Merge pull request #32 from chris-qa-org/fix-bucket-acls

Fix bucket ACLs

Author: Stretch96

.github/workflows/continuous-integration-terraform.yml

@@ -55,7 +55,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
 
       - name: Generate Terraform docs
-        uses: terraform-docs/gh-actions@v1.0.0
+        uses: terraform-docs/gh-actions@v1.4.1
         with:
           working-dir: .
           config-file: .terraform-docs.yml

README.md

@@ -97,8 +97,6 @@ module "static_site_hosting" {
 | [aws_s3_bucket.static_site](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.cloudfront_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_acl.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
-| [aws_s3_bucket_acl.site_redirect_to_www](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
-| [aws_s3_bucket_acl.static_site](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_logging.site_redirect_to_www](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_logging.static_site](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_ownership_controls.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
@@ -127,13 +125,13 @@ module "static_site_hosting" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_cloudfront_static_site_custom_error_responses"></a> [cloudfront\_static\_site\_custom\_error\_responses](#input\_cloudfront\_static\_site\_custom\_error\_responses) | CloudFront Static Site custom error responses | <pre>map(object({<br>    response_code      = string<br>    response_page_path = string<br>  }))</pre> | <pre>{<br>  "404": {<br>    "response_code": "404",<br>    "response_page_path": "/404.html"<br>  }<br>}</pre> | no |
-| <a name="input_cloudfront_static_site_default_cache_behaviour"></a> [cloudfront\_static\_site\_default\_cache\_behaviour](#input\_cloudfront\_static\_site\_default\_cache\_behaviour) | Default cache behaviour block for the Static Site CloudFront Distribution | <pre>object({<br>    allowed_methods = optional(list(string), ["GET", "HEAD"])<br>    cached_methods  = optional(list(string), ["GET", "HEAD"])<br>    cache_policy_id = optional(string, null)<br>    compress        = optional(bool, true)<br>    default_ttl     = optional(number, 0)<br>    lambda_function_associations = optional(map(object({<br>      event_type   = string<br>      lambda_arn   = string<br>      include_body = optional(bool, false)<br>    })), {})<br>    function_associations = optional(map(object({<br>      event_type   = string<br>      function_arn = string<br>    })), {})<br>    max_ttl                    = optional(number, 31536000)<br>    min_ttl                    = optional(number, 1)<br>    origin_request_policy_id   = optional(string, null)<br>    realtime_log_config_arn    = optional(string, null)<br>    response_headers_policy_id = optional(string, null)<br>    smooth_streaming           = optional(bool, false)<br>    trusted_signers            = optional(list(string), null)<br>    viewer_protocol_policy     = optional(string, "redirect-to-https")<br>  })</pre> | `{}` | no |
+| <a name="input_cloudfront_static_site_custom_error_responses"></a> [cloudfront\_static\_site\_custom\_error\_responses](#input\_cloudfront\_static\_site\_custom\_error\_responses) | CloudFront Static Site custom error responses | <pre>map(object({<br/>    response_code      = string<br/>    response_page_path = string<br/>  }))</pre> | <pre>{<br/>  "404": {<br/>    "response_code": "404",<br/>    "response_page_path": "/404.html"<br/>  }<br/>}</pre> | no |
+| <a name="input_cloudfront_static_site_default_cache_behaviour"></a> [cloudfront\_static\_site\_default\_cache\_behaviour](#input\_cloudfront\_static\_site\_default\_cache\_behaviour) | Default cache behaviour block for the Static Site CloudFront Distribution | <pre>object({<br/>    allowed_methods = optional(list(string), ["GET", "HEAD"])<br/>    cached_methods  = optional(list(string), ["GET", "HEAD"])<br/>    cache_policy_id = optional(string, null)<br/>    compress        = optional(bool, true)<br/>    default_ttl     = optional(number, 0)<br/>    lambda_function_associations = optional(map(object({<br/>      event_type   = string<br/>      lambda_arn   = string<br/>      include_body = optional(bool, false)<br/>    })), {})<br/>    function_associations = optional(map(object({<br/>      event_type   = string<br/>      function_arn = string<br/>    })), {})<br/>    max_ttl                    = optional(number, 31536000)<br/>    min_ttl                    = optional(number, 1)<br/>    origin_request_policy_id   = optional(string, null)<br/>    realtime_log_config_arn    = optional(string, null)<br/>    response_headers_policy_id = optional(string, null)<br/>    smooth_streaming           = optional(bool, false)<br/>    trusted_signers            = optional(list(string), null)<br/>    viewer_protocol_policy     = optional(string, "redirect-to-https")<br/>  })</pre> | `{}` | no |
 | <a name="input_cloudfront_static_site_default_root_object"></a> [cloudfront\_static\_site\_default\_root\_object](#input\_cloudfront\_static\_site\_default\_root\_object) | CloudFront Static Site default root object | `string` | `"index.html"` | no |
 | <a name="input_cloudfront_static_site_http_version"></a> [cloudfront\_static\_site\_http\_version](#input\_cloudfront\_static\_site\_http\_version) | CloudFront Static Site http version | `string` | `"http2"` | no |
 | <a name="input_cloudfront_static_site_is_ipv6_enabled"></a> [cloudfront\_static\_site\_is\_ipv6\_enabled](#input\_cloudfront\_static\_site\_is\_ipv6\_enabled) | CloudFront Static Site enable ipv6 | `bool` | `true` | no |
 | <a name="input_cloudfront_static_site_price_class"></a> [cloudfront\_static\_site\_price\_class](#input\_cloudfront\_static\_site\_price\_class) | CloudFront Static Site price class | `string` | `"PriceClass_100"` | no |
-| <a name="input_cloudfront_static_site_restrictions"></a> [cloudfront\_static\_site\_restrictions](#input\_cloudfront\_static\_site\_restrictions) | Cloudfront Static Site restrictions block | <pre>object({<br>    geo_restriction = optional(object({<br>      restriction_type = string<br>      locations        = list(string)<br>    }))<br>  })</pre> | <pre>{<br>  "geo_restriction": {<br>    "locations": [],<br>    "restriction_type": "none"<br>  }<br>}</pre> | no |
+| <a name="input_cloudfront_static_site_restrictions"></a> [cloudfront\_static\_site\_restrictions](#input\_cloudfront\_static\_site\_restrictions) | Cloudfront Static Site restrictions block | <pre>object({<br/>    geo_restriction = optional(object({<br/>      restriction_type = string<br/>      locations        = list(string)<br/>    }))<br/>  })</pre> | <pre>{<br/>  "geo_restriction": {<br/>    "locations": [],<br/>    "restriction_type": "none"<br/>  }<br/>}</pre> | no |
 | <a name="input_cloudfront_static_site_tls_certificate_arn"></a> [cloudfront\_static\_site\_tls\_certificate\_arn](#input\_cloudfront\_static\_site\_tls\_certificate\_arn) | CloudFront static site TLS Certificate ARN. This is not required, as one will be created based on the `site_url`. Use this only if the created certificate is not sufficient. | `string` | `""` | no |
 | <a name="input_cloudfront_static_site_web_acl_id"></a> [cloudfront\_static\_site\_web\_acl\_id](#input\_cloudfront\_static\_site\_web\_acl\_id) | CloudFront static site Web ACL id | `string` | `null` | no |
 | <a name="input_enable_cloudfront"></a> [enable\_cloudfront](#input\_enable\_cloudfront) | Enable creation of CloudFront Distribution | `bool` | `true` | no |

s3-static-site-www-redirect.tf

@@ -30,13 +30,6 @@ resource "aws_s3_bucket_ownership_controls" "site_redirect_to_www" {
   }
 }
 
-resource "aws_s3_bucket_acl" "site_redirect_to_www" {
-  count = local.site_redirect_to_www ? 1 : 0
-
-  bucket = aws_s3_bucket.site_redirect_to_www[0].id
-  acl    = local.static_site_s3_acl
-}
-
 resource "aws_s3_bucket_public_access_block" "site_redirect_to_www" {
   count = local.site_redirect_to_www ? 1 : 0
 

s3-static-site.tf

@@ -26,11 +26,6 @@ resource "aws_s3_bucket_ownership_controls" "static_site" {
   }
 }
 
-resource "aws_s3_bucket_acl" "static_site" {
-  bucket = aws_s3_bucket.static_site.id
-  acl    = local.static_site_s3_acl
-}
-
 resource "aws_s3_bucket_public_access_block" "static_site" {
   bucket                  = aws_s3_bucket.static_site.id
   block_public_acls       = local.static_site_s3_acl == "public" ? false : true