Fix Race Condition between the Creation of the S3 Bucket Policy and t…

…he CloudTrail Trail (#91)
cloudposse · Apr 15, 2024 · 91595d9 · 91595d9
1 parent 5dd9b38
commit 91595d9
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -10,3 +10,13 @@ module "cloudtrail_s3_bucket" {
 
   context = module.this.context
 }
+
+module "cloudtrail" {
+  source  = "cloudposse/cloudtrail/aws"
+  version = "0.23.0"
+
+  is_multi_region_trail = false
+  s3_bucket_name        = module.cloudtrail_s3_bucket.bucket_id
+
+  context = module.this.context
+}
diff --git a/outputs.tf b/outputs.tf
@@ -6,6 +6,21 @@ output "bucket_domain_name" {
 output "bucket_id" {
   value       = module.s3_bucket.bucket_id
   description = "Bucket ID"
+  #
+  # Ensure the bucket is fully configured before allowing any use of `bucket_id`.
+  #
+  # Although undocumented, `depends_on` is allowed in an output block.
+  # The `bucket_id` is available before the bucket is fully configured 
+  # with policies, versioning, lifecycle, etc. However, all that 
+  # needs to happen before the bucket can be used as a destination for 
+  # a CloudTrail. While the documented way to ensure this would be
+  # for the user of this module to add a `depends_on` that depends
+  # on this module, since this is such a common need, and since
+  # we can depend on a submodule here rather than this entire module,
+  # we add the `depends_on` block here.
+  depends_on = [
+    module.s3_bucket
+  ]
 }
 
 output "bucket_arn" {
@@ -21,4 +36,4 @@ output "prefix" {
 output "bucket_notifications_sqs_queue_arn" {
   value       = module.s3_bucket.bucket_notifications_sqs_queue_arn
   description = "Notifications SQS queue ARN"
-}
+}