
Commit 1c6194d

author
AWS
committed
Release: 1.10.0
1 parent 60ee77b commit 1c6194d


20 files changed

+68
-70
lines changed


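--- a/README.md
+++ b/README.md
@@ -64,13 +64,13 @@ As of version 1.6.0, AFT collects anonymous operational metrics to help AWS impr
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.15.1, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9.0, < 5.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.27.0, < 5.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9.0, < 5.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.27.0, < 5.0.0 |
 | <a name="provider_local"></a> [local](#provider\_local) | n/a |
 
 ## Modules
@@ -134,7 +134,7 @@ As of version 1.6.0, AFT collects anonymous operational metrics to help AWS impr
 | <a name="input_terraform_org_name"></a> [terraform\_org\_name](#input\_terraform\_org\_name) | Organization name for Terraform Cloud or Enterprise | `string` | `"null"` | no |
 | <a name="input_terraform_token"></a> [terraform\_token](#input\_terraform\_token) | Terraform token for Cloud or Enterprise | `string` | `"null"` | no |
 | <a name="input_terraform_version"></a> [terraform\_version](#input\_terraform\_version) | Terraform version being used for AFT | `string` | `"0.15.5"` | no |
-| <a name="input_tf_backend_secondary_region"></a> [tf\_backend\_secondary\_region](#input\_tf\_backend\_secondary\_region) | AFT creates a backend for state tracking for its own state as well as OSS cases. The backend's primary region is the same as the AFT region, but this defines the secondary region to replicate to. | `string` | n/a | yes |
+| <a name="input_tf_backend_secondary_region"></a> [tf\_backend\_secondary\_region](#input\_tf\_backend\_secondary\_region) | AFT creates a backend for state tracking for its own state as well as OSS cases. The backend's primary region is the same as the AFT region, but this defines the secondary region to replicate to. | `string` | `""` | no |
 | <a name="input_vcs_provider"></a> [vcs\_provider](#input\_vcs\_provider) | Customer VCS Provider - valid inputs are codecommit, bitbucket, github, or githubenterprise | `string` | `"codecommit"` | no |
 
 ## Outputs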

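--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.9.2
+1.10.0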

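--- a/main.tf
+++ b/main.tf
@@ -143,6 +143,7 @@ module "aft_feature_options" {
 log_archive_bucket_object_expiration_days = local.log_archive_bucket_object_expiration_days
 aft_features_sfn_name = local.aft_features_sfn_name
 aft_kms_key_arn = module.aft_account_request_framework.aft_kms_key_arn
+aft_kms_key_id = module.aft_account_request_framework.aft_kms_key_id
 aft_common_layer_arn = module.aft_lambda_layer.layer_version_arn
 aft_sns_topic_arn = module.aft_account_request_framework.sns_topic_arn
 aft_failure_sns_topic_arn = module.aft_account_request_framework.failure_sns_topic_arn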

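--- a/modules/aft-backend/main.tf
+++ b/modules/aft-backend/main.tf
@@ -17,10 +17,21 @@ resource "aws_s3_bucket" "primary-backend-bucket" {
 }
 }
 
+#tfsec:ignore:aws-s3-enable-bucket-logging
+resource "aws_s3_bucket" "secondary-backend-bucket" {
+count = var.secondary_region == "" ? 0 : 1
+provider = aws.secondary_region
+bucket = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"
+tags = {
+"Name" = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"
+}
+}
+
 resource "aws_s3_bucket_replication_configuration" "primary-backend-bucket-replication" {
+count = var.secondary_region == "" ? 0 : 1
 provider = aws.primary_region
 bucket = aws_s3_bucket.primary-backend-bucket.id
-role = aws_iam_role.replication.arn
+role = aws_iam_role.replication[0].arn
 
 rule {
 id = "0"
@@ -33,10 +44,10 @@ resource "aws_s3_bucket_replication_configuration" "primary-backend-bucket-repli
 }
 
 destination {
-bucket = aws_s3_bucket.secondary-backend-bucket.arn
+bucket = aws_s3_bucket.secondary-backend-bucket[0].arn
 storage_class = "STANDARD"
 encryption_configuration {
-replica_kms_key_id = aws_kms_key.encrypt-secondary-region.arn
+replica_kms_key_id = aws_kms_key.encrypt-secondary-region[0].arn
 }
 }
 }
@@ -62,12 +73,6 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "primary-backend-b
 }
 }
 
-resource "aws_s3_bucket_acl" "primary-backend-bucket-acl" {
-provider = aws.primary_region
-bucket = aws_s3_bucket.primary-backend-bucket.id
-acl = "private"
-}
-
 
 resource "aws_s3_bucket_public_access_block" "primary-backend-bucket" {
 provider = aws.primary_region
@@ -80,47 +85,33 @@ resource "aws_s3_bucket_public_access_block" "primary-backend-bucket" {
 restrict_public_buckets = true
 }
 
-#tfsec:ignore:aws-s3-enable-bucket-logging
-resource "aws_s3_bucket" "secondary-backend-bucket" {
-provider = aws.secondary_region
-bucket = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"
-tags = {
-"Name" = "aft-backend-${data.aws_caller_identity.current.account_id}-secondary-region"
-}
-}
-
 resource "aws_s3_bucket_versioning" "secondary-backend-bucket-versioning" {
+count = var.secondary_region == "" ? 0 : 1
 provider = aws.secondary_region
-bucket = aws_s3_bucket.secondary-backend-bucket.id
+bucket = aws_s3_bucket.secondary-backend-bucket[0].id
 versioning_configuration {
 status = "Enabled"
 }
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "secondary-backend-bucket-encryption" {
+count = var.secondary_region == "" ? 0 : 1
 provider = aws.secondary_region
-bucket = aws_s3_bucket.secondary-backend-bucket.id
+bucket = aws_s3_bucket.secondary-backend-bucket[0].id
 
 rule {
 apply_server_side_encryption_by_default {
-kms_master_key_id = aws_kms_key.encrypt-secondary-region.arn
+kms_master_key_id = aws_kms_key.encrypt-secondary-region[0].arn
 sse_algorithm = "aws:kms"
 }
 }
 }
 
-resource "aws_s3_bucket_acl" "secondary-backend-bucket-acl" {
-provider = aws.secondary_region
-bucket = aws_s3_bucket.secondary-backend-bucket.id
-acl = "private"
-}
-
-
-
 resource "aws_s3_bucket_public_access_block" "secondary-backend-bucket" {
+count = var.secondary_region == "" ? 0 : 1
 provider = aws.secondary_region
 
-bucket = aws_s3_bucket.secondary-backend-bucket.id
+bucket = aws_s3_bucket.secondary-backend-bucket[0].id
 
 block_public_acls = true
 block_public_policy = true
@@ -129,6 +120,7 @@ resource "aws_s3_bucket_public_access_block" "secondary-backend-bucket" {
 }
 
 resource "aws_iam_role" "replication" {
+count = var.secondary_region == "" ? 0 : 1
 provider = aws.primary_region
 name = "aft-s3-terraform-backend-replication"
 
@@ -149,6 +141,7 @@ POLICY
 }
 
 resource "aws_iam_policy" "replication" {
+count = var.secondary_region == "" ? 0 : 1
 provider = aws.primary_region
 name = "aft-s3-terraform-backend-replication-policy"
 
@@ -191,11 +184,11 @@ resource "aws_iam_policy" "replication" {
 "AES256"
 ],
 "s3:x-amz-server-side-encryption-aws-kms-key-id": [
-"${aws_kms_key.encrypt-secondary-region.arn}"
+"${aws_kms_key.encrypt-secondary-region[0].arn}"
 ]
 }
 },
-"Resource": "${aws_s3_bucket.secondary-backend-bucket.arn}/*"
+"Resource": "${aws_s3_bucket.secondary-backend-bucket[0].arn}/*"
 },
 {
 "Action": [
@@ -240,12 +233,12 @@ resource "aws_iam_policy" "replication" {
 "StringLike": {
 "kms:ViaService": "s3.${var.secondary_region}.amazonaws.com",
 "kms:EncryptionContext:aws:s3:arn": [
-"${aws_s3_bucket.secondary-backend-bucket.arn}/*"
+"${aws_s3_bucket.secondary-backend-bucket[0].arn}/*"
 ]
 }
 },
 "Resource": [
-"${aws_kms_key.encrypt-secondary-region.arn}"
+"${aws_kms_key.encrypt-secondary-region[0].arn}"
 ]
 }
 ]
@@ -254,9 +247,10 @@ POLICY
 }
 
 resource "aws_iam_role_policy_attachment" "replication" {
+count = var.secondary_region == "" ? 0 : 1
 provider = aws.primary_region
-role = aws_iam_role.replication.name
-policy_arn = aws_iam_policy.replication.arn
+role = aws_iam_role.replication[0].name
+policy_arn = aws_iam_policy.replication[0].arn
 }
 
 
@@ -277,16 +271,21 @@ resource "aws_dynamodb_table" "lock-table" {
 type = "S"
 }
 
-replica {
-region_name = var.secondary_region
+tags = {
+"Name" = "aft-backend-${data.aws_caller_identity.current.account_id}"
 }
+}
+
+resource "aws_dynamodb_table_replica" "lock-table-replica" {
+count = var.secondary_region == "" ? 0 : 1
+provider = aws.secondary_region
+global_table_arn = aws_dynamodb_table.lock-table.arn
 
 tags = {
 "Name" = "aft-backend-${data.aws_caller_identity.current.account_id}"
 }
 }
 
-
 # KMS Resources
 
 resource "aws_kms_key" "encrypt-primary-region" {
@@ -308,6 +307,7 @@ resource "aws_kms_alias" "encrypt-alias-primary-region" {
 }
 
 resource "aws_kms_key" "encrypt-secondary-region" {
+count = var.secondary_region == "" ? 0 : 1
 provider = aws.secondary_region
 
 description = "Terraform backend KMS key."
@@ -319,8 +319,9 @@ resource "aws_kms_key" "encrypt-secondary-region" {
 }
 
 resource "aws_kms_alias" "encrypt-alias-secondary-region" {
+count = var.secondary_region == "" ? 0 : 1
 provider = aws.secondary_region
 
 name = "alias/aft-backend-${data.aws_caller_identity.current.account_id}-kms-key"
-target_key_id = aws_kms_key.encrypt-secondary-region.key_id
+target_key_id = aws_kms_key.encrypt-secondary-region[0].key_id
 }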
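Review bot: The new `aws_dynamodb_table_replica.lock-table-replica` (hunk at old line 277) sets no `kms_key_arn`, so the secondary-region copy of the state-lock table is encrypted with whatever key the provider defaults to, while the S3 replica in the same file is pinned to `aws_kms_key.encrypt-secondary-region[0]`; if a customer-managed key is the intent in both regions, add `kms_key_arn = aws_kms_key.encrypt-secondary-region[0].arn`, and otherwise record the choice in a comment on the resource. Moving the replica out of the inline `replica {}` block of `aws_dynamodb_table.lock-table` also changes its resource address, so existing deployments will presumably see the replica destroyed and recreated on upgrade unless it is imported first, which deserves a line in the release notes. The `lock-table` block starts outside the hunk, so whether streams and point-in-time recovery are still enabled on the source table, which the replica depends on, cannot be checked here.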

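--- a/modules/aft-backend/versions.tf
+++ b/modules/aft-backend/versions.tf
@@ -7,7 +7,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
-version = ">= 4.9.0"
+version = ">= 4.27.0"
 configuration_aliases = [aws.primary_region, aws.secondary_region]
 }
 }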

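--- a/modules/aft-code-repositories/versions.tf
+++ b/modules/aft-code-repositories/versions.tf
@@ -7,7 +7,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
-version = ">= 4.9.0"
+version = ">= 4.27.0"
 }
 }
 }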

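--- a/modules/aft-customizations/s3.tf
+++ b/modules/aft-customizations/s3.tf
@@ -33,8 +33,3 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "aft-codepipeline-
 }
 }
 }
-
-resource "aws_s3_bucket_acl" "aft-codepipeline-customizations-bucket-acl" {
-bucket = aws_s3_bucket.aft_codepipeline_customizations_bucket.id
-acl = "private"
-}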

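--- a/modules/aft-customizations/versions.tf
+++ b/modules/aft-customizations/versions.tf
@@ -7,7 +7,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
-version = ">= 4.9.0"
+version = ">= 4.27.0"
 }
 }
 }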

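--- a/modules/aft-feature-options/s3.tf
+++ b/modules/aft-feature-options/s3.tf
@@ -69,7 +69,7 @@ resource "aws_s3_bucket_public_access_block" "aft_logging_bucket" {
 restrict_public_buckets = true
 }
 
-
+#tfsec:ignore:aws-s3-enable-bucket-logging
 resource "aws_s3_bucket" "aft_access_logs" {
 provider = aws.log_archive
 bucket = "${var.log_archive_access_logs_bucket_name}-${var.log_archive_account_id}-${data.aws_region.current.name}"
@@ -89,7 +89,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "aft_access_logs_e
 
 rule {
 apply_server_side_encryption_by_default {
-sse_algorithm = "AES256"
+kms_master_key_id = var.aft_kms_key_id
+sse_algorithm = "aws:kms"
 }
 }
 }
@@ -111,12 +112,6 @@ resource "aws_s3_bucket_lifecycle_configuration" "aft_access_logs_lifecycle_conf
 
 }
 
-resource "aws_s3_bucket_acl" "aft_access_logs_acl" {
-provider = aws.log_archive
-bucket = aws_s3_bucket.aft_access_logs.id
-acl = "log-delivery-write"
-}
-
 resource "aws_s3_bucket_public_access_block" "aft_access_logs" {
 provider = aws.log_archive
 bucket = aws_s3_bucket.aft_access_logs.id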
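Review bot: Switching the default encryption of `aft_access_logs` from `AES256` to `aws:kms` (hunk at old line 89) will stop log delivery if this bucket is the destination for S3 server access logging, which the removed `log-delivery-write` ACL strongly suggests: S3 documents that a server access logging destination may use default encryption only with SSE-S3, and SSE-KMS is not supported, so logs would simply not arrive and nothing in Terraform would flag it. Independently, the bucket is created under `aws.log_archive` while the key comes from the AFT account; if those are different accounts, a bare key ID in `kms_master_key_id = var.aft_kms_key_id` does not resolve cross-account and the full ARN is required (the module already receives `aft_kms_key_arn`), together with a key-policy statement that lets the log-archive account and the S3 logging service principal use the key. With the ACL resource gone, delivery also depends on a bucket policy for `logging.s3.amazonaws.com` that is not visible in this section. Please confirm the bucket's role with an end-to-end delivery test before release, and either keep `sse_algorithm = "AES256"` with a comment such as `# SSE-S3 only: S3 server access logging does not deliver to an SSE-KMS destination` or document why the bucket is exempt from that constraint.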

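--- a/modules/aft-feature-options/variables.tf
+++ b/modules/aft-feature-options/variables.tf
@@ -21,6 +21,10 @@ variable "aft_kms_key_arn" {
 type = string
 }
 
+variable "aft_kms_key_id" {
+type = string
+}
+
 variable "aft_sns_topic_arn" {
 type = string
 }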
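Review bot: The new `variable "aft_kms_key_id"` has only a `type`; a `description` would tell the caller what form the value must take and where it is consumed, which matters because the same commit uses it as `kms_master_key_id` on the `aft_access_logs` encryption rule in a bucket created under a different provider alias. Suggested line: `description = "Identifier of the AFT KMS key used as the SSE-KMS key for the access-logs bucket; pass the key ARN if the log-archive provider is a different account"`. The sibling `aft_kms_key_arn` variable visible in the hunk has the same gap, so the two could be documented together.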
