Bug fixes and enhancements combined into a single breaking release (#202)

Author: aknysh

.github/renovate.json

@@ -1,13 +1,14 @@
 {
   "extends": [
     "config:base",
-    ":preserveSemverRanges"
+    ":preserveSemverRanges",
+    ":rebaseStalePrs"
   ],
-  "baseBranches": ["main", "master", "/^release\\/v\\d{1,2}$/"],
+  "baseBranches": ["main"],
   "labels": ["auto-update"],
   "dependencyDashboardAutoclose": true,
   "enabledManagers": ["terraform"],
   "terraform": {
-    "ignorePaths": ["**/context.tf", "examples/**"]
+    "ignorePaths": ["**/context.tf"]
   }
 }

.github/workflows/release-branch.yml

@@ -10,6 +10,7 @@ on:
       - 'docs/**'
       - 'examples/**'
       - 'test/**'
+      - 'README.*'
 
 permissions:
   contents: write

.github/workflows/release-published.yml

@@ -11,4 +11,4 @@ permissions:
 
 jobs:
   terraform-module:
-    uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main
+    uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2019-2022 Cloud Posse, LLC
+   Copyright 2019-2023 Cloud Posse, LLC
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -69,31 +69,42 @@ description: |-
   This module creates an S3 bucket with support for versioning, lifecycles, object locks, replication, encryption, ACL,
   bucket object policies, and static website hosting.
   
-  If `user_enabled` variable is set to `true`, the module will provision a basic IAM user with permissions to access the bucket.
-  This basic IAM system user is suitable for CI/CD systems (_e.g._ TravisCI, CircleCI) or systems which are *external* to AWS that cannot leverage
-  [AWS IAM Instance Profiles](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) 
-  or [AWS OIDC](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) to authenticate and
-  do not already have IAM credentials. Users or systems that have IAM credentials should either be granted access directly based on
-  their IAM identity via `privileged_principal_arns` or be allowed to assume an IAM role with access.
-
-  We do not recommend creating IAM users this way for any other purpose.
-
+  For backward compatibility, it sets the S3 bucket ACL to `private` and the `s3_object_ownership`
+  to `ObjectWriter`. Moving forward, setting `s3_object_ownership` to `BucketOwnerEnforced` is recommended,
+  and doing so automatically disables the ACL.
+  
   This module blocks public access to the bucket by default. See `block_public_acls`, `block_public_policy`,
   `ignore_public_acls`, and `restrict_public_buckets` to change the settings. See [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html)
-  for more details.
+  for more details.  
+
+  This module can optionally create an IAM User with access to the S3 bucket. This is inherently insecure in that
+  to enable anyone to become the User, access keys must be generated, and anything generated by Terraform is stored
+  unencrypted in the Terraform state. See the [Terraform documentation](https://www.terraform.io/docs/state/sensitive-data.html) for more details
+
+  The best way to grant access to the bucket is to grant one or more IAM Roles access to the bucket via `privileged_principal_arns`.
+  This IAM Role can be assumed by EC2 instances via their Instance Profile, or Kubernetes (EKS) services using
+  [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+  Entities outside of AWS can assume the Role via [OIDC](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html). 
+  (See [this example of connecting GitHub](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/)
+  to enable GitHub actions to assume AWS IAM roles, or use [this Cloud Posse component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/github-oidc-provider)
+  if you are already using the Cloud Posse reference architecture.)
+  
+  If neither of those approaches work, then as a last resort you can set `user_enabled = true` and
+  this module will provision a basic IAM user with permissions to access the bucket.
+  We do not recommend creating IAM users this way for any other purpose.
 
   If an IAM user is created, the IAM user name is constructed using [terraform-null-label](https://github.com/cloudposse/terraform-null-label)
   and some input is required. The simplest input is `name`. By default the name will be converted to lower case
   and all non-alphanumeric characters except for hyphen will be removed. See the documentation for `terraform-null-label`
   to learn how to override these defaults if desired.
   
   If an AWS Access Key is created, it is stored either in SSM Parameter Store or is provided as a module output,
-  but not both. Using SSM Parameter Store is recommended because module outputs are stored in plaintext in
-  the Terraform state file.
+  but not both. Using SSM Parameter Store is recommended because that will keep the secret from being easily accessible
+  via Terraform remote state lookup, but the key will still be stored unencrypted in the Terraform state in any case.
 
 # How to use this project
 usage: |-
-  Using a [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html).
+  Using [BucketOwnerEnforced](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html#object-ownership-overview)
 
   ```hcl
   module "s3_bucket" {
@@ -104,7 +115,7 @@ usage: |-
     stage                    = "test"
     namespace                = "eg"
 
-    acl                      = "private"
+    s3_object_ownership      = "BucketOwnerEnforced"
     enabled                  = true
     user_enabled             = false
     versioning_enabled       = false
@@ -156,41 +167,6 @@ usage: |-
   }
   ```
   
-  Using [grants](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html) to enable access 
-  to another account and for logging, and incorporating the above lifecycle configuration.
-
-  ```hcl
-  module "s3_bucket" {
-    source = "cloudposse/s3-bucket/aws"
-    # Cloud Posse recommends pinning every module to a specific version
-    # version = "x.x.x"
-    name                     = "app"
-    stage                    = "test"
-    namespace                = "eg"
-
-    acl                      = ""
-    enabled                  = true
-    user_enabled             = false
-    versioning_enabled       = true
-  
-    lifecycle_configuration_rules = local.lifecycle_configuration_rules
-
-    grants = [
-      {
-        id          = "012abc345def678ghi901" # Canonical user or account id
-        type        = "CanonicalUser"
-        permissions = ["FULL_CONTROL"]
-        uri         = null
-      },
-      {
-        id          = null
-        type        = "Group"
-        permissions = ["READ", "WRITE"]
-        uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
-      },
-    ]
-  }
-  ```
 
   Allowing specific principal ARNs to perform actions on the bucket:
 
@@ -199,7 +175,7 @@ usage: |-
     source = "cloudposse/s3-bucket/aws"
     # Cloud Posse recommends pinning every module to a specific version
     # version = "x.x.x"
-    acl                      = "private"
+    s3_object_ownership      = "BucketOwnerEnforced"
     enabled                  = true
     user_enabled             = true
     versioning_enabled       = false