Merge pull request #4 from rhythmictech/aws-provider-v4

update to aws v4, ci, lifecycle policies

Author: sblack4

.github/workflows/check.yml

@@ -1,7 +1,7 @@
 exclude: ".terraform"
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.72.1
+    rev: v1.77.0
     hooks:
       - id: terraform_docs
         always_run: true
@@ -56,7 +56,7 @@ repos:
         files: \.tf(vars)?$
         exclude: examples
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.2.0
+    rev: v4.4.0
     hooks:
       - id: check-case-conflict
       - id: check-json

.pre-commit-config.yaml

@@ -1 +1 @@
-latest:^1.1
+latest:^1

.terraform-version

@@ -12,6 +12,7 @@ Creates an S3 bucket suitable for receiving VPC flow logs from one or more AWS a
 Example:
 
 
+Create the bucket with this module.
 ```
 module "vpcflowlog-bucket" {
   source              = "rhythmictech/aws-vpcflowlogs/terraform"
@@ -21,13 +22,27 @@ module "vpcflowlog-bucket" {
 }
 ```
 
+Then create the flow logs in each of the allowed accounts. Logs will flow back to the bucket in the original account.
+```
+module "vpcflowlogs" {
+  source = "git::https://github.com/rhythmictech/terraform-aws-vpcflowlogs.git"
+
+  create_bucket      = false
+  create_kms_key     = false
+  region             = var.region
+  vpc_ids            = [module.vpc.vpc_id]
+  vpcflowlog_bucket  = module.vpcflowlog-bucket.s3_bucket_name
+  vpcflowlog_kms_key = module.vpcflowlog-bucket.kms_key_id
+}
+```
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.4 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.8 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4 |
 
 ## Providers
 
@@ -46,8 +61,13 @@ No modules.
 | [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
+| [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -58,6 +78,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_allowed_account_ids"></a> [allowed\_account\_ids](#input\_allowed\_account\_ids) | Optional list of AWS Account IDs that are permitted to write to the bucket | `list(string)` | `[]` | no |
+| <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | lifecycle rules to apply to the bucket | <pre>list(object(<br>    {<br>      id                            = string<br>      enabled                       = optional(bool, true)<br>      expiration                    = optional(number)<br>      prefix                        = optional(number)<br>      noncurrent_version_expiration = optional(number)<br>      transition = optional(list(object({<br>        days          = number<br>        storage_class = string<br>      })))<br>  }))</pre> | <pre>[<br>  {<br>    "id": "expire-noncurrent-objects-after-ninety-days",<br>    "noncurrent_version_expiration": 90<br>  },<br>  {<br>    "id": "transition-to-IA-after-30-days",<br>    "transition": [<br>      {<br>        "days": 30,<br>        "storage_class": "STANDARD_IA"<br>      }<br>    ]<br>  },<br>  {<br>    "expiration": 2557,<br>    "id": "delete-after-seven-years"<br>  }<br>]</pre> | no |
 | <a name="input_logging_bucket"></a> [logging\_bucket](#input\_logging\_bucket) | S3 bucket to send request logs to the VPC flow log bucket to | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | Region VPC flow logs will be sent to | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to include on resources that support it | `map(string)` | `{}` | no |

.terraform.lock.hcl

@@ -15,7 +15,7 @@ cd ..
 rm -rf tmp
 
 curl -L "$(curl -sL https://api.github.com/repos/terraform-linters/tflint/releases/latest | grep -o -E "https://.+?_linux_amd64.zip")" > tflint.zip && unzip tflint.zip && rm tflint.zip && sudo mv tflint /usr/bin/
-env GO111MODULE=on go get -u github.com/liamg/tfsec/cmd/tfsec
+go install github.com/aquasecurity/tfsec/cmd/tfsec@latest
 git clone https://github.com/tfutils/tfenv.git ~/.tfenv || true
 mkdir -p ~/.local/bin/
 . ~/.profile

