Merge pull request #1299 from lacework/GROW-1336

chore(lwgenerate): deprecate force_destroy flags

Author: afiune

cli/cmd/generate_aws.go

@@ -24,7 +24,6 @@ var (
 	QuestionConsolidatedCloudtrail      = "Use consolidated CloudTrail?"
 	QuestionUseExistingCloudtrail       = "Use an existing CloudTrail?"
 	QuestionCloudtrailExistingBucketArn = "Specify an existing bucket ARN used for CloudTrail logs:"
-	QuestionForceDestroyS3Bucket        = "Should the new S3 bucket have force destroy enabled?"
 	QuestionExistingIamRoleName         = "Specify an existing IAM role name for CloudTrail access:"
 	QuestionExistingIamRoleArn          = "Specify an existing IAM role ARN for CloudTrail access:"
 	QuestionExistingIamRoleExtID        = "Specify the external ID to be used with the existing IAM role:"
@@ -129,10 +128,6 @@ See help output for more details on the parameter value(s) required for Terrafor
 				aws.WithS3BucketNotification(GenerateAwsCommandState.S3BucketNotification),
 			}
 
-			if GenerateAwsCommandState.ForceDestroyS3Bucket {
-				mods = append(mods, aws.EnableForceDestroyS3Bucket())
-			}
-
 			if GenerateAwsCommandState.ConsolidatedCloudtrail {
 				mods = append(mods, aws.UseConsolidatedCloudtrail())
 			}
@@ -393,11 +388,18 @@ func initGenerateAwsTfCommandFlags() {
 		"consolidated_cloudtrail",
 		false,
 		"use consolidated trail")
+
+	// DEPRECATED
 	generateAwsTfCommand.PersistentFlags().BoolVar(
 		&GenerateAwsCommandState.ForceDestroyS3Bucket,
 		"force_destroy_s3",
-		false,
+		true,
 		"enable force destroy S3 bucket")
+	errcheckWARN(generateAwsTfCommand.PersistentFlags().MarkDeprecated(
+		"force_destroy_s3", "by default, force destroy is enabled.",
+	))
+	// ---
+
 	generateAwsTfCommand.PersistentFlags().StringSliceVar(
 		&GenerateAwsCommandExtraState.AwsSubAccounts,
 		"aws_subaccount",
@@ -513,14 +515,8 @@ func promptAwsCtQuestions(config *aws.GenerateAwsTfConfigurationArgs, extraState
 		return err
 	}
 
-	// If a new bucket is to be created; should the force destroy bit be set?
 	newBucket := config.ExistingCloudtrailBucketArn == ""
 	if err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{
-		{
-			Prompt:   &survey.Confirm{Message: QuestionForceDestroyS3Bucket, Default: config.ForceDestroyS3Bucket},
-			Response: &config.ForceDestroyS3Bucket,
-			Checks:   []*bool{&config.Cloudtrail, &newBucket},
-		},
 		// If new bucket created, allow user to optionally name the bucket
 		{
 			Prompt:   &survey.Input{Message: QuestionBucketName, Default: config.BucketName},
@@ -857,7 +853,6 @@ func awsConfigIsEmpty(g *aws.GenerateAwsTfConfigurationArgs) bool {
 		g.ExistingIamRole == nil &&
 		g.ExistingSnsTopicArn == "" &&
 		g.LaceworkProfile == "" &&
-		!g.ForceDestroyS3Bucket &&
 		g.SubAccounts == nil
 }
 

cli/cmd/generate_aws_eks_audit.go

@@ -28,19 +28,18 @@ var (
 	QuestionEksAuditConfigureAdvanced = "Configure advanced integration options?"
 
