diff --git a/.checkov-config.yml b/.checkov-config.yml
index a4b5b4f..f2686eb 100644
--- a/.checkov-config.yml
+++ b/.checkov-config.yml
@@ -8,3 +8,9 @@ skip-path: |
skip-check:
# Github: Ensure top-level permissions are not set to write-all
- CKV2_GHA_1
+
+ # Github: Ensure Terraform module sources use a commit hash
+ - CKV_TF_1
+
+ # AWS: Ensure KMS key Policy is defined
+ - CKV2_AWS_64
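Review bot: Both new skips are global and carry no justification beyond the check title, so the reason they are acceptable is not recorded; CKV2_AWS_64 in particular silences a real hardening check (an `aws_kms_key` with no `policy` gets the account-default key policy) for every KMS key the repo will ever scan, not just the example keys that presumably triggered it. Prefer an inline `#checkov:skip=CKV2_AWS_64:Example key, default key policy is intentional` on the example `aws_kms_key` resources, which is the pattern the vendored module already used, and keep the global list for CKV_TF_1 only. Skipping CKV_TF_1 is defensible here because registry modules can only be pinned by `version`, never by a commit hash, but the comment should say that, and it should be labelled `# Terraform:` rather than `# Github:` since it is a Terraform check.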
diff --git a/.github/workflows/pre-commit-and-tests.yml b/.github/workflows/pre-commit-and-tests.yml
index 39c98c4..1b972ee 100644
--- a/.github/workflows/pre-commit-and-tests.yml
+++ b/.github/workflows/pre-commit-and-tests.yml
@@ -47,6 +47,13 @@ jobs:
python -m venv .venv
source .venv/bin/activate
pip install pre-commit checkov
+ - name: Configure ~/.terraformrc
+ run: |
+ cat <<-EOF >> ~/.terraformrc
+ credentials "app.terraform.io" {
+ token = "${{ secrets.TERRAFORM_CLOUD_TOKEN }}"
+ }
+ EOF
- name: pre-commit run
run: |
source .venv/bin/activate
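Review bot: The new step writes `secrets.TERRAFORM_CLOUD_TOKEN` in plaintext to `~/.terraformrc` on the runner, which is unnecessary: Terraform (1.2+) reads registry credentials from the environment, so the step that actually runs terraform can carry `env: TF_TOKEN_app_terraform_io: ${{ secrets.TERRAFORM_CLOUD_TOKEN }}` and the file, the heredoc and the `${{ }}` inside a `run:` script all go away. Interpolating `${{ }}` directly into shell is a pattern to avoid even for secrets, since the value is substituted into the script text before the shell parses it. If this workflow also runs on `pull_request` from forks, the secret is empty there and the file will silently contain `token = ""`; the env-var form fails the same way but leaves nothing on disk. Note that `<<-EOF` strips leading tabs only, so with space indentation the `-` does nothing here.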
@@ -91,6 +98,13 @@ jobs:
python -m venv .venv
source .venv/bin/activate
pip install -r tests/requirements.txt
+ - name: Configure ~/.terraformrc
+ run: |
+ cat <<-EOF >> ~/.terraformrc
+ credentials "app.terraform.io" {
+ token = "${{ secrets.TERRAFORM_CLOUD_TOKEN }}"
+ }
+ EOF
- name: Run
run: |
source .venv/bin/activate
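Review bot: This is a verbatim copy of the credential step in the first job, and in both the token file is created with the default umask and left on the runner for the rest of the job and beyond; on GitHub-hosted runners that is tolerable, but on a self-hosted runner `~/.terraformrc` persists across jobs and is readable by any local user. If the file approach is kept, create it under `umask 077` (or `chmod 600 ~/.terraformrc` right after the heredoc) and add a final `if: always()` step that removes it; better, drop both copies in favour of `TF_TOKEN_app_terraform_io` in `env:` on the steps that need the registry. Also `>>` appends rather than replaces, so a pre-existing `~/.terraformrc` on a reused runner ends up with duplicate `credentials "app.terraform.io"` blocks.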
diff --git a/.gitignore b/.gitignore
index 5dd5166..f9a109a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -49,3 +49,6 @@ test.auto.tfvars*
# Apple
.DS_Store
+
+# Python
+.venv
diff --git a/README.md b/README.md
index a6f0d7e..38d5b15 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ No outputs.
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | ~> 4.9 |
+| [aws](#provider\_aws) | ~> 5.0 |
----
### Requirements
@@ -90,7 +90,7 @@ No outputs.
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.15.5 |
-| [aws](#requirement\_aws) | ~> 4.9 |
+| [aws](#requirement\_aws) | ~> 5.0 |
----
### Resources
diff --git a/examples/basic/README.md b/examples/basic/README.md
index 3660833..c4e6688 100644
--- a/examples/basic/README.md
+++ b/examples/basic/README.md
@@ -25,9 +25,8 @@ resource "aws_kms_key" "source" {
}
module "s3_bucket_source" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-source"
kms_key_id = aws_kms_key.source.arn
@@ -52,9 +51,8 @@ resource "aws_kms_key" "destination" {
}
module "s3_bucket_destination" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-dest"
kms_key_id = aws_kms_key.destination.arn
@@ -125,8 +123,8 @@ module "example" {
| Name | Source | Version |
|------|--------|---------|
| [example](#module\_example) | ../../ | n/a |
-| [s3\_bucket\_destination](#module\_s3\_bucket\_destination) | ../../modules/external/s3_bucket | n/a |
-| [s3\_bucket\_source](#module\_s3\_bucket\_source) | ../../modules/external/s3_bucket | n/a |
+| [s3\_bucket\_destination](#module\_s3\_bucket\_destination) | app.terraform.io/cloudandthings/s3-bucket/aws | 2.0.0 |
+| [s3\_bucket\_source](#module\_s3\_bucket\_source) | app.terraform.io/cloudandthings/s3-bucket/aws | 2.0.0 |
----
### Outputs
@@ -142,7 +140,7 @@ module "example" {
| Name | Version |
|------|---------|
-| [aws.afs1](#provider\_aws.afs1) | ~> 4.9 |
+| [aws.afs1](#provider\_aws.afs1) | ~> 5.0 |
| [random](#provider\_random) | ~> 3.4 |
----
@@ -151,7 +149,7 @@ module "example" {
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.15.5 |
-| [aws](#requirement\_aws) | ~> 4.9 |
+| [aws](#requirement\_aws) | ~> 5.0 |
| [random](#requirement\_random) | ~> 3.4 |
----
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 9a0a9fe..5e4de99 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -21,9 +21,8 @@ resource "aws_kms_key" "source" {
}
module "s3_bucket_source" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-source"
kms_key_id = aws_kms_key.source.arn
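Review bot: Moving from the vendored `../../modules/external/s3_bucket` to the private registry with an exact `version = "2.0.0"` is the right pin, but it deserves a comment because Terraform's dependency lock file only records providers, not modules, so nothing in the repo records or verifies the module's content once it is fetched. Suggest `# Exact pin: .terraform.lock.hcl does not lock module versions or contents.` above `version`, which also documents why CKV_TF_1 is skipped in .checkov-config.yml. The `resource "aws_kms_key" "source"` referenced by `kms_key_id` starts outside the hunk.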
@@ -48,9 +47,8 @@ resource "aws_kms_key" "destination" {
}
module "s3_bucket_destination" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-dest"
kms_key_id = aws_kms_key.destination.arn
diff --git a/examples/basic/terraform.tf b/examples/basic/terraform.tf
index d5773db..95f7da5 100644
--- a/examples/basic/terraform.tf
+++ b/examples/basic/terraform.tf
@@ -2,9 +2,8 @@ terraform {
required_version = ">= 0.15.5"
required_providers {
aws = {
- source = "hashicorp/aws"
- # V5+ does not exist yet, may contain breaking changes.
- version = "~> 4.9"
+ source = "hashicorp/aws"
+ version = "~> 5.0"
}
random = {
source = "hashicorp/random"
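Review bot: `version = "~> 5.0"` moves the example onto a new major of hashicorp/aws while `required_version` stays at `>= 0.15.5`; I believe the 5.x series raised its minimum supported Terraform CLI, so verify the floor against the provider changelog and raise `required_version` if the two no longer agree, otherwise `terraform init` on an old CLI fails on the provider rather than with a clear version-constraint error. The removed comment explained why the constraint was held at 4.x; a replacement such as `# 5.x is a major upgrade; exact versions are recorded in .terraform.lock.hcl.` keeps the intent visible, assuming the lock file is committed for the examples.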
diff --git a/examples/cross-account/README.md b/examples/cross-account/README.md
index 82d2b80..5c43d84 100644
--- a/examples/cross-account/README.md
+++ b/examples/cross-account/README.md
@@ -27,9 +27,8 @@ resource "aws_kms_key" "source" {
}
module "s3_bucket_source" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-source"
kms_key_id = aws_kms_key.source.arn
@@ -45,9 +44,8 @@ module "s3_bucket_source" {
}
module "s3_bucket_destination" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-dest"
@@ -116,8 +114,8 @@ module "example" {
| Name | Source | Version |
|------|--------|---------|
| [example](#module\_example) | ../../ | n/a |
-| [s3\_bucket\_destination](#module\_s3\_bucket\_destination) | ../../modules/external/s3_bucket | n/a |
-| [s3\_bucket\_source](#module\_s3\_bucket\_source) | ../../modules/external/s3_bucket | n/a |
+| [s3\_bucket\_destination](#module\_s3\_bucket\_destination) | app.terraform.io/cloudandthings/s3-bucket/aws | 2.0.0 |
+| [s3\_bucket\_source](#module\_s3\_bucket\_source) | app.terraform.io/cloudandthings/s3-bucket/aws | 2.0.0 |
----
### Outputs
@@ -133,8 +131,8 @@ module "example" {
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | ~> 4.9 |
-| [aws.account\_A](#provider\_aws.account\_A) | ~> 4.9 |
+| [aws](#provider\_aws) | ~> 5.0 |
+| [aws.account\_A](#provider\_aws.account\_A) | ~> 5.0 |
| [random](#provider\_random) | ~> 3.4 |
----
@@ -143,7 +141,7 @@ module "example" {
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.15.5 |
-| [aws](#requirement\_aws) | ~> 4.9 |
+| [aws](#requirement\_aws) | ~> 5.0 |
| [random](#requirement\_random) | ~> 3.4 |
----
diff --git a/examples/cross-account/main.tf b/examples/cross-account/main.tf
index 3ba1423..43e9d99 100644
--- a/examples/cross-account/main.tf
+++ b/examples/cross-account/main.tf
@@ -23,9 +23,8 @@ resource "aws_kms_key" "source" {
}
module "s3_bucket_source" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-source"
kms_key_id = aws_kms_key.source.arn
@@ -41,9 +40,8 @@ module "s3_bucket_source" {
}
module "s3_bucket_destination" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-dest"
diff --git a/examples/cross-account/terraform.tf b/examples/cross-account/terraform.tf
index d5773db..95f7da5 100644
--- a/examples/cross-account/terraform.tf
+++ b/examples/cross-account/terraform.tf
@@ -2,9 +2,8 @@ terraform {
required_version = ">= 0.15.5"
required_providers {
aws = {
- source = "hashicorp/aws"
- # V5+ does not exist yet, may contain breaking changes.
- version = "~> 4.9"
+ source = "hashicorp/aws"
+ version = "~> 5.0"
}
random = {
source = "hashicorp/random"
diff --git a/examples/cross-region/README.md b/examples/cross-region/README.md
index d29158d..a1080e7 100644
--- a/examples/cross-region/README.md
+++ b/examples/cross-region/README.md
@@ -25,9 +25,8 @@ resource "aws_kms_key" "source" {
}
module "s3_bucket_source" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-afs1-source"
kms_key_id = aws_kms_key.source.arn
@@ -52,9 +51,8 @@ resource "aws_kms_key" "destination" {
}
module "s3_bucket_destination" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-euw1-dest"
kms_key_id = aws_kms_key.destination.arn
@@ -121,8 +119,8 @@ module "example" {
| Name | Source | Version |
|------|--------|---------|
| [example](#module\_example) | ../../ | n/a |
-| [s3\_bucket\_destination](#module\_s3\_bucket\_destination) | ../../modules/external/s3_bucket | n/a |
-| [s3\_bucket\_source](#module\_s3\_bucket\_source) | ../../modules/external/s3_bucket | n/a |
+| [s3\_bucket\_destination](#module\_s3\_bucket\_destination) | app.terraform.io/cloudandthings/s3-bucket/aws | 2.0.0 |
+| [s3\_bucket\_source](#module\_s3\_bucket\_source) | app.terraform.io/cloudandthings/s3-bucket/aws | 2.0.0 |
----
### Outputs
@@ -138,8 +136,8 @@ module "example" {
| Name | Version |
|------|---------|
-| [aws.afs1](#provider\_aws.afs1) | ~> 4.9 |
-| [aws.euw1](#provider\_aws.euw1) | ~> 4.9 |
+| [aws.afs1](#provider\_aws.afs1) | ~> 5.0 |
+| [aws.euw1](#provider\_aws.euw1) | ~> 5.0 |
| [random](#provider\_random) | ~> 3.4 |
----
@@ -148,7 +146,7 @@ module "example" {
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.15.5 |
-| [aws](#requirement\_aws) | ~> 4.9 |
+| [aws](#requirement\_aws) | ~> 5.0 |
| [random](#requirement\_random) | ~> 3.4 |
----
diff --git a/examples/cross-region/main.tf b/examples/cross-region/main.tf
index c3cbe2c..9e71576 100644
--- a/examples/cross-region/main.tf
+++ b/examples/cross-region/main.tf
@@ -21,9 +21,8 @@ resource "aws_kms_key" "source" {
}
module "s3_bucket_source" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-afs1-source"
kms_key_id = aws_kms_key.source.arn
@@ -48,9 +47,8 @@ resource "aws_kms_key" "destination" {
}
module "s3_bucket_destination" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-euw1-dest"
kms_key_id = aws_kms_key.destination.arn
diff --git a/examples/cross-region/terraform.tf b/examples/cross-region/terraform.tf
index d5773db..95f7da5 100644
--- a/examples/cross-region/terraform.tf
+++ b/examples/cross-region/terraform.tf
@@ -2,9 +2,8 @@ terraform {
required_version = ">= 0.15.5"
required_providers {
aws = {
- source = "hashicorp/aws"
- # V5+ does not exist yet, may contain breaking changes.
- version = "~> 4.9"
+ source = "hashicorp/aws"
+ version = "~> 5.0"
}
random = {
source = "hashicorp/random"
diff --git a/examples/multiple-destinations/README.md b/examples/multiple-destinations/README.md
index 39ba8b9..ffc75ff 100644
--- a/examples/multiple-destinations/README.md
+++ b/examples/multiple-destinations/README.md
@@ -25,9 +25,8 @@ resource "aws_kms_key" "source" {
}
module "s3_bucket_source" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-source"
kms_key_id = aws_kms_key.source.arn
@@ -52,10 +51,10 @@ resource "aws_kms_key" "destination" {
}
module "s3_bucket_destinations" {
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
+
count = 2
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
name = "${local.naming_prefix}-dest-${count.index}"
kms_key_id = aws_kms_key.destination.arn
@@ -125,8 +124,8 @@ module "example" {
| Name | Source | Version |
|------|--------|---------|
| [example](#module\_example) | ../../ | n/a |
-| [s3\_bucket\_destinations](#module\_s3\_bucket\_destinations) | ../../modules/external/s3_bucket | n/a |
-| [s3\_bucket\_source](#module\_s3\_bucket\_source) | ../../modules/external/s3_bucket | n/a |
+| [s3\_bucket\_destinations](#module\_s3\_bucket\_destinations) | app.terraform.io/cloudandthings/s3-bucket/aws | 2.0.0 |
+| [s3\_bucket\_source](#module\_s3\_bucket\_source) | app.terraform.io/cloudandthings/s3-bucket/aws | 2.0.0 |
----
### Outputs
@@ -142,7 +141,7 @@ module "example" {
| Name | Version |
|------|---------|
-| [aws.afs1](#provider\_aws.afs1) | ~> 4.9 |
+| [aws.afs1](#provider\_aws.afs1) | ~> 5.0 |
| [random](#provider\_random) | ~> 3.4 |
----
@@ -151,7 +150,7 @@ module "example" {
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.15.5 |
-| [aws](#requirement\_aws) | ~> 4.9 |
+| [aws](#requirement\_aws) | ~> 5.0 |
| [random](#requirement\_random) | ~> 3.4 |
----
diff --git a/examples/multiple-destinations/main.tf b/examples/multiple-destinations/main.tf
index 4de6eb5..71d07ee 100644
--- a/examples/multiple-destinations/main.tf
+++ b/examples/multiple-destinations/main.tf
@@ -21,9 +21,8 @@ resource "aws_kms_key" "source" {
}
module "s3_bucket_source" {
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
name = "${local.naming_prefix}-source"
kms_key_id = aws_kms_key.source.arn
@@ -48,10 +47,10 @@ resource "aws_kms_key" "destination" {
}
module "s3_bucket_destinations" {
+ source = "app.terraform.io/cloudandthings/s3-bucket/aws"
+ version = "2.0.0"
+
count = 2
- # source = "app.terraform.io/cloudandthings/s3-bucket/aws"
- # version = "1.2.0"
- source = "../../modules/external/s3_bucket"
name = "${local.naming_prefix}-dest-${count.index}"
kms_key_id = aws_kms_key.destination.arn
diff --git a/examples/multiple-destinations/terraform.tf b/examples/multiple-destinations/terraform.tf
index d5773db..95f7da5 100644
--- a/examples/multiple-destinations/terraform.tf
+++ b/examples/multiple-destinations/terraform.tf
@@ -2,9 +2,8 @@ terraform {
required_version = ">= 0.15.5"
required_providers {
aws = {
- source = "hashicorp/aws"
- # V5+ does not exist yet, may contain breaking changes.
- version = "~> 4.9"
+ source = "hashicorp/aws"
+ version = "~> 5.0"
}
random = {
source = "hashicorp/random"
diff --git a/modules/external/s3_bucket/.flake8 b/modules/external/s3_bucket/.flake8
deleted file mode 100644
index 737dd5d..0000000
--- a/modules/external/s3_bucket/.flake8
+++ /dev/null
@@ -1,9 +0,0 @@
-[flake8]
-extend-ignore =
- # whitespace before ':'
- E203
-max-line-length = 90
-max-complexity = 10
-exclude =
- __pycache__
- .venv
diff --git a/modules/external/s3_bucket/CHANGELOG.md b/modules/external/s3_bucket/CHANGELOG.md
deleted file mode 100644
index b349d94..0000000
--- a/modules/external/s3_bucket/CHANGELOG.md
+++ /dev/null
@@ -1,50 +0,0 @@
-# Changelog
-
-## [1.2.0](https://github.com/cloudandthings/terraform-aws-s3-bucket/compare/v1.1.1...v1.2.0) (2023-03-06)
-
-
-### Features
-
-* Add `enable_public_access_block` ([#7](https://github.com/cloudandthings/terraform-aws-s3-bucket/issues/7)) ([a89b332](https://github.com/cloudandthings/terraform-aws-s3-bucket/commit/a89b332da4170381443757fe3d0429c200cb5ae6))
-
-## [1.1.1](https://github.com/cloudandthings/terraform-aws-s3-bucket/compare/v1.1.0...v1.1.1) (2023-02-10)
-
-
-### Bug Fixes
-
-* Avoid dependency on bucket id ([#5](https://github.com/cloudandthings/terraform-aws-s3-bucket/issues/5)) ([069cbd2](https://github.com/cloudandthings/terraform-aws-s3-bucket/commit/069cbd229a13845a0ad06bb04b1277a8fd7e38bd))
-
-## [1.1.0](https://github.com/cloudandthings/terraform-aws-s3-bucket/compare/v1.0.0...v1.1.0) (2023-02-10)
-
-
-### Features
-
-* New naming methods ([7c8f3b9](https://github.com/cloudandthings/terraform-aws-s3-bucket/commit/7c8f3b9fb282d4d748cb1576ff1e86f5fcc43a54))
-
-## 1.0.0 (2023-02-10)
-
-
-### Features
-
-* Initial release ([c49cfe4](https://github.com/cloudandthings/terraform-aws-s3-bucket/commit/c49cfe4c567cfd69282296dcc1ebca3689bcbaeb))
-* Initial release ([c69614f](https://github.com/cloudandthings/terraform-aws-s3-bucket/commit/c69614fd11182d9a0e59c0b8d121028dcd424d76))
-
-## [1.0.1](https://github.com/cloudandthings/terraform-aws-template/compare/v1.0.0...v1.0.1) (2022-12-22)
-
-
-### Bug Fixes
-
-* **simplify:** Cleanup tests and docs ([#8](https://github.com/cloudandthings/terraform-aws-template/issues/8)) ([92b1297](https://github.com/cloudandthings/terraform-aws-template/commit/92b1297fe8f9f202ba6fc80875f4f64c090c32e1))
-
-## 1.0.0 (2022-12-21)
-
-
-### Features
-
-* Module tests and standardisation ([#1](https://github.com/cloudandthings/terraform-aws-template/issues/1)) ([cfbc665](https://github.com/cloudandthings/terraform-aws-template/commit/cfbc6653f103118764e99bc98a0f70ea42098338))
-
-
-### Bug Fixes
-
-* **ci:** Terraform min-max ([#7](https://github.com/cloudandthings/terraform-aws-template/issues/7)) ([71acf4a](https://github.com/cloudandthings/terraform-aws-template/commit/71acf4a932b5a210217279265bc707e29711620d))
-* **ci:** Update workflow triggers ([#6](https://github.com/cloudandthings/terraform-aws-template/issues/6)) ([a37afcb](https://github.com/cloudandthings/terraform-aws-template/commit/a37afcbaa54e3c6918d5206694844eb25f87930c))
diff --git a/modules/external/s3_bucket/Dockerfile b/modules/external/s3_bucket/Dockerfile
deleted file mode 100644
index 47df935..0000000
--- a/modules/external/s3_bucket/Dockerfile
+++ /dev/null
@@ -1,32 +0,0 @@
-# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.245.0/containers/ubuntu/.devcontainer/base.Dockerfile
-
-# [Choice] Ubuntu version (use ubuntu-22.04 or ubuntu-18.04 on local arm64/Apple Silicon): ubuntu-22.04, ubuntu-20.04, ubuntu-18.04
-ARG VARIANT="jammy"
-FROM mcr.microsoft.com/vscode/devcontainers/base:0-${VARIANT}
-
-# Install additional OS packages.
-RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
- && apt-get -y install --no-install-recommends python3 python3-pip
-
-# python-is-python3
-RUN ln -s $(which python3) /usr/bin/python
-
-# terraform-docs
-COPY .tfdocs-config.yml .
-RUN curl -sSLo ./terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz
-RUN tar -xzf terraform-docs.tar.gz && chmod +x terraform-docs && mv terraform-docs /usr/local/bin/terraform-docs
-
-# tfsec
-RUN curl -sSLo ./tfsec.tar.gz https://github.com/aquasecurity/tfsec/releases/download/v1.28.0/tfsec_1.28.0_linux_amd64.tar.gz
-RUN tar -xzf tfsec.tar.gz && chmod +x tfsec && mv tfsec /usr/local/bin/tfsec
-
-COPY requirements.txt .
-RUN pip install -r requirements.txt
-
-COPY .pre-commit-config.yaml .
-
-COPY .devcontainer/.bashrc_extra .
-RUN cat .bashrc_extra >> /home/vscode/.bashrc
-
-# checkov:skip=CKV_DOCKER_2: No need for HEALTHCHECK on local container
-# checkov:skip=CKV_DOCKER_3: Use default root & vscode users
diff --git a/modules/external/s3_bucket/README.md b/modules/external/s3_bucket/README.md
deleted file mode 100644
index 689e36a..0000000
--- a/modules/external/s3_bucket/README.md
+++ /dev/null
@@ -1,135 +0,0 @@
-# Terraform AWS Template
-
-## Description
-
-*...example content; edit as needed...*
-
-Terraform module for...
-
-Features:
-
- - Creates an...
-
-[AWS documentation](https://docs.aws.amazon.com...)
-
-----
-## Prerequisites
-
-*...example content; edit as needed...*
-
-None.
-
-----
-## Usage
-
-*...example content; edit as needed...*
-
-See `examples` dropdown on Terraform Cloud, or [browse here](/examples/).
-
-----
-## Testing
-
-*...example content; edit as needed...*
-
-This module is tested during development using [`pytest`](https://docs.pytest.org/en/7.2.x/) and [`tftest`](https://pypi.org/project/tftest/). See the `tests` folder for further details, and in particular the [testing readme](./tests/README.md).
-
-----
-## Notes
-
-*...example content; edit as needed...*
-
-*This repo was created from [terraform-aws-template](https://github.com/cloudandthings/terraform-aws-template)*
-
-
-----
-## Known issues
-
-*...example content; edit as needed...*
-
-This project is currently unlicenced. Please contact the maintaining team to add a licence.
-
-----
-## Contributing
-
-*...example content; edit as needed...*
-
-Direct contributions are welcome.
-
-See [`CONTRIBUTING.md`](./.github/CONTRIBUTING.md) for further information.
-
-
-----
-## Documentation
-
-----
-### Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [bucket\_logging\_target\_bucket](#input\_bucket\_logging\_target\_bucket) | Target S3 bucket name for logging. | `string` | `""` | no |
-| [bucket\_logging\_target\_prefix](#input\_bucket\_logging\_target\_prefix) | Target S3 bucket prefix for logging. | `string` | `""` | no |
-| [create\_aws\_s3\_bucket\_lifecycle\_configuration](#input\_create\_aws\_s3\_bucket\_lifecycle\_configuration) | Whether to enable the default aws\_s3\_bucket\_lifecycle\_configuration on the bucket. | `bool` | `true` | no |
-| [enable\_attach\_default\_bucket\_policy](#input\_enable\_attach\_default\_bucket\_policy) | Whether to attach the default bucket policy or not (default=true). You may wish to attach the bucket policy document separately, in which case it is an output from this module. | `bool` | `true` | no |
-| [enable\_public\_access\_block](#input\_enable\_public\_access\_block) | Whether to enable public\_access\_block on the bucket. | `bool` | `true` | no |
-| [enable\_versioning](#input\_enable\_versioning) | Whether to enable versioning on the bucket. | `bool` | `true` | no |
-| [force\_destroy](#input\_force\_destroy) | **Caution** Whether to automatically delete all objects from the bucket when it is destroyed. These objects are NOT recoverable. | `bool` | `false` | no |
-| [general\_read\_only\_aws\_principals](#input\_general\_read\_only\_aws\_principals) | List of AWS principals to give read access to all bucket objects via bucket policy resource. | `list(string)` | `[]` | no |
-| [general\_read\_write\_aws\_principals](#input\_general\_read\_write\_aws\_principals) | List of AWS principals to give read and write access to all bucket objects via bucket policy resource. | `list(string)` | `[]` | no |
-| [kms\_key\_id](#input\_kms\_key\_id) | KMS key ID to use for encrypting bucket objects. | `string` | `null` | no |
-| [name](#input\_name) | Name for S3 bucket. Also see `naming_method` | `string` | `null` | no |
-| [naming\_method](#input\_naming\_method) | Whether to use `bucket`, `bucket_prefix` or neither when creating the `aws_s3_bucket` resource. | `string` | `"BUCKET"` | no |
-| [tags](#input\_tags) | Map of additional tags to assign to created resources. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level. | `map(string)` | `{}` | no |
-
-----
-### Modules
-
-No modules.
-
-----
-### Outputs
-
-| Name | Description |
-|------|-------------|
-| [bucket](#output\_bucket) | The bucket that is created. |
-| [bucket\_arn](#output\_bucket\_arn) | The bucket ARN that is created. |
-| [bucket\_id](#output\_bucket\_id) | The bucket id that is created. |
-| [default\_bucket\_policy\_document](#output\_default\_bucket\_policy\_document) | Default bucket policy document, attached to the bucket if `var.attach_default_bucket_policy=true`. |
-| [kms\_key\_id](#output\_kms\_key\_id) | The KMS key ID used for encrypting bucket objects. |
-| [region](#output\_region) | The bucket region. |
-
-----
-### Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | ~> 4.9 |
-
-----
-### Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13.1 |
-| [aws](#requirement\_aws) | ~> 4.9 |
-| [null](#requirement\_null) | ~> 3.1 |
-
-----
-### Resources
-
-| Name | Type |
-|------|------|
-| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_lifecycle_configuration.abort_incomplete_multipart_upload](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
-| [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
-| [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
-| [aws_s3_bucket_policy.default_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
-| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
-| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
-| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
-| [aws_iam_policy_document.default_bucket_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.deny_unencrypted_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.general_read_only_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.general_read_write_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-
-----
-
diff --git a/modules/external/s3_bucket/data.tf b/modules/external/s3_bucket/data.tf
deleted file mode 100644
index 6ed955d..0000000
--- a/modules/external/s3_bucket/data.tf
+++ /dev/null
@@ -1,79 +0,0 @@
-######################################################################
-## General access
-######################################################################
-
-data "aws_iam_policy_document" "deny_unencrypted_policy_document" {
-
- statement {
- sid = "DenyUnencryptedCommunication"
- actions = [
- "s3:*"
- ]
- effect = "Deny"
- principals {
- identifiers = [
- "*"
- ]
- type = "AWS"
- }
- resources = [
- aws_s3_bucket.this.arn,
- "${aws_s3_bucket.this.arn}/*"
- ]
- condition {
- test = "Bool"
- values = [false]
- variable = "aws:SecureTransport"
- }
- }
-}
-
-data "aws_iam_policy_document" "general_read_only_policy_document" {
-
- statement {
- sid = "GeneralReadOnlyObjectAccess"
- actions = [
- "s3:List*",
- "s3:Get*"
- ]
- effect = "Allow"
- principals {
- identifiers = var.general_read_only_aws_principals
- type = "AWS"
- }
- resources = [
- aws_s3_bucket.this.arn,
- "${aws_s3_bucket.this.arn}/*"
- ]
- }
-}
-
-data "aws_iam_policy_document" "general_read_write_policy_document" {
-
- statement {
- sid = "GeneralReadWriteObjectAccess"
- actions = [
- "s3:List*",
- "s3:Get*",
- "s3:PutObject",
- "s3:DeleteObject"
- ]
- effect = "Allow"
- principals {
- identifiers = var.general_read_write_aws_principals
- type = "AWS"
- }
- resources = [
- aws_s3_bucket.this.arn,
- "${aws_s3_bucket.this.arn}/*"
- ]
- }
-}
-
-data "aws_iam_policy_document" "default_bucket_policy_document" {
- source_policy_documents = concat(
- [data.aws_iam_policy_document.deny_unencrypted_policy_document.json]
- , length(var.general_read_only_aws_principals) > 0 ? [data.aws_iam_policy_document.general_read_only_policy_document.json] : []
- , length(var.general_read_write_aws_principals) > 0 ? [data.aws_iam_policy_document.general_read_write_policy_document.json] : []
- )
-}
diff --git a/modules/external/s3_bucket/main.tf b/modules/external/s3_bucket/main.tf
deleted file mode 100644
index f1a017f..0000000
--- a/modules/external/s3_bucket/main.tf
+++ /dev/null
@@ -1,96 +0,0 @@
-######################################################################
-## Bucket
-######################################################################
-## Bucket
-#tfsec:ignore:aws-s3-enable-bucket-logging
-resource "aws_s3_bucket" "this" {
-
- # Naming.
- bucket = var.naming_method == "BUCKET" ? var.name : null
- bucket_prefix = var.naming_method == "BUCKET_PREFIX" ? var.name : null
- # If neither are provided then a unique name is generated.
-
- force_destroy = var.force_destroy
- #checkov:skip=CKV_AWS_144:S3 replication is intentionally disabled by default.
- #checkov:skip=CKV2_AWS_62:Bucket notifications are not required by default.
-
- tags = var.tags
-}
-
-## Public Access Block
-resource "aws_s3_bucket_public_access_block" "this" {
- count = var.enable_public_access_block ? 1 : 0
-
- bucket = aws_s3_bucket.this.id
-
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
-}
-
-## Bucket Ownership Controls
-# This disables bucket ACLs
-# https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-s3-object-ownership-simplify-access-management-data-s3/
-resource "aws_s3_bucket_ownership_controls" "this" {
- bucket = aws_s3_bucket.this.id
-
- rule {
- object_ownership = "BucketOwnerEnforced"
- }
-}
-
-
-## Bucket Server Side Encryption Configuration
-resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
- bucket = aws_s3_bucket.this.bucket
-
- rule {
- apply_server_side_encryption_by_default {
- kms_master_key_id = var.kms_key_id == null ? null : var.kms_key_id
- sse_algorithm = var.kms_key_id == null ? "AES256" : "aws:kms"
- }
- bucket_key_enabled = var.kms_key_id == null ? null : true
- }
-}
-
-## Bucket Versioning
-resource "aws_s3_bucket_versioning" "this" {
- bucket = aws_s3_bucket.this.id
- versioning_configuration {
- status = var.enable_versioning ? "Enabled" : "Suspended"
- }
-}
-
-## Bucket Logging
-resource "aws_s3_bucket_logging" "this" {
- count = length(var.bucket_logging_target_bucket) > 0 ? 1 : 0
- bucket = aws_s3_bucket.this.id
-
- target_bucket = var.bucket_logging_target_bucket
- target_prefix = var.bucket_logging_target_prefix
-}
-
-## Bucket Lifecycle Configuration
-resource "aws_s3_bucket_lifecycle_configuration" "abort_incomplete_multipart_upload" {
- #checkov:skip=CKV_AWS_300: There is a period set for aborting failed uploads.
- bucket = aws_s3_bucket.this.bucket
- count = var.create_aws_s3_bucket_lifecycle_configuration ? 1 : 0
- rule {
- id = "CleanIncompleteMultipartUploads"
- status = "Enabled"
- filter {
- prefix = ""
- }
- abort_incomplete_multipart_upload {
- days_after_initiation = 5
- }
- }
-}
-
-## Bucket Policy
-resource "aws_s3_bucket_policy" "default_bucket_policy" {
- count = var.enable_attach_default_bucket_policy ? 1 : 0
- bucket = aws_s3_bucket.this.id
- policy = data.aws_iam_policy_document.default_bucket_policy_document.json
-}
diff --git a/modules/external/s3_bucket/outputs.tf b/modules/external/s3_bucket/outputs.tf
deleted file mode 100644
index c0ab2bc..0000000
--- a/modules/external/s3_bucket/outputs.tf
+++ /dev/null
@@ -1,29 +0,0 @@
-output "bucket_arn" {
- description = "The bucket ARN that is created."
- value = aws_s3_bucket.this.arn
-}
-
-output "bucket" {
- description = "The bucket that is created."
- value = aws_s3_bucket.this.bucket
-}
-
-output "bucket_id" {
- description = "The bucket id that is created."
- value = aws_s3_bucket.this.id
-}
-
-output "kms_key_id" {
- description = "The KMS key ID used for encrypting bucket objects."
- value = var.kms_key_id
-}
-
-output "region" {
- description = "The bucket region."
- value = aws_s3_bucket.this.region
-}
-
-output "default_bucket_policy_document" {
- description = "Default bucket policy document, attached to the bucket if `var.attach_default_bucket_policy=true`."
- value = data.aws_iam_policy_document.default_bucket_policy_document
-}
diff --git a/modules/external/s3_bucket/requirements.txt b/modules/external/s3_bucket/requirements.txt
deleted file mode 100644
index def3bb8..0000000
--- a/modules/external/s3_bucket/requirements.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-# DEV REQUIREMENTS
-
-# To use: pip install -r requirements.txt
-
-# Include test requirements
--r tests/requirements.txt
-
-# Additional packages to install when doing development
-black
-flake8
diff --git a/modules/external/s3_bucket/terraform.tf b/modules/external/s3_bucket/terraform.tf
deleted file mode 100644
index 9281cc7..0000000
--- a/modules/external/s3_bucket/terraform.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-# TODO versions.tf or terraform.tf ?
-terraform {
- required_version = ">= 0.13.1"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- # V5+ does not exist yet, may contain breaking changes.
- version = "~> 4.9"
- }
- null = { # Delete me
- source = "hashicorp/null"
- version = "~> 3.1"
- }
- }
-}
diff --git a/modules/external/s3_bucket/variables.tf b/modules/external/s3_bucket/variables.tf
deleted file mode 100644
index e9db3d1..0000000
--- a/modules/external/s3_bucket/variables.tf
+++ /dev/null
@@ -1,91 +0,0 @@
-######################################################################
-## Required
-######################################################################
-
-######################################################################
-## Optional
-######################################################################
-variable "enable_attach_default_bucket_policy" {
- description = "Whether to attach the default bucket policy or not (default=true). You may wish to attach the bucket policy document separately, in which case it is an output from this module."
- type = bool
- default = true
-}
-
-variable "enable_versioning" {
- description = "Whether to enable versioning on the bucket."
- type = bool
- default = true
-}
-
-variable "enable_public_access_block" {
- description = "Whether to enable public_access_block on the bucket."
- type = bool
- default = true
-}
-
-variable "create_aws_s3_bucket_lifecycle_configuration" {
- description = "Whether to enable the default aws_s3_bucket_lifecycle_configuration on the bucket."
- type = bool
- default = true
-}
-
-variable "name" {
- type = string
- description = "Name for S3 bucket. Also see `naming_method`"
- default = null
-}
-
-variable "naming_method" {
- type = string
- description = "Whether to use `bucket`, `bucket_prefix` or neither when creating the `aws_s3_bucket` resource."
- default = "BUCKET"
- validation {
- condition = contains(["BUCKET", "BUCKET_PREFIX", "NONE"], var.naming_method)
- error_message = "Must be one of: \"BUCKET\", \"BUCKET_PREFIX\" or \"NONE\"."
- }
-}
-
-variable "tags" {
- description = "Map of additional tags to assign to created resources. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level."
- type = map(string)
- default = {}
-}
-
-## KMS
-variable "kms_key_id" {
- type = string
- description = "KMS key ID to use for encrypting bucket objects."
- default = null
-}
-
-## Access
-variable "general_read_only_aws_principals" {
- description = "List of AWS principals to give read access to all bucket objects via bucket policy resource."
- type = list(string)
- default = []
-}
-
-variable "general_read_write_aws_principals" {
- description = "List of AWS principals to give read and write access to all bucket objects via bucket policy resource."
- type = list(string)
- default = []
-}
-
-# Logging
-variable "bucket_logging_target_bucket" {
- description = "Target S3 bucket name for logging."
- type = string
- default = ""
-}
-
-variable "bucket_logging_target_prefix" {
- description = "Target S3 bucket prefix for logging."
- type = string
- default = ""
-}
-
-variable "force_destroy" {
- description = "**Caution** Whether to automatically delete all objects from the bucket when it is destroyed. These objects are NOT recoverable."
- type = bool
- default = false
-}
diff --git a/terraform.tf b/terraform.tf
index 7884bc9..ad82e77 100644
--- a/terraform.tf
+++ b/terraform.tf
@@ -3,7 +3,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 4.9"
+ version = "~> 5.0"
}
}
}