Release: 1.10.0

AWS · AWS · commit 1c6194d2c10d · 2023-04-19T01:46:21.000Z
diff --git a/README.md b/README.md
@@ -64,13 +64,13 @@ As of version 1.6.0, AFT collects anonymous operational metrics to help AWS impr
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9.0, < 5.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.27.0, < 5.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9.0, < 5.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.27.0, < 5.0.0 |
 | <a name="provider_local"></a> [local](#provider\_local) | n/a |
 
 ## Modules
@@ -134,7 +134,7 @@ As of version 1.6.0, AFT collects anonymous operational metrics to help AWS impr
 | <a name="input_terraform_org_name"></a> [terraform\_org\_name](#input\_terraform\_org\_name) | Organization name for Terraform Cloud or Enterprise | `string` | `"null"` | no |
 | <a name="input_terraform_token"></a> [terraform\_token](#input\_terraform\_token) | Terraform token for Cloud or Enterprise | `string` | `"null"` | no |
 | <a name="input_terraform_version"></a> [terraform\_version](#input\_terraform\_version) | Terraform version being used for AFT | `string` | `"0.15.5"` | no |
-| <a name="input_tf_backend_secondary_region"></a> [tf\_backend\_secondary\_region](#input\_tf\_backend\_secondary\_region) | AFT creates a backend for state tracking for its own state as well as OSS cases. The backend's primary region is the same as the AFT region, but this defines the secondary region to replicate to. | `string` | n/a | yes |
+| <a name="input_tf_backend_secondary_region"></a> [tf\_backend\_secondary\_region](#input\_tf\_backend\_secondary\_region) | AFT creates a backend for state tracking for its own state as well as OSS cases. The backend's primary region is the same as the AFT region, but this defines the secondary region to replicate to. | `string` | `""` | no |
 | <a name="input_vcs_provider"></a> [vcs\_provider](#input\_vcs\_provider) | Customer VCS Provider - valid inputs are codecommit, bitbucket, github, or githubenterprise | `string` | `"codecommit"` | no |
 
 ## Outputs
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.9.2
+1.10.0
diff --git a/main.tf b/main.tf
@@ -143,6 +143,7 @@ module "aft_feature_options" {
   log_archive_bucket_object_expiration_days = local.log_archive_bucket_object_expiration_days
   aft_features_sfn_name                     = local.aft_features_sfn_name
   aft_kms_key_arn                           = module.aft_account_request_framework.aft_kms_key_arn
+  aft_kms_key_id                            = module.aft_account_request_framework.aft_kms_key_id
   aft_common_layer_arn                      = module.aft_lambda_layer.layer_version_arn
   aft_sns_topic_arn                         = module.aft_account_request_framework.sns_topic_arn
   aft_failure_sns_topic_arn                 = module.aft_account_request_framework.failure_sns_topic_arn
diff --git a/modules/aft-backend/main.tf b/modules/aft-backend/main.tf
@@ -17,10 +17,21 @@ resource "aws_s3_bucket" "primary-backend-bucket" {
   }
 }
 
+#tfsec:ignore:aws-s3-enable-bucket-logging
+resource "aws_s3_bucket" "secondary-backend-bucket" {
+  count    = var.secondary_region == "" ? 0 : 1
+  provider = aws.secondary_region
+  bucket   = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"
+  tags = {
+    "Name" = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"
+  }
+}
+
 resource "aws_s3_bucket_replication_configuration" "primary-backend-bucket-replication" {
+  count    = var.secondary_region == "" ? 0 : 1
   provider = aws.primary_region
   bucket   = aws_s3_bucket.primary-backend-bucket.id
-  role     = aws_iam_role.replication.arn
+  role     = aws_iam_role.replication[0].arn
 
   rule {
     id       = "0"
@@ -33,10 +44,10 @@ resource "aws_s3_bucket_replication_configuration" "primary-backend-bucket-repli
     }
 
     destination {
-      bucket        = aws_s3_bucket.secondary-backend-bucket.arn
+      bucket        = aws_s3_bucket.secondary-backend-bucket[0].arn
       storage_class = "STANDARD"
       encryption_configuration {
-        replica_kms_key_id = aws_kms_key.encrypt-secondary-region.arn
+        replica_kms_key_id = aws_kms_key.encrypt-secondary-region[0].arn
       }
     }
   }
@@ -62,12 +73,6 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "primary-backend-b
   }
 }
 