 	// S3 Bucket Questions
-	QuestionUseExistingBucket            = "Use existing bucket?"
-	QuestionExistingBucketArn            = "Specify an existing bucket ARN used for EKS audit log:"
-	EksAuditConfigureBucket              = "Configure bucket settings"
-	QuestionEksAuditBucketVersioning     = "Enable access versioning on the new bucket?"
-	QuestionEksAuditMfaDeleteS3Bucket    = "Should MFA object deletion be required for the new bucket?"
-	QuestionEksAuditForceDestroyS3Bucket = "Should force destroy be enabled for the new bucket?"
-	QuestionEksAuditBucketLifecycle      = "Specify the bucket lifecycle expiration days: (optional)"
-	QuestionEksAuditBucketEncryption     = "Enable encryption for the new bucket?"
-	QuestionEksAuditBucketSseAlgorithm   = "Specify the bucket SSE Algorithm: (optional)"
-	QuestionEksAuditBucketExistingKey    = "Use existing KMS key?"
-	QuestionEksAuditBucketKeyArn         = "Specify the bucket existing SSE KMS key ARN:"
-	QuestionEksAuditKmsKeyRotation       = "Should the KMS key have rotation enabled?"
-	QuestionEksAuditKmsKeyDeletionDays   = "Specify the KMS key deletion days: (optional)"
+	QuestionUseExistingBucket          = "Use existing bucket?"
+	QuestionExistingBucketArn          = "Specify an existing bucket ARN used for EKS audit log:"
+	EksAuditConfigureBucket            = "Configure bucket settings"
+	QuestionEksAuditBucketVersioning   = "Enable access versioning on the new bucket?"
+	QuestionEksAuditMfaDeleteS3Bucket  = "Should MFA object deletion be required for the new bucket?"
+	QuestionEksAuditBucketLifecycle    = "Specify the bucket lifecycle expiration days: (optional)"
+	QuestionEksAuditBucketEncryption   = "Enable encryption for the new bucket?"
+	QuestionEksAuditBucketSseAlgorithm = "Specify the bucket SSE Algorithm: (optional)"
+	QuestionEksAuditBucketExistingKey  = "Use existing KMS key?"
+	QuestionEksAuditBucketKeyArn       = "Specify the bucket existing SSE KMS key ARN:"
+	QuestionEksAuditKmsKeyRotation     = "Should the KMS key have rotation enabled?"
+	QuestionEksAuditKmsKeyDeletionDays = "Specify the KMS key deletion days: (optional)"
 
 	// SNS Topic Questions
 	EksAuditConfigureSns                = "Configure SNS settings"
@@ -149,10 +148,6 @@ See help output for more details on the parameter values required for Terraform
 				mods = append(mods, aws_eks_audit.EnableBucketMfaDelete())
 			}
 
-			if GenerateAwsEksAuditCommandState.BucketForceDestroy {
-				mods = append(mods, aws_eks_audit.EnableBucketForceDestroy())
-			}
-
 			// Create new struct
 			data := aws_eks_audit.NewTerraform(mods...)
 
@@ -353,11 +348,18 @@ func initGenerateAwsEksAuditTfCommandFlags() {
 		"enable_encryption_s3",
 		true,
 		"enable encryption on s3 bucket")
+
+	// DEPRECATED
 	generateAwsEksAuditTfCommand.PersistentFlags().BoolVar(
 		&GenerateAwsEksAuditCommandState.BucketForceDestroy,
 		"enable_force_destroy",
-		false,
+		true,
 		"enable force destroy s3 bucket")
+	errcheckWARN(generateAwsEksAuditTfCommand.PersistentFlags().MarkDeprecated(
+		"enable_force_destroy", "by default, force destroy is enabled.",
+	))
+	// ---
+
 	generateAwsEksAuditTfCommand.PersistentFlags().IntVar(
 		&GenerateAwsEksAuditCommandState.BucketLifecycleExpirationDays,
 		"bucket_lifecycle_exp_days",
@@ -519,10 +521,6 @@ func promptAwsEksAuditBucketQuestions(config *aws_eks_audit.GenerateAwsEksAuditT
 			Prompt:   &survey.Confirm{Message: QuestionEksAuditMfaDeleteS3Bucket, Default: config.BucketEnableMfaDelete},
 			Response: &config.BucketEnableMfaDelete,
 		},
-		{
-			Prompt:   &survey.Confirm{Message: QuestionEksAuditForceDestroyS3Bucket, Default: config.BucketForceDestroy},
-			Response: &config.BucketForceDestroy,
-		},
 		{
 			Prompt: &survey.Confirm{Message: QuestionEksAuditBucketEncryption,
 				Default: config.BucketEnableEncryption},

cli/cmd/generate_gcp.go

@@ -29,17 +29,16 @@ var (
 	QuestionExistingServiceAccountName       = "Specify an existing service account name:"
 	QuestionExistingServiceAccountPrivateKey = "Specify an existing service account private key (base64 encoded):"
 
