S3 bucket with built in IAM policy to allow CloudTrail logs
Fix the race condition between the creation of the S3 Bucket policy and the CloudTrail trail by adding a depends_on argument to the bucket_id output which is used as input to the CloudTrail module. This ensures that all the resources in the CloudTrail S3 Bucket module, including the S3 Bucket Policy have been created before the CloudTrail trail is created.
The example used for the tests has also been updated to include the creation of the CloudTrail Trail to verify that this is working.
cldouposse/.github repositoryThis PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-log-storage/aws (source) | module | patch | 1.4.2 -> 1.4.3 |
v1.4.3This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-bucket/aws (source) | module | patch | 3.1.2 -> 3.1.3 |
v3.1.3Unfortunately, this change makes count unknown at plan time in certain situations. In general, you cannot use the output of compact() in count.
The solution is to stop using the deprecated policy input and revert to 3.1.2 or upgrade to 4.0.
var.source_policy_documents to local.source_policy_documents so var.policy usage was still supportedvar,source_policy_documents so var.policy being combined with var.source_policy_documents into local.source_policy_documents does not provide true for the ternary to executeThis PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-log-storage/aws (source) | module | patch | 1.4.1 -> 1.4.2 |
v1.4.2grants inputThis PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-log-storage/aws (source) | module | patch | 1.4.1 -> 1.4.2 |
v1.4.2grants inputThis PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-log-storage/aws (source) | module | patch | 1.4.0 -> 1.4.1 |
v1.4.1Rebuild '.github' dir from the template
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-bucket/aws (source) | module | patch | 3.1.1 -> 3.1.2 |
v3.1.2: Fix Public Bucket CreationFull Changelog: https://github.com/cloudposse/terraform-aws-s3-bucket/compare/3.1.1...3.1.2
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-bucket/aws (source) | module | patch | 3.1.1 -> 3.1.2 |
v3.1.2: Fix Public Bucket CreationFull Changelog: https://github.com/cloudposse/terraform-aws-s3-bucket/compare/3.1.1...3.1.2
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-log-storage/aws (source) | module | patch | 1.4.0 -> 1.4.1 |
v1.4.1Rebuild '.github' dir from the template
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-bucket/aws (source) | module | patch | 3.1.1 -> 3.1.2 |
v3.1.2: Fix Public Bucket CreationFull Changelog: https://github.com/cloudposse/terraform-aws-s3-bucket/compare/3.1.1...3.1.2
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-bucket/aws (source) | module | patch | 3.1.1 -> 3.1.2 |
v3.1.2: Fix Public Bucket CreationFull Changelog: https://github.com/cloudposse/terraform-aws-s3-bucket/compare/3.1.1...3.1.2
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-log-storage/aws (source) | module | major | 0.26.0 -> 1.3.1 |
v1.3.1This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-bucket/aws (source) | module | patch | 3.1.0 -> 3.1.1 |
v3.1.1This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-bucket/aws (source) | module | patch | 3.1.0 -> 3.1.1 |
v3.1.1v1.3.0lifecycle_configuration_rules to be fully defined with optional membersv1.2.0: Support new AWS S3 defaults (ACL prohibited)This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-bucket/aws (source) | module | minor | 3.0.0 -> 3.1.0 |
v3.1.0aws_s3_bucket_accelerate_configuration and aws_s3_bucket_versioning resources even when the feature is disabled, to enable drift detectionaws_s3_bucket_versioning resource to track changes made to bucket versioning configurationaws_s3_bucket_versioning, the expectation is that the bucket versioning is disabled/suspend for the bucket. If bucket versioning is turned on outside of terraform (e.g. through the console), the change is not detected by terraform unless the aws_s3_bucket_versioning resource exists.This is an auto-generated PR that updates the README.md and docs
To have most recent changes of README.md and doc from origin templates
v1.1.0Adding "object_lock_configuration" variable which is used in module "cloudposse/s3-bucket/aws"
Must be able to use the Object Lock option for S3 in this module
v1.0.0bucket_key_enabled flag defaults to false for backward compatibility. At one point we recommend setting it to true for significant savings on KMS usage, but since bucket keys are only reused within a user session, it is not clear if it provides any savings at all. See AWS docs for more information.lifecycle_configuration_rules input replaces the now deprecated individual inputs for individual settings of a single lifecycle rule. See the terraform-aws-s3-bucket documentation for details on how to specify lifecycles using lifecycle_configuration_rules. This mechanism is much more flexible and closely follows the Terraform aws_s3_bucket_lifecycle_configuration resource.source_policy_documents input replaces the now deprecated policy input to match changes to the aws_iam_policy_document resourcenull
force_destroy at its default value of false, and if you have it set to true but want extra safety against the S3 bucket being destroyed, set it to false before upgrading).force_destroy_enabled flag introduced in v0.27.0 has been removedlifecycle_configuration_rules input was introduced. In that version, you would continue to get the old default lifecycle rule even if you supplied new rules via lifecycle_configuration_rules. Now, the default behavior is to ignore all the deprecated lifecycle inputs when the lifecycle_configuration_rules input is not empty, unless you explicitly set lifecycle_rule_enabled to true.moved block functionality introduced in Terraform 1.3.0nullable = false for module input variables which have a default value and where null is not a sensible/handled value for the variable.null, closes #63
v0.28.3: Not recommended, use v0.26.0 or v1.x insteadWith the release of version 1.0.0 of this module, use of this version is no longer recommended. When you are able to use Terraform v1.3.0 or later and Terraform AWS provider v4.9.0 or later, upgrade directly to v1.0.0 or later of this module.
