Merge branch 'main' into fix/bug-257

Author: abeluck

.github/workflows/feature-branch.yml

@@ -10,7 +10,7 @@ on:
 permissions:
   pull-requests: write
   id-token: write
-  contents: read
+  contents: write
 
 jobs:
   terraform-module:

.github/workflows/release-branch.yml

@@ -10,6 +10,7 @@ on:
       - 'docs/**'
       - 'examples/**'
       - 'test/**'
+      - 'README.*'
 
 permissions:
   contents: write

.github/workflows/release-published.yml

@@ -11,4 +11,4 @@ permissions:
 
 jobs:
   terraform-module:
-    uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main
+    uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main

README.md

@@ -88,10 +88,6 @@ We highly recommend that in your code you pin the version to the exact version y
 using so that your infrastructure remains stable, and update versions in a
 systematic way so that they do not catch you by surprise.
 
-Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)),
-the registry shows many of our inputs as required when in fact they are optional.
-The table below correctly indicates which inputs are required.
-
 
 
 For a complete example, see [examples/complete](examples/complete).
@@ -387,7 +383,7 @@ module "lambda_at_edge" {
         EOT
         filename = "index.js"
       }]
-      runtime      = "nodejs12.x"
+      runtime      = "nodejs16.x"
       handler      = "index.handler"
       event_type   = "origin-response"
       include_body = false
@@ -436,15 +432,15 @@ Available targets:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.2 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.7 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.2 |
 | <a name="provider_time"></a> [time](#provider\_time) | >= 0.7 |
 
@@ -453,7 +449,7 @@ Available targets:
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_dns"></a> [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.13.0 |
-| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.26.0 |
+| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 1.4.2 |
 | <a name="module_origin_label"></a> [origin\_label](#module\_origin\_label) | cloudposse/label/null | 0.25.0 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
@@ -501,7 +497,7 @@ Available targets:
 | <a name="input_cloudfront_access_logging_enabled"></a> [cloudfront\_access\_logging\_enabled](#input\_cloudfront\_access\_logging\_enabled) | Set true to enable delivery of Cloudfront Access Logs to an S3 bucket | `bool` | `true` | no |
 | <a name="input_cloudfront_origin_access_identity_iam_arn"></a> [cloudfront\_origin\_access\_identity\_iam\_arn](#input\_cloudfront\_origin\_access\_identity\_iam\_arn) | Existing cloudfront origin access identity iam arn that is supplied in the s3 bucket policy | `string` | `""` | no |
 | <a name="input_cloudfront_origin_access_identity_path"></a> [cloudfront\_origin\_access\_identity\_path](#input\_cloudfront\_origin\_access\_identity\_path) | Existing cloudfront origin access identity path used in the cloudfront distribution's s3\_origin\_config content | `string` | `""` | no |
-| <a name="input_comment"></a> [comment](#input\_comment) | Comment for the origin access identity | `string` | `"Managed by Terraform"` | no |
+| <a name="input_comment"></a> [comment](#input\_comment) | Comment for the CloudFront distribution | `string` | `"Managed by Terraform"` | no |
 | <a name="input_compress"></a> [compress](#input\_compress) | Compress content for web requests that include Accept-Encoding: gzip in the request header | `bool` | `true` | no |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "descriptor_formats": {},<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_key_case": null,<br>  "label_order": [],<br>  "label_value_case": null,<br>  "labels_as_tags": [<br>    "unset"<br>  ],<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {},<br>  "tenant": null<br>}</pre> | no |
 | <a name="input_cors_allowed_headers"></a> [cors\_allowed\_headers](#input\_cors\_allowed\_headers) | List of allowed headers for S3 bucket | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |

README.yaml

@@ -352,7 +352,7 @@ usage: |-
           EOT
           filename = "index.js"
         }]
-        runtime      = "nodejs12.x"
+        runtime      = "nodejs16.x"
         handler      = "index.handler"
         event_type   = "origin-response"
         include_body = false

docs/terraform.md

@@ -4,15 +4,15 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.2 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.7 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.64.0, != 4.0.0, != 4.1.0, != 4.2.0, != 4.3.0, != 4.4.0, != 4.5.0, != 4.6.0, != 4.7.0, != 4.8.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.2 |
 | <a name="provider_time"></a> [time](#provider\_time) | >= 0.7 |
 
