From 6f1bc202b5781b00d8454808d4fb706e919f90b5 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 22:04:36 +0100 Subject: [PATCH 01/30] Fix bucket ACL --- main.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 8630905..e018927 100644 --- a/main.tf +++ b/main.tf @@ -2,13 +2,17 @@ data "aws_caller_identity" "default" {} data "aws_region" "default" {} +resource "aws_s3_bucket_acl" "default" { + bucket = aws_s3_bucket.cache_bucket.id + acl = "private" +} + resource "aws_s3_bucket" "cache_bucket" { #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629). count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 bucket = local.cache_bucket_name_normalised - acl = "private" force_destroy = true tags = module.this.tags From 422ffd1773f3836dd651a2a3940c02038f644a94 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 22:05:44 +0100 Subject: [PATCH 02/30] Fix bucket ACL --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index e018927..0cc5cd2 100644 --- a/main.tf +++ b/main.tf @@ -4,7 +4,7 @@ data "aws_region" "default" {} resource "aws_s3_bucket_acl" "default" { bucket = aws_s3_bucket.cache_bucket.id - acl = "private" + acl = "private" } resource "aws_s3_bucket" "cache_bucket" { From f21c8b017641c90c42aa556a6c5839f4159303a2 Mon Sep 17 00:00:00 2001 
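Review bot: The new `aws_s3_bucket_acl.default` block sets `acl = "private"` on a bucket that, on the AWS provider version this module pins (>= 5.0 per docs/terraform.md), will be rejected for any bucket whose object ownership is the current S3 default, ACLs disabled (BucketOwnerEnforced), so the apply fails unless an `aws_s3_bucket_ownership_controls` resource explicitly re-enables ACLs; nothing in this hunk or the rest of the series creates one. A `private` canned ACL grants nothing that the bucket does not already have with ACLs disabled and public access blocked, so the defensible fix is to leave ACLs disabled and document that rather than re-enable ACLs to satisfy this resource; if it is kept, it needs an ownership-controls resource and `depends_on = [aws_s3_bucket_ownership_controls.<NAME>]` (placeholder name) so the ACL is written only after ACLs are allowed. Whether a public-access-block resource exists for this bucket is not visible in the hunk and should be confirmed. Separately, the added block has no `count` and dereferences `aws_s3_bucket.cache_bucket.id` although the bucket carries `count`; patches 03 and 05 in this series address that, so no further change is proposed here.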
From: Max Lobur Date: Fri, 10 Nov 2023 22:08:57 +0100 Subject: [PATCH 03/30] Fix bucket ACL --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 0cc5cd2..65ae1e6 100644 --- a/main.tf +++ b/main.tf @@ -3,6 +3,7 @@ data "aws_caller_identity" "default" {} data "aws_region" "default" {} resource "aws_s3_bucket_acl" "default" { + count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 bucket = aws_s3_bucket.cache_bucket.id acl = "private" } From 561400d0e7b0d0b3b7fe04b06167a6a1d5781347 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 22:10:42 +0100 Subject: [PATCH 04/30] Fix bucket ACL --- docs/terraform.md | 129 ---------------------------------------------- 1 file changed, 129 deletions(-) diff --git a/docs/terraform.md b/docs/terraform.md index e867b8a..d5224ec 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
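Review bot: The `count` added to `aws_s3_bucket_acl.default` repeats the bucket's own expression `module.this.enabled && local.create_s3_cache_bucket ? 1 : 0` verbatim, so the two resources can silently drift if one is edited later. It would be tighter to compute that value once in `locals` and reference it from both resources, e.g. `count = local.<CACHE_BUCKET_COUNT>` (placeholder name), with a one-line comment on the local stating that the ACL must exist exactly when the module-managed cache bucket does; the `locals` block is outside this hunk. The `bucket = aws_s3_bucket.cache_bucket.id` reference left in this hunk still treats a counted resource as a single instance, which patch 05 in this series corrects.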
@@ -1,130 +1 @@ -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | >= 5.0 | -| [random](#requirement\_random) | >= 2.1 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 5.0 | -| [random](#provider\_random) | >= 2.1 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_codebuild_project.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | -| [aws_codebuild_source_credential.authorization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_source_credential) | resource | -| [aws_iam_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | -| [aws_caller_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| 
[aws_iam_policy_document.combined_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.permissions_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.vpc_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_s3_bucket.secondary_artifact](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [access\_log\_bucket\_name](#input\_access\_log\_bucket\_name) | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [artifact\_location](#input\_artifact\_location) | Location of artifact. Applies only for artifact of type S3 | `string` | `""` | no | -| [artifact\_type](#input\_artifact\_type) | The build output artifact's type. Valid values for this parameter are: CODEPIPELINE, NO\_ARTIFACTS or S3 | `string` | `"CODEPIPELINE"` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [aws\_account\_id](#input\_aws\_account\_id) | (Optional) AWS Account ID. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `""` | no | -| [aws\_region](#input\_aws\_region) | (Optional) AWS Region, e.g. us-east-1. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `""` | no | -| [badge\_enabled](#input\_badge\_enabled) | Generates a publicly-accessible URL for the projects build badge. Available as badge\_url attribute when enabled | `bool` | `false` | no | -| [build\_compute\_type](#input\_build\_compute\_type) | Instance type of the build instance | `string` | `"BUILD_GENERAL1_SMALL"` | no | -| [build\_image](#input\_build\_image) | Docker image for build environment, e.g. 'aws/codebuild/standard:2.0' or 'aws/codebuild/eb-nodejs-6.10.0-amazonlinux-64:4.0.0'. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html | `string` | `"aws/codebuild/standard:2.0"` | no | -| [build\_image\_pull\_credentials\_type](#input\_build\_image\_pull\_credentials\_type) | Type of credentials AWS CodeBuild uses to pull images in your build.Valid values: CODEBUILD, SERVICE\_ROLE. When you use a cross-account or private registry image, you must use SERVICE\_ROLE credentials. | `string` | `"CODEBUILD"` | no | -| [build\_timeout](#input\_build\_timeout) | How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed | `number` | `60` | no | -| [build\_type](#input\_build\_type) | The type of build environment, e.g. 
'LINUX\_CONTAINER' or 'WINDOWS\_CONTAINER' | `string` | `"LINUX_CONTAINER"` | no | -| [buildspec](#input\_buildspec) | Optional buildspec declaration to use for building the project | `string` | `""` | no | -| [cache\_bucket\_suffix\_enabled](#input\_cache\_bucket\_suffix\_enabled) | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache\_type is 'S3 | `bool` | `true` | no | -| [cache\_expiration\_days](#input\_cache\_expiration\_days) | How many days should the build cache be kept. It only works when cache\_type is 'S3' | `number` | `7` | no | -| [cache\_type](#input\_cache\_type) | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to NO\_CACHE. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"NO_CACHE"` | no | -| [concurrent\_build\_limit](#input\_concurrent\_build\_limit) | Specify a maximum number of concurrent builds for the project. The value specified must be greater than 0 and less than the account concurrent running builds limit. | `number` | `null` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [description](#input\_description) | Short description of the CodeBuild project | `string` | `"Managed by Terraform"` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [encryption\_enabled](#input\_encryption\_enabled) | When set to 'true' the resource will have AES256 encryption enabled by default | `bool` | `false` | no | -| [encryption\_key](#input\_encryption\_key) | AWS Key Management Service (AWS KMS) customer master key (CMK) to be used for encrypting the build project's build output artifacts. | `string` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [environment\_variables](#input\_environment\_variables) | A list of maps, that contain the keys 'name', 'value', and 'type' to be used as additional environment variables for the build. Valid types are 'PLAINTEXT', 'PARAMETER\_STORE', or 'SECRETS\_MANAGER' |
list(object(
{
name = string
value = string
type = string
}
))
|
[
{
"name": "NO_ADDITIONAL_BUILD_VARS",
"type": "PLAINTEXT",
"value": "TRUE"
}
]
| no | -| [extra\_permissions](#input\_extra\_permissions) | List of action strings which will be added to IAM service account permissions. | `list(any)` | `[]` | no | -| [fetch\_git\_submodules](#input\_fetch\_git\_submodules) | If set to true, fetches Git submodules for the AWS CodeBuild build project. | `bool` | `false` | no | -| [file\_system\_locations](#input\_file\_system\_locations) | A set of file system locations to to mount inside the build. File system locations are documented below. | `any` | `{}` | no | -| [git\_clone\_depth](#input\_git\_clone\_depth) | Truncate git history to this many commits. | `number` | `null` | no | -| [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no | -| [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no | -| [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no | -| [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the policy. | `string` | `"/service-role/"` | no | -| [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no | -| [image\_tag](#input\_image\_tag) | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"latest"` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [local\_cache\_modes](#input\_local\_cache\_modes) | Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL\_SOURCE\_CACHE, LOCAL\_DOCKER\_LAYER\_CACHE, and LOCAL\_CUSTOM\_CACHE | `list(string)` | `[]` | no | -| [logs\_config](#input\_logs\_config) | Configuration for the builds to store log data to CloudWatch or S3. | `any` | `{}` | no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [private\_repository](#input\_private\_repository) | Set to true to login into private repository with credentials supplied in source\_credential variable. | `bool` | `false` | no | -| [privileged\_mode](#input\_privileged\_mode) | (Optional) If set to true, enables running the Docker daemon inside a Docker container on the CodeBuild instance. Used when building Docker images | `bool` | `false` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [report\_build\_status](#input\_report\_build\_status) | Set to true to report the status of a build's start and finish to your source provider. This option is only valid when the source\_type is BITBUCKET or GITHUB | `bool` | `false` | no | -| [s3\_cache\_bucket\_name](#input\_s3\_cache\_bucket\_name) | Use an existing s3 bucket name for cache. Relevant if `cache_type` is set to `S3`. | `string` | `null` | no | -| [secondary\_artifact\_encryption\_enabled](#input\_secondary\_artifact\_encryption\_enabled) | Set to true to enable encryption on the secondary artifact bucket | `bool` | `false` | no | -| [secondary\_artifact\_identifier](#input\_secondary\_artifact\_identifier) | Secondary artifact identifier. Must match the identifier in the build spec | `string` | `null` | no | -| [secondary\_artifact\_location](#input\_secondary\_artifact\_location) | Location of secondary artifact. Must be an S3 reference | `string` | `null` | no | -| [secondary\_sources](#input\_secondary\_sources) | (Optional) secondary source for the codebuild project in addition to the primary location |
list(object(
{
git_clone_depth = number
location = string
source_identifier = string
type = string
fetch_submodules = bool
insecure_ssl = bool
report_build_status = bool
}))
| `[]` | no | -| [source\_credential\_auth\_type](#input\_source\_credential\_auth\_type) | The type of authentication used to connect to a GitHub, GitHub Enterprise, or Bitbucket repository. | `string` | `"PERSONAL_ACCESS_TOKEN"` | no | -| [source\_credential\_server\_type](#input\_source\_credential\_server\_type) | The source provider used for this project. | `string` | `"GITHUB"` | no | -| [source\_credential\_token](#input\_source\_credential\_token) | For GitHub or GitHub Enterprise, this is the personal access token. For Bitbucket, this is the app password. | `string` | `""` | no | -| [source\_credential\_user\_name](#input\_source\_credential\_user\_name) | The Bitbucket username when the authType is BASIC\_AUTH. This parameter is not valid for other types of source providers or connections. | `string` | `""` | no | -| [source\_location](#input\_source\_location) | The location of the source code from git or s3 | `string` | `""` | no | -| [source\_type](#input\_source\_type) | The type of repository that contains the source code to be built. Valid values for this parameter are: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB\_ENTERPRISE, BITBUCKET or S3 | `string` | `"CODEPIPELINE"` | no | -| [source\_version](#input\_source\_version) | A version of the build input to be built for this project. If not specified, the latest version is used. | `string` | `""` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [versioning\_enabled](#input\_versioning\_enabled) | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no | -| [vpc\_config](#input\_vpc\_config) | Configuration for the builds to run inside a VPC. | `any` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [badge\_url](#output\_badge\_url) | The URL of the build badge when badge\_enabled is enabled | -| [cache\_bucket\_arn](#output\_cache\_bucket\_arn) | Cache S3 bucket ARN | -| [cache\_bucket\_name](#output\_cache\_bucket\_name) | Cache S3 bucket name | -| [project\_arn](#output\_project\_arn) | Project ARN | -| [project\_id](#output\_project\_id) | Project ID | -| [project\_name](#output\_project\_name) | Project name | -| [role\_arn](#output\_role\_arn) | IAM Role ARN | -| [role\_id](#output\_role\_id) | IAM Role ID | - From 3cb922bb2fe22a7df88b2d42f60c0132beb60398 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 22:12:08 +0100 Subject: [PATCH 05/30] Fix bucket ACL --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 65ae1e6..5493b44 100644 --- a/main.tf +++ b/main.tf @@ -4,7 +4,7 @@ data "aws_region" "default" {} resource "aws_s3_bucket_acl" "default" { count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 - bucket = aws_s3_bucket.cache_bucket.id + bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) acl = "private" } From c79aaebcd3b00f858f9e15b3bb805d7cd1172c20 Mon Sep 17 00:00:00 2001 
From: Max Lobur Date: Fri, 10 Nov 2023 22:14:03 +0100 Subject: [PATCH 06/30] Fix bucket ACL --- docs/terraform.md | 129 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) diff --git a/docs/terraform.md b/docs/terraform.md index d5224ec..e867b8a 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
@@ -1 +1,130 @@ +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 5.0 | +| [random](#requirement\_random) | >= 2.1 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 5.0 | +| [random](#provider\_random) | >= 2.1 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_codebuild_project.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | +| [aws_codebuild_source_credential.authorization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_source_credential) | resource | +| [aws_iam_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [aws_caller_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| 
[aws_iam_policy_document.combined_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.permissions_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.vpc_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_s3_bucket.secondary_artifact](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_log\_bucket\_name](#input\_access\_log\_bucket\_name) | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [artifact\_location](#input\_artifact\_location) | Location of artifact. Applies only for artifact of type S3 | `string` | `""` | no | +| [artifact\_type](#input\_artifact\_type) | The build output artifact's type. Valid values for this parameter are: CODEPIPELINE, NO\_ARTIFACTS or S3 | `string` | `"CODEPIPELINE"` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [aws\_account\_id](#input\_aws\_account\_id) | (Optional) AWS Account ID. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `""` | no | +| [aws\_region](#input\_aws\_region) | (Optional) AWS Region, e.g. us-east-1. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `""` | no | +| [badge\_enabled](#input\_badge\_enabled) | Generates a publicly-accessible URL for the projects build badge. Available as badge\_url attribute when enabled | `bool` | `false` | no | +| [build\_compute\_type](#input\_build\_compute\_type) | Instance type of the build instance | `string` | `"BUILD_GENERAL1_SMALL"` | no | +| [build\_image](#input\_build\_image) | Docker image for build environment, e.g. 'aws/codebuild/standard:2.0' or 'aws/codebuild/eb-nodejs-6.10.0-amazonlinux-64:4.0.0'. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html | `string` | `"aws/codebuild/standard:2.0"` | no | +| [build\_image\_pull\_credentials\_type](#input\_build\_image\_pull\_credentials\_type) | Type of credentials AWS CodeBuild uses to pull images in your build.Valid values: CODEBUILD, SERVICE\_ROLE. When you use a cross-account or private registry image, you must use SERVICE\_ROLE credentials. | `string` | `"CODEBUILD"` | no | +| [build\_timeout](#input\_build\_timeout) | How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed | `number` | `60` | no | +| [build\_type](#input\_build\_type) | The type of build environment, e.g. 
'LINUX\_CONTAINER' or 'WINDOWS\_CONTAINER' | `string` | `"LINUX_CONTAINER"` | no | +| [buildspec](#input\_buildspec) | Optional buildspec declaration to use for building the project | `string` | `""` | no | +| [cache\_bucket\_suffix\_enabled](#input\_cache\_bucket\_suffix\_enabled) | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache\_type is 'S3 | `bool` | `true` | no | +| [cache\_expiration\_days](#input\_cache\_expiration\_days) | How many days should the build cache be kept. It only works when cache\_type is 'S3' | `number` | `7` | no | +| [cache\_type](#input\_cache\_type) | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to NO\_CACHE. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"NO_CACHE"` | no | +| [concurrent\_build\_limit](#input\_concurrent\_build\_limit) | Specify a maximum number of concurrent builds for the project. The value specified must be greater than 0 and less than the account concurrent running builds limit. | `number` | `null` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [description](#input\_description) | Short description of the CodeBuild project | `string` | `"Managed by Terraform"` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [encryption\_enabled](#input\_encryption\_enabled) | When set to 'true' the resource will have AES256 encryption enabled by default | `bool` | `false` | no | +| [encryption\_key](#input\_encryption\_key) | AWS Key Management Service (AWS KMS) customer master key (CMK) to be used for encrypting the build project's build output artifacts. | `string` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [environment\_variables](#input\_environment\_variables) | A list of maps, that contain the keys 'name', 'value', and 'type' to be used as additional environment variables for the build. Valid types are 'PLAINTEXT', 'PARAMETER\_STORE', or 'SECRETS\_MANAGER' |
list(object(
{
name = string
value = string
type = string
}
))
|
[
{
"name": "NO_ADDITIONAL_BUILD_VARS",
"type": "PLAINTEXT",
"value": "TRUE"
}
]
| no | +| [extra\_permissions](#input\_extra\_permissions) | List of action strings which will be added to IAM service account permissions. | `list(any)` | `[]` | no | +| [fetch\_git\_submodules](#input\_fetch\_git\_submodules) | If set to true, fetches Git submodules for the AWS CodeBuild build project. | `bool` | `false` | no | +| [file\_system\_locations](#input\_file\_system\_locations) | A set of file system locations to to mount inside the build. File system locations are documented below. | `any` | `{}` | no | +| [git\_clone\_depth](#input\_git\_clone\_depth) | Truncate git history to this many commits. | `number` | `null` | no | +| [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no | +| [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no | +| [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no | +| [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the policy. | `string` | `"/service-role/"` | no | +| [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no | +| [image\_tag](#input\_image\_tag) | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"latest"` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [local\_cache\_modes](#input\_local\_cache\_modes) | Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL\_SOURCE\_CACHE, LOCAL\_DOCKER\_LAYER\_CACHE, and LOCAL\_CUSTOM\_CACHE | `list(string)` | `[]` | no | +| [logs\_config](#input\_logs\_config) | Configuration for the builds to store log data to CloudWatch or S3. | `any` | `{}` | no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [private\_repository](#input\_private\_repository) | Set to true to login into private repository with credentials supplied in source\_credential variable. | `bool` | `false` | no | +| [privileged\_mode](#input\_privileged\_mode) | (Optional) If set to true, enables running the Docker daemon inside a Docker container on the CodeBuild instance. Used when building Docker images | `bool` | `false` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [report\_build\_status](#input\_report\_build\_status) | Set to true to report the status of a build's start and finish to your source provider. This option is only valid when the source\_type is BITBUCKET or GITHUB | `bool` | `false` | no | +| [s3\_cache\_bucket\_name](#input\_s3\_cache\_bucket\_name) | Use an existing s3 bucket name for cache. Relevant if `cache_type` is set to `S3`. | `string` | `null` | no | +| [secondary\_artifact\_encryption\_enabled](#input\_secondary\_artifact\_encryption\_enabled) | Set to true to enable encryption on the secondary artifact bucket | `bool` | `false` | no | +| [secondary\_artifact\_identifier](#input\_secondary\_artifact\_identifier) | Secondary artifact identifier. Must match the identifier in the build spec | `string` | `null` | no | +| [secondary\_artifact\_location](#input\_secondary\_artifact\_location) | Location of secondary artifact. Must be an S3 reference | `string` | `null` | no | +| [secondary\_sources](#input\_secondary\_sources) | (Optional) secondary source for the codebuild project in addition to the primary location |
list(object(
{
git_clone_depth = number
location = string
source_identifier = string
type = string
fetch_submodules = bool
insecure_ssl = bool
report_build_status = bool
}))
| `[]` | no | +| [source\_credential\_auth\_type](#input\_source\_credential\_auth\_type) | The type of authentication used to connect to a GitHub, GitHub Enterprise, or Bitbucket repository. | `string` | `"PERSONAL_ACCESS_TOKEN"` | no | +| [source\_credential\_server\_type](#input\_source\_credential\_server\_type) | The source provider used for this project. | `string` | `"GITHUB"` | no | +| [source\_credential\_token](#input\_source\_credential\_token) | For GitHub or GitHub Enterprise, this is the personal access token. For Bitbucket, this is the app password. | `string` | `""` | no | +| [source\_credential\_user\_name](#input\_source\_credential\_user\_name) | The Bitbucket username when the authType is BASIC\_AUTH. This parameter is not valid for other types of source providers or connections. | `string` | `""` | no | +| [source\_location](#input\_source\_location) | The location of the source code from git or s3 | `string` | `""` | no | +| [source\_type](#input\_source\_type) | The type of repository that contains the source code to be built. Valid values for this parameter are: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB\_ENTERPRISE, BITBUCKET or S3 | `string` | `"CODEPIPELINE"` | no | +| [source\_version](#input\_source\_version) | A version of the build input to be built for this project. If not specified, the latest version is used. | `string` | `""` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [versioning\_enabled](#input\_versioning\_enabled) | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no | +| [vpc\_config](#input\_vpc\_config) | Configuration for the builds to run inside a VPC. | `any` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [badge\_url](#output\_badge\_url) | The URL of the build badge when badge\_enabled is enabled | +| [cache\_bucket\_arn](#output\_cache\_bucket\_arn) | Cache S3 bucket ARN | +| [cache\_bucket\_name](#output\_cache\_bucket\_name) | Cache S3 bucket name | +| [project\_arn](#output\_project\_arn) | Project ARN | +| [project\_id](#output\_project\_id) | Project ID | +| [project\_name](#output\_project\_name) | Project name | +| [role\_arn](#output\_role\_arn) | IAM Role ARN | +| [role\_id](#output\_role\_id) | IAM Role ID | + From 1b27e1f23e72c4c83f6a346692dda5318af0fc17 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 22:20:25 +0100 Subject: [PATCH 07/30] Fix bucket ACL --- main.tf | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 5493b44..46e1d04 100644 --- a/main.tf +++ b/main.tf 
@@ -8,6 +8,12 @@ resource "aws_s3_bucket_acl" "default" { acl = "private" } +resource "aws_bucket_versioning" "default" { + count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 + bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) + enabled = var.versioning_enabled +} + resource "aws_s3_bucket" "cache_bucket" { #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). @@ -17,10 +23,6 @@ resource "aws_s3_bucket" "cache_bucket" { force_destroy = true tags = module.this.tags - versioning { - enabled = var.versioning_enabled - } - dynamic "logging" { for_each = var.access_log_bucket_name != "" ? [1] : [] content { From b7b4b664fd8dc0162d6bb8ab90df7d5004ac0fd7 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 22:21:19 +0100 Subject: [PATCH 08/30] Fix bucket ACL --- main.tf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 46e1d04..fa09382 100644 --- a/main.tf +++ b/main.tf @@ -8,10 +8,12 @@ resource "aws_s3_bucket_acl" "default" { acl = "private" } -resource "aws_bucket_versioning" "default" { +resource "aws_s3_bucket_versioning" "default" { count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) - enabled = var.versioning_enabled + versioning_configuration { + status = "Enabled" + } } resource "aws_s3_bucket" "cache_bucket" { From 6b34fedf2083905eb1be7ca886af661c68d76c97 Mon Sep 17 00:00:00 2001 
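Review bot: `status = "Enabled"` in the reworked `aws_s3_bucket_versioning.default` hard-codes versioning on, so the `versioning_enabled` input (a `bool` defaulting to `true` in the inputs table earlier on this page) that the removed `enabled = var.versioning_enabled` honoured is now silently ignored. Keep the input meaningful with `status = var.versioning_enabled ? "Enabled" : "Suspended"`, or remove the variable and document that the cache bucket is always versioned. Note that the provider treats `Suspended` as the value for a bucket that has had versioning before; a bucket that has never been versioned is meant to use `Disabled`, so if the module must support both cases gating the resource's `count` on the variable is the simpler contract.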
From: Max Lobur Date: Fri, 10 Nov 2023 23:23:13 +0200 Subject: [PATCH 09/30] Update main.tf Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index fa09382..db7a782 100644 --- a/main.tf +++ b/main.tf @@ -9,8 +9,8 @@ resource "aws_s3_bucket_acl" "default" { } resource "aws_s3_bucket_versioning" "default" { - count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 - bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) + count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 + bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) versioning_configuration { status = "Enabled" } From c11ad9ed5b39dac36b12905e7153403216313a42 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 22:29:01 +0100 Subject: [PATCH 10/30] readme --- README.md | 2 ++ docs/terraform.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/README.md b/README.md index 4a628fa..ccb191d 100644 --- a/README.md +++ b/README.md 
@@ -182,6 +182,8 @@ Available targets: | [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [aws_caller_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.combined_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | diff --git a/docs/terraform.md b/docs/terraform.md index e867b8a..bc58029 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
@@ -32,6 +32,8 @@ | [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [aws_caller_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.combined_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | From 3144d1fa62b80c88ac205539892f11395e555218 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 23:25:57 +0100 Subject: [PATCH 11/30] Fix bucket settings --- main.tf | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/main.tf b/main.tf index db7a782..4421133 100644 --- a/main.tf +++ b/main.tf 
@@ -16,6 +16,22 @@ resource "aws_s3_bucket_versioning" "default" { } } +resource "aws_s3_bucket_lifecycle" "example_lifecycle" { + count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 + bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) + + rule { + id = "codebuildcache" + enabled = true + + prefix = "/" + + expiration { + days = var.cache_expiration_days + } + } +} + resource "aws_s3_bucket" "cache_bucket" { #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). @@ -33,18 +49,6 @@ resource "aws_s3_bucket" "cache_bucket" { } } - lifecycle_rule { - id = "codebuildcache" - enabled = true - - prefix = "/" - tags = module.this.tags - - expiration { - days = var.cache_expiration_days - } - } - dynamic "server_side_encryption_configuration" { for_each = var.encryption_enabled ? ["true"] : [] From 10bff003dbdf70282ae4092df25ac6d73a51ebf9 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 23:30:27 +0100 Subject: [PATCH 12/30] Fix bucket settings --- main.tf | 44 ++++++++++++++++++++++++-------------------- 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/main.tf b/main.tf index 4421133..3d949cd 100644 --- a/main.tf +++ b/main.tf @@ -16,7 +16,7 @@ resource "aws_s3_bucket_versioning" "default" { } } -resource "aws_s3_bucket_lifecycle" "example_lifecycle" { +resource "aws_s3_bucket_lifecycle" "default" { count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) 
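Review bot: The rule moved into `aws_s3_bucket_lifecycle.example_lifecycle` drops `tags = module.this.tags` from the removed inline `lifecycle_rule`, and in that block the tags acted as an object-tag filter, so the expiration now applies to every object under the prefix instead of only to objects carrying the module's tags. That is probably the intended outcome (cache objects written by CodeBuild are unlikely to carry those tags, so the old rule may never have matched anything), but it is a behavioural change that the "Fix bucket settings" message does not record. A one-line comment on the rule makes the choice explicit, e.g. `# No tag filter on purpose: CodeBuild cache objects are untagged, expire everything under the prefix`.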
@@ -32,14 +32,20 @@ resource "aws_s3_bucket_lifecycle" "example_lifecycle" { } } -resource "aws_s3_bucket" "cache_bucket" { - #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). - #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). - #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629). - count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 - bucket = local.cache_bucket_name_normalised - force_destroy = true - tags = module.this.tags +resource "aws_s3_bucket_server_side_encryption_configuration" "default" { + count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 + bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } +} + +resource "aws_s3_bucket_logging" "example_logging" { + count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 + bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) dynamic "logging" { for_each = var.access_log_bucket_name != "" ? [1] : [] 
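Review bot: The new `aws_s3_bucket_server_side_encryption_configuration.default` is created whenever the cache bucket is, whereas the removed `dynamic "server_side_encryption_configuration"` block was gated on `var.encryption_enabled`, so that input (described in the inputs table above as enabling AES256 encryption, default `false`) no longer affects the cache bucket. Always-on SSE-S3 is the safer default and worth keeping, but then the variable description should state that the cache bucket is always encrypted; otherwise extend the count with `&& var.encryption_enabled` to preserve the existing contract. If `encryption_enabled` is still consulted elsewhere in the module (not visible here), the description should name which resources it governs. The body of `aws_s3_bucket_logging.example_logging` continues outside this hunk.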
@@ -48,18 +54,16 @@ resource "aws_s3_bucket" "cache_bucket" { target_prefix = "logs/${module.this.id}/" } } +} - dynamic "server_side_encryption_configuration" { - for_each = var.encryption_enabled ? ["true"] : [] - - content { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "AES256" - } - } - } - } +resource "aws_s3_bucket" "cache_bucket" { + #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). + #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). + #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue in terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629). + count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 + bucket = local.cache_bucket_name_normalised + force_destroy = true + tags = module.this.tags } resource "random_string" "bucket_prefix" { From 9cf5c84d5e7863d968fe8bbd68148bad5b29d7b4 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 23:31:11 +0100 Subject: [PATCH 13/30] Fix bucket settings --- README.md | 3 +++ docs/terraform.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/README.md b/README.md index ccb191d..0833288 100644 --- a/README.md +++ b/README.md 
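Review bot: The three `#bridgecrew:skip` comments carried over onto the relocated `aws_s3_bucket.cache_bucket` now give stale reasons: BC_AWS_S3_14 is skipped "until bridgecrew will support dynamic blocks", yet encryption is now the standalone `aws_s3_bucket_server_side_encryption_configuration.default` with no dynamic block, and the same rationale for BC_AWS_S3_13 stops applying as soon as logging is a plain resource too. Either drop the skips that no longer trigger or reword them, e.g. `#bridgecrew:skip=BC_AWS_S3_14:Encryption is configured by aws_s3_bucket_server_side_encryption_configuration.default`. The CKV_AWS_52 reason cites a terraform issue about the old inline versioning block; `aws_s3_bucket_versioning`'s `versioning_configuration` accepts `mfa_delete`, so if MFA delete stays off the comment should say that is a deliberate choice rather than a tooling limitation.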
@@ -183,6 +183,9 @@ Available targets: | [aws_iam_role_policy_attachment.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | | [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_lifecycle.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle) | resource | +| [aws_s3_bucket_logging.example_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [aws_caller_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | diff --git a/docs/terraform.md b/docs/terraform.md index bc58029..22f0c11 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
@@ -33,6 +33,9 @@ | [aws_iam_role_policy_attachment.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | | [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_lifecycle.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle) | resource | +| [aws_s3_bucket_logging.example_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [aws_caller_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | From cad59d26df7535e188fcfb1843865a2b659a38fb Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 23:32:01 +0100 Subject: [PATCH 14/30] Fix bucket settings --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 3d949cd..423f165 100644 --- a/main.tf +++ b/main.tf @@ -25,7 +25,7 @@ resource "aws_s3_bucket_lifecycle" "default" { enabled = true prefix = "/" - + expiration { days = var.cache_expiration_days } From 5b829a54376705a0f84368e2b03d3282840f98de Mon Sep 17 00:00:00 2001 
From: Max Lobur Date: Fri, 10 Nov 2023 23:33:20 +0100 Subject: [PATCH 15/30] Fix bucket settings --- README.md | 1 + docs/terraform.md | 1 + main.tf | 8 ++++++++ 3 files changed, 10 insertions(+) diff --git a/README.md b/README.md index 0833288..59fcb31 100644 --- a/README.md +++ b/README.md @@ -185,6 +185,7 @@ Available targets: | [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | | [aws_s3_bucket_lifecycle.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle) | resource | | [aws_s3_bucket_logging.example_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_public_access_block.access_good_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | diff --git a/docs/terraform.md b/docs/terraform.md index 22f0c11..25e08fe 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
@@ -35,6 +35,7 @@ | [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | | [aws_s3_bucket_lifecycle.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle) | resource | | [aws_s3_bucket_logging.example_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_public_access_block.access_good_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | diff --git a/main.tf b/main.tf index 423f165..db37035 100644 --- a/main.tf +++ b/main.tf @@ -56,6 +56,14 @@ resource "aws_s3_bucket_logging" "example_logging" { } } +resource "aws_s3_bucket_public_access_block" "access_good_1" { + count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 + bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) + + block_public_acls = true + block_public_policy = true +} + resource "aws_s3_bucket" "cache_bucket" { #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776). 
From ad0ed1765be116170c0625cf0ec03a45457cb753 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 23:34:43 +0100 Subject: [PATCH 16/30] Fix bucket settings --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index db37035..2725d11 100644 --- a/main.tf +++ b/main.tf @@ -43,7 +43,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" { } } -resource "aws_s3_bucket_logging" "example_logging" { +resource "aws_s3_bucket_logging" "default" { count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) @@ -56,7 +56,7 @@ resource "aws_s3_bucket_logging" "example_logging" { } } -resource "aws_s3_bucket_public_access_block" "access_good_1" { +resource "aws_s3_bucket_public_access_block" "default" { count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) From aa60b453e1ac7e1929f2b61434b4834c1ed8b7ea Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 23:36:31 +0100 Subject: [PATCH 17/30] Fix bucket settings --- main.tf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 2725d11..fa5fdb2 100644 --- a/main.tf +++ b/main.tf @@ -60,8 +60,10 @@ resource "aws_s3_bucket_public_access_block" "default" { count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) - block_public_acls = true - block_public_policy = true + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true } resource "aws_s3_bucket" "cache_bucket" { From e25fb1f45dfe1667497942c1c78ce0a2f4968ed3 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Fri, 10 Nov 2023 23:37:31 +0100 Subject: [PATCH 18/30] Fix bucket settings --- README.md | 4 ++-- docs/terraform.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
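Review bot: `aws_s3_bucket_acl.default` with `acl = "private"` (visible as hunk-header context in the earlier patches of this series) will fail with `AccessControlListNotSupported` on a bucket whose ObjectOwnership is the current default `BucketOwnerEnforced`, because ACLs are disabled in that mode, and the completed public-access block in this hunk does not resolve that. The least-privilege option is to delete the `aws_s3_bucket_acl` resource altogether: with ACLs disabled and all four `block_public_*`/`ignore_public_acls`/`restrict_public_buckets` flags set, `private` is already the effective state. If ACLs are genuinely required, add an `aws_s3_bucket_ownership_controls` resource with `object_ownership = "BucketOwnerPreferred"` and give `aws_s3_bucket_acl.default` a `depends_on` on it and on `aws_s3_bucket_public_access_block.default`. I am inferring from `local.create_s3_cache_bucket` that this bucket is newly created; an existing bucket with ACLs enabled would not hit the error.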
diff --git a/README.md b/README.md index 59fcb31..ffeae42 100644 --- a/README.md +++ b/README.md @@ -184,8 +184,8 @@ Available targets: | [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | | [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | | [aws_s3_bucket_lifecycle.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle) | resource | -| [aws_s3_bucket_logging.example_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | -| [aws_s3_bucket_public_access_block.access_good_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | diff --git a/docs/terraform.md b/docs/terraform.md index 25e08fe..28a8fd3 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
@@ -34,8 +34,8 @@ | [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | | [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | | [aws_s3_bucket_lifecycle.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle) | resource | -| [aws_s3_bucket_logging.example_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | -| [aws_s3_bucket_public_access_block.access_good_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | From bd2d9c1c2d4ee7a2eedbc21fe7aba4eeb4e379cb Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Sat, 11 Nov 2023 00:08:43 +0100 Subject: [PATCH 19/30] Fix bucket settings --- main.tf | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/main.tf b/main.tf index fa5fdb2..4521af8 100644 --- a/main.tf +++ b/main.tf 
@@ -44,16 +44,11 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" { } resource "aws_s3_bucket_logging" "default" { - count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 + count = module.this.enabled && local.create_s3_cache_bucket && var.access_log_bucket_name != "" ? 1 : 0 bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) - dynamic "logging" { - for_each = var.access_log_bucket_name != "" ? [1] : [] - content { - target_bucket = var.access_log_bucket_name - target_prefix = "logs/${module.this.id}/" - } - } + target_bucket = var.access_log_bucket_name + target_prefix = "logs/${module.this.id}/" } resource "aws_s3_bucket_public_access_block" "default" { From 721c67f584b066e9c4fc17b21ab41cd4962dd794 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Sat, 11 Nov 2023 00:10:02 +0100 Subject: [PATCH 20/30] Fix bucket settings --- main.tf | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 4521af8..b00c96a 100644 --- a/main.tf +++ b/main.tf @@ -16,15 +16,17 @@ resource "aws_s3_bucket_versioning" "default" { } } -resource "aws_s3_bucket_lifecycle" "default" { +resource "aws_s3_bucket_lifecycle_configuration" "default" { count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0 bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) rule { id = "codebuildcache" - enabled = true + status = "Enabled" - prefix = "/" + filter { + prefix = "/" + } expiration { days = var.cache_expiration_days From 1d60396709b1c758c71825f6b720e0434e1b07e1 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Sat, 11 Nov 2023 00:10:55 +0100 Subject: [PATCH 21/30] Fix bucket settings --- README.md | 2 +- docs/terraform.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ffeae42..2392f53 100644 --- a/README.md +++ b/README.md 
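Review bot: The new `count` guard only tests `var.access_log_bucket_name != ""`, so a caller that passes an explicit `null` for that input (the variable's default is `""`, not `null`) should, as far as I can tell, still get `count = 1` and then a null `target_bucket`, which fails at plan time instead of meaning "no logging"; `coalesce(var.access_log_bucket_name, "") != ""` in the guard, or a `validation` block on the variable, closes that gap. Nothing in the resource states that the named bucket has to accept server access logs, and log delivery fails silently when it does not; a comment on the resource such as `# the target bucket must grant the S3 log delivery service write access (bucket policy or ACL), otherwise no logs arrive` would save the next operator a debugging round. The enclosing `aws_s3_bucket_logging` resource is complete within the hunk.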
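Review bot: `filter { prefix = "/" }` limits the expiration rule to keys that begin with a literal slash, which S3 object keys normally do not, so the cache may never expire; to apply the rule to the whole bucket use an empty `filter {}` (or `prefix = ""`). The removed inline `prefix = "/"` had the same effect, so this is pre-existing rather than introduced here, but the migration to `aws_s3_bucket_lifecycle_configuration` is the moment to correct it. The hunk's context also shows `aws_s3_bucket_versioning` managed for this bucket and the `versioning_enabled` input defaults to `true`, so `expiration` alone only writes delete markers and keeps every noncurrent version indefinitely; unless the part of the rule outside the hunk already has it, add `noncurrent_version_expiration { noncurrent_days = var.cache_expiration_days }`, and consider `depends_on = [aws_s3_bucket_versioning.default]` as the provider documentation recommends for lifecycle rules on versioned buckets. The `rule` block continues past the end of the hunk.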
@@ -183,7 +183,7 @@ Available targets: | [aws_iam_role_policy_attachment.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | | [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | -| [aws_s3_bucket_lifecycle.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle) | resource | +| [aws_s3_bucket_lifecycle_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource | | [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | | [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | diff --git a/docs/terraform.md b/docs/terraform.md index 28a8fd3..ccf7326 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
@@ -33,7 +33,7 @@ | [aws_iam_role_policy_attachment.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | | [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | -| [aws_s3_bucket_lifecycle.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle) | resource | +| [aws_s3_bucket_lifecycle_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource | | [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | | [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | From 8485afe324e30fb52ea89265019c4f71ffecb773 Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Sat, 11 Nov 2023 00:11:18 +0100 Subject: [PATCH 22/30] Fix bucket settings --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index b00c96a..ad0c156 100644 --- a/main.tf +++ b/main.tf @@ -21,7 +21,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "default" { bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id) rule { - id = "codebuildcache" + id = "codebuildcache" status = "Enabled" filter { From 1625e6486b4d8cc012ef231c463136139455baa5 Mon Sep 17 00:00:00 2001 
From: Max Lobur Date: Sat, 11 Nov 2023 00:12:16 +0100 Subject: [PATCH 23/30] Fix bucket settings --- docs/terraform.md | 135 ---------------------------------------------- 1 file changed, 135 deletions(-) diff --git a/docs/terraform.md b/docs/terraform.md index ccf7326..d5224ec 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
@@ -1,136 +1 @@ -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | >= 5.0 | -| [random](#requirement\_random) | >= 2.1 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 5.0 | -| [random](#provider\_random) | >= 2.1 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_codebuild_project.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | -| [aws_codebuild_source_credential.authorization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_source_credential) | resource | -| [aws_iam_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | -| 
[aws_s3_bucket_lifecycle_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource | -| [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | -| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | -| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | -| [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | -| [aws_caller_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.combined_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.permissions_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.vpc_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| 
[aws_region.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_s3_bucket.secondary_artifact](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [access\_log\_bucket\_name](#input\_access\_log\_bucket\_name) | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [artifact\_location](#input\_artifact\_location) | Location of artifact. Applies only for artifact of type S3 | `string` | `""` | no | -| [artifact\_type](#input\_artifact\_type) | The build output artifact's type. Valid values for this parameter are: CODEPIPELINE, NO\_ARTIFACTS or S3 | `string` | `"CODEPIPELINE"` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [aws\_account\_id](#input\_aws\_account\_id) | (Optional) AWS Account ID. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `""` | no | -| [aws\_region](#input\_aws\_region) | (Optional) AWS Region, e.g. us-east-1. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `""` | no | -| [badge\_enabled](#input\_badge\_enabled) | Generates a publicly-accessible URL for the projects build badge. Available as badge\_url attribute when enabled | `bool` | `false` | no | -| [build\_compute\_type](#input\_build\_compute\_type) | Instance type of the build instance | `string` | `"BUILD_GENERAL1_SMALL"` | no | -| [build\_image](#input\_build\_image) | Docker image for build environment, e.g. 'aws/codebuild/standard:2.0' or 'aws/codebuild/eb-nodejs-6.10.0-amazonlinux-64:4.0.0'. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html | `string` | `"aws/codebuild/standard:2.0"` | no | -| [build\_image\_pull\_credentials\_type](#input\_build\_image\_pull\_credentials\_type) | Type of credentials AWS CodeBuild uses to pull images in your build.Valid values: CODEBUILD, SERVICE\_ROLE. When you use a cross-account or private registry image, you must use SERVICE\_ROLE credentials. | `string` | `"CODEBUILD"` | no | -| [build\_timeout](#input\_build\_timeout) | How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed | `number` | `60` | no | -| [build\_type](#input\_build\_type) | The type of build environment, e.g. 
'LINUX\_CONTAINER' or 'WINDOWS\_CONTAINER' | `string` | `"LINUX_CONTAINER"` | no | -| [buildspec](#input\_buildspec) | Optional buildspec declaration to use for building the project | `string` | `""` | no | -| [cache\_bucket\_suffix\_enabled](#input\_cache\_bucket\_suffix\_enabled) | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache\_type is 'S3 | `bool` | `true` | no | -| [cache\_expiration\_days](#input\_cache\_expiration\_days) | How many days should the build cache be kept. It only works when cache\_type is 'S3' | `number` | `7` | no | -| [cache\_type](#input\_cache\_type) | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to NO\_CACHE. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"NO_CACHE"` | no | -| [concurrent\_build\_limit](#input\_concurrent\_build\_limit) | Specify a maximum number of concurrent builds for the project. The value specified must be greater than 0 and less than the account concurrent running builds limit. | `number` | `null` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [description](#input\_description) | Short description of the CodeBuild project | `string` | `"Managed by Terraform"` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [encryption\_enabled](#input\_encryption\_enabled) | When set to 'true' the resource will have AES256 encryption enabled by default | `bool` | `false` | no | -| [encryption\_key](#input\_encryption\_key) | AWS Key Management Service (AWS KMS) customer master key (CMK) to be used for encrypting the build project's build output artifacts. | `string` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [environment\_variables](#input\_environment\_variables) | A list of maps, that contain the keys 'name', 'value', and 'type' to be used as additional environment variables for the build. Valid types are 'PLAINTEXT', 'PARAMETER\_STORE', or 'SECRETS\_MANAGER' |
list(object(
{
name = string
value = string
type = string
}
))
|
[
{
"name": "NO_ADDITIONAL_BUILD_VARS",
"type": "PLAINTEXT",
"value": "TRUE"
}
]
| no | -| [extra\_permissions](#input\_extra\_permissions) | List of action strings which will be added to IAM service account permissions. | `list(any)` | `[]` | no | -| [fetch\_git\_submodules](#input\_fetch\_git\_submodules) | If set to true, fetches Git submodules for the AWS CodeBuild build project. | `bool` | `false` | no | -| [file\_system\_locations](#input\_file\_system\_locations) | A set of file system locations to to mount inside the build. File system locations are documented below. | `any` | `{}` | no | -| [git\_clone\_depth](#input\_git\_clone\_depth) | Truncate git history to this many commits. | `number` | `null` | no | -| [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no | -| [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no | -| [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no | -| [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the policy. | `string` | `"/service-role/"` | no | -| [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no | -| [image\_tag](#input\_image\_tag) | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"latest"` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [local\_cache\_modes](#input\_local\_cache\_modes) | Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL\_SOURCE\_CACHE, LOCAL\_DOCKER\_LAYER\_CACHE, and LOCAL\_CUSTOM\_CACHE | `list(string)` | `[]` | no | -| [logs\_config](#input\_logs\_config) | Configuration for the builds to store log data to CloudWatch or S3. | `any` | `{}` | no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [private\_repository](#input\_private\_repository) | Set to true to login into private repository with credentials supplied in source\_credential variable. | `bool` | `false` | no | -| [privileged\_mode](#input\_privileged\_mode) | (Optional) If set to true, enables running the Docker daemon inside a Docker container on the CodeBuild instance. Used when building Docker images | `bool` | `false` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [report\_build\_status](#input\_report\_build\_status) | Set to true to report the status of a build's start and finish to your source provider. This option is only valid when the source\_type is BITBUCKET or GITHUB | `bool` | `false` | no | -| [s3\_cache\_bucket\_name](#input\_s3\_cache\_bucket\_name) | Use an existing s3 bucket name for cache. Relevant if `cache_type` is set to `S3`. | `string` | `null` | no | -| [secondary\_artifact\_encryption\_enabled](#input\_secondary\_artifact\_encryption\_enabled) | Set to true to enable encryption on the secondary artifact bucket | `bool` | `false` | no | -| [secondary\_artifact\_identifier](#input\_secondary\_artifact\_identifier) | Secondary artifact identifier. Must match the identifier in the build spec | `string` | `null` | no | -| [secondary\_artifact\_location](#input\_secondary\_artifact\_location) | Location of secondary artifact. Must be an S3 reference | `string` | `null` | no | -| [secondary\_sources](#input\_secondary\_sources) | (Optional) secondary source for the codebuild project in addition to the primary location |
list(object(
{
git_clone_depth = number
location = string
source_identifier = string
type = string
fetch_submodules = bool
insecure_ssl = bool
report_build_status = bool
}))
| `[]` | no | -| [source\_credential\_auth\_type](#input\_source\_credential\_auth\_type) | The type of authentication used to connect to a GitHub, GitHub Enterprise, or Bitbucket repository. | `string` | `"PERSONAL_ACCESS_TOKEN"` | no | -| [source\_credential\_server\_type](#input\_source\_credential\_server\_type) | The source provider used for this project. | `string` | `"GITHUB"` | no | -| [source\_credential\_token](#input\_source\_credential\_token) | For GitHub or GitHub Enterprise, this is the personal access token. For Bitbucket, this is the app password. | `string` | `""` | no | -| [source\_credential\_user\_name](#input\_source\_credential\_user\_name) | The Bitbucket username when the authType is BASIC\_AUTH. This parameter is not valid for other types of source providers or connections. | `string` | `""` | no | -| [source\_location](#input\_source\_location) | The location of the source code from git or s3 | `string` | `""` | no | -| [source\_type](#input\_source\_type) | The type of repository that contains the source code to be built. Valid values for this parameter are: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB\_ENTERPRISE, BITBUCKET or S3 | `string` | `"CODEPIPELINE"` | no | -| [source\_version](#input\_source\_version) | A version of the build input to be built for this project. If not specified, the latest version is used. | `string` | `""` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [versioning\_enabled](#input\_versioning\_enabled) | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no | -| [vpc\_config](#input\_vpc\_config) | Configuration for the builds to run inside a VPC. | `any` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [badge\_url](#output\_badge\_url) | The URL of the build badge when badge\_enabled is enabled | -| [cache\_bucket\_arn](#output\_cache\_bucket\_arn) | Cache S3 bucket ARN | -| [cache\_bucket\_name](#output\_cache\_bucket\_name) | Cache S3 bucket name | -| [project\_arn](#output\_project\_arn) | Project ARN | -| [project\_id](#output\_project\_id) | Project ID | -| [project\_name](#output\_project\_name) | Project name | -| [role\_arn](#output\_role\_arn) | IAM Role ARN | -| [role\_id](#output\_role\_id) | IAM Role ID | - From 3e33348374d365cb13b64e280ee2c164897a207c Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Sat, 11 Nov 2023 00:13:36 +0100 Subject: [PATCH 24/30] Fix bucket settings --- docs/terraform.md | 135 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) diff --git a/docs/terraform.md b/docs/terraform.md index d5224ec..ccf7326 100644 --- a/docs/terraform.md +++ b/docs/terraform.md 
@@ -1 +1,136 @@ +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 5.0 | +| [random](#requirement\_random) | >= 2.1 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 5.0 | +| [random](#provider\_random) | >= 2.1 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_codebuild_project.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | +| [aws_codebuild_source_credential.authorization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_source_credential) | resource | +| [aws_iam_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.default_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_s3_bucket.cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| 
[aws_s3_bucket_lifecycle_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [random_string.bucket_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [aws_caller_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.combined_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.permissions_cache_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.vpc_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_region.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_s3_bucket.secondary_artifact](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_log\_bucket\_name](#input\_access\_log\_bucket\_name) | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [artifact\_location](#input\_artifact\_location) | Location of artifact. Applies only for artifact of type S3 | `string` | `""` | no | +| [artifact\_type](#input\_artifact\_type) | The build output artifact's type. Valid values for this parameter are: CODEPIPELINE, NO\_ARTIFACTS or S3 | `string` | `"CODEPIPELINE"` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [aws\_account\_id](#input\_aws\_account\_id) | (Optional) AWS Account ID. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `""` | no | +| [aws\_region](#input\_aws\_region) | (Optional) AWS Region, e.g. us-east-1. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `""` | no | +| [badge\_enabled](#input\_badge\_enabled) | Generates a publicly-accessible URL for the projects build badge. Available as badge\_url attribute when enabled | `bool` | `false` | no | +| [build\_compute\_type](#input\_build\_compute\_type) | Instance type of the build instance | `string` | `"BUILD_GENERAL1_SMALL"` | no | +| [build\_image](#input\_build\_image) | Docker image for build environment, e.g. 'aws/codebuild/standard:2.0' or 'aws/codebuild/eb-nodejs-6.10.0-amazonlinux-64:4.0.0'. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html | `string` | `"aws/codebuild/standard:2.0"` | no | +| [build\_image\_pull\_credentials\_type](#input\_build\_image\_pull\_credentials\_type) | Type of credentials AWS CodeBuild uses to pull images in your build.Valid values: CODEBUILD, SERVICE\_ROLE. When you use a cross-account or private registry image, you must use SERVICE\_ROLE credentials. | `string` | `"CODEBUILD"` | no | +| [build\_timeout](#input\_build\_timeout) | How long in minutes, from 5 to 480 (8 hours), for AWS CodeBuild to wait until timing out any related build that does not get marked as completed | `number` | `60` | no | +| [build\_type](#input\_build\_type) | The type of build environment, e.g. 
'LINUX\_CONTAINER' or 'WINDOWS\_CONTAINER' | `string` | `"LINUX_CONTAINER"` | no | +| [buildspec](#input\_buildspec) | Optional buildspec declaration to use for building the project | `string` | `""` | no | +| [cache\_bucket\_suffix\_enabled](#input\_cache\_bucket\_suffix\_enabled) | The cache bucket generates a random 13 character string to generate a unique bucket name. If set to false it uses terraform-null-label's id value. It only works when cache\_type is 'S3 | `bool` | `true` | no | +| [cache\_expiration\_days](#input\_cache\_expiration\_days) | How many days should the build cache be kept. It only works when cache\_type is 'S3' | `number` | `7` | no | +| [cache\_type](#input\_cache\_type) | The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO\_CACHE, LOCAL, and S3. Defaults to NO\_CACHE. If cache\_type is S3, it will create an S3 bucket for storing codebuild cache inside | `string` | `"NO_CACHE"` | no | +| [concurrent\_build\_limit](#input\_concurrent\_build\_limit) | Specify a maximum number of concurrent builds for the project. The value specified must be greater than 0 and less than the account concurrent running builds limit. | `number` | `null` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [description](#input\_description) | Short description of the CodeBuild project | `string` | `"Managed by Terraform"` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [encryption\_enabled](#input\_encryption\_enabled) | When set to 'true' the resource will have AES256 encryption enabled by default | `bool` | `false` | no | +| [encryption\_key](#input\_encryption\_key) | AWS Key Management Service (AWS KMS) customer master key (CMK) to be used for encrypting the build project's build output artifacts. | `string` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [environment\_variables](#input\_environment\_variables) | A list of maps, that contain the keys 'name', 'value', and 'type' to be used as additional environment variables for the build. Valid types are 'PLAINTEXT', 'PARAMETER\_STORE', or 'SECRETS\_MANAGER' |
list(object(
{
name = string
value = string
type = string
}
))
|
[
{
"name": "NO_ADDITIONAL_BUILD_VARS",
"type": "PLAINTEXT",
"value": "TRUE"
}
]
| no | +| [extra\_permissions](#input\_extra\_permissions) | List of action strings which will be added to IAM service account permissions. | `list(any)` | `[]` | no | +| [fetch\_git\_submodules](#input\_fetch\_git\_submodules) | If set to true, fetches Git submodules for the AWS CodeBuild build project. | `bool` | `false` | no | +| [file\_system\_locations](#input\_file\_system\_locations) | A set of file system locations to to mount inside the build. File system locations are documented below. | `any` | `{}` | no | +| [git\_clone\_depth](#input\_git\_clone\_depth) | Truncate git history to this many commits. | `number` | `null` | no | +| [github\_token](#input\_github\_token) | (Optional) GitHub auth token environment variable (`GITHUB_TOKEN`) | `string` | `""` | no | +| [github\_token\_type](#input\_github\_token\_type) | Storage type of GITHUB\_TOKEN environment variable (`PARAMETER_STORE`, `PLAINTEXT`, `SECRETS_MANAGER`) | `string` | `"PARAMETER_STORE"` | no | +| [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no | +| [iam\_policy\_path](#input\_iam\_policy\_path) | Path to the policy. | `string` | `"/service-role/"` | no | +| [iam\_role\_path](#input\_iam\_role\_path) | Path to the role. | `string` | `null` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [image\_repo\_name](#input\_image\_repo\_name) | (Optional) ECR repository name to store the Docker image built by this module. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"UNSET"` | no | +| [image\_tag](#input\_image\_tag) | (Optional) Docker image tag in the ECR repository, e.g. 'latest'. Used as CodeBuild ENV variable when building Docker images. For more info: http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html | `string` | `"latest"` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [local\_cache\_modes](#input\_local\_cache\_modes) | Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL\_SOURCE\_CACHE, LOCAL\_DOCKER\_LAYER\_CACHE, and LOCAL\_CUSTOM\_CACHE | `list(string)` | `[]` | no | +| [logs\_config](#input\_logs\_config) | Configuration for the builds to store log data to CloudWatch or S3. | `any` | `{}` | no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [private\_repository](#input\_private\_repository) | Set to true to login into private repository with credentials supplied in source\_credential variable. | `bool` | `false` | no | +| [privileged\_mode](#input\_privileged\_mode) | (Optional) If set to true, enables running the Docker daemon inside a Docker container on the CodeBuild instance. Used when building Docker images | `bool` | `false` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [report\_build\_status](#input\_report\_build\_status) | Set to true to report the status of a build's start and finish to your source provider. This option is only valid when the source\_type is BITBUCKET or GITHUB | `bool` | `false` | no | +| [s3\_cache\_bucket\_name](#input\_s3\_cache\_bucket\_name) | Use an existing s3 bucket name for cache. Relevant if `cache_type` is set to `S3`. | `string` | `null` | no | +| [secondary\_artifact\_encryption\_enabled](#input\_secondary\_artifact\_encryption\_enabled) | Set to true to enable encryption on the secondary artifact bucket | `bool` | `false` | no | +| [secondary\_artifact\_identifier](#input\_secondary\_artifact\_identifier) | Secondary artifact identifier. Must match the identifier in the build spec | `string` | `null` | no | +| [secondary\_artifact\_location](#input\_secondary\_artifact\_location) | Location of secondary artifact. Must be an S3 reference | `string` | `null` | no | +| [secondary\_sources](#input\_secondary\_sources) | (Optional) secondary source for the codebuild project in addition to the primary location |
list(object(
{
git_clone_depth = number
location = string
source_identifier = string
type = string
fetch_submodules = bool
insecure_ssl = bool
report_build_status = bool
}))
| `[]` | no | +| [source\_credential\_auth\_type](#input\_source\_credential\_auth\_type) | The type of authentication used to connect to a GitHub, GitHub Enterprise, or Bitbucket repository. | `string` | `"PERSONAL_ACCESS_TOKEN"` | no | +| [source\_credential\_server\_type](#input\_source\_credential\_server\_type) | The source provider used for this project. | `string` | `"GITHUB"` | no | +| [source\_credential\_token](#input\_source\_credential\_token) | For GitHub or GitHub Enterprise, this is the personal access token. For Bitbucket, this is the app password. | `string` | `""` | no | +| [source\_credential\_user\_name](#input\_source\_credential\_user\_name) | The Bitbucket username when the authType is BASIC\_AUTH. This parameter is not valid for other types of source providers or connections. | `string` | `""` | no | +| [source\_location](#input\_source\_location) | The location of the source code from git or s3 | `string` | `""` | no | +| [source\_type](#input\_source\_type) | The type of repository that contains the source code to be built. Valid values for this parameter are: CODECOMMIT, CODEPIPELINE, GITHUB, GITHUB\_ENTERPRISE, BITBUCKET or S3 | `string` | `"CODEPIPELINE"` | no | +| [source\_version](#input\_source\_version) | A version of the build input to be built for this project. If not specified, the latest version is used. | `string` | `""` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [versioning\_enabled](#input\_versioning\_enabled) | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no | +| [vpc\_config](#input\_vpc\_config) | Configuration for the builds to run inside a VPC. | `any` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [badge\_url](#output\_badge\_url) | The URL of the build badge when badge\_enabled is enabled | +| [cache\_bucket\_arn](#output\_cache\_bucket\_arn) | Cache S3 bucket ARN | +| [cache\_bucket\_name](#output\_cache\_bucket\_name) | Cache S3 bucket name | +| [project\_arn](#output\_project\_arn) | Project ARN | +| [project\_id](#output\_project\_id) | Project ID | +| [project\_name](#output\_project\_name) | Project name | +| [role\_arn](#output\_role\_arn) | IAM Role ARN | +| [role\_id](#output\_role\_id) | IAM Role ID | + From 1a1bd208be4a8d261ab0e3c3e18b2bea8179316c Mon Sep 17 00:00:00 2001 From: Max Lobur Date: Sat, 11 Nov 2023 00:18:17 +0100 Subject: [PATCH 25/30] Fix bucket settings --- README.md | 1 + docs/terraform.md | 1 + main.tf | 8 ++++++++ 3 files changed, 10 insertions(+) diff --git a/README.md b/README.md index 2392f53..5e45884 100644 --- a/README.md +++ b/README.md 
@@ -185,6 +185,7 @@ Available targets:
 | [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_lifecycle_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
diff --git a/docs/terraform.md b/docs/terraform.md
index ccf7326..650f149 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -35,6 +35,7 @@
 | [aws_s3_bucket_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_lifecycle_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
diff --git a/main.tf b/main.tf
index ad0c156..399273f 100644
--- a/main.tf
+++ b/main.tf
@@ -8,6 +8,14 @@ resource "aws_s3_bucket_acl" "default" {
   acl = "private"
 }
 
+resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
+  count  = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0
+  bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id)
+  rule {
+    object_ownership = "ObjectWriter"
+  }
+}
+
 resource "aws_s3_bucket_versioning" "default" {
   count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0
   bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id)

From e414b70a7d3840e6b7ddd6483f14fa33e040273d Mon Sep 17 00:00:00 2001
From: Max Lobur
Date: Sat, 11 Nov 2023 00:37:33 +0100
Subject: [PATCH 26/30] Fix bucket settings

---
 main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
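Review bot: `object_ownership = "ObjectWriter"` in the new aws_s3_bucket_ownership_controls block selects the legacy ownership mode: bucket and object ACLs stay fully in force, and an object uploaded by a different account remains owned by that account, so the bucket owner's IAM and bucket-policy grants do not by themselves cover it. For a bucket the module also pins to `acl = "private"` (the context line above this block), `BucketOwnerEnforced` is the setting that disables ACLs and makes bucket-owner ownership unconditional, and it is AWS's default for new buckets; `BucketOwnerPreferred` is the fallback only if a managed ACL resource has to remain. The block also has no ordering relative to aws_s3_bucket_acl.default, whose body lies outside this hunk, while the provider documents ownership controls as a prerequisite of the ACL resource; the ACL should carry `depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]`, and this block deserves a one-line why-comment such as `# Object Ownership must be applied before aws_s3_bucket_acl.default.`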
diff --git a/main.tf b/main.tf
index 399273f..92eb7db 100644
--- a/main.tf
+++ b/main.tf
@@ -12,8 +12,9 @@ resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
   count  = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0
   bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id)
   rule {
-    object_ownership = "ObjectWriter"
+    object_ownership = "BucketOwnerEnforced"
   }
+  depends_on = [ aws_s3_bucket_acl.default[count.index] ]
 }
 
 resource "aws_s3_bucket_versioning" "default" {

From 95c87432cc1cca9bd019647606f9ba4a7832a05d Mon Sep 17 00:00:00 2001
From: Max Lobur
Date: Sat, 11 Nov 2023 00:42:27 +0100
Subject: [PATCH 27/30] Fix bucket settings

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 92eb7db..69db87a 100644
--- a/main.tf
+++ b/main.tf
@@ -14,7 +14,7 @@ resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
   rule {
     object_ownership = "BucketOwnerEnforced"
   }
-  depends_on = [ aws_s3_bucket_acl.default[count.index] ]
+  depends_on = [aws_s3_bucket_acl.default]
 }
 
 resource "aws_s3_bucket_versioning" "default" {

From 2f559884190e257573162391faee943ade53a92d Mon Sep 17 00:00:00 2001
From: Max Lobur
Date: Sat, 11 Nov 2023 00:50:13 +0100
Subject: [PATCH 28/30] Fix bucket settings

---
 main.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/main.tf b/main.tf
index 69db87a..1d46a35 100644
--- a/main.tf
+++ b/main.tf
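Review bot: `depends_on = [ aws_s3_bucket_acl.default[count.index] ]` will not pass `terraform validate`: depends_on accepts only static references to a resource or module (indexing is allowed only with constant keys), and `count.index` is an expression, not a constant. Beyond the syntax, the edge points the wrong way for this pair of resources: the provider documents aws_s3_bucket_ownership_controls as a prerequisite of aws_s3_bucket_acl, because once object ownership is `BucketOwnerEnforced` a PutBucketAcl request is refused with AccessControlListNotSupported, so applying the ACL first only works on the initial create and is expected to fail on any later ACL re-apply. Remove the depends_on from this block and put `depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]` on aws_s3_bucket_acl.default instead, whose body is outside this hunk.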
@@ -3,9 +3,10 @@ data "aws_caller_identity" "default" {}
 data "aws_region" "default" {}
 
 resource "aws_s3_bucket_acl" "default" {
-  count = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0
-  bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id)
-  acl = "private"
+  count      = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0
+  bucket     = join("", resource.aws_s3_bucket.cache_bucket[*].id)
+  acl        = "private"
+  depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
 }
 
 resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
@@ -14,7 +15,6 @@ resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
   rule {
     object_ownership = "BucketOwnerEnforced"
   }
-  depends_on = [aws_s3_bucket_acl.default]
 }
 
 resource "aws_s3_bucket_versioning" "default" {

From b46ea9d80a5dda54acb279486ac31bc6c76810e9 Mon Sep 17 00:00:00 2001
From: Max Lobur
Date: Sat, 11 Nov 2023 00:58:49 +0100
Subject: [PATCH 29/30] Fix bucket settings

---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/main.tf b/main.tf
index 1d46a35..01e23c9 100644
--- a/main.tf
+++ b/main.tf
@@ -5,7 +5,7 @@ data "aws_region" "default" {}
 
 resource "aws_s3_bucket_acl" "default" {
   count      = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0
   bucket     = join("", resource.aws_s3_bucket.cache_bucket[*].id)
-  acl = "private"
+  acl        = "private"
   depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
 }
@@ -13,7 +13,7 @@ resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
   count  = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0
   bucket = join("", resource.aws_s3_bucket.cache_bucket[*].id)
   rule {
-    object_ownership = "BucketOwnerEnforced"
+    object_ownership = "BucketOwnerPreferred"
   }
 }
 

From a6922656dd40a4757e4c0270e6a5ae4b487f209d Mon Sep 17 00:00:00 2001
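Review bot: Changing `object_ownership` from `BucketOwnerEnforced` to `BucketOwnerPreferred` lowers the cache bucket's baseline in order to keep aws_s3_bucket_acl.default applyable, and that is the wrong trade: `BucketOwnerPreferred` leaves ACLs enabled and still lets an object written without the `bucket-owner-full-control` ACL remain owned by the writer, whereas `BucketOwnerEnforced` disables ACLs outright, makes the bucket owner own every object, and is the AWS default for new buckets and the target of the usual S3 benchmark checks. The resource table in docs/terraform.md already lists aws_s3_bucket_public_access_block.default and aws_iam_policy.default_cache_bucket, so access to this bucket is governed by IAM and the public access block, and the `private` canned ACL adds nothing once ownership is enforced. I would keep `BucketOwnerEnforced` and remove aws_s3_bucket_acl.default (with a `terraform state rm` note for existing deployments) rather than keep a legacy ACL alive; if the ACL must stay, add `# BucketOwnerPreferred rather than Enforced only because aws_s3_bucket_acl.default is still managed; ACLs remain enabled on this bucket.` above the rule block so the downgrade is not later mistaken for a hardening step.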
From: Max Lobur
Date: Sat, 11 Nov 2023 01:09:19 +0100
Subject: [PATCH 30/30] Fix bucket settings

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 01e23c9..fab8a3c 100644
--- a/main.tf
+++ b/main.tf
@@ -5,7 +5,7 @@ data "aws_region" "default" {}
 
 resource "aws_s3_bucket_acl" "default" {
   count      = module.this.enabled && local.create_s3_cache_bucket ? 1 : 0
   bucket     = join("", resource.aws_s3_bucket.cache_bucket[*].id)
-  acl        = "private"
+  acl        = "private"
   depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
 }