Deprecation Notice, Terraform Provider v5 Support (#93)

Author: milldr

.github/renovate.json

@@ -1,13 +1,14 @@
 {
   "extends": [
     "config:base",
-    ":preserveSemverRanges"
+    ":preserveSemverRanges",
+    ":rebaseStalePrs"
   ],
-  "baseBranches": ["main", "master", "/^release\\/v\\d{1,2}$/"],
+  "baseBranches": ["main"],
   "labels": ["auto-update"],
   "dependencyDashboardAutoclose": true,
   "enabledManagers": ["terraform"],
   "terraform": {
-    "ignorePaths": ["**/context.tf", "examples/**"]
+    "ignorePaths": ["**/context.tf"]
   }
 }

.github/workflows/release-branch.yml

@@ -10,6 +10,7 @@ on:
       - 'docs/**'
       - 'examples/**'
       - 'test/**'
+      - 'README.*'
 
 permissions:
   contents: write

.github/workflows/release-published.yml

@@ -11,4 +11,4 @@ permissions:
 
 jobs:
   terraform-module:
-    uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main
+    uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main

README.md

@@ -1,6 +1,8 @@
 
 <!-- markdownlint-disable -->
-# terraform-aws-s3-website [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-s3-website.svg)](https://github.com/cloudposse/terraform-aws-s3-website/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
+# ~~terraform-aws-s3-website~~ OBSOLETE
+
+ [![Latest Release](https://img.shields.io/github/release/cloudposse/terraform-aws-s3-website.svg)](https://github.com/cloudposse/terraform-aws-s3-website/releases/latest) [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com)
 <!-- markdownlint-restore -->
 
 [![README Header][readme_header_img]][readme_header_link]
@@ -28,6 +30,16 @@
 
 -->
 
+
+## Deprecated
+
+**As of July, 2023 this module is deprecated.** `terraform-aws-s3-website` offers little value beyond [
+the `terraform-aws-s3-bucket` module](https://github.com/cloudposse/terraform-aws-s3-bucket), 
+so Cloud Posse is phasing out support for this project.  Users are advised to migrate to 
+[terraform-aws-s3-bucket](https://github.com/cloudposse/terraform-aws-s3-bucket) to manage the S3 bucket
+(including logging) and [terraform-aws-route53-alias](https://github.com/cloudposse/terraform-aws-route53-alias) 
+to register the website hostname in Route53. Feature requests should be directed to those modules.
+
 Terraform module to provision S3-backed Websites.
 **IMPORTANT:** This module provisions a globally accessible S3 bucket for unauthenticated users because it is designed for hosting public static websites. Normally, AWS recommends that S3 buckets should not publicly accessible in order to protect S3 data from unauthorized users.
 
@@ -89,10 +101,6 @@ We highly recommend that in your code you pin the version to the exact version y
 using so that your infrastructure remains stable, and update versions in a
 systematic way so that they do not catch you by surprise.
 
-Also, because of a bug in the Terraform registry ([hashicorp/terraform#21417](https://github.com/hashicorp/terraform/issues/21417)),
-the registry shows many of our inputs as required when in fact they are optional.
-The table below correctly indicates which inputs are required.
-
 
 #### Create s3 website bucket
 
@@ -153,31 +161,33 @@ Available targets:
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0, < 4.0.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0, < 4.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_default_label"></a> [default\_label](#module\_default\_label) | cloudposse/label/null | 0.25.0 |
 | <a name="module_dns"></a> [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.13.0 |
-| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.20.0 |
+| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 1.4.2 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_ownership_controls.s3_bucket_ownership_controls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.s3_allow_public_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -440,11 +450,11 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
   [readme_footer_link]: https://cloudposse.com/readme/footer/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-s3-website&utm_content=readme_footer_link
   [readme_commercial_support_img]: https://cloudposse.com/readme/commercial-support/img
   [readme_commercial_support_link]: https://cloudposse.com/readme/commercial-support/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-s3-website&utm_content=readme_commercial_support_link
-  [share_twitter]: https://twitter.com/intent/tweet/?text=terraform-aws-s3-website&url=https://github.com/cloudposse/terraform-aws-s3-website
-  [share_linkedin]: https://www.linkedin.com/shareArticle?mini=true&title=terraform-aws-s3-website&url=https://github.com/cloudposse/terraform-aws-s3-website
+  [share_twitter]: https://twitter.com/intent/tweet/?text=~~terraform-aws-s3-website~~+OBSOLETE&url=https://github.com/cloudposse/terraform-aws-s3-website
+  [share_linkedin]: https://www.linkedin.com/shareArticle?mini=true&title=~~terraform-aws-s3-website~~+OBSOLETE&url=https://github.com/cloudposse/terraform-aws-s3-website
   [share_reddit]: https://reddit.com/submit/?url=https://github.com/cloudposse/terraform-aws-s3-website
   [share_facebook]: https://facebook.com/sharer/sharer.php?u=https://github.com/cloudposse/terraform-aws-s3-website
   [share_googleplus]: https://plus.google.com/share?url=https://github.com/cloudposse/terraform-aws-s3-website
-  [share_email]: mailto:?subject=terraform-aws-s3-website&body=https://github.com/cloudposse/terraform-aws-s3-website
+  [share_email]: mailto:?subject=~~terraform-aws-s3-website~~+OBSOLETE&body=https://github.com/cloudposse/terraform-aws-s3-website
   [beacon]: https://ga-beacon.cloudposse.com/UA-76589703-4/cloudposse/terraform-aws-s3-website?pixel&cs=github&cm=readme&an=terraform-aws-s3-website
 <!-- markdownlint-restore -->

