Support AWS v4 provider (#71)

.github/renovate.json

@@ -1,3 +1,12 @@
 {
-  "enabled": false
+  "extends": [
+    "config:base",
+    ":preserveSemverRanges"
+  ],
+  "labels": ["auto-update"],
+  "enabledManagers": ["terraform"],
+  "terraform": {
+    "ignorePaths": ["**/context.tf", "examples/**"]
+  }
 }
+

.github/workflows/auto-context.yml

@@ -35,7 +35,7 @@ jobs:
 
     - name: Create Pull Request
       if: steps.update.outputs.create_pull_request == 'true'
-      uses: cloudposse/actions/github/create-pull-request@0.22.0
+      uses: cloudposse/actions/github/create-pull-request@0.30.0
       with:
         token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
         committer: 'cloudpossebot <[email protected]>'

.github/workflows/auto-format.yml

@@ -62,7 +62,7 @@ jobs:
         fi
 
     - name: Auto Test
-      uses: cloudposse/actions/github/repository-dispatch@0.22.0
+      uses: cloudposse/actions/github/repository-dispatch@0.30.0
       # match users by ID because logins (user names) are inconsistent,
       # for example in the REST API Renovate Bot is `renovate[bot]` but
       # in GraphQL it is just `renovate`, plus there is a non-bot

.github/workflows/chatops.yml

@@ -9,7 +9,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: "Handle common commands"
-        uses: cloudposse/actions/github/slash-command-dispatch@0.22.0
+        uses: cloudposse/actions/github/slash-command-dispatch@0.30.0
         with:
           token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
           reaction-token: ${{ secrets.GITHUB_TOKEN }}
@@ -24,7 +24,7 @@ jobs:
       - name: "Checkout commit"
         uses: actions/checkout@v2
       - name: "Run tests"
-        uses: cloudposse/actions/github/slash-command-dispatch@0.22.0
+        uses: cloudposse/actions/github/slash-command-dispatch@0.30.0
         with:
           token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
           reaction-token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -1,6 +1,6 @@
 # Compiled files
 *.tfstate
-*.tfstate.backup
+*.tfstate.backup*
 *.lock.info
 **/.terraform.lock.hcl
 