-resource "aws_s3_bucket_acl" "primary-backend-bucket-acl" {
-  provider = aws.primary_region
-  bucket   = aws_s3_bucket.primary-backend-bucket.id
-  acl      = "private"
-}
-
 
 resource "aws_s3_bucket_public_access_block" "primary-backend-bucket" {
   provider = aws.primary_region
@@ -80,47 +85,33 @@ resource "aws_s3_bucket_public_access_block" "primary-backend-bucket" {
   restrict_public_buckets = true
 }
 
-#tfsec:ignore:aws-s3-enable-bucket-logging
-resource "aws_s3_bucket" "secondary-backend-bucket" {
-  provider = aws.secondary_region
-  bucket   = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"
-  tags = {
-    "Name" = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"
-  }
-}
-
 resource "aws_s3_bucket_versioning" "secondary-backend-bucket-versioning" {
+  count    = var.secondary_region == "" ? 0 : 1
   provider = aws.secondary_region
-  bucket   = aws_s3_bucket.secondary-backend-bucket.id
+  bucket   = aws_s3_bucket.secondary-backend-bucket[0].id
   versioning_configuration {
     status = "Enabled"
   }
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "secondary-backend-bucket-encryption" {
+  count    = var.secondary_region == "" ? 0 : 1
   provider = aws.secondary_region
-  bucket   = aws_s3_bucket.secondary-backend-bucket.id
+  bucket   = aws_s3_bucket.secondary-backend-bucket[0].id
 
   rule {
     apply_server_side_encryption_by_default {
-      kms_master_key_id = aws_kms_key.encrypt-secondary-region.arn
+      kms_master_key_id = aws_kms_key.encrypt-secondary-region[0].arn
       sse_algorithm     = "aws:kms"
     }
   }
 }
 
-resource "aws_s3_bucket_acl" "secondary-backend-bucket-acl" {
-  provider = aws.secondary_region
-  bucket   = aws_s3_bucket.secondary-backend-bucket.id
-  acl      = "private"
-}
-
-
-
 resource "aws_s3_bucket_public_access_block" "secondary-backend-bucket" {
+  count    = var.secondary_region == "" ? 0 : 1
   provider = aws.secondary_region
 
-  bucket = aws_s3_bucket.secondary-backend-bucket.id
+  bucket = aws_s3_bucket.secondary-backend-bucket[0].id
 
   block_public_acls       = true
   block_public_policy     = true
@@ -129,6 +120,7 @@ resource "aws_s3_bucket_public_access_block" "secondary-backend-bucket" {
 }
 
 resource "aws_iam_role" "replication" {
+  count    = var.secondary_region == "" ? 0 : 1
   provider = aws.primary_region
   name     = "aft-s3-terraform-backend-replication"
 
@@ -149,6 +141,7 @@ POLICY
 }
 
 resource "aws_iam_policy" "replication" {
+  count    = var.secondary_region == "" ? 0 : 1
   provider = aws.primary_region
   name     = "aft-s3-terraform-backend-replication-policy"
 
