From aa3d8016b78bfbbd6349b32669338318eae0cd4f Mon Sep 17 00:00:00 2001
From: David Elliott
Date: Fri, 13 Oct 2023 14:52:20 +0100
Subject: [PATCH] Refactor config aggregation bucket to use s3 module
This resolves deprecation warnings.
---
 modules/config-aggregation-bucket/main.tf | 36 +++++++++-----------
 modules/config-aggregation-bucket/outputs.tf | 4 +-
 2 files changed, 18 insertions(+), 22 deletions(-)
diff --git a/modules/config-aggregation-bucket/main.tf b/modules/config-aggregation-bucket/main.tf
index f4591a09..2b8092c0 100644
--- a/modules/config-aggregation-bucket/main.tf
+++ b/modules/config-aggregation-bucket/main.tf
@@ -7,7 +7,7 @@ data "aws_caller_identity" "current" {}
 locals {
 caller_identity = data.aws_caller_identity.current
- bucket_policy_allowed_object_prefix = formatlist("${aws_s3_bucket.bucket.arn}/AWSLogs/%s/Config/*", concat([local.caller_identity.id], var.enrolled_account_ids))
+ bucket_policy_allowed_object_prefix = formatlist("${module.bucket.bucket.arn}/AWSLogs/%s/Config/*", concat([local.caller_identity.id], var.enrolled_account_ids))
 }
 # S3 bucket policy for a logging bucket in another account
@@ -20,7 +20,7 @@ data "aws_iam_policy_document" "bucket_policy" {
 sid = "AWSConfigBucketPermissionsCheck"
 effect = "Allow"
 actions = ["s3:GetBucketAcl"]
- resources = [aws_s3_bucket.bucket.arn]
+ resources = [module.bucket.bucket.arn]
 principals {
 type = "Service"
@@ -33,7 +33,7 @@ data "aws_iam_policy_document" "bucket_policy" {
 sid = "AWSConfigBucketExistenceCheck"
 effect = "Allow"
 actions = ["s3:ListBucket"]
- resources = [aws_s3_bucket.bucket.arn]
+ resources = [module.bucket.bucket.arn]
 principals {
 type = "Service"
@@ -61,32 +61,28 @@ data "aws_iam_policy_document" "bucket_policy" {
 }
 }
-resource "aws_s3_bucket" "bucket" {
+module "bucket" {
+ source = "../s3"
+
 bucket_prefix = var.bucket_prefix
- acl = "private"
- # NB: AWS Config can't deliver to buckets with object lock turned on, which is why
- # it's not configured.
+ bucket_acl = "private"
+
+ attach_policy = true
+ policy = data.aws_iam_policy_document.bucket_policy.json
- server_side_encryption_configuration {
- rule {
+ enable_versioning = true
+
+ server_side_encryption_configuration = {
+ rule = {
 # You can't use a different KMS key as Config stores objects already encrypted with
 # the AWS managed S3 KMS key
- apply_server_side_encryption_by_default {
+ apply_server_side_encryption_by_default = {
 kms_master_key_id = "aws/s3"
 sse_algorithm = "aws:kms"
 }
 }
 }
- versioning {
- enabled = true
- }
-
- tags = var.tags
-}
-
-resource "aws_s3_bucket_policy" "bucket_policy" {
- bucket = aws_s3_bucket.bucket.id
- policy = data.aws_iam_policy_document.bucket_policy.json
+ additional_tags = var.tags
 }
diff --git a/modules/config-aggregation-bucket/outputs.tf b/modules/config-aggregation-bucket/outputs.tf
index c2460530..e739027e 100644
--- a/modules/config-aggregation-bucket/outputs.tf
+++ b/modules/config-aggregation-bucket/outputs.tf
@@ -1,7 +1,7 @@
 output "s3_bucket_arn" {
- value = aws_s3_bucket.bucket.arn
+ value = module.bucket.bucket.arn
 }
 output "s3_bucket_name" {
- value = aws_s3_bucket.bucket.bucket
+ value = module.bucket.bucket.bucket
 }
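Review bot: The removed `# NB: AWS Config can't deliver to buckets with object lock turned on, which is why it's not configured.` comment has no counterpart in the new `module "bucket"` block, so the reason object lock must stay off is lost to the next maintainer; keep it next to `bucket_prefix`, e.g. `# NB: AWS Config can't deliver to buckets with object lock enabled, so it is deliberately not configured here (do not turn it on in the ../s3 call).` The document passed as `policy = data.aws_iam_policy_document.bucket_policy.json` is built from `module.bucket.bucket.arn` (the hunks at lines 7, 20 and 33), so the module now consumes a value derived from its own output; Terraform accepts this only if the bucket resource inside ../s3 does not itself depend on `var.policy` or `var.attach_policy`, which is not visible here, so a plan against a fresh state is worth running to rule out a cycle. `additional_tags = var.tags` replaces `tags = var.tags`, which presumably means the module merges its own tags in, so the resulting tag set may differ from before for anything that audits tags on this bucket.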