@@ -21,7 +21,7 @@
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_dns"></a> [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.13.0 |
-| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.26.0 |
+| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 1.4.2 |
 | <a name="module_origin_label"></a> [origin\_label](#module\_origin\_label) | cloudposse/label/null | 0.25.0 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
@@ -69,7 +69,7 @@
 | <a name="input_cloudfront_access_logging_enabled"></a> [cloudfront\_access\_logging\_enabled](#input\_cloudfront\_access\_logging\_enabled) | Set true to enable delivery of Cloudfront Access Logs to an S3 bucket | `bool` | `true` | no |
 | <a name="input_cloudfront_origin_access_identity_iam_arn"></a> [cloudfront\_origin\_access\_identity\_iam\_arn](#input\_cloudfront\_origin\_access\_identity\_iam\_arn) | Existing cloudfront origin access identity iam arn that is supplied in the s3 bucket policy | `string` | `""` | no |
 | <a name="input_cloudfront_origin_access_identity_path"></a> [cloudfront\_origin\_access\_identity\_path](#input\_cloudfront\_origin\_access\_identity\_path) | Existing cloudfront origin access identity path used in the cloudfront distribution's s3\_origin\_config content | `string` | `""` | no |
-| <a name="input_comment"></a> [comment](#input\_comment) | Comment for the origin access identity | `string` | `"Managed by Terraform"` | no |
+| <a name="input_comment"></a> [comment](#input\_comment) | Comment for the CloudFront distribution | `string` | `"Managed by Terraform"` | no |
 | <a name="input_compress"></a> [compress](#input\_compress) | Compress content for web requests that include Accept-Encoding: gzip in the request header | `bool` | `true` | no |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br>See description of individual variables for details.<br>Leave string and numeric variables as `null` to use default value.<br>Individual variable settings (non-null) override settings in context object,<br>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br>  "additional_tag_map": {},<br>  "attributes": [],<br>  "delimiter": null,<br>  "descriptor_formats": {},<br>  "enabled": true,<br>  "environment": null,<br>  "id_length_limit": null,<br>  "label_key_case": null,<br>  "label_order": [],<br>  "label_value_case": null,<br>  "labels_as_tags": [<br>    "unset"<br>  ],<br>  "name": null,<br>  "namespace": null,<br>  "regex_replace_chars": null,<br>  "stage": null,<br>  "tags": {},<br>  "tenant": null<br>}</pre> | no |
 | <a name="input_cors_allowed_headers"></a> [cors\_allowed\_headers](#input\_cors\_allowed\_headers) | List of allowed headers for S3 bucket | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |

examples/complete/custom-origins.tf

@@ -16,21 +16,37 @@ locals {
   }
   additional_custom_origin_primary = local.additional_custom_origins_enabled ? merge(
     local.default_custom_origin_configuration, {
-      domain_name = module.additional_custom_origin.s3_bucket_website_endpoint
-      origin_id   = module.additional_custom_origin.hostname
+      domain_name = module.additional_custom_origin.bucket_website_endpoint
+      origin_id   = module.additional_custom_origin.bucket_id
     }
   ) : null
   additional_custom_origin_secondary = local.additional_custom_origins_enabled ? merge(
     local.default_custom_origin_configuration, {
-      domain_name = module.additional_custom_failover_origin.s3_bucket_website_endpoint
-      origin_id   = module.additional_custom_failover_origin.hostname
+      domain_name = module.additional_custom_failover_origin.bucket_website_endpoint
+      origin_id   = module.additional_custom_failover_origin.bucket_id
     }
   ) : null
   additional_custom_origin_groups = local.additional_custom_origins_enabled ? [{
     primary_origin_id  = local.additional_custom_origin_primary.origin_id
     failover_origin_id = local.additional_custom_origin_secondary.origin_id
     failover_criteria  = var.origin_group_failover_criteria_status_codes
   }] : []
+  website_configuration = [
+    {
+      index_document = "index.html"
+      error_document = null
+      routing_rules  = []
+    }
+  ]
+  cors_configuration = [
+    {
+      allowed_headers = ["*"]
+      allowed_methods = ["GET"]
+      allowed_origins = ["*"]
+      expose_headers  = ["ETag"]
+      max_age_seconds = 3600
+    }
+  ]
 }
 