@@ -191,11 +184,11 @@ resource "aws_iam_policy" "replication" {
                         "AES256"
                     ],
                     "s3:x-amz-server-side-encryption-aws-kms-key-id": [
-                        "${aws_kms_key.encrypt-secondary-region.arn}"
+                        "${aws_kms_key.encrypt-secondary-region[0].arn}"
                     ]
                 }
             },
-            "Resource": "${aws_s3_bucket.secondary-backend-bucket.arn}/*"
+            "Resource": "${aws_s3_bucket.secondary-backend-bucket[0].arn}/*"
         },
         {
             "Action": [
@@ -240,12 +233,12 @@ resource "aws_iam_policy" "replication" {
                 "StringLike": {
                     "kms:ViaService": "s3.${var.secondary_region}.amazonaws.com",
                     "kms:EncryptionContext:aws:s3:arn": [
-                        "${aws_s3_bucket.secondary-backend-bucket.arn}/*"
+                        "${aws_s3_bucket.secondary-backend-bucket[0].arn}/*"
                     ]
                 }
             },
             "Resource": [
-                "${aws_kms_key.encrypt-secondary-region.arn}"
+                "${aws_kms_key.encrypt-secondary-region[0].arn}"
             ]
         }
     ]
@@ -254,9 +247,10 @@ POLICY
 }
 
 resource "aws_iam_role_policy_attachment" "replication" {
+  count      = var.secondary_region == "" ? 0 : 1
   provider   = aws.primary_region
-  role       = aws_iam_role.replication.name
-  policy_arn = aws_iam_policy.replication.arn
+  role       = aws_iam_role.replication[0].name
+  policy_arn = aws_iam_policy.replication[0].arn
 }
 
 
@@ -277,16 +271,21 @@ resource "aws_dynamodb_table" "lock-table" {
     type = "S"
   }
 
-  replica {
-    region_name = var.secondary_region
+  tags = {
+    "Name" = "aft-backend-${data.aws_caller_identity.current.account_id}"
   }
+}
+
+resource "aws_dynamodb_table_replica" "lock-table-replica" {
+  count            = var.secondary_region == "" ? 0 : 1
+  provider         = aws.secondary_region
+  global_table_arn = aws_dynamodb_table.lock-table.arn
 
   tags = {
     "Name" = "aft-backend-${data.aws_caller_identity.current.account_id}"
   }
 }
 
-
 # KMS Resources
 
 resource "aws_kms_key" "encrypt-primary-region" {
@@ -308,6 +307,7 @@ resource "aws_kms_alias" "encrypt-alias-primary-region" {
 }
 
 resource "aws_kms_key" "encrypt-secondary-region" {
+  count    = var.secondary_region == "" ? 0 : 1
   provider = aws.secondary_region
 
   description             = "Terraform backend KMS key."
@@ -319,8 +319,9 @@ resource "aws_kms_key" "encrypt-secondary-region" {
 }
 
 resource "aws_kms_alias" "encrypt-alias-secondary-region" {
+  count    = var.secondary_region == "" ? 0 : 1
   provider = aws.secondary_region
 
   name          = "alias/aft-backend-${data.aws_caller_identity.current.account_id}-kms-key"
-  target_key_id = aws_kms_key.encrypt-secondary-region.key_id
+  target_key_id = aws_kms_key.encrypt-secondary-region[0].key_id
 }
diff --git a/modules/aft-backend/versions.tf b/modules/aft-backend/versions.tf
@@ -7,7 +7,7 @@ terraform {
   required_providers {
     aws = {
       source                = "hashicorp/aws"
-      version               = ">= 4.9.0"
+      version               = ">= 4.27.0"
       configuration_aliases = [aws.primary_region, aws.secondary_region]
     }
   }
diff --git a/modules/aft-code-repositories/versions.tf b/modules/aft-code-repositories/versions.tf
@@ -7,7 +7,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.9.0"
+      version = ">= 4.27.0"
     }
   }
 }
diff --git a/modules/aft-customizations/s3.tf b/modules/aft-customizations/s3.tf
@@ -33,8 +33,3 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "aft-codepipeline-
     }
   }
 }
-
-resource "aws_s3_bucket_acl" "aft-codepipeline-customizations-bucket-acl" {
-  bucket = aws_s3_bucket.aft_codepipeline_customizations_bucket.id
-  acl    = "private"
-}
diff --git a/modules/aft-customizations/versions.tf b/modules/aft-customizations/versions.tf
@@ -7,7 +7,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.9.0"
+      version = ">= 4.27.0"
     }
   }
 }
diff --git a/modules/aft-feature-options/s3.tf b/modules/aft-feature-options/s3.tf
@@ -69,7 +69,7 @@ resource "aws_s3_bucket_public_access_block" "aft_logging_bucket" {
   restrict_public_buckets = true
 }
 
