) Whether to enable S3 bucket logging for the access log. Defaults to `false`. | `bool` | `false` | no |
 | <a name="input_logging_s3_bucket"></a> [logging\_s3\_bucket](#input\_logging\_s3\_bucket) | (Optional) The name of the bucket that will receive the log objects. | `string` | `null` | no |
 | <a name="input_logging_s3_key_prefix"></a> [logging\_s3\_key\_prefix](#input\_logging\_s3\_key\_prefix) | (Optional) To specify a key prefix of log objects. | `string` | `null` | no |
 | <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
-| <a name="input_object_ownership"></a> [object\_ownership](#input\_object\_ownership) | (Optional) Control ownership of objects written to this bucket from other AWS accounts and granted using access control lists (ACLs). Object ownership determines who can specify access to objects. Valid values: `BucketOwnerPreferred` or `ObjectWriter`. | `string` | `"BucketOwnerPreferred"` | no |
+| <a name="input_object_ownership"></a> [object\_ownership](#input\_object\_ownership) | (Optional) Control ownership of objects written to this bucket from other AWS accounts and granted using access control lists (ACLs). Object ownership determines who can specify access to objects. Valid values: `BucketOwnerPreferred`, `BucketOwnerEnforced` or `ObjectWriter`. | `string` | `"BucketOwnerPreferred"` | no |
 | <a name="input_public_access_enabled"></a> [public\_access\_enabled](#input\_public\_access\_enabled) | (Optional) Whether to enable S3 bucket-level Public Access Block configuration. Block the public access to S3 bucket if the value is `false`. | `bool` | `false` | no |
 | <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
 | <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
@@ -93,6 +95,7 @@ No modules.
 | <a name="output_domain_name"></a> [domain\_name](#output\_domain\_name) | The bucket domain name. Will be of format `bucketname.s3.amazonaws.com`. |
 | <a name="output_hosted_zone_id"></a> [hosted\_zone\_id](#output\_hosted\_zone\_id) | The Route 53 Hosted Zone ID for this bucket's region. |
 | <a name="output_id"></a> [id](#output\_id) | The ID of the bucket. |
+| <a name="output_lifecycle_rules"></a> [lifecycle\_rules](#output\_lifecycle\_rules) | The lifecycle configuration for the bucket. |
 | <a name="output_logging"></a> [logging](#output\_logging) | The logging configuration for the bucket. |
 | <a name="output_name"></a> [name](#output\_name) | The name of the bucket. |
 | <a name="output_region"></a> [region](#output\_region) | The AWS region this bucket resides in. |
diff --git a/modules/s3-archive-bucket/access-control.tf b/modules/s3-archive-bucket/access-control.tf
@@ -25,6 +25,25 @@ locals {
 }
 
 
+###################################################
+# Policy for S3 Bucket
+###################################################
+
+data "aws_iam_policy_document" "this" {
+  source_policy_documents = concat(
+    var.tls_required ? [data.aws_iam_policy_document.tls_required.json] : [],
+    var.delivery_cloudtrail_enabled ? [data.aws_iam_policy_document.cloudtrail.json] : [],
+    var.delivery_config_enabled ? [data.aws_iam_policy_document.config.json] : [],
+    var.delivery_elb_enabled ? [data.aws_iam_policy_document.elb.json] : [],
+  )
+}
+
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+  policy = data.aws_iam_policy_document.this.json
+}
+
+
 ###################################################
 # Object Ownership for S3 Bucket
 ###################################################
diff --git a/modules/s3-archive-bucket/lifecycle.tf b/modules/s3-archive-bucket/lifecycle.tf
@@ -0,0 +1,138 @@
+locals {
+  versioning_mfa_status = {
+    "ENABLED"   = "Enabled"
+    "DISABLED"  = "Disabled"
+    "SUSPENDED" = "Suspended"
+  }
+
+  lifecycle_rules = {
+    for rule in var.lifecycle_rules :
