Revert "Stop checkov CKV2_AWS_62 errors"

ministryofjustice · Oct 13, 2023 · 89b68e8 · 89b68e8
1 parent 0512c77
commit 89b68e8
Show file tree

Hide file tree

Showing 5 changed files with 3 additions and 88 deletions.
diff --git a/README.md b/README.md
@@ -104,8 +104,6 @@ No modules.
 | [aws_s3_bucket_lifecycle_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
-| [aws_s3_bucket_notification.bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
-| [aws_s3_bucket_notification.bucket_notification_replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
 | [aws_s3_bucket_ownership_controls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_policy.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
@@ -136,9 +134,6 @@ No modules.
 | <a name="input_lifecycle_rule"></a> [lifecycle\_rule](#input\_lifecycle\_rule) | List of maps containing configuration of object lifecycle management. | `any` | <pre>[<br>  {<br>    "enabled": "Enabled",<br>    "expiration": {<br>      "days": 730<br>    },<br>    "id": "main",<br>    "noncurrent_version_expiration": {<br>      "days": 730<br>    },<br>    "noncurrent_version_transition": [<br>      {<br>        "days": 90,<br>        "storage_class": "STANDARD_IA"<br>      },<br>      {<br>        "days": 365,<br>        "storage_class": "GLACIER"<br>      }<br>    ],<br>    "prefix": "",<br>    "tags": {<br>      "autoclean": "true",<br>      "rule": "log"<br>    },<br>    "transition": [<br>      {<br>        "days": 90,<br>        "storage_class": "STANDARD_IA"<br>      },<br>      {<br>        "days": 365,<br>        "storage_class": "GLACIER"<br>      }<br>    ]<br>  }<br>]</pre> | no |
 | <a name="input_log_bucket"></a> [log\_bucket](#input\_log\_bucket) | Bucket for server access logging, if applicable | `string` | `""` | no |
 | <a name="input_log_prefix"></a> [log\_prefix](#input\_log\_prefix) | Prefix to use for server access logging, if applicable | `string` | `""` | no |
-| <a name="input_notification_enabled"></a> [notification\_enabled](#input\_notification\_enabled) | Boolean indicating if a notification resource is required for the bucket | `bool` | `false` | no |
-| <a name="input_notification_events"></a> [notification\_events](#input\_notification\_events) | The event for which we send notifications | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
-| <a name="input_notification_sns_arn"></a> [notification\_sns\_arn](#input\_notification\_sns\_arn) | The arn for the bucket notification SNS topic | `string` | `""` | no |
 | <a name="input_ownership_controls"></a> [ownership\_controls](#input\_ownership\_controls) | Bucket Ownership Controls - for use WITH acl var above options are 'BucketOwnerPreferred' or 'ObjectWriter'. To disable ACLs and use new AWS recommended controls set this to 'BucketOwnerEnforced' and which will disabled ACLs and ignore var.acl | `string` | `"ObjectWriter"` | no |
 | <a name="input_replication_enabled"></a> [replication\_enabled](#input\_replication\_enabled) | Activate S3 bucket replication | `bool` | `false` | no |
 | <a name="input_replication_region"></a> [replication\_region](#input\_replication\_region) | Region to create S3 replication bucket | `string` | `"eu-west-2"` | no |

diff --git a/main.tf b/main.tf
@@ -1,15 +1,5 @@
 data "aws_caller_identity" "current" {}
 
-resource "aws_s3_bucket_notification" "bucket_notification" {
-  count  = var.notification_enabled == true ? 1 : 0
-  bucket = aws_s3_bucket.default.id
-
-  topic {
-    topic_arn = var.notification_sns_arn
-    events    = var.notification_events
-  }
-}
-
 # Main S3 bucket, that is replicated from (rather than to)
 # KMS Encryption handled by aws_s3_bucket_server_side_encryption_configuration resource
 # Logging handled by aws_s3_bucket_logging resource
@@ -47,7 +37,6 @@ resource "aws_s3_bucket_acl" "default" {
 
 # Configure bucket lifecycle rules
 resource "aws_s3_bucket_lifecycle_configuration" "default" {
-  #checkov:skip=CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
   bucket = aws_s3_bucket.default.id
 
   dynamic "rule" {
@@ -238,15 +227,6 @@ data "aws_iam_policy_document" "default" {
   }
 }
 