-
+#tfsec:ignore:aws-s3-enable-bucket-logging
 resource "aws_s3_bucket" "aft_access_logs" {
   provider = aws.log_archive
   bucket   = "${var.log_archive_access_logs_bucket_name}-${var.log_archive_account_id}-${data.aws_region.current.name}"
@@ -89,7 +89,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "aft_access_logs_e
 
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
+      kms_master_key_id = var.aft_kms_key_id
+      sse_algorithm     = "aws:kms"
     }
   }
 }
@@ -111,12 +112,6 @@ resource "aws_s3_bucket_lifecycle_configuration" "aft_access_logs_lifecycle_conf
 
 }
 
-resource "aws_s3_bucket_acl" "aft_access_logs_acl" {
-  provider = aws.log_archive
-  bucket   = aws_s3_bucket.aft_access_logs.id
-  acl      = "log-delivery-write"
-}
-
 resource "aws_s3_bucket_public_access_block" "aft_access_logs" {
   provider                = aws.log_archive
   bucket                  = aws_s3_bucket.aft_access_logs.id
diff --git a/modules/aft-feature-options/variables.tf b/modules/aft-feature-options/variables.tf
@@ -21,6 +21,10 @@ variable "aft_kms_key_arn" {
   type = string
 }
 
+variable "aft_kms_key_id" {
+  type = string
+}
+
 variable "aft_sns_topic_arn" {
   type = string
 }
diff --git a/modules/aft-feature-options/versions.tf b/modules/aft-feature-options/versions.tf
@@ -7,7 +7,7 @@ terraform {
   required_providers {
     aws = {
       source                = "hashicorp/aws"
-      version               = ">= 4.9.0"
+      version               = ">= 4.27.0"
       configuration_aliases = [aws.ct_management, aws.log_archive, aws.audit, aws.aft_management]
     }
   }
diff --git a/modules/aft-iam-roles/admin-role/main.tf b/modules/aft-iam-roles/admin-role/main.tf
@@ -5,7 +5,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.9.0"
+      version = ">= 4.27.0"
     }
   }
 }
diff --git a/modules/aft-iam-roles/service-role/main.tf b/modules/aft-iam-roles/service-role/main.tf
@@ -6,7 +6,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.9.0"
+      version = ">= 4.27.0"
     }
   }
 }
diff --git a/modules/aft-iam-roles/versions.tf b/modules/aft-iam-roles/versions.tf
@@ -7,7 +7,7 @@ terraform {
   required_providers {
     aws = {
       source                = "hashicorp/aws"
-      version               = ">= 4.9.0"
+      version               = ">= 4.27.0"
       configuration_aliases = [aws.ct_management, aws.log_archive, aws.audit, aws.aft_management]
     }
   }
diff --git a/modules/aft-lambda-layer/versions.tf b/modules/aft-lambda-layer/versions.tf
@@ -7,7 +7,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.9.0"
+      version = ">= 4.27.0"
     }
   }
 }
diff --git a/modules/aft-ssm-parameters/ssm.tf b/modules/aft-ssm-parameters/ssm.tf
@@ -236,6 +236,7 @@ resource "aws_ssm_parameter" "aft_config_backend_primary_region" {
 }
 