+    rule.id => rule
+  }
+}
+
+
+###################################################
+# Versioning for S3 Bucket
+###################################################
+
+# TODO: `expected_bucket_owner`
+resource "aws_s3_bucket_versioning" "this" {
+  bucket = aws_s3_bucket.this.bucket
+
+  mfa = try(var.versioning_mfa_deletion.device, null)
+
+  versioning_configuration {
+    status     = local.versioning_mfa_status[var.versioning_status]
+    mfa_delete = try(var.versioning_mfa_deletion.enabled, false) ? "Enabled" : "Disabled"
+  }
+}
+
+
+###################################################
+# Lifecycle Rules for S3 Bucket
+###################################################
+
+# TODO: `expected_bucket_owner`
+resource "aws_s3_bucket_lifecycle_configuration" "this" {
+  bucket = aws_s3_bucket.this.bucket
+
+  dynamic "rule" {
+    for_each = var.lifecycle_rules
+
+    content {
+      id     = rule.value.id
+      status = try(rule.value.enabled, true) ? "Enabled" : "Disabled"
+
+      dynamic "abort_incomplete_multipart_upload" {
+        for_each = try([rule.value.days_to_abort_incomplete_multipart_upload], [])
+
+        content {
+          days_after_initiation = abort_incomplete_multipart_upload.value
+        }
+      }
+
+      ## Single Filter
+      dynamic "filter" {
+        for_each = sum([
+          try(rule.value.prefix != null ? 1 : 0, 0),
+          try(rule.value.min_object_size != null ? 1 : 0, 0),
+          try(rule.value.max_object_size != null ? 1 : 0, 0),
+        ]) == 1 ? ["go"] : []
+
+        content {
+          prefix = try(rule.value.prefix, null)
+
+          object_size_greater_than = try(rule.value.min_object_size, null)
+          object_size_less_than    = try(rule.value.max_object_size, null)
+        }
+      }
+
+      ## Multi Filter
+      dynamic "filter" {
+        for_each = sum([
+          try(rule.value.prefix != null ? 1 : 0, 0),
+          try(rule.value.tags != null ? 2 : 0, 0),
+          try(rule.value.min_object_size != null ? 1 : 0, 0),
+          try(rule.value.max_object_size != null ? 1 : 0, 0),
+        ]) > 1 ? ["go"] : []
+
+        content {
+          and {
+            prefix = try(rule.value.prefix, null)
+            tags   = try(rule.value.tags, null)
+
+            object_size_greater_than = try(rule.value.min_object_size, null)
+            object_size_less_than    = try(rule.value.max_object_size, null)
+          }
+        }
+      }
+
+      dynamic "expiration" {
+        for_each = try([rule.value.expiration], [])
+
+        content {
+          date = try(expiration.value.date, null)
+          days = try(expiration.value.days, 0)
+
+          expired_object_delete_marker = try(expiration.value.expired_object_delete_marker, false)
+        }
+      }
+
+      dynamic "noncurrent_version_expiration" {
+        for_each = try([rule.value.noncurrent_version_expiration], [])
+
+        content {
+          noncurrent_days           = try(noncurrent_version_expiration.value.days, null)
+          newer_noncurrent_versions = try(noncurrent_version_expiration.value.count, null)
+        }
+      }
+
+      dynamic "transition" {
+        for_each = try(rule.value.transitions, [])
+
+        content {
+          date = try(transition.value.date, null)
+          days = try(transition.value.days, null)
+
+          storage_class = transition.value.storage_class
+        }
+      }
+
+      dynamic "noncurrent_version_transition" {
+        for_each = try(rule.value.noncurrent_version_transitions, [])
+
+        content {
+          noncurrent_days           = try(noncurrent_version_transition.value.days, null)
+          newer_noncurrent_versions = try(noncurrent_version_transition.value.count, null)
+
+          storage_class = noncurrent_version_transition.value.storage_class
