From 89b68e8f5feeb7c43a828d98a43bf2ee736cade6 Mon Sep 17 00:00:00 2001
From: dms1981
Date: Fri, 13 Oct 2023 10:36:41 +0100
Subject: [PATCH] Revert "Stop checkov CKV2_AWS_62 errors"

---
 README.md | 5 -----
 main.tf | 22 --------------------
 test/s3_bucket_creation_test.go | 9 +-------
 test/unit-test/main.tf | 37 ++-------------------------------
 variables.tf | 18 ----------------
 5 files changed, 3 insertions(+), 88 deletions(-)

diff --git a/README.md b/README.md
index 5e66a3a..e6ca370 100644
--- a/README.md
+++ b/README.md
@@ -104,8 +104,6 @@ No modules.
 | [aws_s3_bucket_lifecycle_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_logging.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
-| [aws_s3_bucket_notification.bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
-| [aws_s3_bucket_notification.bucket_notification_replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
 | [aws_s3_bucket_ownership_controls.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_policy.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
@@ -136,9 +134,6 @@ No modules. | [lifecycle\_rule](#input\_lifecycle\_rule) | List of maps containing configuration of object lifecycle management. | `any` |
[
{
"enabled": "Enabled",
"expiration": {
"days": 730
},
"id": "main",
"noncurrent_version_expiration": {
"days": 730
},
"noncurrent_version_transition": [
{
"days": 90,
"storage_class": "STANDARD_IA"
},
{
"days": 365,
"storage_class": "GLACIER"
}
],
"prefix": "",
"tags": {
"autoclean": "true",
"rule": "log"
},
"transition": [
{
"days": 90,
"storage_class": "STANDARD_IA"
},
{
"days": 365,
"storage_class": "GLACIER"
}
]
}
]
| no | | [log\_bucket](#input\_log\_bucket) | Bucket for server access logging, if applicable | `string` | `""` | no | | [log\_prefix](#input\_log\_prefix) | Prefix to use for server access logging, if applicable | `string` | `""` | no | -| [notification\_enabled](#input\_notification\_enabled) | Boolean indicating if a notification resource is required for the bucket | `bool` | `false` | no | -| [notification\_events](#input\_notification\_events) | The event for which we send notifications | `list(string)` |
[
""
]
| no | -| [notification\_sns\_arn](#input\_notification\_sns\_arn) | The arn for the bucket notification SNS topic | `string` | `""` | no | | [ownership\_controls](#input\_ownership\_controls) | Bucket Ownership Controls - for use WITH acl var above options are 'BucketOwnerPreferred' or 'ObjectWriter'. To disable ACLs and use new AWS recommended controls set this to 'BucketOwnerEnforced' and which will disabled ACLs and ignore var.acl | `string` | `"ObjectWriter"` | no | | [replication\_enabled](#input\_replication\_enabled) | Activate S3 bucket replication | `bool` | `false` | no | | [replication\_region](#input\_replication\_region) | Region to create S3 replication bucket | `string` | `"eu-west-2"` | no | diff --git a/main.tf b/main.tf index 13c3a8b..05bd2bc 100644 --- a/main.tf +++ b/main.tf @@ -1,15 +1,5 @@ data "aws_caller_identity" "current" {} -resource "aws_s3_bucket_notification" "bucket_notification" { - count = var.notification_enabled == true ? 1 : 0 - bucket = aws_s3_bucket.default.id - - topic { - topic_arn = var.notification_sns_arn - events = var.notification_events - } -} - # Main S3 bucket, that is replicated from (rather than to) # KMS Encryption handled by aws_s3_bucket_server_side_encryption_configuration resource # Logging handled by aws_s3_bucket_logging resource @@ -47,7 +37,6 @@ resource "aws_s3_bucket_acl" "default" { # Configure bucket lifecycle rules resource "aws_s3_bucket_lifecycle_configuration" "default" { - #checkov:skip=CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads" bucket = aws_s3_bucket.default.id dynamic "rule" { 
@@ -238,15 +227,6 @@ data "aws_iam_policy_document" "default" { } } -resource "aws_s3_bucket_notification" "bucket_notification_replication" { - count = var.replication_enabled && var.notification_events != [""] ? 1 : 0 - bucket = aws_s3_bucket.replication[count.index] - - topic { - topic_arn = var.notification_sns_arn - events = var.notification_events - } -} # Replication S3 bucket, to replicate to (rather than from) # Logging not deemed required for replication bucket # tfsec:ignore:aws-s3-enable-bucket-logging @@ -275,9 +255,7 @@ resource "aws_s3_bucket_acl" "replication" { } # Configure bucket lifecycle rules - resource "aws_s3_bucket_lifecycle_configuration" "replication" { - #checkov:skip=CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads" count = var.replication_enabled ? 1 : 0 provider = aws.bucket-replication diff --git a/test/s3_bucket_creation_test.go b/test/s3_bucket_creation_test.go index 72f6558..34bf9af 100644 --- a/test/s3_bucket_creation_test.go +++ b/test/s3_bucket_creation_test.go @@ -7,7 +7,6 @@ import ( "github.com/gruntwork-io/terratest/modules/aws" "github.com/gruntwork-io/terratest/modules/terraform" "github.com/stretchr/testify/assert" - ) func TestS3Creation(t *testing.T) { @@ -33,7 +32,7 @@ func TestS3Creation(t *testing.T) { bucketAES256 := terraform.Output(t, terraformOptions, "bucket_aes256") assert.Regexp(t, regexp.MustCompile(`AES256`), bucketAES256) - assert.Regexp(t, regexp.MustCompile(`arn:aws:s3:::unit-test-bucket*`), bucketArn) + assert.Regexp(t, regexp.MustCompile(`^arn:aws:s3:::s3-bucket-*`), bucketArn) // Verify that our Bucket has a policy attached aws.AssertS3BucketPolicyExists(t, awsRegion, bucketID) 
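Review bot: The new ARN assertion in the `@@ -33,7 +32,7 @@` hunk of test/s3_bucket_creation_test.go is weaker than it reads: in `^arn:aws:s3:::s3-bucket-*` the `*` quantifies only the trailing hyphen and the pattern has no end anchor, so any output that merely starts with `arn:aws:s3:::s3-bucket` (for example `arn:aws:s3:::s3-bucketfoo`) passes. The pattern it replaces had the same flaw (`unit-test-bucket*` matched `unit-test-bucke` followed by any number of `t`), so the commit carries it forward rather than introducing it. If the intent is "the `s3-bucket` prefix plus the suffix Terraform appends for `bucket_prefix`", anchor both ends and require a non-empty, bucket-name-shaped suffix: `assert.Regexp(t, regexp.MustCompile("^arn:aws:s3:::s3-bucket-[a-z0-9.-]+$"), bucketArn)`. Note that the two modules in test/unit-test/main.tf now share the same prefix, so this check alone no longer tells you which module's bucket `bucket_arn` came from; if that matters, compare against the module's own bucket-name output instead. TestS3Creation starts before and ends after this hunk.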
@@ -41,10 +40,4 @@ func TestS3Creation(t *testing.T) { actualStatus := aws.GetS3BucketVersioning(t, awsRegion, bucketID) expectedStatus := "Enabled" assert.Equal(t, expectedStatus, actualStatus) - - // Verify bucket notification is created - //bucketNotification := terraform.Output(t, terraformOptions, "bucket_notification") - //if bucketNotification != "" { - // fmt.Println("OK") - //} else {fmt.Println("NOOOO")} } diff --git a/test/unit-test/main.tf b/test/unit-test/main.tf index 874ac24..c039f5d 100644 --- a/test/unit-test/main.tf +++ b/test/unit-test/main.tf @@ -4,7 +4,7 @@ module "s3" { providers = { aws.bucket-replication = aws } - bucket_prefix = "unit-test-bucket" + bucket_prefix = "s3-bucket" force_destroy = true tags = local.tags } @@ -14,41 +14,8 @@ module "s3_with_AES256" { providers = { aws.bucket-replication = aws } - bucket_prefix = "unit-test-bucket" + bucket_prefix = "s3-bucket" force_destroy = true sse_algorithm = "AES256" tags = local.tags } - -data "aws_iam_policy_document" "topic" { - statement { - effect = "Allow" - - principals { - type = "Service" - identifiers = ["s3.amazonaws.com"] - } - - actions = ["SNS:Publish"] - resources = ["arn:aws:sns:*:*:s3-event-notification-topic"] - - } -} -resource "aws_sns_topic" "topic" { - name = "s3-event-notification-topic" - policy = data.aws_iam_policy_document.topic.json -} - -module "s3_with_notification" { - #checkov:skip=CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads - This is not needed in our tests" - source = "../.." - providers = { - aws.bucket-replication = aws - } - bucket_prefix = "unit-test-bucket" - force_destroy = true - notification_enabled = true - notification_events = ["s3:ObjectCreated:*"] - notification_sns_arn = aws_sns_topic.topic.arn - tags = local.tags -} \ No newline at end of file diff --git a/variables.tf b/variables.tf index 6144ea6..34f71a8 100644 --- a/variables.tf +++ b/variables.tf 
@@ -148,21 +148,3 @@ variable "sse_algorithm" { description = "The server-side encryption algorithm to use" default = "aws:kms" } - -variable "notification_sns_arn" { - type = string - description = "The arn for the bucket notification SNS topic" - default = "" -} - -variable "notification_enabled" { - type = bool - description = "Boolean indicating if a notification resource is required for the bucket" - default = false -} - -variable "notification_events" { - type = list(string) - description = "The event for which we send notifications" - default = [""] -}