 resource "aws_ssm_parameter" "aft_config_backend_secondary_region" {
+  count = var.aft_config_backend_secondary_region == "" ? 0 : 1
   name  = "/aft/config/oss-backend/secondary-region"
   type  = "String"
   value = var.aft_config_backend_secondary_region
diff --git a/modules/aft-ssm-parameters/versions.tf b/modules/aft-ssm-parameters/versions.tf
@@ -7,7 +7,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.9.0"
+      version = ">= 4.27.0"
     }
   }
 }
diff --git a/sources/aft-customizations-common/templates/customizations_pipeline/versions.tf b/sources/aft-customizations-common/templates/customizations_pipeline/versions.tf
@@ -7,7 +7,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.9.0"
+      version = ">= 4.27.0"
     }
   }
 }
diff --git a/variables.tf b/variables.tf
diff --git a/versions.tf b/versions.tf

Original file line number	Diff line number	Diff line change
`@@ -17,10 +17,21 @@ resource "aws_s3_bucket" "primary-backend-bucket" {`
`17`	`17`	`}`
`18`	`18`	`}`
`19`	`19`
	`20`	`+#tfsec:ignore:aws-s3-enable-bucket-logging`
	`21`	`+resource "aws_s3_bucket" "secondary-backend-bucket" {`
	`22`	`+ count = var.secondary_region == "" ? 0 : 1`
	`23`	`+ provider = aws.secondary_region`
	`24`	`+ bucket = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"`
	`25`	`+ tags = {`
	`26`	`+ "Name" = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"`
	`27`	`+ }`
	`28`	`+}`
	`29`	`+`
`20`	`30`	`resource "aws_s3_bucket_replication_configuration" "primary-backend-bucket-replication" {`
	`31`	`+ count = var.secondary_region == "" ? 0 : 1`
`21`	`32`	`provider = aws.primary_region`
`22`	`33`	`bucket = aws_s3_bucket.primary-backend-bucket.id`
`23`		`- role = aws_iam_role.replication.arn`
	`34`	`+ role = aws_iam_role.replication[0].arn`
`24`	`35`
`25`	`36`	`rule {`
`26`	`37`	`id = "0"`
`@@ -33,10 +44,10 @@ resource "aws_s3_bucket_replication_configuration" "primary-backend-bucket-repli`
`33`	`44`	`}`
`34`	`45`
`35`	`46`	`destination {`
`36`		`- bucket = aws_s3_bucket.secondary-backend-bucket.arn`
	`47`	`+ bucket = aws_s3_bucket.secondary-backend-bucket[0].arn`
`37`	`48`	`storage_class = "STANDARD"`
`38`	`49`	`encryption_configuration {`
`39`		`- replica_kms_key_id = aws_kms_key.encrypt-secondary-region.arn`
	`50`	`+ replica_kms_key_id = aws_kms_key.encrypt-secondary-region[0].arn`
`40`	`51`	`}`
`41`	`52`	`}`
`42`	`53`	`}`
`@@ -62,12 +73,6 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "primary-backend-b`
`62`	`73`	`}`
`63`	`74`	`}`
`64`	`75`
`65`		`-resource "aws_s3_bucket_acl" "primary-backend-bucket-acl" {`
`66`		`- provider = aws.primary_region`
`67`		`- bucket = aws_s3_bucket.primary-backend-bucket.id`
`68`		`- acl = "private"`
`69`		`-}`
`70`		`-`
`71`	`76`
`72`	`77`	`resource "aws_s3_bucket_public_access_block" "primary-backend-bucket" {`
`73`	`78`	`provider = aws.primary_region`
