feat: add ability to deny non-SSL transport on log forwarder S3 bucket

Author: bryantbiggs

README.md

@@ -105,6 +105,7 @@ Examples codified under the [`examples`](./examples) are intended to give users
 | <a name="input_api_vpce_security_group_ids"></a> [api\_vpce\_security\_group\_ids](#input\_api\_vpce\_security\_group\_ids) | IDs of security groups to attach to API endpoint | `list(string)` | `[]` | no |
 | <a name="input_api_vpce_subnet_ids"></a> [api\_vpce\_subnet\_ids](#input\_api\_vpce\_subnet\_ids) | IDs of subnets to associate with API endpoint | `list(string)` | `[]` | no |
 | <a name="input_api_vpce_tags"></a> [api\_vpce\_tags](#input\_api\_vpce\_tags) | A map of tags to apply to the API endpoint | `map(string)` | `{}` | no |
+| <a name="input_bucket_attach_deny_insecure_transport_policy"></a> [bucket\_attach\_deny\_insecure\_transport\_policy](#input\_bucket\_attach\_deny\_insecure\_transport\_policy) | Controls if S3 bucket should have deny non-SSL transport policy attacheds | `bool` | `false` | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Lambda artifact S3 bucket name | `string` | `""` | no |
 | <a name="input_create_agent_vpce"></a> [create\_agent\_vpce](#input\_create\_agent\_vpce) | Controls whether an agent endpoint should be created | `bool` | `false` | no |
 | <a name="input_create_api_vpce"></a> [create\_api\_vpce](#input\_create\_api\_vpce) | Controls whether a API endpoint should be created | `bool` | `false` | no |

examples/complete/README.md

@@ -30,8 +30,8 @@ Note that this example may create resources which will incur monetary charges on
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.25.0 |
-| <a name="provider_random"></a> [random](#provider\_random) | 3.0.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.50.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |
 
 ## Modules
 

main.tf

@@ -26,9 +26,11 @@ module "log_forwarder" {
   lambda_tags                    = var.log_forwarder_lambda_tags
   log_retention_days             = var.log_forwarder_log_retention_days
 
-  create_bucket                 = var.create_bucket
-  bucket_name                   = var.bucket_name
-  bucket_prefix                 = var.log_forwarder_bucket_prefix
+  create_bucket                                = var.create_bucket
+  bucket_name                                  = var.bucket_name
+  bucket_prefix                                = var.log_forwarder_bucket_prefix
+  bucket_attach_deny_insecure_transport_policy = var.bucket_attach_deny_insecure_transport_policy
+
   s3_zip_storage_class          = var.log_forwarder_s3_zip_storage_class
   s3_zip_server_side_encryption = var.log_forwarder_s3_zip_server_side_encryption
   s3_zip_kms_key_id             = var.log_forwarder_s3_zip_kms_key_id

modules/log_forwarder/README.md

@@ -55,7 +55,7 @@ module "datadog_log_forwarder" {
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_this_s3_bucket"></a> [this\_s3\_bucket](#module\_this\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | v1.25.0 |
+| <a name="module_this_s3_bucket"></a> [this\_s3\_bucket](#module\_this\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | v2.6.0 |
 
 ## Resources
 
@@ -78,6 +78,7 @@ module "datadog_log_forwarder" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_bucket_attach_deny_insecure_transport_policy"></a> [bucket\_attach\_deny\_insecure\_transport\_policy](#input\_bucket\_attach\_deny\_insecure\_transport\_policy) | Controls if S3 bucket should have deny non-SSL transport policy attacheds | `bool` | `false` | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Forwarder S3 bucket name | `string` | `""` | no |
 | <a name="input_bucket_prefix"></a> [bucket\_prefix](#input\_bucket\_prefix) | S3 object key prefix to prepend to zip archive name | `string` | `""` | no |
 | <a name="input_create"></a> [create](#input\_create) | Controls whether the forwarder resources should be created | `bool` | `true` | no |

modules/log_forwarder/main.tf

@@ -24,12 +24,14 @@ data "aws_region" "current" {}
 
 module "this_s3_bucket" {
   source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "v1.25.0"
+  version = "v2.6.0"
 
   create_bucket = var.create && var.create_bucket
   bucket        = local.bucket_name
   force_destroy = true
 