README.yaml

@@ -92,6 +92,54 @@ usage: |-
     expiration_days          = 90
   }
   ```
+  
+  This module supports full S3 [storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) configuration:
+
+  ```hcl
+  locals {
+    lifecycle_configuration_rule = {
+      enabled = true # bool
+      id      = "v2rule"
+
+      abort_incomplete_multipart_upload_days = 1 # number
+
+      filter_and = null
+      expiration = {
+        days = 120 # integer > 0
+      }
+      noncurrent_version_expiration = {
+        newer_noncurrent_versions = 3  # integer > 0
+        noncurrent_days           = 60 # integer >= 0
+      }
+      transition = [{
+        days          = 30            # integer >= 0
+        storage_class = "STANDARD_IA" # string/enum, one of GLACIER, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, DEEP_ARCHIVE, GLACIER_IR.
+        },
+        {
+          days          = 60           # integer >= 0
+          storage_class = "ONEZONE_IA" # string/enum, one of GLACIER, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, DEEP_ARCHIVE, GLACIER_IR.
+      }]
+      noncurrent_version_transition = [{
+        newer_noncurrent_versions = 3            # integer >= 0
+        noncurrent_days           = 30           # integer >= 0
+        storage_class             = "ONEZONE_IA" # string/enum, one of GLACIER, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, DEEP_ARCHIVE, GLACIER_IR.
+      }]
+    }
+  }
+  
+  module "log_storage" {
+    source = "cloudposse/s3-log-storage/aws"
+    # Cloud Posse recommends pinning every module to a specific version
+    # version = "x.x.x"
+    name                     = "logs"
+    stage                    = "test"
+    namespace                = "eg"
+    
+    lifecycle_configuration_rules = [var.lifecycle_configuration_rule]
+  }
+
+  ```
+
 include:
 - docs/targets.md
 - docs/terraform.md

examples/complete/fixtures.us-east-2.tfvars

@@ -7,3 +7,25 @@ stage = "test"
 name = "s3-log-storage"
 
 allow_ssl_requests_only = true
+
+lifecycle_configuration_rules = [
+  {
+    enabled = true # bool
+    id      = "v2rule"
+
+    abort_incomplete_multipart_upload_days = 1 # number
+
+    filter_and = null
+    expiration = null
+    transition = null
+    noncurrent_version_expiration = {
+      newer_noncurrent_versions = 3  # integer > 0
+      noncurrent_days           = 90 # integer >= 0
+    }
+    noncurrent_version_transition = [{
+      newer_noncurrent_versions = 3            # integer >= 0
+      noncurrent_days           = 30           # integer >= 0
+      storage_class             = "ONEZONE_IA" # string/enum, one of GLACIER, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, DEEP_ARCHIVE, GLACIER_IR.
+    }]
+  }
+]

examples/complete/main.tf

@@ -3,8 +3,11 @@ provider "aws" {
 }
 
 module "s3_log_storage" {
-  source        = "../../"
-  force_destroy = false
+  source                = "../../"
+  force_destroy         = true
+  force_destroy_enabled = true
+
+  lifecycle_configuration_rules = var.lifecycle_configuration_rules
 
   context = module.this.context
 }

examples/complete/variables.tf

@@ -6,4 +6,28 @@ variable "allow_ssl_requests_only" {
   type        = bool
   default     = true
   description = "Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests"
-}
+}
+
+variable "lifecycle_configuration_rules" {
+  type = list(object({
+    enabled = bool
+    id      = string
+
+    abort_incomplete_multipart_upload_days = number
+
+    # `filter_and` is the `and` configuration block inside the `filter` configuration.
+    # This is the only place you should specify a prefix.
+    filter_and = any
+    expiration = any
+    transition = list(any)
+
+    noncurrent_version_expiration = any
+    noncurrent_version_transition = list(any)
+  }))
+  default     = []
+  description = <<-EOT
+    A list of S3 bucket v2 lifecycle rules, as specified in [terraform-aws-s3-bucket](https://github.com/cloudposse/terraform-aws-s3-bucket)"
+    These rules are not affected by the deprecated `lifecycle_rule_enabled` flag.
+    **NOTE:** Unless you also set `lifecycle_rule_enabled = false` you will also get the default deprecated rules set on your bucket.
+    EOT
+}

examples/complete/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.15"
+  required_version = ">= 1.0"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.0, < 4.0"
+      version = ">= 4.0"
     }
     local = {
       source  = "hashicorp/local"

main.tf

@@ -1,30 +1,7 @@
-locals {
-  lifecycle_rule = {
-    enabled = var.lifecycle_rule_enabled
-    prefix  = var.lifecycle_prefix
-    tags    = var.lifecycle_tags
-
-    abort_incomplete_multipart_upload_days = var.abort_incomplete_multipart_upload_days
-
-    enable_glacier_transition            = var.enable_glacier_transition
