feat: add ability to turn off S3 public access block (#164)

Copy of #162 with renaming of variables.

---------

Co-authored-by: jameslarrea <[email protected]>

Author: tembleking

examples/organizational/README.md

@@ -208,6 +208,7 @@ $ terraform apply
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_organizational_member_default_admin_role"></a> [organizational\_member\_default\_admin\_role](#input\_organizational\_member\_default\_admin\_role) | Default role created by AWS for management-account users to be able to admin member accounts.<br/>https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html | `string` | `"OrganizationAccountAccessRole"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | customization of tags to be assigned to all resources. <br/>always include 'product' default tag for resource-group proper functioning.<br/>can also make use of the [provider-level `default-tags`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags) | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
+| <a name="input_temporary_cloudtrail_s3_bucket_public_block"></a> [temporary\_cloudtrail\_s3\_bucket\_public\_block](#input\_temporary\_cloudtrail\_s3\_bucket\_public\_block) | Create a S3 bucket public access block configuration.<br/>This is a temporary variable that will be removed once https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/ is made effective.<br/>After it, the resource will never be created. | `bool` | `true` | no |
 
 ## Outputs
 

examples/organizational/cloudtrail.tf

@@ -16,9 +16,9 @@ module "cloudtrail" {
     sysdig_secure_for_cloud_member_account_id = var.sysdig_secure_for_cloud_member_account_id
     organizational_role_per_account           = var.organizational_member_default_admin_role
   }
-  is_multi_region_trail     = var.cloudtrail_is_multi_region_trail
-  cloudtrail_kms_enable     = var.cloudtrail_kms_enable
-  s3_bucket_expiration_days = var.cloudtrail_s3_bucket_expiration_days
-
-  tags = var.tags
+  is_multi_region_trail            = var.cloudtrail_is_multi_region_trail
+  cloudtrail_kms_enable            = var.cloudtrail_kms_enable
+  s3_bucket_expiration_days        = var.cloudtrail_s3_bucket_expiration_days
+  temporary_s3_bucket_public_block = var.temporary_cloudtrail_s3_bucket_public_block
+  tags                             = var.tags
 }

examples/organizational/variables.tf

@@ -46,6 +46,12 @@ variable "cloudtrail_s3_bucket_expiration_days" {
   description = "Number of days that the logs will persist in the bucket"
 }
 
+variable "temporary_cloudtrail_s3_bucket_public_block" {
+  type        = bool
+  default     = true
+  description = "Create a S3 bucket public access block configuration.<br/>This is a temporary variable that will be removed once https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/ is made effective.<br/>After it, the resource will never be created."
+}
+
 variable "existing_cloudtrail_config" {
   type = object({
     cloudtrail_s3_arn         = optional(string)
@@ -170,7 +176,6 @@ variable "ecs_task_memory" {
 }
 
 
-
 #
 # general
 #

examples/single-account-ecs/README.md

@@ -117,6 +117,7 @@ $ terraform apply
 | <a name="input_enable_autoscaling"></a> [enable\_autoscaling](#input\_enable\_autoscaling) | Whether to enable autoscaling or not | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | customization of tags to be assigned to all resources. <br/>always include 'product' default tag for resource-group proper functioning.<br/>can also make use of the [provider-level `default-tags`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags) | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
+| <a name="input_temporary_cloudtrail_s3_bucket_public_block"></a> [temporary\_cloudtrail\_s3\_bucket\_public\_block](#input\_temporary\_cloudtrail\_s3\_bucket\_public\_block) | Create a S3 bucket public access block configuration<br/>This is a temporary variable that will be removed once https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/ is made effective.<br/>After it, the resource will never be created. | `bool` | `true` | no |
 
