From 2c68a19ea94bd7ce4182160b4833dfcee9f3764f Mon Sep 17 00:00:00 2001
From: MrDevOpsMan
Date: Tue, 15 Oct 2024 11:32:05 +0100
Subject: [PATCH 1/4] Update module_s3_bucket_cloudfront_logging.tf

need to also disable acl for usual cloudfront distros

---
 module_s3_bucket_cloudfront_logging.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/module_s3_bucket_cloudfront_logging.tf b/module_s3_bucket_cloudfront_logging.tf
index 7ede0f6..f8fd0a5 100644
--- a/module_s3_bucket_cloudfront_logging.tf
+++ b/module_s3_bucket_cloudfront_logging.tf
@@ -5,7 +5,7 @@ module "bucket_cloudwatch_logs_backup" {
 bucket = local.logging_bucket_name
 force_destroy = false
 tags = var.common_tags
-acl = var.whitelabel_domain ? null : "private"
+acl = var.whitelabel_domain || var.acl_disabled ? null : "private"
 object_ownership = "ObjectWriter"
 control_object_ownership = var.whitelabel_domain ? true : false
 attach_access_log_delivery_policy = var.whitelabel_domain ? true : false
From de22d1f1749fa976478e3928c2b6dd908448f68c Mon Sep 17 00:00:00 2001
From: MrDevOpsMan
Date: Tue, 15 Oct 2024 11:39:50 +0100
Subject: [PATCH 2/4] Update module_s3_bucket_cloudfront_logging.tf

update control of the owner control is well

---
 module_s3_bucket_cloudfront_logging.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/module_s3_bucket_cloudfront_logging.tf b/module_s3_bucket_cloudfront_logging.tf
index f8fd0a5..6a8b264 100644
--- a/module_s3_bucket_cloudfront_logging.tf
+++ b/module_s3_bucket_cloudfront_logging.tf
@@ -7,7 +7,7 @@ module "bucket_cloudwatch_logs_backup" {
 tags = var.common_tags
 acl = var.whitelabel_domain || var.acl_disabled ? null : "private"
 object_ownership = "ObjectWriter"
-control_object_ownership = var.whitelabel_domain ? true : false
+control_object_ownership = var.whitelabel_domain || var.acl_disabled ? true : false
 attach_access_log_delivery_policy = var.whitelabel_domain ? true : false
 # Bucket public access
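Review bot: `var.acl_disabled` on the added `acl` line is not declared anywhere until PATCH 3/4 of this series, so this commit on its own (and PATCH 2/4, which adds the same reference on the `control_object_ownership` line) fails `terraform validate`; folding the variable declaration into this commit, or reordering the series so variables.tf lands first, keeps every commit applyable and bisectable. The combined condition also reads more safely with explicit grouping, since the intent depends on `||` binding tighter than the conditional: `acl = (var.whitelabel_domain || var.acl_disabled) ? null : "private"`. The `module` block begins before the hunk and continues after it.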
From 0f508507b02f2d87490d9084e9b961ce173c3d6c Mon Sep 17 00:00:00 2001
From: MrDevOpsMan
Date: Tue, 15 Oct 2024 11:40:53 +0100
Subject: [PATCH 3/4] Update variables.tf

---
 variables.tf | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/variables.tf b/variables.tf
index d8cb247..26887df 100644
--- a/variables.tf
+++ b/variables.tf
@@ -133,6 +133,18 @@ variable "whitelabel_domain" {
 default = false
 }
+variable "acl_disabled" {
+ description = "Boolean flag to disable ACL"
+ type = bool
+ default = true
+}
+
+variable "owner_enabled" {
+ description = "Boolean flag to enable owner controlled"
+ type = bool
+ default = true
+}
+
 variable "common_tags" {
 type = map(string)
 description = "Implements the common tags."
@@ -141,4 +153,4 @@ variable "common_tags" {
 locals {
 logging_bucket_name = "${var.distribution_name}-cf-logs-${data.aws_region.current.name}-${lower(data.aws_iam_account_alias.current.account_alias)}"
 shared_origin_path = var.shared_origin_access_identity != "" ? var.shared_origin_access_identity : aws_cloudfront_origin_access_identity.current[0].cloudfront_access_identity_path
-}
\ No newline at end of file
+}
From bbd2502aa5ec13cf56fd4e9f010bd0a1f0c41ef5 Mon Sep 17 00:00:00 2001
From: MrDevOpsMan
Date: Tue, 15 Oct 2024 11:41:15 +0100
Subject: [PATCH 4/4] Update module_s3_bucket_cloudfront_logging.tf

---
 module_s3_bucket_cloudfront_logging.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/module_s3_bucket_cloudfront_logging.tf b/module_s3_bucket_cloudfront_logging.tf
index 6a8b264..a1a5c1e 100644
--- a/module_s3_bucket_cloudfront_logging.tf
+++ b/module_s3_bucket_cloudfront_logging.tf
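Review bot: Both new variables default to `true`, which silently changes the result for every existing caller of this module: a non-whitelabel logging bucket that previously got `acl = "private"` and `control_object_ownership = false` now gets `acl = null` and `control_object_ownership = true` without any change on the caller's side. Defaulting both to `false` keeps the new behaviour opt-in; if it is meant to become the default, that should be called out as a breaking change in the module's README or changelog. The descriptions restate the type instead of the effect; something like `description = "When true, leave the logging bucket's acl argument unset (null) instead of \"private\"."` and `description = "When true, attach S3 Object Ownership controls to the logging bucket."` tells a caller what flipping the flag does. `owner_enabled` is declared here but not consumed until PATCH 4/4, so PATCH 3/4 on its own introduces an unused variable.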
@@ -7,7 +7,7 @@ module "bucket_cloudwatch_logs_backup" {
 tags = var.common_tags
 acl = var.whitelabel_domain || var.acl_disabled ? null : "private"
 object_ownership = "ObjectWriter"
-control_object_ownership = var.whitelabel_domain || var.acl_disabled ? true : false
+control_object_ownership = var.whitelabel_domain || var.owner_enabled ? true : false
 attach_access_log_delivery_policy = var.whitelabel_domain ? true : false
 # Bucket public access
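Review bot: With `object_ownership` still hard-coded to `"ObjectWriter"` two lines above the changed line, the `acl_disabled` flag never actually disables ACLs: S3 disables ACLs only under the `BucketOwnerEnforced` ownership setting, and `ObjectWriter` keeps them enabled, so `acl = null` just leaves the bucket at its default ACL while ownership controls are now managed for every caller via `owner_enabled`. If disabling ACLs is the goal, the ownership value has to follow the flag, e.g. `object_ownership = var.acl_disabled ? "BucketOwnerEnforced" : "ObjectWriter"` — but CloudFront standard (legacy) logging, which this bucket appears to serve, requires ACLs to be enabled on the target bucket, so that choice may need to be documented as incompatible with the bucket's purpose; otherwise the flag should be renamed to describe what it does. The `? true : false` on an already-boolean expression is redundant: `control_object_ownership = var.whitelabel_domain || var.owner_enabled`. The `module` block begins before the hunk and continues after it.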