+        }
+      }
+    }
+  }
+
+  depends_on = [
+    aws_s3_bucket_versioning.this,
+  ]
+}
diff --git a/modules/s3-archive-bucket/main.tf b/modules/s3-archive-bucket/main.tf
@@ -24,58 +24,19 @@ resource "aws_s3_bucket" "this" {
   bucket        = var.name
   force_destroy = var.force_destroy
 
-  dynamic "lifecycle_rule" {
-    for_each = var.lifecycle_rules
-
-    content {
-      id      = try(lifecycle_rule.value.id, null)
-      enabled = try(lifecycle_rule.value.enabled, true)
-      prefix  = try(lifecycle_rule.value.prefix, null)
-      tags    = try(lifecycle_rule.value.tags, null)
-
-      abort_incomplete_multipart_upload_days = try(lifecycle_rule.value.abort_incomplete_multipart_upload_days, null)
-
-      expiration {
-        date = try(lifecycle_rule.value.expiration.date, null)
-        days = try(lifecycle_rule.value.expiration.days, 0)
-
-        expired_object_delete_marker = try(lifecycle_rule.value.expiration.expired_object_delete_marker, false)
-      }
-
-      dynamic "transition" {
-        for_each = try(lifecycle_rule.value.transitions, [])
-
-        content {
-          date = try(transition.value.date, null)
-          days = try(transition.value.days, null)
-
-          storage_class = transition.value.storage_class
-        }
-      }
-
-      noncurrent_version_expiration {
-        days = try(lifecycle_rule.value.noncurrent_version_expiration.days, null)
-      }
-
-      dynamic "noncurrent_version_transition" {
-        for_each = try(lifecycle_rule.value.noncurrent_version_transitions, [])
-
-        content {
-          days = try(noncurrent_version_transition.value.days, null)
-
-          storage_class = noncurrent_version_transition.value.storage_class
-        }
-      }
-    }
-  }
-
   tags = merge(
     {
       "Name" = local.metadata.name
     },
     local.module_tags,
     var.tags,
   )
+
+  lifecycle {
+    ignore_changes = [
+      lifecycle_rule,
+    ]
+  }
 }
 
 
@@ -102,22 +63,3 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
     }
   }
 }
-
-
-###################################################
-# IAM Policy for S3 Bucket
-###################################################
-
-data "aws_iam_policy_document" "this" {
-  source_policy_documents = concat(
-    var.tls_required ? [data.aws_iam_policy_document.tls_required.json] : [],
-    var.delivery_cloudtrail_enabled ? [data.aws_iam_policy_document.cloudtrail.json] : [],
-    var.delivery_config_enabled ? [data.aws_iam_policy_document.config.json] : [],
-    var.delivery_elb_enabled ? [data.aws_iam_policy_document.elb.json] : [],
-  )
-}
-
-resource "aws_s3_bucket_policy" "this" {
-  bucket = aws_s3_bucket.this.id
-  policy = data.aws_iam_policy_document.this.json
-}
diff --git a/modules/s3-archive-bucket/outputs.tf b/modules/s3-archive-bucket/outputs.tf
@@ -47,6 +47,24 @@ output "versioning" {
   }
 }
 
+output "lifecycle_rules" {
+  description = "The lifecycle configuration for the bucket."
+  value = {
+    for rule in aws_s3_bucket_lifecycle_configuration.this.rule :
+    rule.id => {
+      id      = rule.id
+      enabled = rule.status == "Enabled"
+
+      filter = {
+        prefix          = try(local.lifecycle_rules[rule.id].prefix, null)
+        tags            = try(local.lifecycle_rules[rule.id].tags, {})
+        min_object_size = try(local.lifecycle_rules[rule.id].min_object_size, null)
+        max_object_size = try(local.lifecycle_rules[rule.id].max_object_size, null)
+      }
+    }
+  }
+}
+
 output "server_side_encryption" {
   description = "The configuration for the S3 bucket server-side encryption."
   value = {
diff --git a/modules/s3-archive-bucket/variables.tf b/modules/s3-archive-bucket/variables.tf
diff --git a/modules/s3-archive-bucket/versioning.tf b/modules/s3-archive-bucket/versioning.tf