-	GcpAdvancedOptAuditLog              = "Configure additional Audit Log options"
-	QuestionGcpUseExistingBucket        = "Use an existing bucket?"
-	QuestionGcpExistingBucketName       = "Specify an existing bucket name:"
-	QuestionGcpConfigureNewBucket       = "Configure settings for new bucket?"
-	QuestionGcpBucketRegion             = "Specify the bucket region: (optional)"
-	QuestionGcpCustomBucketName         = "Specify a custom bucket name: (optional)"
-	QuestionGcpBucketLifecycle          = "Specify the bucket lifecycle rule age: (optional)"
-	QuestionGcpEnableUBLA               = "Enable uniform bucket level access(UBLA)?"
-	QuestionGcpEnableBucketForceDestroy = "Enable bucket force destroy?"
-	QuestionGcpUseExistingSink          = "Use an existing sink?"
-	QuestionGcpExistingSinkName         = "Specify the existing sink name"
+	GcpAdvancedOptAuditLog        = "Configure additional Audit Log options"
+	QuestionGcpUseExistingBucket  = "Use an existing bucket?"
+	QuestionGcpExistingBucketName = "Specify an existing bucket name:"
+	QuestionGcpConfigureNewBucket = "Configure settings for new bucket?"
+	QuestionGcpBucketRegion       = "Specify the bucket region: (optional)"
+	QuestionGcpCustomBucketName   = "Specify a custom bucket name: (optional)"
+	QuestionGcpBucketLifecycle    = "Specify the bucket lifecycle rule age: (optional)"
+	QuestionGcpEnableUBLA         = "Enable uniform bucket level access(UBLA)?"
+	QuestionGcpUseExistingSink    = "Use an existing sink?"
+	QuestionGcpExistingSinkName   = "Specify the existing sink name"
 
 	GcpAdvancedOptIntegrationName           = "Customize integration name(s)"
 	QuestionGcpConfigurationIntegrationName = "Specify a custom configuration integration name: (optional)"
@@ -127,10 +126,6 @@ See help output for more details on the parameter value(s) required for Terrafor
 				mods = append(mods, gcp.WithOrganizationIntegration(GenerateGcpCommandState.OrganizationIntegration))
 			}
 
-			if GenerateGcpCommandState.EnableForceDestroyBucket {
-				mods = append(mods, gcp.WithEnableForceDestroyBucket())
-			}
-
 			if len(GenerateGcpCommandState.FoldersToExclude) > 0 {
 				mods = append(mods, gcp.WithIncludeRootProjects(GenerateGcpCommandState.IncludeRootProjects))
 			}
@@ -366,11 +361,18 @@ func initGenerateGcpTfCommandFlags() {
 		"existing_sink_name",
 		"",
 		"specify existing sink name")
+
+	// DEPRECATED
 	generateGcpTfCommand.PersistentFlags().BoolVar(
 		&GenerateGcpCommandState.EnableForceDestroyBucket,
 		"enable_force_destroy_bucket",
-		false,
+		true,
 		"enable force bucket destroy")
+	errcheckWARN(generateGcpTfCommand.PersistentFlags().MarkDeprecated(
+		"enable_force_destroy_bucket", "by default, force destroy is enabled.",
+	))
+	// ---
+
 	generateGcpTfCommand.PersistentFlags().BoolVar(
 		&GenerateGcpCommandState.EnableUBLA,
 		"enable_ubla",
@@ -562,12 +564,6 @@ func promptGcpBucketConfiguration(config *gcp.GenerateGcpTfConfigurationArgs, ex
 			Required: true,
 			Response: &config.EnableUBLA,
 		},
-		{
-			Prompt:   &survey.Confirm{Message: QuestionGcpEnableBucketForceDestroy, Default: config.EnableForceDestroyBucket},
-			Checks:   []*bool{&config.AuditLog, &newBucket, &extraState.UseExistingBucket, usePubSubActivityDisabled(config)},
-			Required: true,
-			Response: &config.EnableForceDestroyBucket,
-		},
 	}, config.AuditLog)
 
 	return err

cli/docs/lacework_generate_k8s_eks.md

@@ -45,7 +45,6 @@ lacework generate k8s eks [flags]
       --enable_bucket_versioning                  enable s3 bucket versioning (default true)
       --enable_encryption_s3                      enable encryption on s3 bucket (default true)
       --enable_firehose_encryption                enable firehose encryption (default true)
-      --enable_force_destroy                      enable force destroy s3 bucket
       --enable_kms_key_rotation                   enable automatic kms key rotation (default true)
       --enable_mfa_delete_s3                      enable mfa delete on s3 bucket. Requires bucket versioning.
       --enable_sns_topic_encryption               enable encryption on the sns topic (default true)