README.md

@@ -13,46 +13,65 @@ locals {
 
   # Format account IDs into necessary resource lists.
   bucket_policy_put_resources = formatlist("${aws_s3_bucket.this.arn}/AWSLogs/%s/*", local.account_ids)
-  kms_key_encrypt_resources   = formatlist("arn:${local.partition}:cloudtrail:*:%s:trail/*", local.account_ids)
 }
 
 resource "aws_s3_bucket" "this" {
   bucket = "${local.account_id}-${var.region}-vpcflowlog"
-  acl    = "private"
   tags   = var.tags
 
-  lifecycle_rule {
-    enabled = true
+  lifecycle {
+    prevent_destroy = true
+  }
+}
 
-    transition {
-      days          = 30
-      storage_class = "STANDARD_IA"
-    }
+resource "aws_s3_bucket_acl" "this" {
+  bucket = aws_s3_bucket.this.id
+  acl    = "private"
+}
 
-  }
+resource "aws_s3_bucket_lifecycle_configuration" "this" {
+  count = var.lifecycle_rules == null ? 0 : 1
 
-  logging {
-    target_bucket = var.logging_bucket
-    target_prefix = "${local.account_id}-${var.region}-vpcflowlog/"
-  }
+  bucket = aws_s3_bucket.this.id
+
+  dynamic "rule" {
+    iterator = rule
+    for_each = var.lifecycle_rules
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm     = "aws:kms"
-        kms_master_key_id = aws_kms_key.this.arn
+    content {
+      id     = rule.value.id
+      status = rule.value.enabled ? "Enabled" : "Disabled"
+
+      filter {
+        prefix = lookup(rule.value, "prefix", null)
       }
-    }
 
-  }
+      expiration {
+        days = lookup(rule.value, "expiration", 2147483647)
+      }
 
-  versioning {
-    enabled = true
-  }
+      noncurrent_version_expiration {
+        noncurrent_days = lookup(rule.value, "noncurrent_version_expiration", 2147483647)
+      }
 
-  lifecycle {
-    prevent_destroy = true
+      dynamic "transition" {
+        for_each = coalesce(rule.value.transition, [])
+
+        content {
+          days          = transition.value.days
+          storage_class = transition.value.storage_class
+        }
+      }
+    }
   }
+
+  depends_on = [aws_s3_bucket_versioning.this]
+}
+
+resource "aws_s3_bucket_logging" "this" {
+  bucket        = aws_s3_bucket.this.id
+  target_bucket = var.logging_bucket
+  target_prefix = "${local.account_id}-${var.region}-vpcflowlog/"
 }
 
 resource "aws_s3_bucket_public_access_block" "this" {
@@ -63,6 +82,26 @@ resource "aws_s3_bucket_public_access_block" "this" {
   restrict_public_buckets = true
 }
 
+resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+  bucket = aws_s3_bucket.this.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.this.arn
+      sse_algorithm     = "aws:kms"
+    }
+  }
+}
+
+resource "aws_s3_bucket_versioning" "this" {
+  bucket = aws_s3_bucket.this.id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+
 data "aws_iam_policy_document" "this" {
   statement {
     actions   = ["s3:GetBucketAcl"]

bin/install-ubuntu.sh

@@ -4,6 +4,41 @@ variable "allowed_account_ids" {
   type        = list(string)
 }
 
+variable "lifecycle_rules" {
+  description = "lifecycle rules to apply to the bucket"
+
+  default = [
+    {
+      id                            = "expire-noncurrent-objects-after-ninety-days"
+      noncurrent_version_expiration = 90
+    },
+    {
+      id = "transition-to-IA-after-30-days"
+      transition = [{
+        days          = 30
+        storage_class = "STANDARD_IA"
+      }]
+    },
+    {
+      id         = "delete-after-seven-years"
+      expiration = 2557
+    },
+  ]
+
+  type = list(object(
+    {
+      id                            = string
+      enabled                       = optional(bool, true)
+      expiration                    = optional(number)
+      prefix                        = optional(number)
+      noncurrent_version_expiration = optional(number)
+      transition = optional(list(object({
+        days          = number
+        storage_class = string
+      })))
+  }))
+}
+
 variable "logging_bucket" {
   description = "S3 bucket to send request logs to the VPC flow log bucket to"
   type        = string

main.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.8"
+      version = ">= 4"
     }
   }
 }