`@@ -80,47 +85,33 @@ resource "aws_s3_bucket_public_access_block" "primary-backend-bucket" {`
`80`	`85`	`restrict_public_buckets = true`
`81`	`86`	`}`
`82`	`87`
`83`		`-#tfsec:ignore:aws-s3-enable-bucket-logging`
`84`		`-resource "aws_s3_bucket" "secondary-backend-bucket" {`
`85`		`- provider = aws.secondary_region`
`86`		`- bucket = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"`
`87`		`- tags = {`
`88`		`- "Name" = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"`
`89`		`- }`
`90`		`-}`
`91`		`-`
`92`	`88`	`resource "aws_s3_bucket_versioning" "secondary-backend-bucket-versioning" {`
	`89`	`+ count = var.secondary_region == "" ? 0 : 1`
`93`	`90`	`provider = aws.secondary_region`
`94`		`- bucket = aws_s3_bucket.secondary-backend-bucket.id`
	`91`	`+ bucket = aws_s3_bucket.secondary-backend-bucket[0].id`
`95`	`92`	`versioning_configuration {`
`96`	`93`	`status = "Enabled"`
`97`	`94`	`}`
`98`	`95`	`}`
`99`	`96`
`100`	`97`	`resource "aws_s3_bucket_server_side_encryption_configuration" "secondary-backend-bucket-encryption" {`
	`98`	`+ count = var.secondary_region == "" ? 0 : 1`
`101`	`99`	`provider = aws.secondary_region`
`102`		`- bucket = aws_s3_bucket.secondary-backend-bucket.id`
	`100`	`+ bucket = aws_s3_bucket.secondary-backend-bucket[0].id`
`103`	`101`
`104`	`102`	`rule {`
`105`	`103`	`apply_server_side_encryption_by_default {`
`106`		`- kms_master_key_id = aws_kms_key.encrypt-secondary-region.arn`
	`104`	`+ kms_master_key_id = aws_kms_key.encrypt-secondary-region[0].arn`
`107`	`105`	`sse_algorithm = "aws:kms"`
`108`	`106`	`}`
`109`	`107`	`}`
`110`	`108`	`}`
`111`	`109`
`112`		`-resource "aws_s3_bucket_acl" "secondary-backend-bucket-acl" {`
`113`		`- provider = aws.secondary_region`
`114`		`- bucket = aws_s3_bucket.secondary-backend-bucket.id`
`115`		`- acl = "private"`
`116`		`-}`
`117`		`-`
`118`		`-`
`119`		`-`
`120`	`110`	`resource "aws_s3_bucket_public_access_block" "secondary-backend-bucket" {`
	`111`	`+ count = var.secondary_region == "" ? 0 : 1`
`121`	`112`	`provider = aws.secondary_region`
`122`	`113`
`123`		`- bucket = aws_s3_bucket.secondary-backend-bucket.id`
	`114`	`+ bucket = aws_s3_bucket.secondary-backend-bucket[0].id`
`124`	`115`
`125`	`116`	`block_public_acls = true`
`126`	`117`	`block_public_policy = true`
`@@ -129,6 +120,7 @@ resource "aws_s3_bucket_public_access_block" "secondary-backend-bucket" {`
`129`	`120`	`}`
`130`	`121`
`131`	`122`	`resource "aws_iam_role" "replication" {`
	`123`	`+ count = var.secondary_region == "" ? 0 : 1`
`132`	`124`	`provider = aws.primary_region`
`133`	`125`	`name = "aft-s3-terraform-backend-replication"`
`134`	`126`
`@@ -149,6 +141,7 @@ POLICY`
`149`	`141`	`}`
`150`	`142`
`151`	`143`	`resource "aws_iam_policy" "replication" {`
	`144`	`+ count = var.secondary_region == "" ? 0 : 1`
`152`	`145`	`provider = aws.primary_region`
`153`	`146`	`name = "aft-s3-terraform-backend-replication-policy"`