+  attach_deny_insecure_transport_policy = var.bucket_attach_deny_insecure_transport_policy
+
   block_public_acls       = true
   block_public_policy     = true
   ignore_public_acls      = true
@@ -129,7 +131,7 @@ resource "null_resource" "this" {
 resource "aws_s3_bucket_object" "this" {
   count = var.create ? 1 : 0
 
-  bucket = var.create_bucket ? module.this_s3_bucket.this_s3_bucket_id : var.bucket_name
+  bucket = var.create_bucket ? module.this_s3_bucket.s3_bucket_id : var.bucket_name
   key    = join("/", compact([var.bucket_prefix, local.zip_name]))
   source = local.forwarder_zip
 
@@ -150,7 +152,7 @@ resource "aws_s3_bucket_object" "this" {
 resource "aws_lambda_function" "this" {
   count = var.create ? 1 : 0
 
-  s3_bucket         = var.create_bucket ? module.this_s3_bucket.this_s3_bucket_id : var.bucket_name
+  s3_bucket         = var.create_bucket ? module.this_s3_bucket.s3_bucket_id : var.bucket_name
   s3_key            = aws_s3_bucket_object.this[0].key
   s3_object_version = aws_s3_bucket_object.this[0].version_id
   function_name     = var.name

modules/log_forwarder/outputs.tf

@@ -1,22 +1,22 @@
 # Forwarder bucket
 output "s3_bucket_id" {
   description = "The name of the bucket"
-  value       = module.this_s3_bucket.this_s3_bucket_id
+  value       = module.this_s3_bucket.s3_bucket_id
 }
 
 output "s3_bucket_arn" {
   description = "The ARN of the bucket. Will be of format arn:aws:s3:::bucketname"
-  value       = module.this_s3_bucket.this_s3_bucket_arn
+  value       = module.this_s3_bucket.s3_bucket_arn
 }
 
 output "s3_bucket_domain_name" {
   description = "The bucket domain name. Will be of format bucketname.s3.amazonaws.com"
-  value       = module.this_s3_bucket.this_s3_bucket_bucket_domain_name
+  value       = module.this_s3_bucket.s3_bucket_bucket_domain_name
 }
 
 output "s3_bucket_regional_domain_name" {
   description = "The bucket region-specific domain name. The bucket domain name including the region name"
-  value       = module.this_s3_bucket.this_s3_bucket_bucket_regional_domain_name
+  value       = module.this_s3_bucket.s3_bucket_bucket_regional_domain_name
 }
 
 # Forwarder role

modules/log_forwarder/variables.tf

@@ -42,6 +42,12 @@ variable "bucket_name" {
   default     = ""
 }
 
+variable "bucket_attach_deny_insecure_transport_policy" {
+  description = "Controls if S3 bucket should have deny non-SSL transport policy attacheds"
+  type        = bool
+  default     = false
+}
+
 # Forwarder S3 Zip Objcet
 variable "bucket_prefix" {
   description = "S3 object key prefix to prepend to zip archive name"

variables.tf

@@ -47,6 +47,12 @@ variable "bucket_name" {
   default     = ""
 }
 
+variable "bucket_attach_deny_insecure_transport_policy" {
+  description = "Controls if S3 bucket should have deny non-SSL transport policy attacheds"
+  type        = bool
+  default     = false
+}
+
 # Log Forwarder S3 Objcet
 variable "log_forwarder_bucket_prefix" {
   description = "S3 object key prefix to prepend to zip archive name"