fixed deprecated issues with bucket encryption, lifecylce, bucket_acl and key algorithm (#303)

sviatoslav6 · web-flow · commit 917000caf563 · 2022-08-16T11:56:06.000+06:00
* fix: fixed deprecated issues with bucket encryption, lifecylce, bucket_acl and key algorithm

* fix: fixed deprecated issues with bucket encryption, lifecylce, bucket_acl and key algorithm

* update terraform docs
diff --git a/terraform/layer2-k8s/README.md b/terraform/layer2-k8s/README.md
@@ -62,8 +62,13 @@
 | [aws_route53_record.default_ingress](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/route53_record) | resource |
 | [aws_s3_bucket.elastic_stack](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.gitlab_runner_cache](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.elastic_stack_acl](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_acl.gitlab_runner_acl](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_lifecycle_configuration.gitlab_runner_lifecycle](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_public_access_block.elastic_stack_public_access_block](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_public_access_block.gitlab_runner_cache_public_access_block](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.elastic_stack_encryption](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.gitlab_runner_encryption](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [helm_release.aws_loadbalancer_controller](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource |
 | [helm_release.aws_node_termination_handler](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource |
 | [helm_release.cert_manager](https://registry.terraform.io/providers/helm/2.5.1/docs/resources/release) | resource |
@@ -142,4 +147,4 @@
 | <a name="output_victoria_metrics_k8s_stack_get_grafana_admin_password"></a> [victoria\_metrics\_k8s\_stack\_get\_grafana\_admin\_password](#output\_victoria\_metrics\_k8s\_stack\_get\_grafana\_admin\_password) | Command which gets admin password from kubernetes secret |
 | <a name="output_victoria_metrics_k8s_stack_grafana_admin_password"></a> [victoria\_metrics\_k8s\_stack\_grafana\_admin\_password](#output\_victoria\_metrics\_k8s\_stack\_grafana\_admin\_password) | Grafana admin password |
 | <a name="output_victoria_metrics_k8s_stack_grafana_domain_name"></a> [victoria\_metrics\_k8s\_stack\_grafana\_domain\_name](#output\_victoria\_metrics\_k8s\_stack\_grafana\_domain\_name) | Grafana dashboards address |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->
diff --git a/terraform/layer2-k8s/eks-elk.tf b/terraform/layer2-k8s/eks-elk.tf
@@ -798,22 +798,32 @@ resource "aws_s3_bucket" "elastic_stack" {
   count = local.elk.enabled ? 1 : 0
 
   bucket        = "${local.name}-elastic-stack"
-  acl           = "private"
   force_destroy = true
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "aws:kms"
-      }
-    }
-  }
-
   tags = {
     Name        = "${local.name}-elastic-stack"
     Environment = local.env
   }
 }
 
+resource "aws_s3_bucket_acl" "elastic_stack_acl" {
+  count = local.elk.enabled ? 1 : 0
+
+  bucket = aws_s3_bucket.elastic_stack[0].id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "elastic_stack_encryption" {
+  count = local.elk.enabled ? 1 : 0
+
+  bucket = aws_s3_bucket.elastic_stack[0].bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
+    }
+  }
+}
+
 resource "aws_s3_bucket_public_access_block" "elastic_stack_public_access_block" {
   count = local.elk.enabled ? 1 : 0
 
diff --git a/terraform/layer2-k8s/eks-gitlab-runner.tf b/terraform/layer2-k8s/eks-gitlab-runner.tf
@@ -116,30 +116,50 @@ resource "aws_s3_bucket" "gitlab_runner_cache" {
   count = local.gitlab_runner.enabled ? 1 : 0
 
   bucket        = "${local.name}-gitlab-runner-cache"
-  acl           = "private"
   force_destroy = true
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "aws:kms"
-      }
-    }
-  }
-
   tags = {
     Name        = "${local.name}-gitlab-runner-cache"
     Environment = local.env
   }
 
-  lifecycle_rule {
-    id      = "gitlab-runner-cache-lifecycle-rule"
-    enabled = true
-    tags = {
-      "rule" = "gitlab-runner-cache-lifecycle-rule"
+}
+
+resource "aws_s3_bucket_acl" "gitlab_runner_acl" {
+  count = local.gitlab_runner.enabled ? 1 : 0
+
+  bucket = aws_s3_bucket.gitlab_runner_cache[0].id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_runner_encryption" {
+  count = local.gitlab_runner.enabled ? 1 : 0
+
+  bucket = aws_s3_bucket.gitlab_runner_cache[0].bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
     }
+  }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "gitlab_runner_lifecycle" {
+  bucket = aws_s3_bucket.gitlab_runner_cache[0].id
+
+  rule {
+    id = "gitlab-runner-cache-lifecycle-rule"
     expiration {
       days = 120
     }
+
+    filter {
+      and {
+        tags = {
+          rule = "gitlab-runner-cache-lifecycle-rule"
+        }
+      }
+    }
+    status = "Enabled"
   }
 }
 
diff --git a/terraform/modules/self-signed-certificate/README.md b/terraform/modules/self-signed-certificate/README.md
@@ -39,4 +39,4 @@ No modules.
 | <a name="output_cert_pem"></a> [cert\_pem](#output\_cert\_pem) | n/a |
 | <a name="output_p8"></a> [p8](#output\_p8) | n/a |
 | <a name="output_private_key_pem"></a> [private\_key\_pem](#output\_private\_key\_pem) | n/a |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->
diff --git a/terraform/modules/self-signed-certificate/main.tf b/terraform/modules/self-signed-certificate/main.tf
@@ -3,7 +3,6 @@ resource "tls_private_key" "this" {
 }
 
 resource "tls_self_signed_cert" "this" {
-  key_algorithm         = tls_private_key.this.algorithm
   private_key_pem       = tls_private_key.this.private_key_pem
   validity_period_hours = var.validity_period_hours
   early_renewal_hours   = var.early_renewal_hours

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,6 @@ resource "tls_private_key" "this" {`
`3`	`3`	`}`
`4`	`4`
`5`	`5`	`resource "tls_self_signed_cert" "this" {`
`6`		`- key_algorithm = tls_private_key.this.algorithm`
`7`	`6`	`private_key_pem = tls_private_key.this.private_key_pem`
`8`	`7`	`validity_period_hours = var.validity_period_hours`
`9`	`8`	`early_renewal_hours = var.early_renewal_hours`