-    enable_deeparchive_transition        = false
-    enable_standard_ia_transition        = true
-    enable_current_object_expiration     = true
-    enable_noncurrent_version_expiration = var.enable_noncurrent_version_expiration
-
-    noncurrent_version_glacier_transition_days     = var.noncurrent_version_transition_days
-    noncurrent_version_deeparchive_transition_days = null
-    noncurrent_version_expiration_days             = var.noncurrent_version_expiration_days
-
-    standard_transition_days    = var.standard_transition_days
-    glacier_transition_days     = var.glacier_transition_days
-    deeparchive_transition_days = null
-    expiration_days             = var.expiration_days
-  }
-}
 
 # Terraform prior to 1.1 does not support a `moved` block.
-# Terraform 1.1 does not a support move to an object declared in external module package.
+# Terraform 1.1 supports `moved` blocks in general, but does not a support
+# a move to an object declared in external module package.
 # Leaving this here for documentation and in case Terraform later supports it.
 /*
 moved {
@@ -45,26 +22,59 @@ moved {
 }
 */
 
+locals {
+  # This is a big hack to enable us to generate something close to a custom error message
+  force_destroy_error_message = <<-EOT
+
+    ** ERROR: You must set `force_destroy_enabled = true` to enable `force_destroy`. **n/
+    ** WARNING: Upgrading this module from a version prior to 0.27.0 to this version **n/
+    **  will cause Terraform to delete your existing S3 bucket CAUSING COMPLETE DATA LOSS **n/
+    **  unless you follow the upgrade instructions on the Wiki [here](https://github.com/cloudposse/terraform-aws-s3-log-storage/wiki/Upgrading-to-v0.27.0-(POTENTIAL-DATA-LOSS)). **n/
+    **  See additional instructions for upgrading from v0.27.0 to v0.28.0 [here](https://github.com/cloudposse/terraform-aws-s3-log-storage/wiki/Upgrading-to-v0.28.0-and-AWS-provider-v4-(POTENTIAL-DATA-LOSS)). **n/
+
+    EOT
+  force_destroy_safety = {
+    true = {
+      true  = "true"
+      false = "false"
+    },
+    false = {
+      true  = local.force_destroy_error_message
+      false = "false"
+    }
+  }
+  # Generate an error message when `force_destroy == true && force_destroy_enabled == false`
+  force_destroy = tobool(local.force_destroy_safety[var.force_destroy_enabled][var.force_destroy])
+
+  bucket_name = var.bucket_name == null || var.bucket_name == "" ? module.this.id : var.bucket_name
+}
+
 module "aws_s3_bucket" {
   source  = "cloudposse/s3-bucket/aws"
-  version = "0.47.1"
+  version = "0.49.0"
 
-  bucket_name        = module.this.id
+  bucket_name        = local.bucket_name
   acl                = var.acl
-  force_destroy      = var.force_destroy
-  policy             = var.policy
+  force_destroy      = local.force_destroy
   versioning_enabled = var.versioning_enabled
 
-  lifecycle_rule_ids = [module.this.id]
-  lifecycle_rules    = [local.lifecycle_rule]
+  source_policy_documents = var.source_policy_documents
+  # Support deprecated `policy` input
+  policy = var.policy
+
+  lifecycle_configuration_rules = var.lifecycle_configuration_rules
+  # Support deprecated lifecycle inputs
+  lifecycle_rule_ids = local.deprecated_lifecycle_rule.enabled ? [module.this.id] : null
+  lifecycle_rules    = local.deprecated_lifecycle_rule.enabled ? [local.deprecated_lifecycle_rule] : null
 
   logging = var.access_log_bucket_name == "" ? null : {
     bucket_name = var.access_log_bucket_name
-    prefix      = "${var.access_log_bucket_prefix}${module.this.id}/"
+    prefix      = "${var.access_log_bucket_prefix}${local.bucket_name}/"
   }
 
   sse_algorithm      = var.sse_algorithm
   kms_master_key_arn = var.kms_master_key_arn
+  bucket_key_enabled = var.bucket_key_enabled
 
   allow_encrypted_uploads_only = var.allow_encrypted_uploads_only
   allow_ssl_requests_only      = var.allow_ssl_requests_only
@@ -74,7 +84,7 @@ module "aws_s3_bucket" {
   ignore_public_acls      = var.ignore_public_acls
   restrict_public_buckets = var.restrict_public_buckets
 
-  s3_object_ownership = "BucketOwnerPreferred"
+  s3_object_ownership = var.s3_object_ownership
 
   context = module.this.context
 }

test/Makefile

@@ -33,9 +33,7 @@ clean:
 all: module examples/complete
 
 ## Run basic sanity checks against the module itself
-# Temporarily remove provider pinning test while working on AWS provider v4.0 support
-#module: export TESTS ?= installed lint module-pinning provider-pinning validate terraform-docs input-descriptions output-descriptions
-module: export TESTS ?= installed lint module-pinning validate terraform-docs input-descriptions output-descriptions
+module: export TESTS ?= installed lint module-pinning provider-pinning validate terraform-docs input-descriptions output-descriptions
 module: deps
 	$(call RUN_TESTS, ../)