feat!: enable support for aws provider 4.0+ (#49)

BREAKING CHANGE: This release drops support for AWS provider <4.0

When updating to this version, the diff will show each of the new resources as needing to be created. However, each of the new aws_s3_bucket_* resources relies on S3 API calls that utilize a PUT action in order to modify the target S3 bucket. Because these API calls adhere to standard HTTP methods for REST APIs, they should handle situations where the target configuration already exists (as noted in the HTTP RFC). Given that this is the case, it's not strictly necessary to import any new aws_s3_bucket_* resources that are a one-to-one translation from previous versions of the AWS provider -- on the next terraform apply, they'll attempt the PUT, and update the state with the results as necessary.

README.md

@@ -72,6 +72,7 @@ Cloudwatch log sync are namspaced by module.
 
 ## Module Versions
 
+**Version 3.x.x** and greater require terraform version > 0.13.x and AWS provider > 4.0.0.
 **Version 2.x.x** and greater require terraform version > 0.13.x and AWS provider < 4.0.0.  
 **Version 1.x.x** is the latest version that support terraform version 0.12.x and AWS provider < 4.0.0.  
 When using this module, please be sure to [pin to a compatible version](https://www.terraform.io/docs/configuration/modules.html#module-versions).

logs_monitoring_elb.tf

@@ -25,48 +25,46 @@ locals {
   elb_logs_s3_bucket = "${var.elb_logs_bucket_prefix}-${var.namespace}-${var.env}-elb-logs"
 }
 
+data aws_iam_policy_document "elb_logs" {
+  statement {
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      "arn:aws:s3:::${local.elb_logs_s3_bucket}/*",
+    ]
+    principals {
+      type        = "AWS"
+      identifiers = [data.aws_elb_service_account.main.arn]
+    }
+    effect = "Allow"
+  }
+}
+
 resource "aws_s3_bucket" "elb_logs" {
   count  = var.create_elb_logs_bucket ? 1 : 0
   bucket = local.elb_logs_s3_bucket
-  acl    = "private"
-  policy = <<POLICY
-{
-  "Id": "Policy",
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "s3:PutObject"
-      ],
-      "Effect": "Allow",
-      "Resource": "arn:aws:s3:::${local.elb_logs_s3_bucket}/*",
-      "Principal": {
-        "AWS": [
-          "${data.aws_elb_service_account.main.arn}"
-        ]
-      }
-    }
-  ]
 }
-POLICY
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "AES256"
-      }
-    }
-  }
+resource "aws_s3_bucket_policy" "elb_logs" {
+  count  = var.create_elb_logs_bucket ? 1 : 0
+  bucket = aws_s3_bucket.elb_logs[0].id
+  policy = data.aws_iam_policy_document.elb_logs.json
+}
 
-  lifecycle_rule {
-    id      = "log"
-    enabled = true
+resource "aws_s3_bucket_acl" "elb_logs" {
+  count  = var.create_elb_logs_bucket ? 1 : 0
+  bucket = aws_s3_bucket.elb_logs[0].id
+  acl    = "private"
+}
 
-    tags = {
-      "rule"      = "log"
-      "autoclean" = "true"
-    }
+resource "aws_s3_bucket_lifecycle_configuration" "elb_logs" {
+  count  = var.create_elb_logs_bucket ? 1 : 0
+  bucket = aws_s3_bucket.elb_logs[0].id
 
+  # Remove old versions of images after 15 days
+  rule {
+    id = "log"
     transition {
       days          = 30
       storage_class = "STANDARD_IA" # or "ONEZONE_IA"
@@ -80,5 +78,17 @@ POLICY
     expiration {
       days = 365 # store logs for one year
     }
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "elb_logs" {
+  count  = var.create_elb_logs_bucket ? 1 : 0
+  bucket = aws_s3_bucket.elb_logs[0].id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
   }
 }

versions.tf

@@ -8,8 +8,8 @@ terraform {
     }
 
     aws = {
-      source = "hashicorp/aws"
-      version = ">= 3.0, < 4"
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
     }
   }
 }