integration/aws_eks_audit_generation_test.go

@@ -92,7 +92,6 @@ func TestGenerationEksSingleRegionAdvancedBucket(t *testing.T) {
 				MsgRsp{cmd.QuestionUseExistingBucket, "n"},
 				MsgRsp{cmd.QuestionEksAuditBucketVersioning, "y"},
 				MsgRsp{cmd.QuestionEksAuditMfaDeleteS3Bucket, "y"},
-				MsgRsp{cmd.QuestionEksAuditForceDestroyS3Bucket, "y"},
 				MsgRsp{cmd.QuestionEksAuditBucketEncryption, "y"},
 				MsgRsp{cmd.QuestionEksAuditBucketExistingKey, "n"},
 				MsgRsp{cmd.QuestionEksAuditBucketSseAlgorithm, ""},
@@ -118,7 +117,6 @@ func TestGenerationEksSingleRegionAdvancedBucket(t *testing.T) {
 		aws_eks_audit.WithParsedRegionClusterMap(regionClusterMap),
 		aws_eks_audit.EnableBucketVersioning(true),
 		aws_eks_audit.EnableBucketMfaDelete(),
-		aws_eks_audit.EnableBucketForceDestroy(),
 		aws_eks_audit.EnableBucketEncryption(true),
 		aws_eks_audit.EnableKmsKeyRotation(true),
 		aws_eks_audit.WithKmsKeyDeletionDays(30),
@@ -143,7 +141,6 @@ func TestGenerationEksSingleRegionAdvancedBucketExistingKey(t *testing.T) {
 				MsgRsp{cmd.QuestionUseExistingBucket, "n"},
 				MsgRsp{cmd.QuestionEksAuditBucketVersioning, "y"},
 				MsgRsp{cmd.QuestionEksAuditMfaDeleteS3Bucket, "y"},
-				MsgRsp{cmd.QuestionEksAuditForceDestroyS3Bucket, "y"},
 				MsgRsp{cmd.QuestionEksAuditBucketEncryption, "y"},
 				MsgRsp{cmd.QuestionEksAuditBucketExistingKey, "y"},
 				MsgRsp{cmd.QuestionEksAuditBucketSseAlgorithm, ""},
@@ -168,7 +165,6 @@ func TestGenerationEksSingleRegionAdvancedBucketExistingKey(t *testing.T) {
 		aws_eks_audit.WithParsedRegionClusterMap(regionClusterMap),
 		aws_eks_audit.EnableBucketVersioning(true),
 		aws_eks_audit.EnableBucketMfaDelete(),
-		aws_eks_audit.EnableBucketForceDestroy(),
 		aws_eks_audit.EnableBucketEncryption(true),
 		aws_eks_audit.WithBucketSseKeyArn("arn:aws:kms:us-west-2:249446771485:key/2537e820-be82-4ded-8dca-504e199b0903"),
 		aws_eks_audit.WithBucketLifecycleExpirationDays(30),

integration/aws_generation_test.go

@@ -197,8 +197,8 @@ func TestGenerationAwsAdvancedOptsDone(t *testing.T) {
 	assert.Equal(t, buildTf, tfResult)
 }
 