 # additional labels are required because they will be used for the 'hostname' variables for each of the additional website origins.
@@ -45,16 +61,44 @@ module "additional_custom_origin_label" {
 }
 
 module "additional_custom_origin" {
-  source  = "cloudposse/s3-website/aws"
-  version = "0.16.1"
+  source  = "cloudposse/s3-bucket/aws"
+  version = "3.1.2"
+
   enabled = local.additional_custom_origins_enabled
 
-  force_destroy = true
-  hostname      = format("%s.%s", module.additional_custom_origin_label.id, var.parent_zone_name)
+  bucket_name           = format("%s.%s", module.additional_custom_origin_label.id, var.parent_zone_name)
+  force_destroy         = true
+  website_configuration = local.website_configuration
+  cors_configuration    = local.cors_configuration
 
   context = module.additional_custom_origin_label.context
 }
 
+resource "aws_s3_bucket_public_access_block" "additional_custom_origin" {
+  count = local.additional_custom_origins_enabled ? 1 : 0
+
+  # The bucket used for a public static website.
+  #bridgecrew:skip=BC_AWS_S3_19:Skipping `Ensure S3 bucket has block public ACLS enabled`
+  #bridgecrew:skip=BC_AWS_S3_20:Skipping `Ensure S3 Bucket BlockPublicPolicy is set to True`
+  #bridgecrew:skip=BC_AWS_S3_21:Skipping `Ensure S3 bucket IgnorePublicAcls is set to True`
+  #bridgecrew:skip=BC_AWS_S3_22:Skipping `Ensure S3 bucket RestrictPublicBucket is set to True`
+  bucket = module.additional_custom_origin.bucket_id
+
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = false
+  restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_ownership_controls" "additional_custom_origin" {
+  count = local.additional_custom_origins_enabled ? 1 : 0
+
+  bucket = module.additional_custom_origin.bucket_id
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
+
 module "additional_custom_failover_origin_label" {
   source  = "cloudposse/label/null"
   version = "0.24.1"
@@ -66,12 +110,41 @@ module "additional_custom_failover_origin_label" {
 }
 
 module "additional_custom_failover_origin" {
-  source  = "cloudposse/s3-website/aws"
-  version = "0.16.1"
+  source  = "cloudposse/s3-bucket/aws"
+  version = "3.1.2"
+
   enabled = local.additional_custom_origins_enabled
 
-  force_destroy = true
-  hostname      = format("%s.%s", module.additional_custom_failover_origin_label.id, var.parent_zone_name)
+  bucket_name           = format("%s.%s", module.additional_custom_failover_origin_label.id, var.parent_zone_name)
+  force_destroy         = true
+  website_configuration = local.website_configuration
+  cors_configuration    = local.cors_configuration
 
   context = module.additional_custom_failover_origin_label.context
 }
+
+resource "aws_s3_bucket_public_access_block" "additional_custom_failover_origin" {
+  count = local.additional_custom_origins_enabled ? 1 : 0
+
+  # The bucket used for a public static website.
+  #bridgecrew:skip=BC_AWS_S3_19:Skipping `Ensure S3 bucket has block public ACLS enabled`
+  #bridgecrew:skip=BC_AWS_S3_20:Skipping `Ensure S3 Bucket BlockPublicPolicy is set to True`
+  #bridgecrew:skip=BC_AWS_S3_21:Skipping `Ensure S3 bucket IgnorePublicAcls is set to True`
+  #bridgecrew:skip=BC_AWS_S3_22:Skipping `Ensure S3 bucket RestrictPublicBucket is set to True`
+  bucket = module.additional_custom_failover_origin.bucket_id
+
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = false
+  restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_ownership_controls" "additional_custom_failover_origin" {
+  count = local.additional_custom_origins_enabled ? 1 : 0
+
+  bucket = module.additional_custom_failover_origin.bucket_id
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
+