`154`	`147`
`@@ -191,11 +184,11 @@ resource "aws_iam_policy" "replication" {`
`191`	`184`	`"AES256"`
`192`	`185`	`],`
`193`	`186`	`"s3:x-amz-server-side-encryption-aws-kms-key-id": [`
`194`		`- "${aws_kms_key.encrypt-secondary-region.arn}"`
	`187`	`+ "${aws_kms_key.encrypt-secondary-region[0].arn}"`
`195`	`188`	`]`
`196`	`189`	`}`
`197`	`190`	`},`
`198`		`- "Resource": "${aws_s3_bucket.secondary-backend-bucket.arn}/*"`
	`191`	`+ "Resource": "${aws_s3_bucket.secondary-backend-bucket[0].arn}/*"`
`199`	`192`	`},`
`200`	`193`	`{`
`201`	`194`	`"Action": [`
`@@ -240,12 +233,12 @@ resource "aws_iam_policy" "replication" {`
`240`	`233`	`"StringLike": {`
`241`	`234`	`"kms:ViaService": "s3.${var.secondary_region}.amazonaws.com",`
`242`	`235`	`"kms:EncryptionContext:aws:s3:arn": [`
`243`		`- "${aws_s3_bucket.secondary-backend-bucket.arn}/*"`
	`236`	`+ "${aws_s3_bucket.secondary-backend-bucket[0].arn}/*"`
`244`	`237`	`]`
`245`	`238`	`}`
`246`	`239`	`},`
`247`	`240`	`"Resource": [`
`248`		`- "${aws_kms_key.encrypt-secondary-region.arn}"`
	`241`	`+ "${aws_kms_key.encrypt-secondary-region[0].arn}"`
`249`	`242`	`]`
`250`	`243`	`}`
`251`	`244`	`]`
`@@ -254,9 +247,10 @@ POLICY`
`254`	`247`	`}`
`255`	`248`
`256`	`249`	`resource "aws_iam_role_policy_attachment" "replication" {`
	`250`	`+ count = var.secondary_region == "" ? 0 : 1`
`257`	`251`	`provider = aws.primary_region`
`258`		`- role = aws_iam_role.replication.name`
`259`		`- policy_arn = aws_iam_policy.replication.arn`
	`252`	`+ role = aws_iam_role.replication[0].name`
	`253`	`+ policy_arn = aws_iam_policy.replication[0].arn`
`260`	`254`	`}`
`261`	`255`
`262`	`256`
`@@ -277,16 +271,21 @@ resource "aws_dynamodb_table" "lock-table" {`
`277`	`271`	`type = "S"`
`278`	`272`	`}`
`279`	`273`
`280`		`- replica {`
`281`		`- region_name = var.secondary_region`
	`274`	`+ tags = {`
	`275`	`+ "Name" = "aft-backend-${data.aws_caller_identity.current.account_id}"`
`282`	`276`	`}`
	`277`	`+}`
	`278`	`+`
	`279`	`+resource "aws_dynamodb_table_replica" "lock-table-replica" {`
	`280`	`+ count = var.secondary_region == "" ? 0 : 1`
	`281`	`+ provider = aws.secondary_region`
	`282`	`+ global_table_arn = aws_dynamodb_table.lock-table.arn`
`283`	`283`
`284`	`284`	`tags = {`
`285`	`285`	`"Name" = "aft-backend-${data.aws_caller_identity.current.account_id}"`
`286`	`286`	`}`
`287`	`287`	`}`
`288`	`288`
`289`		`-`
`290`	`289`	`# KMS Resources`
`291`	`290`
`292`	`291`	`resource "aws_kms_key" "encrypt-primary-region" {`
`@@ -308,6 +307,7 @@ resource "aws_kms_alias" "encrypt-alias-primary-region" {`
`308`	`307`	`}`
`309`	`308`
`310`	`309`	`resource "aws_kms_key" "encrypt-secondary-region" {`
	`310`	`+ count = var.secondary_region == "" ? 0 : 1`
`311`	`311`	`provider = aws.secondary_region`
`312`	`312`
`313`	`313`	`description = "Terraform backend KMS key."`
`@@ -319,8 +319,9 @@ resource "aws_kms_key" "encrypt-secondary-region" {`