-// Test enabling consolidated trail and force destroy s3
-func TestGenerationAwsAdvancedOptsConsolidatedAndForceDestroy(t *testing.T) {
+// Test enabling consolidated trail
+func TestGenerationAwsAdvancedOptsConsolidated(t *testing.T) {
 	os.Setenv("LW_NOCACHE", "true")
 	defer os.Setenv("LW_NOCACHE", "")
 	var final string
@@ -217,7 +217,6 @@ func TestGenerationAwsAdvancedOptsConsolidatedAndForceDestroy(t *testing.T) {
 				MsgRsp{cmd.QuestionUseExistingCloudtrail, "n"},
 				MsgRsp{cmd.QuestionCloudtrailName, ""},
 				// S3 Bucket Questions
-				MsgRsp{cmd.QuestionForceDestroyS3Bucket, "y"},
 				MsgRsp{cmd.QuestionBucketName, ""},
 				MsgRsp{cmd.QuestionBucketEnableEncryption, "y"},
 				MsgRsp{cmd.QuestionBucketSseKeyArn, ""},
@@ -247,7 +246,6 @@ func TestGenerationAwsAdvancedOptsConsolidatedAndForceDestroy(t *testing.T) {
 	// Create the TF directly with lwgenerate and validate same result via CLI
 	buildTf, _ := aws.NewTerraform(region, true, true,
 		aws.UseConsolidatedCloudtrail(),
-		aws.EnableForceDestroyS3Bucket(),
 		aws.WithBucketEncryptionEnabled(true),
 		aws.WithSnsTopicEncryptionEnabled(true),
 		aws.WithSqsEncryptionEnabled(true),
@@ -326,7 +324,6 @@ func TestGenerationAwsAdvancedOptsConsolidatedWithSubAccounts(t *testing.T) {
 				MsgRsp{cmd.QuestionConsolidatedCloudtrail, "y"},
 				MsgRsp{cmd.QuestionUseExistingCloudtrail, "n"},
 				MsgRsp{cmd.QuestionCloudtrailName, ""},
-				MsgRsp{cmd.QuestionForceDestroyS3Bucket, "n"},
 				MsgRsp{cmd.QuestionBucketName, ""},
 				MsgRsp{cmd.QuestionBucketEnableEncryption, "y"},
 				MsgRsp{cmd.QuestionBucketSseKeyArn, ""},
@@ -592,7 +589,6 @@ func TestGenerationAwsAdvancedOptsCreateNewElements(t *testing.T) {
 				MsgRsp{cmd.QuestionUseExistingCloudtrail, "n"},
 				MsgRsp{cmd.QuestionCloudtrailName, trailName},
 				// S3 Questions
-				MsgRsp{cmd.QuestionForceDestroyS3Bucket, "y"},
 				MsgRsp{cmd.QuestionBucketName, bucketName},
 				MsgRsp{cmd.QuestionBucketEnableEncryption, "y"},
 				MsgRsp{cmd.QuestionBucketSseKeyArn, kmsArn},
@@ -622,7 +618,6 @@ func TestGenerationAwsAdvancedOptsCreateNewElements(t *testing.T) {
 	// Create the TF directly with lwgenerate and validate same result via CLI
 	buildTf, _ := aws.NewTerraform(region, true, true,
 		aws.WithCloudtrailName(trailName),
-		aws.EnableForceDestroyS3Bucket(),
 		aws.WithBucketName(bucketName),
 		aws.WithBucketEncryptionEnabled(true),
 		aws.WithBucketSSEKeyArn(kmsArn),
@@ -881,7 +876,6 @@ func TestGenerationAwsS3BucketNotificationInteractive(t *testing.T) {
 				MsgRsp{cmd.QuestionUseExistingCloudtrail, ""},
 				MsgRsp{cmd.QuestionCloudtrailName, ""},
 				// S3 Questions
-				MsgRsp{cmd.QuestionForceDestroyS3Bucket, ""},
 				MsgRsp{cmd.QuestionBucketName, ""},
 				MsgRsp{cmd.QuestionBucketEnableEncryption, ""},
 				MsgRsp{cmd.QuestionBucketSseKeyArn, ""},

lwgenerate/aws/aws.go

@@ -97,6 +97,7 @@ type GenerateAwsTfConfigurationArgs struct {
 	ConsolidatedCloudtrail bool
 
 	// Should we force destroy the bucket if it has stuff in it? (only relevant on new Cloudtrail creation)
+	// DEPRECATED
 	ForceDestroyS3Bucket bool
 
 	// Enable encryption of bucket if it is created
@@ -241,13 +242,6 @@ func UseConsolidatedCloudtrail() AwsTerraformModifier {
 	}
 }
 
-// EnableForceDestroyS3Bucket Set the S3 ForceDestroy parameter to true for newly created buckets
-func EnableForceDestroyS3Bucket() AwsTerraformModifier {
-	return func(c *GenerateAwsTfConfigurationArgs) {
-		c.ForceDestroyS3Bucket = true
-	}
-}
-
 // UseExistingIamRole Set an existing IAM role configuration to use with the created Terraform code
 func UseExistingIamRole(iamDetails *ExistingIamRoleDetails) AwsTerraformModifier {
 	return func(c *GenerateAwsTfConfigurationArgs) {
@@ -525,9 +519,6 @@ func createCloudtrail(args *GenerateAwsTfConfigurationArgs) (*hclwrite.Block, er
 			attributes["use_existing_cloudtrail"] = true
 			attributes["bucket_arn"] = args.ExistingCloudtrailBucketArn
 		} else {
-			if args.ForceDestroyS3Bucket {
-				attributes["bucket_force_destroy"] = true
-			}
 			if args.BucketName != "" {
 				attributes["bucket_name"] = args.BucketName
 			}