From 4d81be88ab6ce2d08d3d006387b5e69382ebb449 Mon Sep 17 00:00:00 2001
From: Barry Morrison <689591+esacteksab@users.noreply.github.com>
Date: Mon, 13 Jan 2025 08:36:19 -0600
Subject: [PATCH 1/8] chore: remove unnecessary file

---
 .golangci.yml | 6 ------
 1 file changed, 6 deletions(-)
 delete mode 100644 .golangci.yml

diff --git a/.golangci.yml b/.golangci.yml
deleted file mode 100644
index e193496..0000000
--- a/.golangci.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-linters:
- enable:
- - gosec
- - golint
- - gofmt
- - goimports

From e43f5651d7a4f415b2098cc1e643bebf104e2a26 Mon Sep 17 00:00:00 2001
From: Barry Morrison <689591+esacteksab@users.noreply.github.com>
Date: Mon, 13 Jan 2025 08:36:54 -0600
Subject: [PATCH 2/8] chore: pinning github action

---
 .github/workflows/validate.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 705a013..c04990f 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -10,4 +10,4 @@ on:
 jobs:
 validate-tf:
- uses: trussworks/shared-actions/.github/workflows/validate-tf.yml@main
+ uses: trussworks/shared-actions/.github/workflows/validate-tf.yml@3cab03ab95045711da37ad6d63a93c666fc22398 # v0.0.2

From 0b647454208d46fdd0aab050f0f5e760158a12fd Mon Sep 17 00:00:00 2001
From: Barry Morrison <689591+esacteksab@users.noreply.github.com>
Date: Mon, 13 Jan 2025 08:37:52 -0600
Subject: [PATCH 3/8] chore: renovate renovate config

---
 renovate.json | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/renovate.json b/renovate.json
index 838e66f..e0d727e 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,11 +1,22 @@
 {
 "extends": [
- "config:base"
+ "config:base",
+ "helpers:pinGitHubActionDigests"
 ],
 "labels": [
 "dependencies"
 ],
 "packageRules": [
+ {
+ "automerge": true,
+ "description": "Automerge all updates except major versions",
+ "matchUpdateTypes": [
+ "patch",
+ "pin",
+ "digest",
+ "minor"
+ ]
+ },
 {
 "description": "Tag the waddlers Github Team for major updates",
 "matchUpdateTypes": [
@@ -19,14 +30,18 @@
 "automerge": true,
 "description": "Group minor and patch updates into a single PR",
 "groupName": "dependencies",
+ "managers": [
+ "terraform",
+ "pre-commit",
+ "github-actions"
+ ],
 "matchUpdateTypes": [
 "minor",
- "patch",
- "pin",
- "digest"
+ "patch"
 ]
 }
 ],
+ "prConcurrentLimit": 2,
 "schedule": [
 "every weekend"
 ],

From 241e86ca067d3088d508616cdd2f2a5b96cd5d14 Mon Sep 17 00:00:00 2001
From: Barry Morrison <689591+esacteksab@users.noreply.github.com>
Date: Mon, 13 Jan 2025 08:38:15 -0600
Subject: [PATCH 4/8] chore: ignore lock file

---
 .gitignore | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 9dd74fc..8d30b1b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 .DS_Store
 .terraform
+.terraform.lock.hcl
 terraform.tfstate
 terraform.tfstate.backup
 terraform.tfstate.*.backup
-.envrc.local
+.envrc*

From 0fd2cc36ee5ef94aff3586385eefcdade4b14474 Mon Sep 17 00:00:00 2001
From: Barry Morrison <689591+esacteksab@users.noreply.github.com>
Date: Mon, 13 Jan 2025 08:38:51 -0600
Subject: [PATCH 5/8] chore: pre-commit autoupdate

---
 .markdownlintrc | 3 ++-
 .pre-commit-config.yaml | 22 ++++++----------------
 .terraform-docs.yml | 31 +++++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 17 deletions(-)

diff --git a/.markdownlintrc b/.markdownlintrc
index 83eb43d..3e0ef98 100644
--- a/.markdownlintrc
+++ b/.markdownlintrc
@@ -4,5 +4,6 @@
 "first-line-h1": false,
 "line_length": false,
 "no-multiple-blanks": false,
- "no-inline-html": false
+ "no-inline-html": false,
+ "no-alt-text": false
 }
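Review bot: The first new `packageRules` entry automerges `pin`, `digest`, `minor` and `patch` updates with no `matchManagers` or package filter, so it also covers GitHub Action digest bumps; combined with `helpers:pinGitHubActionDigests`, the SHA pin introduced in the previous commit still prevents tag retargeting, but a new upstream commit now reaches CI without anyone reading its diff. Renovate's automerge by default only waits for whatever status checks exist on the branch, so confirm branch protection lists the `validate-tf` job as a required check; without that, these PRs merge on the weekend schedule unreviewed and unchecked. If Action digest bumps should stay manual, scope the rule, e.g. `"matchManagers": ["terraform", "pre-commit"]`, or drop `"digest"` from its `matchUpdateTypes`. The second rule in the same file already automerges grouped `minor`/`patch` updates for `github-actions`, so the two rules overlap; a sentence in each `description` saying which applies to what would help the next reader.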
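Review bot: Ignoring `.terraform.lock.hcl` removes the provider lock, and with it the recorded provider checksums, from version control, so a `terraform init` in CI resolves `aws >= 3.75.0` to whatever the registry currently serves and verifies nothing against a committed hash. That is a common choice for a reusable module, but this repository also ships root modules under `examples/` (see `examples/logging_target_bucket/main.tf` later in this series), where HashiCorp recommends committing the lock file for reproducible runs; consider anchoring the pattern to the module root, `/.terraform.lock.hcl`, with a comment such as `# examples/ keep their lock files so CI pins provider hashes`. Widening `.envrc.local` to `.envrc*` is a sensible way to keep local credentials out of the repo; note only that the pattern does not untrack an `.envrc` that is already committed.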
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bfd87bb..34dd2cc 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.4.0
+ rev: v5.0.0
 hooks:
 - id: check-json
 - id: check-merge-conflict
@@ -14,27 +14,17 @@ repos:
 - id: end-of-file-fixer
 - id: mixed-line-ending
- - repo: https://github.com/executablebooks/mdformat
- rev: 0.7.16
- hooks:
- - id: mdformat
- additional_dependencies:
- - mdformat-gfm
- - mdformat-toc
- # mdformat fights with terraform_docs
- exclude: README.m(ark)?d(own)?
-
 - repo: https://github.com/igorshubovych/markdownlint-cli
- rev: v0.33.0
+ rev: v0.43.0
 hooks:
 - id: markdownlint
- - repo: https://github.com/detailyang/pre-commit-shell
- rev: 1.0.5
+ - repo: https://github.com/terraform-docs/terraform-docs
+ rev: "v0.19.0"
 hooks:
- - id: shell-lint
+ - id: terraform-docs-system
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.77.1
+ rev: v1.96.3
 hooks:
 - id: terraform_fmt
diff --git a/.terraform-docs.yml b/.terraform-docs.yml
index fb05467..39ca235 100644
--- a/.terraform-docs.yml
+++ b/.terraform-docs.yml
@@ -1,4 +1,35 @@
+version: ">= 0.19.0, < 1.0.0"
+
 settings:
 html: false
 anchor: false
+ escape: false
+ lockfile: false
+ hide-empty: true
 formatter: "markdown table"
+
+sort:
+ enabled: true
+ by: required
+
+sections:
+ show:
+ - requirements
+ - providers
+ - modules
+ - data-sources
+ - resources
+ - inputs
+ - outputs
+
+recursive:
+ enabled: false
+ include-main: false
+
+output:
+ file: README.md
+ mode: inject
+ template: |-
+
+ {{ .Content }}
+

From 86aadf4248e41ae761ce9e48a8c13907d05e4995 Mon Sep 17 00:00:00 2001
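Review bot: The new `terraform-docs-system` hook runs whatever `terraform-docs` binary is on the contributor's PATH (that is what the `-system` hook variant means), so `rev: "v0.19.0"` pins the hook definition, not the tool that rewrites `README.md`; the `version: ">= 0.19.0, < 1.0.0"` constraint added to `.terraform-docs.yml` in this same commit narrows that but still admits any 0.x build. Every `rev:` in the file also remains a mutable tag, which is inconsistent with this PR pinning the reusable GitHub workflow to a commit SHA; pre-commit accepts a full commit SHA in `rev:`, e.g. `rev: <commit-sha>  # v1.96.3`, which matters most for `pre-commit-terraform` since its hooks run on every commit. Dropping `pre-commit-shell` removes shell linting with no replacement in this config; if the repository has no shell scripts, a one-line comment saying so would stop the next reader from re-adding it. The `repos:` list continues beyond the end of the hunk.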
From: Barry Morrison <689591+esacteksab@users.noreply.github.com>
Date: Mon, 13 Jan 2025 08:39:15 -0600
Subject: [PATCH 6/8] feat: pass KMS key to bucket encryption

---
 README.md | 90 +++++----
 examples/logging_target_bucket/main.tf | 5 +-
 main.tf | 6 +-
 variables.tf | 241 +++++++++++++------------
 4 files changed, 178 insertions(+), 164 deletions(-)

diff --git a/README.md b/README.md
index 9d8b3d4..be835a4 100644
--- a/README.md
+++ b/README.md
@@ -94,10 +94,6 @@ module "aws_logs" {
 |------|---------|
 | aws | >= 3.75.0 |
-## Modules
-
-No modules.
-
 ## Resources
 | Name | Type |
@@ -121,54 +117,56 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| alb\_account | Account for ALB logs. By default limits to the current account. | `string` | `""` | no | -| alb\_logs\_prefixes | S3 key prefixes for ALB logs. | `list(string)` | ```[ "alb" ]``` | no | -| allow\_alb | Allow ALB service to log to bucket. | `bool` | `false` | no | -| allow\_cloudtrail | Allow Cloudtrail service to log to bucket. | `bool` | `false` | no | -| allow\_cloudwatch | Allow Cloudwatch service to export logs to bucket. | `bool` | `false` | no | -| allow\_config | Allow Config service to log to bucket. | `bool` | `false` | no | -| allow\_elb | Allow ELB service to log to bucket. | `bool` | `false` | no | -| allow\_nlb | Allow NLB service to log to bucket. | `bool` | `false` | no | -| allow\_redshift | Allow Redshift service to log to bucket. | `bool` | `false` | no | -| allow\_s3 | Allow S3 service to log to bucket. | `bool` | `false` | no | -| cloudtrail\_accounts | List of accounts for CloudTrail logs. By default limits to the current account. | `list(string)` | `[]` | no | -| cloudtrail\_logs\_prefix | S3 prefix for CloudTrail logs. | `string` | `"cloudtrail"` | no | -| cloudtrail\_org\_id | AWS Organization ID for CloudTrail. | `string` | `""` | no | -| cloudwatch\_logs\_prefix | S3 prefix for CloudWatch log exports. | `string` | `"cloudwatch"` | no | -| config\_accounts | List of accounts for Config logs. By default limits to the current account. | `list(string)` | `[]` | no | -| config\_logs\_prefix | S3 prefix for AWS Config logs. | `string` | `"config"` | no | -| control\_object\_ownership | Whether to manage S3 Bucket Ownership Controls on this bucket. | `bool` | `true` | no | -| create\_public\_access\_block | Whether to create a public\_access\_block restricting public access to the bucket. 
| `bool` | `true` | no | -| default\_allow | Whether all services included in this module should be allowed to write to the bucket by default. Alternatively select individual services. It's recommended to use the default bucket ACL of log-delivery-write. | `bool` | `true` | no | -| elb\_accounts | List of accounts for ELB logs. By default limits to the current account. | `list(string)` | `[]` | no | -| elb\_logs\_prefix | S3 prefix for ELB logs. | `string` | `"elb"` | no | -| enable\_mfa\_delete | A bool that requires MFA to delete the log bucket. | `bool` | `false` | no | -| enable\_s3\_log\_bucket\_lifecycle\_rule | Whether the lifecycle rule for the log bucket is enabled. | `bool` | `true` | no | -| force\_destroy | A bool that indicates all objects (including any locked objects) should be deleted from the bucket so the bucket can be destroyed without error. | `bool` | `false` | no | -| logging\_target\_bucket | S3 Bucket to send S3 logs to. Disables logging if omitted. | `string` | `""` | no | -| logging\_target\_prefix | Prefix for logs going into the log\_s3\_bucket. | `string` | `"s3/"` | no | -| nlb\_account | Account for NLB logs. By default limits to the current account. | `string` | `""` | no | -| nlb\_logs\_prefixes | S3 key prefixes for NLB logs. | `list(string)` | ```[ "nlb" ]``` | no | -| noncurrent\_version\_retention | Number of days to retain non-current versions of objects if versioning is enabled. | `string` | `30` | no | -| object\_ownership | Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. | `string` | `"BucketOwnerEnforced"` | no | -| redshift\_logs\_prefix | S3 prefix for RedShift logs. | `string` | `"redshift"` | no | -| s3\_bucket\_acl | Set bucket ACL per [AWS S3 Canned ACL]() list. | `string` | `null` | no | -| s3\_bucket\_name | S3 bucket to store AWS logs in. | `string` | n/a | yes | -| s3\_log\_bucket\_retention | Number of days to keep AWS logs around. 
| `string` | `90` | no | -| s3\_logs\_prefix | S3 prefix for S3 access logs. | `string` | `"s3"` | no | +| s3_bucket_name | S3 bucket to store AWS logs in. | `string` | n/a | yes | +| alb_account | Account for ALB logs. By default limits to the current account. | `string` | `""` | no | +| alb_logs_prefixes | S3 key prefixes for ALB logs. | `list(string)` | ```[ "alb" ]``` | no | +| allow_alb | Allow ALB service to log to bucket. | `bool` | `false` | no | +| allow_cloudtrail | Allow Cloudtrail service to log to bucket. | `bool` | `false` | no | +| allow_cloudwatch | Allow Cloudwatch service to export logs to bucket. | `bool` | `false` | no | +| allow_config | Allow Config service to log to bucket. | `bool` | `false` | no | +| allow_elb | Allow ELB service to log to bucket. | `bool` | `false` | no | +| allow_nlb | Allow NLB service to log to bucket. | `bool` | `false` | no | +| allow_redshift | Allow Redshift service to log to bucket. | `bool` | `false` | no | +| allow_s3 | Allow S3 service to log to bucket. | `bool` | `false` | no | +| bucket_key_enabled | Whether or not to use Amazon S3 Bucket Keys for SSE-KMS. | `bool` | `false` | no | +| cloudtrail_accounts | List of accounts for CloudTrail logs. By default limits to the current account. | `list(string)` | `[]` | no | +| cloudtrail_logs_prefix | S3 prefix for CloudTrail logs. | `string` | `"cloudtrail"` | no | +| cloudtrail_org_id | AWS Organization ID for CloudTrail. | `string` | `""` | no | +| cloudwatch_logs_prefix | S3 prefix for CloudWatch log exports. | `string` | `"cloudwatch"` | no | +| config_accounts | List of accounts for Config logs. By default limits to the current account. | `list(string)` | `[]` | no | +| config_logs_prefix | S3 prefix for AWS Config logs. | `string` | `"config"` | no | +| control_object_ownership | Whether to manage S3 Bucket Ownership Controls on this bucket. 
| `bool` | `true` | no | +| create_public_access_block | Whether to create a public_access_block restricting public access to the bucket. | `bool` | `true` | no | +| default_allow | Whether all services included in this module should be allowed to write to the bucket by default. Alternatively select individual services. It's recommended to use the default bucket ACL of log-delivery-write. | `bool` | `true` | no | +| elb_accounts | List of accounts for ELB logs. By default limits to the current account. | `list(string)` | `[]` | no | +| elb_logs_prefix | S3 prefix for ELB logs. | `list(string)` | ```[ "elb" ]``` | no | +| enable_mfa_delete | A bool that requires MFA to delete the log bucket. | `bool` | `false` | no | +| enable_s3_log_bucket_lifecycle_rule | Whether the lifecycle rule for the log bucket is enabled. | `bool` | `true` | no | +| force_destroy | A bool that indicates all objects (including any locked objects) should be deleted from the bucket so the bucket can be destroyed without error. | `bool` | `false` | no | +| kms_master_key_id | The AWS KMS master key ID used for the SSE-KMS encryption. If blank, bucket encryption configuration defaults to AES256. | `string` | `""` | no | +| logging_target_bucket | S3 Bucket to send S3 logs to. Disables logging if omitted. | `string` | `""` | no | +| logging_target_prefix | Prefix for logs going into the log_s3_bucket. | `string` | `"s3/"` | no | +| nlb_account | Account for NLB logs. By default limits to the current account. | `string` | `""` | no | +| nlb_logs_prefixes | S3 key prefixes for NLB logs. | `list(string)` | ```[ "nlb" ]``` | no | +| noncurrent_version_retention | Number of days to retain non-current versions of objects if versioning is enabled. | `string` | `30` | no | +| object_ownership | Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. | `string` | `"BucketOwnerEnforced"` | no | +| redshift_logs_prefix | S3 prefix for RedShift logs. 
| `string` | `"redshift"` | no |
+| s3_bucket_acl | Set bucket ACL per [AWS S3 Canned ACL]() list. | `string` | `null` | no |
+| s3_log_bucket_retention | Number of days to keep AWS logs around. | `string` | `90` | no |
+| s3_logs_prefix | S3 prefix for S3 access logs. | `string` | `"s3"` | no |
 | tags | A mapping of tags to assign to the logs bucket. Please note that tags with a conflicting key will not override the original tag. | `map(string)` | `{}` | no |
-| versioning\_status | A string that indicates the versioning status for the log bucket. | `string` | `"Disabled"` | no |
+| versioning_status | A string that indicates the versioning status for the log bucket. | `string` | `"Disabled"` | no |
 ## Outputs
 | Name | Description |
 |------|-------------|
-| aws\_logs\_bucket | ID of the S3 bucket containing AWS logs. |
-| bucket\_arn | ARN of the S3 logs bucket |
-| configs\_logs\_path | S3 path for Config logs. |
-| elb\_logs\_path | S3 path for ELB logs. |
-| redshift\_logs\_path | S3 path for RedShift logs. |
-| s3\_bucket\_policy | S3 bucket policy |
+| aws_logs_bucket | ID of the S3 bucket containing AWS logs. |
+| bucket_arn | ARN of the S3 logs bucket |
+| configs_logs_path | S3 path for Config logs. |
+| elb_logs_path | S3 path for ELB logs. |
+| redshift_logs_path | S3 path for RedShift logs. |
+| s3_bucket_policy | S3 bucket policy |
 ## Upgrade Paths
diff --git a/examples/logging_target_bucket/main.tf b/examples/logging_target_bucket/main.tf
index 0bf9122..a61feff 100644
--- a/examples/logging_target_bucket/main.tf
+++ b/examples/logging_target_bucket/main.tf
@@ -24,7 +24,10 @@ module "aws_logs_logs" {
 s3_bucket_name = local.log_bucket_name
- default_allow = false
+ default_allow = false
+ allow_s3 = true
+ s3_logs_prefix = [var.s3_logs_prefix]
+ force_destroy = var.force_destroy
 }
diff --git a/main.tf b/main.tf
index d6a4532..3d998d4 100644
--- a/main.tf
+++ b/main.tf
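Review bot: `s3_logs_prefix = [var.s3_logs_prefix]` wraps the value in a tuple, but the module's `s3_logs_prefix` variable is declared `type = string` (default `"s3"`) in the `variables.tf` hunk of this same commit and in the README table, so Terraform will reject the module call with a type-conversion error as soon as this example is validated or planned. Either pass it through unchanged, `s3_logs_prefix = var.s3_logs_prefix`, or, if the intent mirrors `elb_logs_prefix` becoming `list(string)`, change the module variable's type in the same commit so the example and the interface agree. The `module "aws_logs_logs"` block starts outside the hunk.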
@@ -255,7 +255,7 @@ data "aws_iam_policy_document" "main" {
 variable = "s3:x-amz-acl"
 values = ["bucket-owner-full-control"]
 }
- resources = ["${local.bucket_arn}/${local.config_logs_path}/${statement.value}/Config/*"]
+ resources = local.config_resources
 }
 }
 #
@@ -450,8 +450,10 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "aws_logs" {
 rule {
 apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
+ sse_algorithm = length(var.kms_master_key_id) > 0 ? "aws:kms" : "AES256"
+ kms_master_key_id = length(var.kms_master_key_id) > 0 ? var.kms_master_key_id : null
 }
+ bucket_key_enabled = var.bucket_key_enabled
 }
 }
diff --git a/variables.tf b/variables.tf
index e66e35f..106cfbc 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,35 +1,6 @@
-variable "s3_bucket_name" {
- description = "S3 bucket to store AWS logs in."
- type = string
-}
-
-variable "s3_log_bucket_retention" {
- description = "Number of days to keep AWS logs around."
- default = 90
- type = string
-}
-
-variable "noncurrent_version_retention" {
- description = "Number of days to retain non-current versions of objects if versioning is enabled."
- type = string
- default = 30
-}
-
-variable "s3_bucket_acl" {
- description = "Set bucket ACL per [AWS S3 Canned ACL]() list."
- default = null
- type = string
-}
-
-variable "s3_logs_prefix" {
- description = "S3 prefix for S3 access logs."
- default = "s3"
- type = string
-}
-
-variable "elb_logs_prefix" {
- description = "S3 prefix for ELB logs."
- default = "elb"
+variable "alb_account" {
+ description = "Account for ALB logs. By default limits to the current account."
+ default = ""
 type = string
 }
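Review bot: `local.config_resources` replaces a resource ARN that was built from `statement.value`, i.e. scoped to the single Config account the enclosing `dynamic "statement"` iterates, and the local is defined outside this hunk, so it is not visible whether it still varies per account. If it is one flat list over all `config_accounts`, each per-account statement now allows `s3:PutObject` on every account's `…/Config/*` prefix, which widens what one account's Config delivery can write unless a separate source-account condition already pins it. Confirm the local is keyed by `statement.value` (or collapse the `dynamic` block to a single statement if one shared resource list really is the intent), and record the decision in a comment such as `# one Config path per account; intentionally not a wildcard over all accounts`. The enclosing `data "aws_iam_policy_document" "main"` starts and ends outside the hunk.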
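Review bot: The new `aws:kms` branch is unconditional, but several of the services this bucket exists to receive logs from can only deliver to a bucket whose default encryption is SSE-S3 — per AWS documentation that includes ELB/ALB/NLB access logs and S3 server access logs — so setting `kms_master_key_id` while `allow_elb`/`allow_alb`/`allow_nlb`/`allow_s3` (or `default_allow`, which the variable description says enables every service) is on will make those deliveries fail silently rather than at plan time. A `precondition` on this resource would turn that into a plan error; sketch below, with the `default_allow` reading taken from its description and worth confirming against the locals that drive the bucket policy. CloudTrail, Config and CloudWatch can write under SSE-KMS, but only if the key policy grants their service principals `kms:GenerateDataKey*`, and cross-account writers (`cloudtrail_accounts`, `config_accounts`) need the key as a full ARN rather than a bare key ID — neither is enforced or documented here, so at least extend the `kms_master_key_id` description with both caveats. With `bucket_key_enabled` defaulting to `false`, every log object PUT becomes a KMS request, and high-volume log delivery can run into KMS throttling, so consider noting that `true` is the usual choice for a log bucket. The enclosing resource starts outside this hunk; its header is visible only in the `@@` context.
```hcl
resource "aws_s3_bucket_server_side_encryption_configuration" "aws_logs" {
  # … unchanged: bucket argument and rule block …

  lifecycle {
    precondition {
      # ELB/ALB/NLB access logs and S3 server access logs are only delivered to a
      # bucket whose default encryption is SSE-S3; with SSE-KMS the service cannot
      # write and the failure is silent. Requires Terraform >= 1.2.
      condition     = length(var.kms_master_key_id) == 0 || !(var.default_allow || var.allow_elb || var.allow_alb || var.allow_nlb || var.allow_s3)
      error_message = "kms_master_key_id cannot be combined with ELB/ALB/NLB or S3 access logging (default_allow, allow_elb, allow_alb, allow_nlb, allow_s3); those services only deliver to SSE-S3 buckets."
    }
  }
}
```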
@@ -39,34 +10,9 @@ variable "alb_logs_prefixes" {
 type = list(string)
 }
-variable "cloudwatch_logs_prefix" {
- description = "S3 prefix for CloudWatch log exports."
- default = "cloudwatch"
- type = string
-}
-
-variable "cloudtrail_logs_prefix" {
- description = "S3 prefix for CloudTrail logs."
- default = "cloudtrail"
- type = string
-}
-
-variable "redshift_logs_prefix" {
- description = "S3 prefix for RedShift logs."
- default = "redshift"
- type = string
-}
-
-variable "config_logs_prefix" {
- description = "S3 prefix for AWS Config logs."
- default = "config"
- type = string
-}
-
-# Service Switches
-variable "default_allow" {
- description = "Whether all services included in this module should be allowed to write to the bucket by default. Alternatively select individual services. It's recommended to use the default bucket ACL of log-delivery-write."
- default = true
+variable "allow_alb" {
+ description = "Allow ALB service to log to bucket."
+ default = false
 type = bool
 }
@@ -82,18 +28,6 @@ variable "allow_cloudwatch" {
 type = bool
 }
-variable "allow_alb" {
- description = "Allow ALB service to log to bucket."
- default = false
- type = bool
-}
-
-variable "allow_nlb" {
- description = "Allow NLB service to log to bucket."
- default = false
- type = bool
-}
-
 variable "allow_config" {
 description = "Allow Config service to log to bucket."
 default = false
@@ -106,6 +40,12 @@ variable "allow_elb" {
 type = bool
 }
+variable "allow_nlb" {
+ description = "Allow NLB service to log to bucket."
+ default = false
+ type = bool
+}
+
 variable "allow_redshift" {
 description = "Allow Redshift service to log to bucket."
 default = false
@@ -118,10 +58,10 @@ variable "allow_s3" {
 type = bool
 }
-variable "create_public_access_block" {
- description = "Whether to create a public_access_block restricting public access to the bucket."
- default = true
+variable "bucket_key_enabled" {
+ description = "Whether or not to use Amazon S3 Bucket Keys for SSE-KMS."
 type = bool
+ default = false
 }
 variable "cloudtrail_accounts" {
@@ -130,46 +70,88 @@ variable "cloudtrail_accounts" {
 type = list(string)
 }
+variable "cloudtrail_logs_prefix" {
+ description = "S3 prefix for CloudTrail logs."
+ default = "cloudtrail"
+ type = string
+}
+
+variable "cloudtrail_org_id" {
+ description = "AWS Organization ID for CloudTrail."
+ default = ""
+ type = string
+}
+
+variable "cloudwatch_logs_prefix" {
+ description = "S3 prefix for CloudWatch log exports."
+ default = "cloudwatch"
+ type = string
+}
+
 variable "config_accounts" {
 description = "List of accounts for Config logs. By default limits to the current account."
 default = []
 type = list(string)
 }
-variable "alb_account" {
- description = "Account for ALB logs. By default limits to the current account."
- default = ""
+variable "config_logs_prefix" {
+ description = "S3 prefix for AWS Config logs."
+ default = "config"
 type = string
 }
+variable "control_object_ownership" {
+ description = "Whether to manage S3 Bucket Ownership Controls on this bucket."
+ type = bool
+ default = true
+}
+
+variable "create_public_access_block" {
+ description = "Whether to create a public_access_block restricting public access to the bucket."
+ default = true
+ type = bool
+}
+
+variable "default_allow" {
+ description = "Whether all services included in this module should be allowed to write to the bucket by default. Alternatively select individual services. It's recommended to use the default bucket ACL of log-delivery-write."
+ default = true
+ type = bool
+}
+
 variable "elb_accounts" {
 description = "List of accounts for ELB logs. By default limits to the current account."
 default = []
 type = list(string)
 }
-variable "nlb_account" {
- description = "Account for NLB logs. By default limits to the current account."
- default = ""
- type = string
+variable "elb_logs_prefix" {
+ description = "S3 prefix for ELB logs."
+ default = ["elb"]
+ type = list(string)
 }
-variable "force_destroy" {
- description = "A bool that indicates all objects (including any locked objects) should be deleted from the bucket so the bucket can be destroyed without error."
+variable "enable_mfa_delete" {
+ description = "A bool that requires MFA to delete the log bucket."
 default = false
 type = bool
 }
-variable "nlb_logs_prefixes" {
- description = "S3 key prefixes for NLB logs."
- default = ["nlb"]
- type = list(string)
+variable "enable_s3_log_bucket_lifecycle_rule" {
+ description = "Whether the lifecycle rule for the log bucket is enabled."
+ default = true
+ type = bool
 }
-variable "cloudtrail_org_id" {
- description = "AWS Organization ID for CloudTrail."
- default = ""
+variable "force_destroy" {
+ description = "A bool that indicates all objects (including any locked objects) should be deleted from the bucket so the bucket can be destroyed without error."
+ default = false
+ type = bool
+}
+
+variable "kms_master_key_id" {
+ description = "The AWS KMS master key ID used for the SSE-KMS encryption. If blank, bucket encryption configuration defaults to AES256."
 type = string
+ default = ""
 }
 variable "logging_target_bucket" {
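Review bot: `elb_logs_prefix` changes type from `string` (default `"elb"`) to `list(string)` (default `["elb"]`) in a commit titled as passing a KMS key; any caller setting `elb_logs_prefix = "elb"` now fails type-checking at plan time, and the README's Upgrade Paths section touched in this same commit says nothing about it. Either keep the variable a string or call the change out in the commit message and README, and update the description to match the new shape, e.g. `description = "S3 key prefixes for ELB logs."` as `alb_logs_prefixes` and `nlb_logs_prefixes` already do. The `main.tf` hunks in this series do not show the consumer of this variable changing, so confirm the bucket-policy local that builds the ELB resource paths iterates a list rather than interpolating a string. The hunk runs on into `variable "logging_target_bucket"`, whose body is outside view.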
@@ -184,6 +166,59 @@ variable "logging_target_prefix" {
 type = string
 }
+variable "nlb_account" {
+ description = "Account for NLB logs. By default limits to the current account."
+ default = ""
+ type = string
+}
+
+variable "nlb_logs_prefixes" {
+ description = "S3 key prefixes for NLB logs."
+ default = ["nlb"]
+ type = list(string)
+}
+
+variable "noncurrent_version_retention" {
+ description = "Number of days to retain non-current versions of objects if versioning is enabled."
+ type = string
+ default = 30
+}
+
+variable "object_ownership" {
+ description = "Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter."
+ type = string
+ default = "BucketOwnerEnforced"
+}
+
+variable "redshift_logs_prefix" {
+ description = "S3 prefix for RedShift logs."
+ default = "redshift"
+ type = string
+}
+
+variable "s3_bucket_acl" {
+ description = "Set bucket ACL per [AWS S3 Canned ACL]() list."
+ default = null
+ type = string
+}
+
+variable "s3_bucket_name" {
+ description = "S3 bucket to store AWS logs in."
+ type = string
+}
+
+variable "s3_log_bucket_retention" {
+ description = "Number of days to keep AWS logs around."
+ default = 90
+ type = string
+}
+
+variable "s3_logs_prefix" {
+ description = "S3 prefix for S3 access logs."
+ default = "s3"
+ type = string
+}
+
 variable "tags" {
 type = map(string)
 default = {}
@@ -199,27 +234,3 @@ variable "versioning_status" {
 error_message = "Valid values for versioning_status are Enabled, Disabled, or Suspended."
 }
 }
-
-variable "enable_s3_log_bucket_lifecycle_rule" {
- description = "Whether the lifecycle rule for the log bucket is enabled."
- default = true
- type = bool
-}
-
-variable "enable_mfa_delete" {
- description = "A bool that requires MFA to delete the log bucket."
- default = false
- type = bool
-}
-
-variable "control_object_ownership" {
- description = "Whether to manage S3 Bucket Ownership Controls on this bucket."
- type = bool
- default = true
-}
-
-variable "object_ownership" {
- description = "Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter."
- type = string
- default = "BucketOwnerEnforced"
-}

From 0421d73603e8d721820d92b3da9ed9dc2dfb64d5 Mon Sep 17 00:00:00 2001
From: Barry Morrison
Date: Mon, 13 Jan 2025 13:00:43 -0600
Subject: [PATCH 7/8] chore: renovate migration

---
 renovate.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/renovate.json b/renovate.json
index e0d727e..ed994bc 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,6 @@
 {
 "extends": [
- "config:base",
+ "config:recommended",
 "helpers:pinGitHubActionDigests"
 ],
 "labels": [

From 62cb31e90fb371bbe441f7713fb2ae3013fbfec8 Mon Sep 17 00:00:00 2001
From: Barry Morrison
Date: Mon, 13 Jan 2025 13:42:36 -0600
Subject: [PATCH 8/8] chore: renovate migration

---
 renovate.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/renovate.json b/renovate.json
index ed994bc..6dc744f 100644
--- a/renovate.json
+++ b/renovate.json
@@ -30,7 +30,7 @@
 "automerge": true,
 "description": "Group minor and patch updates into a single PR",
 "groupName": "dependencies",
- "managers": [
+ "matchManagers": [
 "terraform",
 "pre-commit",
 "github-actions"
@@ -41,7 +41,6 @@
 ]
 }
 ],
- "prConcurrentLimit": 2,
 "schedule": [
 "every weekend"
 ],