`319`	`319`	`}`
`320`	`320`
`321`	`321`	`resource "aws_kms_alias" "encrypt-alias-secondary-region" {`
	`322`	`+ count = var.secondary_region == "" ? 0 : 1`
`322`	`323`	`provider = aws.secondary_region`
`323`	`324`
`324`	`325`	`name = "alias/aft-backend-${data.aws_caller_identity.current.account_id}-kms-key"`
`325`		`- target_key_id = aws_kms_key.encrypt-secondary-region.key_id`
	`326`	`+ target_key_id = aws_kms_key.encrypt-secondary-region[0].key_id`
`326`	`327`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ terraform {`
`7`	`7`	`required_providers {`
`8`	`8`	`aws = {`
`9`	`9`	`source = "hashicorp/aws"`
`10`		`- version = ">= 4.9.0"`
	`10`	`+ version = ">= 4.27.0"`
`11`	`11`	`configuration_aliases = [aws.primary_region, aws.secondary_region]`
`12`	`12`	`}`
`13`	`13`	`}`
Original file line number	Diff line number	Diff line change
`@@ -33,8 +33,3 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "aft-codepipeline-`
`33`	`33`	`}`
`34`	`34`	`}`
`35`	`35`	`}`
`36`		`-`
`37`		`-resource "aws_s3_bucket_acl" "aft-codepipeline-customizations-bucket-acl" {`
`38`		`- bucket = aws_s3_bucket.aft_codepipeline_customizations_bucket.id`
`39`		`- acl = "private"`
`40`		`-}`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ resource "aws_s3_bucket_public_access_block" "aft_logging_bucket" {`
`69`	`69`	`restrict_public_buckets = true`
`70`	`70`	`}`
`71`	`71`
`72`		`-`
	`72`	`+#tfsec:ignore:aws-s3-enable-bucket-logging`
`73`	`73`	`resource "aws_s3_bucket" "aft_access_logs" {`
`74`	`74`	`provider = aws.log_archive`
`75`	`75`	`bucket = "${var.log_archive_access_logs_bucket_name}-${var.log_archive_account_id}-${data.aws_region.current.name}"`
`@@ -89,7 +89,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "aft_access_logs_e`
`89`	`89`
`90`	`90`	`rule {`
`91`	`91`	`apply_server_side_encryption_by_default {`
`92`		`- sse_algorithm = "AES256"`
	`92`	`+ kms_master_key_id = var.aft_kms_key_id`
	`93`	`+ sse_algorithm = "aws:kms"`
`93`	`94`	`}`
`94`	`95`	`}`
`95`	`96`	`}`
`@@ -111,12 +112,6 @@ resource "aws_s3_bucket_lifecycle_configuration" "aft_access_logs_lifecycle_conf`
`111`	`112`
`112`	`113`	`}`
`113`	`114`
`114`		`-resource "aws_s3_bucket_acl" "aft_access_logs_acl" {`
`115`		`- provider = aws.log_archive`
`116`		`- bucket = aws_s3_bucket.aft_access_logs.id`
`117`		`- acl = "log-delivery-write"`
`118`		`-}`
`119`		`-`
`120`	`115`	`resource "aws_s3_bucket_public_access_block" "aft_access_logs" {`
`121`	`116`	`provider = aws.log_archive`
`122`	`117`	`bucket = aws_s3_bucket.aft_access_logs.id`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,10 @@ variable "aft_kms_key_arn" {`
`21`	`21`	`type = string`
`22`	`22`	`}`
`23`	`23`
	`24`	`+variable "aft_kms_key_id" {`
	`25`	`+ type = string`
	`26`	`+}`
	`27`	`+`
`24`	`28`	`variable "aft_sns_topic_arn" {`
`25`	`29`	`type = string`
`26`	`30`	`}`