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-bucket/aws (source) | module | major | 2.0.1 -> 3.0.0 |
v0.28.2: Action required if updating from prior to v0.28.0With the release of version 1.0.0 of this module, use of this version is no longer recommended. When you are able to use Terraform v1.3.0 or later and Terraform AWS provider v4.9.0 or later, upgrade directly to v1.0.0 or later of this module.
v0.28.0 introduced breaking changes with high risk of permanent data loss. See release notes there. This is only a safe upgrade if upgrading from v0.28.0.
We will convert to semantic versioning (incrementing the major version number for breaking changes), but having missed the opportunity to do that for earlier versions of this module, we are waiting for the next major change, expected to be soon after Terraform v1.3 is released.
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-bucket/aws (source) | module | patch | 2.0.0 -> 2.0.1 |
v0.28.1: accidental release, do not usev0.28.0 introduced breaking changes with high risk of permanent data loss. See release notes there. This is only a safe upgrade if upgrading from v0.28.0.
We will convert to semantic versioning (incrementing the major version number for breaking changes), but having missed the opportunity to do that for earlier versions of this module, we are waiting for the next major change, expected to be soon after Terraform v1.3 is released.
Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-bucket/aws (source) | module | major | 0.49.0 -> 2.0.3 |
v0.28.0: (Action Needed) Support AWS v4 providernull-label
force_destroy_enabled
v0.27.0: (WARNING: Potential Data Loss) Prepare for AWS provider v4With the release of version 1.0.0 of this module, use of this version is no longer recommended. When you are able to use Terraform v1.3.0 or later and Terraform AWS provider v4.9.0 or later, upgrade directly to v1.0.0 or later of this module.
This release is a refactoring in preparation for supporting Terraform AWS Provider v4. One feature was removed, but otherwise there are no changes to inputs or behavior. However, the Terraform "addresses" of resources have changed, so you are need to run several terraform state mv commands.
Warning: failure to run the required terraform state mv commands will cause Terraform to delete your existing S3 bucket and create a new one, deleting all the data stored in the bucket in the process.
Details on how to safely upgrade are in this repository's Wiki here
In #54 a contributor added support for MFA delete via the versioning_mfa_delete_enabled. In AWS provider version 3.x this argument was documented with the caveat
This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS.
With AWS provider version 4.0, this argument now does toggle the setting. Unfortunately, that adds the requirement then when it is enabled, you must supply a current MFA token every time you run terraform apply. That is not compatible with automation, and therefore we have no intention to support it and have removed the versioning_mfa_delete_enabled input.
mfa_delete
< 4.0 and disable Renovate bot, closes #64mfa_delete enabled requires entering an MFA token for every Terraform operation, which is incompatible with automation. Users requiring mfa_delete should either not use Terraform or create their own fork.This is the first of 2 upgrade releases to get this module to support Terraform AWS Provider v4. We are breaking it into 2 releases so that users have the option of upgrading step-by-step rather than all at once. Upgrade instructions are here.
force_destroy is true
force_destroy is true then an automated, unattended process could cause the S3 bucket to be deleted and all data in it irretrievably lostCloses Renovate PRs:
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| cloudposse/s3-log-storage/aws (source) | module | minor | 0.25.0 -> 0.26.0 |
v0.26.0📅 Schedule: At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Renovate will not automatically rebase this PR, because other commits have been found.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.
Inherit https://github.com/cloudposse/terraform-aws-s3-log-storage/pull/61
https://github.com/cloudposse/terraform-aws-s3-log-storage/pull/60