README.yaml

@@ -4,7 +4,7 @@
 #
 
 # Name of this project
-name: terraform-aws-s3-website
+name: ~~terraform-aws-s3-website~~ OBSOLETE
 # Tags of this project
 tags:
   - aws
@@ -50,6 +50,16 @@ related:
     url: "https://github.com/cloudposse/terraform-aws-lb-s3-bucket"
 # Short description of this project
 description: |-
+  
+  ## Deprecated
+  
+  **As of July, 2023 this module is deprecated.** `terraform-aws-s3-website` offers little value beyond [
+  the `terraform-aws-s3-bucket` module](https://github.com/cloudposse/terraform-aws-s3-bucket), 
+  so Cloud Posse is phasing out support for this project.  Users are advised to migrate to 
+  [terraform-aws-s3-bucket](https://github.com/cloudposse/terraform-aws-s3-bucket) to manage the S3 bucket
+  (including logging) and [terraform-aws-route53-alias](https://github.com/cloudposse/terraform-aws-route53-alias) 
+  to register the website hostname in Route53. Feature requests should be directed to those modules.
+
   Terraform module to provision S3-backed Websites.
   **IMPORTANT:** This module provisions a globally accessible S3 bucket for unauthenticated users because it is designed for hosting public static websites. Normally, AWS recommends that S3 buckets should not publicly accessible in order to protect S3 data from unauthorized users.
 # How to use this project

docs/terraform.md

@@ -3,31 +3,33 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0, < 4.0.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.0, < 4.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_default_label"></a> [default\_label](#module\_default\_label) | cloudposse/label/null | 0.25.0 |
 | <a name="module_dns"></a> [dns](#module\_dns) | cloudposse/route53-alias/aws | 0.13.0 |
-| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 0.20.0 |
+| <a name="module_logs"></a> [logs](#module\_logs) | cloudposse/s3-log-storage/aws | 1.4.2 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_s3_bucket.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_ownership_controls.s3_bucket_ownership_controls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.s3_allow_public_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.deployment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

examples/complete/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+    local = {
+      source  = "hashicorp/local"
+      version = ">= 1.2"
+    }
+  }
+}

main.tf

@@ -1,6 +1,6 @@
 locals {
   enabled    = module.this.enabled
-  bucket_arn = "arn:${data.aws_partition.current.partition}:s3:::${join("", aws_s3_bucket.default.*.id)}"
+  bucket_arn = "arn:${data.aws_partition.current.partition}:s3:::${join("", aws_s3_bucket.default[*].id)}"
 
   website_config = {
     redirect_all = [
@@ -19,10 +19,12 @@ locals {
 }
 
 module "logs" {
-  source                   = "cloudposse/s3-log-storage/aws"
-  version                  = "0.20.0"
+  source  = "cloudposse/s3-log-storage/aws"
+  version = "1.4.2"
+
+  enabled = local.enabled && var.logs_enabled
+
   attributes               = ["logs"]
-  enabled                  = local.enabled && var.logs_enabled
   standard_transition_days = var.logs_standard_transition_days
   glacier_transition_days  = var.logs_glacier_transition_days
   expiration_days          = var.logs_expiration_days
@@ -38,13 +40,36 @@ module "default_label" {
   context    = module.this.context
 }
 
+resource "aws_s3_bucket_public_access_block" "s3_allow_public_access" {
+  count = local.enabled ? 1 : 0
+
+  # The bucket used for a public static website.
+  #bridgecrew:skip=BC_AWS_S3_19:Skipping `Ensure S3 bucket has block public ACLS enabled`
+  #bridgecrew:skip=BC_AWS_S3_20:Skipping `Ensure S3 Bucket BlockPublicPolicy is set to True`
+  #bridgecrew:skip=BC_AWS_S3_21:Skipping `Ensure S3 bucket IgnorePublicAcls is set to True`
+  #bridgecrew:skip=BC_AWS_S3_22:Skipping `Ensure S3 bucket RestrictPublicBucket is set to True`
+  bucket = aws_s3_bucket.default[0].id
+
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = false
+  restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_ownership_controls" "s3_bucket_ownership_controls" {
+  count = local.enabled ? 1 : 0
+
+  bucket = aws_s3_bucket.default[0].id
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
+
 resource "aws_s3_bucket" "default" {
   count = local.enabled ? 1 : 0
 
