chore(deps): lock file maintenance

[renovate[bot]]

This PR contains the following updates:

Update	Change
lockFileMaintenance	All locks refreshed

Review

• [ ] Updates have been tested and work
• [ ] If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" in timezone America/Montreal, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions[bot]]

975050085632: Satellite bucket

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 6 to add, 0 to change, 1 to destroy

Show summary

| CHANGE | NAME | |----------|------------------------------------------------------------------| | recreate | `module.satellite_bucket.aws_s3_bucket.this` | | add | `aws_iam_policy.s3_replicate` | | | `aws_iam_role_policy_attachment.s3_replicate` | | | `aws_s3_bucket_ownership_controls.satellite_bucket` | | | `aws_s3_bucket_policy.satellite_bucket` | | | `module.satellite_bucket.aws_s3_bucket_public_access_block.this` |

Show plan

```terraform Resource actions are indicated with the following symbols: + create -/+ destroy and then create replacement <= read (data resources) Terraform will perform the following actions: # data.aws_iam_policy_document.cloudtrail_write_logs will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "cloudtrail_write_logs" { + id = (known after apply) + json = (known after apply) + statement { + actions = [ + "s3:GetBucketAcl", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "CloudTrailGetAcl" + principals { + identifiers = [ + "cloudtrail.amazonaws.com", ] + type = "Service" } } + statement { + actions = [ + "s3:PutObject", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "CloudTrailPutObject" + condition { + test = "StringEquals" + values = [ + "arn:aws:cloudtrail:ca-central-1:975050085632:trail/CbsSatelliteTrail", ] + variable = "aws:SourceArn" } + condition { + test = "StringEquals" + values = [ + "bucket-owner-full-control", ] + variable = "s3:x-amz-acl" } + principals { + identifiers = [ + "cloudtrail.amazonaws.com", ] + type = "Service" } } } # data.aws_iam_policy_document.combined will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "combined" { + id = (known after apply) + json = (known after apply) + source_policy_documents = [ + (known after apply), + (known after apply), + (known after apply), + (known after apply), ] } # data.aws_iam_policy_document.deny_insecure_transport will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "deny_insecure_transport" { + id = (known after apply) + json = (known after apply) + statement { + actions = [ + "s3:*", ] + effect = "Deny" + resources = [ + (known after apply), + (known after apply), ] + sid = "denyInsecureTransport" + condition { + test = "Bool" + values = [ + "false", ] + variable = "aws:SecureTransport" } + principals { + identifiers = [ + "*", ] + type = "*" } } } # data.aws_iam_policy_document.load_balancer_write_logs will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "load_balancer_write_logs" { + id = (known after apply) + json = (known after apply) + statement { + actions = [ + "s3:PutObject", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "ELBLogDeliveryPutObject" + principals { + identifiers = [ + "arn:aws:iam::985666609251:root", ] + type = "AWS" } } } # data.aws_iam_policy_document.log_delivery_write_logs will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "log_delivery_write_logs" { + id = (known after apply) + json = (known after apply) + statement { + actions = [ + "s3:GetBucketAcl", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "LogDeliveryGetAcl" + condition { + test = "ArnLike" + values = [ + "arn:aws:logs:ca-central-1:975050085632:*", ] + variable = "aws:SourceArn" } + condition { + test = "StringEquals" + values = [ + "975050085632", ] + variable = "aws:SourceAccount" } + principals { + identifiers = [ + "delivery.logs.amazonaws.com", ] + type = "Service" } } + statement { + actions = [ + "s3:PutObject", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "LogDeliveryPutObject" + condition { + test = "ArnLike" + values = [ + "arn:aws:logs:ca-central-1:975050085632:*", ] + variable = "aws:SourceArn" } + condition { + test = "StringEquals" + values = [ + "975050085632", ] + variable = "aws:SourceAccount" } + condition { + test = "StringEquals" + values = [ + "bucket-owner-full-control", ] + variable = "s3:x-amz-acl" } + principals { + identifiers = [ + "delivery.logs.amazonaws.com", ] + type = "Service" } } } # data.aws_iam_policy_document.s3_replicate will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "s3_replicate" { + id = (known after apply) + json = (known after apply) + statement { + actions = [ + "s3:GetReplicationConfiguration", + "s3:ListBucket", ] + effect = "Allow" + resources = [ + (known after apply), ] } + statement { + actions = [ + "s3:GetObjectVersion", + "s3:GetObjectVersionAcl", ] + effect = "Allow" + resources = [ + (known after apply), ] } + statement { + actions = [ + "s3:ObjectOwnerOverrideToBucketOwner", + "s3:ReplicateDelete", + "s3:ReplicateObject", ] + effect = "Allow" + resources = [ + "arn:aws:s3:::cbs-log-archive-871282759583/*", ] } } # aws_iam_policy.s3_replicate will be created + resource "aws_iam_policy" "s3_replicate" { + arn = (known after apply) + id = (known after apply) + name = "CbsSatelliteReplicateToLogArchive" + name_prefix = (known after apply) + path = "/" + policy = (known after apply) + policy_id = (known after apply) + tags_all = (known after apply) } # aws_iam_role_policy_attachment.s3_replicate will be created + resource "aws_iam_role_policy_attachment" "s3_replicate" { + id = (known after apply) + policy_arn = (known after apply) + role = "CbsSatelliteReplicateToLogArchive" } # aws_s3_bucket_ownership_controls.satellite_bucket will be created + resource "aws_s3_bucket_ownership_controls" "satellite_bucket" { + bucket = (known after apply) + id = (known after apply) + rule { + object_ownership = "ObjectWriter" } } # aws_s3_bucket_policy.satellite_bucket will be created + resource "aws_s3_bucket_policy" "satellite_bucket" { + bucket = (known after apply) + id = (known after apply) + policy = (known after apply) } # module.satellite_bucket.aws_s3_bucket.this is tainted, so must be replaced -/+ resource "aws_s3_bucket" "this" { + acceleration_status = (known after apply) ~ arn = "arn:aws:s3:::cbs-satellite-975050085632" -> (known after apply) ~ bucket_domain_name = "cbs-satellite-975050085632.s3.amazonaws.com" -> (known after apply) + bucket_prefix = (known after apply) ~ bucket_regional_domain_name = "cbs-satellite-975050085632.s3.ca-central-1.amazonaws.com" -> (known after apply) ~ hosted_zone_id = "Z1QDHH18159H29" -> (known after apply) ~ id = "cbs-satellite-975050085632" -> (known after apply) ~ object_lock_enabled = false -> (known after apply) + policy = (known after apply) ~ region = "ca-central-1" -> (known after apply) ~ request_payer = "BucketOwner" -> (known after apply) ~ tags = { + "CostCentre" = "cbs-975050085632" + "Critical" = "false" + "Terraform" = "true" } ~ tags_all = { + "CostCentre" = "cbs-975050085632" + "Critical" = "false" + "Terraform" = "true" } + website_domain = (known after apply) + website_endpoint = (known after apply) # (3 unchanged attributes hidden) + cors_rule { + allowed_headers = (known after apply) + allowed_methods = (known after apply) + allowed_origins = (known after apply) + expose_headers = (known after apply) + max_age_seconds = (known after apply) } - grant { - id = "1a00a64d7832486410132787ffa61c9aa8189359d6a0b21f90c7e82b264daf3d" -> null - permissions = [ - "FULL_CONTROL", ] -> null - type = "CanonicalUser" -> null } + grant { + id = (known after apply) + permissions = (known after apply) + type = (known after apply) + uri = (known after apply) } + lifecycle_rule { + enabled = true + id = "delete-old-objects" + expiration { + days = 14 } } + logging { + target_bucket = "cbs-satellite-975050085632-access" } + object_lock_configuration { + object_lock_enabled = (known after apply) + rule { + default_retention { + days = (known after apply) + mode = (known after apply) + years = (known after apply) } } } + replication_configuration { + role = "arn:aws:iam::975050085632:role/CbsSatelliteReplicateToLogArchive" + rules { + id = "cbs-log-archive" + priority = 100 + status = "Enabled" + destination { + account_id = "871282759583" + bucket = "arn:aws:s3:::cbs-log-archive-871282759583" + replica_kms_key_id = "arn:aws:kms:ca-central-1:871282759583:key/c4591f87-9445-4840-acb6-a5569e703c93" + access_control_translation { + owner = "Destination" } } + filter {} + source_selection_criteria { + sse_kms_encrypted_objects { + enabled = true } } } } ~ server_side_encryption_configuration { ~ rule { # (1 unchanged attribute hidden) ~ apply_server_side_encryption_by_default { # (1 unchanged attribute hidden) } } } + website { + error_document = (known after apply) + index_document = (known after apply) + redirect_all_requests_to = (known after apply) + routing_rules = (known after apply) } # (1 unchanged block hidden) } # module.satellite_bucket.aws_s3_bucket_public_access_block.this will be created + resource "aws_s3_bucket_public_access_block" "this" { + block_public_acls = true + block_public_policy = true + bucket = (known after apply) + id = (known after apply) + ignore_public_acls = true + restrict_public_buckets = true } Plan: 6 to add, 0 to change, 1 to destroy. Warning: Argument is deprecated with module.satellite_access_bucket.aws_s3_bucket.this, on .terraform/modules/satellite_access_bucket/S3_log_bucket/main.tf line 8, in resource "aws_s3_bucket" "this": 8: resource "aws_s3_bucket" "this" { Use the aws_s3_bucket_server_side_encryption_configuration resource instead (and 9 more similar warnings elsewhere) ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" Releasing state lock. This may take a few moments... ```

Show Conftest results

```sh WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.s3_replicate"] 20 tests, 19 passed, 1 warning, 0 failures, 0 exceptions ```