examples/complete/deployment.tf

@@ -7,7 +7,7 @@ locals {
   } : {}
 
   our_account_id            = local.enabled ? data.aws_caller_identity.current[0].account_id : ""
-  our_role_arn_prefix       = "arn:${join("", data.aws_partition.current.*.partition)}:iam::${local.our_account_id}:role"
+  our_role_arn_prefix       = "arn:${join("", data.aws_partition.current[*].partition)}:iam::${local.our_account_id}:role"
   role_names                = { for k, v in local.test_deployment_role_prefix_map : k => module.role_labels[k].id }
   deployment_principal_arns = { for k, v in local.role_names : format("%v/%v", local.our_role_arn_prefix, v) => local.test_deployment_role_prefix_map[k] }
 }

examples/complete/lambda-at-edge.tf

@@ -30,22 +30,22 @@ module "lambda_at_edge" {
         EOT
         filename = "index.js"
       }]
-      runtime      = "nodejs12.x"
+      runtime      = "nodejs16.x"
       handler      = "index.handler"
       event_type   = "viewer-request"
       include_body = false
     },
     # Add custom header to the response
     viewer_response = {
       source_dir   = "lib"
-      runtime      = "nodejs12.x"
+      runtime      = "nodejs16.x"
       handler      = "index.handler"
       event_type   = "viewer-response"
       include_body = false
     },
     origin_request = {
       source_zip   = "origin-request.zip"
-      runtime      = "nodejs12.x"
+      runtime      = "nodejs16.x"
       handler      = "index.handler"
       event_type   = "origin-request"
       include_body = false
@@ -77,7 +77,7 @@ module "lambda_at_edge" {
         EOT
         filename = "index.js"
       }]
-      runtime      = "nodejs12.x"
+      runtime      = "nodejs16.x"
       handler      = "index.handler"
       event_type   = "origin-response"
       include_body = false

examples/complete/main.tf

@@ -20,7 +20,7 @@ data "aws_iam_policy_document" "document" {
 
     actions = ["s3:GetObject"]
     resources = [
-      "arn:${join("", data.aws_partition.current.*.partition)}:s3:::$${bucket_name}$${origin_path}testprefix/*"
+      "arn:${join("", data.aws_partition.current[*].partition)}:s3:::$${bucket_name}$${origin_path}testprefix/*"
     ]
 
     principals {
@@ -36,14 +36,16 @@ data "aws_canonical_user_id" "current" {
 
 module "s3_bucket" {
   source  = "cloudposse/s3-bucket/aws"
-  version = "0.36.0"
+  version = "3.1.2"
 
-  acl                = null
-  force_destroy      = true
-  user_enabled       = false
-  versioning_enabled = false
-  attributes         = ["existing-bucket"]
+  force_destroy       = true
+  user_enabled        = false
+  versioning_enabled  = false
+  block_public_policy = false
+  attributes          = ["existing-bucket"]
 
+  acl                 = null
+  s3_object_ownership = "BucketOwnerPreferred"
   grants = [
     {
       id          = local.enabled ? data.aws_canonical_user_id.current[0].id : ""
@@ -62,9 +64,27 @@ module "s3_bucket" {
   context = module.this.context
 }
 
+# Workaround for S3 eventual consistency for settings relating to objects
+resource "time_sleep" "wait_for_aws_s3_bucket_settings" {
+  count = local.enabled ? 1 : 0
+
+  create_duration  = "30s"
+  destroy_duration = "30s"
+
+  depends_on = [
+    data.aws_iam_policy_document.document,
+    module.s3_bucket
+  ]
+}
+
 module "cloudfront_s3_cdn" {
   source = "../../"
 
+  depends_on = [
+    time_sleep.wait_for_aws_s3_bucket_settings,
+    time_sleep.wait_for_additional_s3_origins
+  ]
+
   parent_zone_name     = var.parent_zone_name
   dns_alias_enabled    = true
   origin_force_destroy = true
@@ -81,6 +101,7 @@ module "cloudfront_s3_cdn" {
 
   cloudfront_access_logging_enabled = true
   cloudfront_access_log_prefix      = "logs/cf_access"
+  s3_object_ownership               = "BucketOwnerPreferred"
 
   additional_bucket_policy = local.enabled ? data.aws_iam_policy_document.document[0].json : ""
 
@@ -105,7 +126,7 @@ module "cloudfront_s3_cdn" {
   context = module.this.context
 }
 
-resource "aws_s3_bucket_object" "index" {
+resource "aws_s3_object" "index" {
   count = local.enabled ? 1 : 0
 
   bucket       = module.cloudfront_s3_cdn.s3_bucket