 ## Outputs
 

examples/single-account-ecs/cloudtrail.tf

@@ -4,13 +4,13 @@ locals {
 }
 
 module "cloudtrail" {
-  count                     = local.cloudtrail_deploy ? 1 : 0
-  source                    = "../../modules/infrastructure/cloudtrail"
-  name                      = var.name
-  is_organizational         = false
-  is_multi_region_trail     = var.cloudtrail_is_multi_region_trail
-  cloudtrail_kms_enable     = var.cloudtrail_kms_enable
-  s3_bucket_expiration_days = var.cloudtrail_s3_bucket_expiration_days
-
-  tags = var.tags
+  count                            = local.cloudtrail_deploy ? 1 : 0
+  source                           = "../../modules/infrastructure/cloudtrail"
+  name                             = var.name
+  is_organizational                = false
+  is_multi_region_trail            = var.cloudtrail_is_multi_region_trail
+  cloudtrail_kms_enable            = var.cloudtrail_kms_enable
+  s3_bucket_expiration_days        = var.cloudtrail_s3_bucket_expiration_days
+  temporary_s3_bucket_public_block = var.temporary_cloudtrail_s3_bucket_public_block
+  tags                             = var.tags
 }

examples/single-account-ecs/variables.tf

@@ -29,6 +29,12 @@ variable "cloudtrail_s3_bucket_expiration_days" {
   default     = 5
   description = "Number of days that the logs will persist in the bucket"
 }
+
+variable "temporary_cloudtrail_s3_bucket_public_block" {
+  type        = bool
+  default     = true
+  description = "Create a S3 bucket public access block configuration<br/>This is a temporary variable that will be removed once https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/ is made effective.<br/>After it, the resource will never be created."
+}
 #
 # ecs, security group,  vpc
 #

modules/infrastructure/cloudtrail/README.md

@@ -49,6 +49,7 @@ No modules.
 | <a name="input_organizational_config"></a> [organizational\_config](#input\_organizational\_config) | organizational\_config. following attributes must be given<br><ul><li>`sysdig_secure_for_cloud_member_account_id` to enable reading permission</li><br><li>`organizational_role_per_account` to enable SNS topic subscription. by default "OrganizationAccountAccessRole"</li></ul> | <pre>object({<br>    sysdig_secure_for_cloud_member_account_id = string<br>    organizational_role_per_account           = string<br>  })</pre> | <pre>{<br>  "organizational_role_per_account": null,<br>  "sysdig_secure_for_cloud_member_account_id": null<br>}</pre> | no |
 | <a name="input_s3_bucket_expiration_days"></a> [s3\_bucket\_expiration\_days](#input\_s3\_bucket\_expiration\_days) | Number of days that the logs will persist in the bucket | `number` | `5` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | customization of tags to be assigned to all resources. <br/>always include 'product' default tag for resource-group proper functioning.<br/>can also make use of the [provider-level `default-tags`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags) | `map(string)` | <pre>{<br>  "product": "sysdig-secure-for-cloud"<br>}</pre> | no |
+| <a name="input_temporary_s3_bucket_public_block"></a> [temporary\_s3\_bucket\_public\_block](#input\_temporary\_s3\_bucket\_public\_block) | Create a S3 bucket public access block configuration<br/>This is a temporary variable that will be removed once https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/ is made effective.<br/>After it, the resource will never be created. | `bool` | `true` | no |
 
 ## Outputs
 

modules/infrastructure/cloudtrail/s3.tf

@@ -45,6 +45,7 @@ resource "aws_s3_bucket_acl" "cloudtrail" {
 # -------------------------
 
 resource "aws_s3_bucket_public_access_block" "cloudtrail" {
+  count                   = var.temporary_s3_bucket_public_block == false ? 0 : 1
   bucket                  = aws_s3_bucket.cloudtrail.id
   block_public_acls       = true
   block_public_policy     = true

modules/infrastructure/cloudtrail/variables.tf

@@ -39,6 +39,12 @@ variable "s3_bucket_expiration_days" {
   description = "Number of days that the logs will persist in the bucket"
 }
 
+variable "temporary_s3_bucket_public_block" {
+  type        = bool
+  default     = true
+  description = "Create a S3 bucket public access block configuration<br/>This is a temporary variable that will be removed once https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/ is made effective.<br/>After it, the resource will never be created."
+}
+
 variable "cloudtrail_kms_enable" {
   type        = bool
   default     = true