diff --git a/README.md b/README.md index d135866..33e90f3 100644 --- a/README.md +++ b/README.md @@ -218,7 +218,7 @@ Available targets: | [abort\_incomplete\_multipart\_upload\_days](#input\_abort\_incomplete\_multipart\_upload\_days) | (Deprecated, use `lifecycle_configuration_rules` instead)
Maximum time (in days) that you want to allow multipart uploads to remain in progress | `number` | `null` | no | | [access\_log\_bucket\_name](#input\_access\_log\_bucket\_name) | Name of the S3 bucket where S3 access logs will be sent to | `string` | `""` | no | | [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Prefix to prepend to the current S3 bucket name, where S3 access logs will be sent to | `string` | `"logs/"` | no | -| [acl](#input\_acl) | The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services | `string` | `"log-delivery-write"` | no | +| [acl](#input\_acl) | The [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply.
Deprecated by AWS in favor of bucket policies.
Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced".
Defaults to "private" for backwards compatibility, but we recommend setting `s3_object_ownership` to "BucketOwnerEnforced" instead. | `string` | `"log-delivery-write"` | no | | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [allow\_encrypted\_uploads\_only](#input\_allow\_encrypted\_uploads\_only) | Set to `true` to prevent uploads of unencrypted objects to S3 bucket | `bool` | `false` | no | | [allow\_ssl\_requests\_only](#input\_allow\_ssl\_requests\_only) | Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `true` | no | @@ -240,6 +240,7 @@ Available targets: | [expiration\_days](#input\_expiration\_days) | (Deprecated, use `lifecycle_configuration_rules` instead)
Number of days after which to expunge the objects | `number` | `null` | no | | [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.
THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier.
Must be set `false` unless `force_destroy_enabled` is also `true`. | `bool` | `false` | no | | [glacier\_transition\_days](#input\_glacier\_transition\_days) | (Deprecated, use `lifecycle_configuration_rules` instead)
Number of days after which to move the data to the Glacier Flexible Retrieval storage tier | `number` | `null` | no | +| [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.
Conflicts with `acl`. Set `acl` to `null` to use this.
Deprecated by AWS in favor of bucket policies, but still required for some log delivery services.
Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". |
list(object({
id = string
type = string
permissions = list(string)
uri = string
}))
| `[]` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | | [ignore\_public\_acls](#input\_ignore\_public\_acls) | Set to `false` to disable the ignoring of public access lists on the bucket | `bool` | `true` | no | | [kms\_master\_key\_arn](#input\_kms\_master\_key\_arn) | The AWS KMS master key ARN used for the SSE-KMS encryption. This can only be used when you set the value of sse\_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse\_algorithm is aws:kms | `string` | `""` | no | diff --git a/docs/terraform.md b/docs/terraform.md index d040a0b..29603bb 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -38,7 +38,7 @@ | [abort\_incomplete\_multipart\_upload\_days](#input\_abort\_incomplete\_multipart\_upload\_days) | (Deprecated, use `lifecycle_configuration_rules` instead)
Maximum time (in days) that you want to allow multipart uploads to remain in progress | `number` | `null` | no | | [access\_log\_bucket\_name](#input\_access\_log\_bucket\_name) | Name of the S3 bucket where S3 access logs will be sent to | `string` | `""` | no | | [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Prefix to prepend to the current S3 bucket name, where S3 access logs will be sent to | `string` | `"logs/"` | no | -| [acl](#input\_acl) | The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services | `string` | `"log-delivery-write"` | no | +| [acl](#input\_acl) | The [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply.
Deprecated by AWS in favor of bucket policies.
Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced".
Defaults to "private" for backwards compatibility, but we recommend setting `s3_object_ownership` to "BucketOwnerEnforced" instead. | `string` | `"log-delivery-write"` | no | | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [allow\_encrypted\_uploads\_only](#input\_allow\_encrypted\_uploads\_only) | Set to `true` to prevent uploads of unencrypted objects to S3 bucket | `bool` | `false` | no | | [allow\_ssl\_requests\_only](#input\_allow\_ssl\_requests\_only) | Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `true` | no | @@ -60,6 +60,7 @@ | [expiration\_days](#input\_expiration\_days) | (Deprecated, use `lifecycle_configuration_rules` instead)
Number of days after which to expunge the objects | `number` | `null` | no | | [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.
THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier.
Must be set `false` unless `force_destroy_enabled` is also `true`. | `bool` | `false` | no | | [glacier\_transition\_days](#input\_glacier\_transition\_days) | (Deprecated, use `lifecycle_configuration_rules` instead)
Number of days after which to move the data to the Glacier Flexible Retrieval storage tier | `number` | `null` | no | +| [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.
Conflicts with `acl`. Set `acl` to `null` to use this.
Deprecated by AWS in favor of bucket policies, but still required for some log delivery services.
Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". |
list(object({
id = string
type = string
permissions = list(string)
uri = string
}))
| `[]` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | | [ignore\_public\_acls](#input\_ignore\_public\_acls) | Set to `false` to disable the ignoring of public access lists on the bucket | `bool` | `true` | no | | [kms\_master\_key\_arn](#input\_kms\_master\_key\_arn) | The AWS KMS master key ARN used for the SSE-KMS encryption. This can only be used when you set the value of sse\_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse\_algorithm is aws:kms | `string` | `""` | no | diff --git a/main.tf b/main.tf index bbc6343..a458fd2 100644 --- a/main.tf +++ b/main.tf @@ -21,6 +21,7 @@ module "aws_s3_bucket" { bucket_name = local.bucket_name acl = var.acl + grants = var.grants force_destroy = var.force_destroy versioning_enabled = var.versioning_enabled diff --git a/outputs.tf b/outputs.tf index 8c8d4fb..05c8d43 100644 --- a/outputs.tf +++ b/outputs.tf @@ -19,7 +19,7 @@ output "prefix" { } output "bucket_notifications_sqs_queue_arn" { - value = join("", aws_sqs_queue.notifications.*.arn) + value = join("", aws_sqs_queue.notifications[*].arn) description = "Notifications SQS queue ARN" } diff --git a/sqs_notifications.tf b/sqs_notifications.tf index 97c4799..593efe2 100644 --- a/sqs_notifications.tf +++ b/sqs_notifications.tf @@ -2,7 +2,7 @@ locals { enabled = module.this.enabled sqs_notifications_enabled = local.enabled && var.bucket_notifications_enabled && var.bucket_notifications_type == "SQS" sqs_queue_name = module.this.id - partition = join("", data.aws_partition.current.*.partition) + partition = join("", data.aws_partition.current[*].partition) } data "aws_caller_identity" "current" { count = local.enabled ? 1 : 0 } 
@@ -12,7 +12,7 @@ resource "aws_sqs_queue" "notifications" { #bridgecrew:skip=BC_AWS_GENERAL_16:Skipping `AWS SQS server side encryption is not enabled` check because this queue does not have sensitive data. Enabling the encryption for S3 publisher requires the new CMK which is extra here. count = local.sqs_notifications_enabled ? 1 : 0 name = local.sqs_queue_name - policy = join("", data.aws_iam_policy_document.sqs_policy.*.json) + policy = join("", data.aws_iam_policy_document.sqs_policy[*].json) tags = module.this.tags } @@ -39,7 +39,7 @@ data "aws_iam_policy_document" "sqs_policy" { test = "StringEquals" variable = "aws:SourceAccount" values = [ - join("", data.aws_caller_identity.current.*.account_id)] + join("", data.aws_caller_identity.current[*].account_id)] } } } @@ -49,7 +49,7 @@ resource "aws_s3_bucket_notification" "bucket_notification" { bucket = join("", module.aws_s3_bucket.bucket_id) queue { - queue_arn = join("", aws_sqs_queue.notifications.*.arn) + queue_arn = join("", aws_sqs_queue.notifications[*].arn) events = [ "s3:ObjectCreated:*" ] diff --git a/variables.tf b/variables.tf index f56a88e..fd2513b 100644 --- a/variables.tf +++ b/variables.tf 
@@ -20,8 +20,29 @@ variable "object_lock_configuration" { variable "acl" { type = string - description = "The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services" + description = <<-EOT + The [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply. + Deprecated by AWS in favor of bucket policies. + Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". + Defaults to "private" for backwards compatibility, but we recommend setting `s3_object_ownership` to "BucketOwnerEnforced" instead. + EOT default = "log-delivery-write" +} + +variable "grants" { + type = list(object({ + id = string + type = string + permissions = list(string) + uri = string + })) + description = <<-EOT + A list of policy grants for the bucket, taking a list of permissions. + Conflicts with `acl`. Set `acl` to `null` to use this. + Deprecated by AWS in favor of bucket policies, but still required for some log delivery services. + Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". + EOT + default = [] nullable = false }
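Review bot: The new `grants` row in the README hunk @@ -240,6 +240,7 @@ (mirrored in docs/terraform.md) says grants are "still required for some log delivery services" but does not warn that a grant with `type = "Group"` naming the AllUsers or AuthenticatedUsers group URI is a public ACL, and that it is neutralized only because `ignore_public_acls` defaults to `true` further down the same table. A caller who flips `ignore_public_acls` to `false` to make such a grant take effect gets exactly the public exposure that the "Deprecated by AWS in favor of bucket policies" sentence is steering people away from. One sentence along the lines of "Public group URIs (AllUsers, AuthenticatedUsers) are ignored while `ignore_public_acls` is `true`" would make the interaction explicit. Since both tables are generated from variables.tf, put the wording there and regenerate rather than hand-editing the markdown.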
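Review bot: `grants = var.grants` in the main.tf hunk is passed straight through to `module "aws_s3_bucket"`, but the hunk shows no change to that module's `source` or `version`, so confirm the pinned version of the upstream bucket module already accepts a `grants` input; if it does not, `terraform plan` fails with an unsupported-argument error for every caller as soon as this is merged, regardless of whether they use grants. If a version bump is required it belongs in this same change next to the new variable.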
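Review bot: In the variables.tf hunk the new `acl` description states `Defaults to "private" for backwards compatibility`, while the unchanged `default = "log-delivery-write"` line immediately below it says otherwise, and the README and docs/terraform.md tables reproduce the contradiction (description column says private, default column says log-delivery-write). Either change the default to "private" (a behaviour change that needs a changelog entry, since callers relying on log-delivery-write for S3 server access logging would silently lose the delivery grant) or reword to `Defaults to "log-delivery-write" for backwards compatibility`. Three smaller points in the same hunk: the `grants` object type requires all four of `id`, `type`, `permissions` and `uri` on every element, yet an ACL grant uses either `id` (CanonicalUser) or `uri` (Group), so callers must pass `uri = null` or `id = null` each time; consider `optional(string)` for those two if the module's minimum Terraform version allows it, or document the null convention in the description. "A list of policy grants" is misleading for ACL grants; "A list of ACL grants" matches the next sentence, which says they conflict with `acl`. And the hunk relocates the `nullable = false` context line from `acl` to `grants`, which is what makes `acl = null` possible, but nothing in the description or commit message says so; a brief note would save the next reader a diff hunt.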