-resource "aws_s3_bucket_notification" "bucket_notification_replication" {
-  count  = var.replication_enabled && var.notification_events != [""] ? 1 : 0
-  bucket = aws_s3_bucket.replication[count.index]
-
-  topic {
-    topic_arn = var.notification_sns_arn
-    events    = var.notification_events
-  }
-}
 # Replication S3 bucket, to replicate to (rather than from)
 # Logging not deemed required for replication bucket
 # tfsec:ignore:aws-s3-enable-bucket-logging
@@ -275,9 +255,7 @@ resource "aws_s3_bucket_acl" "replication" {
 }
 
 # Configure bucket lifecycle rules
-
 resource "aws_s3_bucket_lifecycle_configuration" "replication" {
-  #checkov:skip=CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
   count = var.replication_enabled ? 1 : 0
 
   provider = aws.bucket-replication

diff --git a/test/s3_bucket_creation_test.go b/test/s3_bucket_creation_test.go
@@ -7,7 +7,6 @@ import (
 	"github.com/gruntwork-io/terratest/modules/aws"
 	"github.com/gruntwork-io/terratest/modules/terraform"
 	"github.com/stretchr/testify/assert"
-
 )
 
 func TestS3Creation(t *testing.T) {
@@ -33,18 +32,12 @@ func TestS3Creation(t *testing.T) {
 	bucketAES256 := terraform.Output(t, terraformOptions, "bucket_aes256")
 	assert.Regexp(t, regexp.MustCompile(`AES256`), bucketAES256)
 
-	assert.Regexp(t, regexp.MustCompile(`arn:aws:s3:::unit-test-bucket*`), bucketArn)
+	assert.Regexp(t, regexp.MustCompile(`^arn:aws:s3:::s3-bucket-*`), bucketArn)
 	// Verify that our Bucket has a policy attached
 	aws.AssertS3BucketPolicyExists(t, awsRegion, bucketID)
 
 	// Verify that our Bucket has versioning enabled
 	actualStatus := aws.GetS3BucketVersioning(t, awsRegion, bucketID)
 	expectedStatus := "Enabled"
 	assert.Equal(t, expectedStatus, actualStatus)
-
-	// Verify bucket notification is created
-	//bucketNotification := terraform.Output(t, terraformOptions, "bucket_notification")
-	//if bucketNotification != "" {
-	//		fmt.Println("OK")
-	//} else {fmt.Println("NOOOO")}
 }
diff --git a/test/unit-test/main.tf b/test/unit-test/main.tf
@@ -4,7 +4,7 @@ module "s3" {
   providers = {
     aws.bucket-replication = aws
   }
-  bucket_prefix = "unit-test-bucket"
+  bucket_prefix = "s3-bucket"
   force_destroy = true
   tags          = local.tags
 }
@@ -14,41 +14,8 @@ module "s3_with_AES256" {
   providers = {
     aws.bucket-replication = aws
   }
-  bucket_prefix = "unit-test-bucket"
+  bucket_prefix = "s3-bucket"
   force_destroy = true
   sse_algorithm = "AES256"
   tags          = local.tags
 }
-
-data "aws_iam_policy_document" "topic" {
-  statement {
-    effect = "Allow"
-
-    principals {
-      type        = "Service"
-      identifiers = ["s3.amazonaws.com"]
-    }
-
-    actions   = ["SNS:Publish"]
-    resources = ["arn:aws:sns:*:*:s3-event-notification-topic"]
-
-  }
-}
-resource "aws_sns_topic" "topic" {
-  name   = "s3-event-notification-topic"
-  policy = data.aws_iam_policy_document.topic.json
-}
-
-module "s3_with_notification" {
-  #checkov:skip=CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads - This is not needed in our tests"
-  source = "../.."
-  providers = {
-    aws.bucket-replication = aws
-  }
-  bucket_prefix = "unit-test-bucket"
-  force_destroy = true
-  notification_enabled = true
-  notification_events = ["s3:ObjectCreated:*"]
-  notification_sns_arn = aws_sns_topic.topic.arn
-  tags          = local.tags
-}
diff --git a/variables.tf b/variables.tf
@@ -148,21 +148,3 @@ variable "sse_algorithm" {
   description = "The server-side encryption algorithm to use"
   default     = "aws:kms"
 }
-
-variable "notification_sns_arn" {
-  type        = string
-  description = "The arn for the bucket notification SNS topic"
-  default     = ""
-}
-
-variable "notification_enabled" {
-  type        = bool
-  description = "Boolean indicating if a notification resource is required for the bucket"
-  default     = false
-}
-
-variable "notification_events" {
-  type        = list(string)
-  description = "The event for which we send notifications"
-  default     = [""]
-}