cds-snc / cloud-based-sensor

Infrastructure configuration to manage CCCS's Cloud Based Sensor in AWS accounts
https://cyber.gc.ca/en/host-based-sensors
MIT License

fix: overwritten bucket policy #346

Closed gcharest closed 5 months ago

gcharest commented 5 months ago

Summary | Résumé

Fixes the previous PR, in which the bucket policy was overwritten because an S3 bucket policy must be managed as a single resource.

github-actions[bot] commented 5 months ago

Central account

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 0 to add, 1 to change, 1 to destroy
Show summary | CHANGE | NAME | |--------|-------------------------------------------------------| | delete | `aws_s3_bucket_policy.log-archive-bucket-get-objects` | | update | `aws_s3_bucket_policy.log_archive_bucket` |
Show plan ```terraform Resource actions are indicated with the following symbols: ~ update in-place - destroy Terraform will perform the following actions: # aws_s3_bucket_policy.log-archive-bucket-get-objects will be destroyed # (because aws_s3_bucket_policy.log-archive-bucket-get-objects is not in configuration) - resource "aws_s3_bucket_policy" "log-archive-bucket-get-objects" { - bucket = "cbs-log-archive-871282759583" -> null - id = "cbs-log-archive-871282759583" -> null - policy = jsonencode( { - Statement = [ - { - Action = "s3:GetObject" - Effect = "Allow" - Principal = { - AWS = "arn:aws:iam::346725238039:role/CBS-ReaderRole-prod-ca-central-1" } - Resource = [ - "arn:aws:s3:::cbs-log-archive-871282759583/*", - "arn:aws:s3:::cbs-log-archive-871282759583", ] }, ] - Version = "2012-10-17" } ) -> null } # aws_s3_bucket_policy.log_archive_bucket will be updated in-place ~ resource "aws_s3_bucket_policy" "log_archive_bucket" { id = "cbs-log-archive-871282759583" ~ policy = jsonencode( ~ { ~ Statement = [ + { + Action = [ + "s3:ReplicateObject", + "s3:ReplicateDelete", + "s3:ObjectOwnerOverrideToBucketOwner", ] + Effect = "Allow" + Principal = { + AWS = [ + "arn:aws:iam::975050085632:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::957818836222:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::866996500832:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::806545929748:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::800095993820:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::796730610681:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::794722365809:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::767397971970:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::767397913019:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::762579868088:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::730335533085:role/CbsSatelliteReplicateToLogArchive", + 
"arn:aws:iam::729164266357:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::723936812785:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::687401027353:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::637287734259:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::521732289257:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::472286471787:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::414662622316:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::307395567143:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::296255494825:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::283582579564:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::274536870005:role/service-role/s3crr_role_for_aws-controltower-logs-274536870005-ca-central-1", + "arn:aws:iam::239043911459:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::127893201980:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::066023111852:role/CbsSatelliteReplicateToLogArchive", ] } + Resource = "arn:aws:s3:::cbs-log-archive-871282759583/*" }, + { + Action = [ + "s3:PutBucketVersioning", + "s3:List*", + "s3:GetBucketVersioning", ] + Effect = "Allow" + Principal = { + AWS = [ + "arn:aws:iam::975050085632:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::957818836222:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::866996500832:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::806545929748:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::800095993820:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::796730610681:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::794722365809:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::767397971970:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::767397913019:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::762579868088:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::730335533085:role/CbsSatelliteReplicateToLogArchive", + 
"arn:aws:iam::729164266357:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::723936812785:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::687401027353:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::637287734259:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::521732289257:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::472286471787:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::414662622316:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::307395567143:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::296255494825:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::283582579564:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::274536870005:role/service-role/s3crr_role_for_aws-controltower-logs-274536870005-ca-central-1", + "arn:aws:iam::239043911459:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::127893201980:role/CbsSatelliteReplicateToLogArchive", + "arn:aws:iam::066023111852:role/CbsSatelliteReplicateToLogArchive", ] } + Resource = "arn:aws:s3:::cbs-log-archive-871282759583" }, { Action = "s3:GetObject" Effect = "Allow" Principal = { AWS = "arn:aws:iam::346725238039:role/CBS-ReaderRole-prod-ca-central-1" } Resource = [ "arn:aws:s3:::cbs-log-archive-871282759583/*", "arn:aws:s3:::cbs-log-archive-871282759583", ] }, ] # (1 unchanged element hidden) } ) # (1 unchanged attribute hidden) } Plan: 0 to add, 1 to change, 1 to destroy. 
Warning: Argument is deprecated with module.log_archive_access_bucket.aws_s3_bucket.this, on .terraform/modules/log_archive_access_bucket/S3_log_bucket/main.tf line 8, in resource "aws_s3_bucket" "this": 8: resource "aws_s3_bucket" "this" { Use the aws_s3_bucket_server_side_encryption_configuration resource instead (and 7 more similar warnings elsewhere) ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" ```
Show Conftest results ```sh WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.log_archive_read"] WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.log_archive_read"] WARN - plan.json - main - Missing Common Tags: ["aws_kms_key.log_archive_encrypt"] WARN - plan.json - main - Missing Common Tags: ["aws_sns_topic.log_archive"] 23 tests, 19 passed, 4 warnings, 0 failures, 0 exceptions ```