-  #bridgecrew:skip=BC_AWS_S3_1:The bucket used for a public static website. (https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone)
   #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
   #bridgecrew:skip=CKV_AWS_52:Skipping `Ensure S3 bucket has MFA delete enabled` due to issue using `mfa_delete` by terraform (https://github.com/hashicorp/terraform-provider-aws/issues/629).
-  acl           = "public-read"
   bucket        = var.hostname
   tags          = module.default_label.tags
   force_destroy = var.force_destroy
@@ -115,6 +140,8 @@ resource "aws_s3_bucket_policy" "default" {
 
   bucket = aws_s3_bucket.default[0].id
   policy = data.aws_iam_policy_document.default[0].json
+
+  depends_on = [aws_s3_bucket_public_access_block.s3_allow_public_access[0]]
 }
 
 data "aws_iam_policy_document" "default" {
@@ -155,7 +182,7 @@ data "aws_iam_policy_document" "default" {
 
   # Support replication ARNs
   dynamic "statement" {
-    for_each = flatten(data.aws_iam_policy_document.replication.*.statement)
+    for_each = flatten(data.aws_iam_policy_document.replication[*].statement)
     content {
       actions       = lookup(statement.value, "actions", null)
       effect        = lookup(statement.value, "effect", null)
@@ -193,7 +220,7 @@ data "aws_iam_policy_document" "default" {
 
   # Support deployment ARNs
   dynamic "statement" {
-    for_each = flatten(data.aws_iam_policy_document.deployment.*.statement)
+    for_each = flatten(data.aws_iam_policy_document.deployment[*].statement)
     content {
       actions       = lookup(statement.value, "actions", null)
       effect        = lookup(statement.value, "effect", null)
@@ -287,8 +314,8 @@ module "dns" {
   aliases          = compact([signum(length(var.parent_zone_id)) == 1 || signum(length(var.parent_zone_name)) == 1 ? var.hostname : ""])
   parent_zone_id   = var.parent_zone_id
   parent_zone_name = var.parent_zone_name
-  target_dns_name  = join("", aws_s3_bucket.default.*.website_domain)
-  target_zone_id   = join("", aws_s3_bucket.default.*.hosted_zone_id)
+  target_dns_name  = join("", aws_s3_bucket.default[*].website_domain)
+  target_zone_id   = join("", aws_s3_bucket.default[*].hosted_zone_id)
 
   context = module.this.context
 }

outputs.tf

@@ -4,31 +4,31 @@ output "hostname" {
 }
 
 output "s3_bucket_name" {
-  value       = join("", aws_s3_bucket.default.*.id)
+  value       = join("", aws_s3_bucket.default[*].id)
   description = "DNS record of the website bucket"
 }
 
 output "s3_bucket_domain_name" {
-  value       = join("", aws_s3_bucket.default.*.bucket_domain_name)
+  value       = join("", aws_s3_bucket.default[*].bucket_domain_name)
   description = "Name of the website bucket"
 }
 
 output "s3_bucket_arn" {
-  value       = join("", aws_s3_bucket.default.*.arn)
+  value       = join("", aws_s3_bucket.default[*].arn)
   description = "ARN identifier of the website bucket"
 }
 
 output "s3_bucket_website_endpoint" {
-  value       = join("", aws_s3_bucket.default.*.website_endpoint)
+  value       = join("", aws_s3_bucket.default[*].website_endpoint)
   description = "The website endpoint URL"
 }
 
 output "s3_bucket_website_domain" {
-  value       = join("", aws_s3_bucket.default.*.website_domain)
+  value       = join("", aws_s3_bucket.default[*].website_domain)
   description = "The domain of the website endpoint"
 }
 
 output "s3_bucket_hosted_zone_id" {
-  value       = join("", aws_s3_bucket.default.*.hosted_zone_id)
+  value       = join("", aws_s3_bucket.default[*].hosted_zone_id)
   description = "The Route 53 Hosted Zone ID for this bucket's region"
 }

test/src/go.mod

@@ -1,14 +1,28 @@
 module github.com/cloudposse/terraform-aws-s3-website
 
-go 1.13
+go 1.20
 
 require (
-	github.com/aws/aws-sdk-go v1.34.6 // indirect
+	github.com/gruntwork-io/terratest v0.34.7
+	github.com/stretchr/testify v1.6.1
+)
+
+require (
+	github.com/agext/levenshtein v1.2.1 // indirect
+	github.com/apparentlymart/go-textseg v1.0.0 // indirect
+	github.com/apparentlymart/go-textseg/v12 v12.0.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/google/uuid v1.1.1 // indirect
-	github.com/gruntwork-io/terratest v0.16.0
-	github.com/pquerna/otp v1.2.0 // indirect
-	github.com/stretchr/testify v1.5.1
-	golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f // indirect
-	golang.org/x/sys v0.0.0-20190527104216-9cd6430ef91e // indirect
+	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.8.2 // indirect
+	github.com/hashicorp/terraform-json v0.9.0 // indirect
+	github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a // indirect
+	github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/zclconf/go-cty v1.2.1 // indirect
+	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 // indirect
+	golang.org/x/net v0.0.0-20201021035429-f5854403a974 // indirect
+	golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f // indirect
+	golang.org/x/text v0.3.3 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
 )