chore(deps): lock file maintenance

[renovate[bot]]

This PR contains the following updates:

Update	Change
lockFileMaintenance	All locks refreshed

Review

• [ ] Updates have been tested and work
• [ ] If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" in timezone America/Montreal, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions[bot]]

800095993820: Satellite bucket

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 12 to add, 0 to change, 0 to destroy

Show summary

| CHANGE | NAME | |--------|-------------------------------------------------------------------------| | add | `aws_iam_policy.s3_replicate` | | | `aws_iam_role_policy_attachment.s3_replicate` | | | `aws_s3_bucket_ownership_controls.satellite_bucket` | | | `aws_s3_bucket_policy.satellite_bucket` | | | `module.satellite_access_bucket.aws_s3_bucket.this` | | | `module.satellite_access_bucket.aws_s3_bucket_acl.this` | | | `module.satellite_access_bucket.aws_s3_bucket_ownership_controls.this` | | | `module.satellite_access_bucket.aws_s3_bucket_policy.this` | | | `module.satellite_access_bucket.aws_s3_bucket_public_access_block.this` | | | `module.satellite_access_bucket.aws_s3_bucket_versioning.this` | | | `module.satellite_bucket.aws_s3_bucket.this` | | | `module.satellite_bucket.aws_s3_bucket_public_access_block.this` |

Show plan

```terraform Resource actions are indicated with the following symbols: + create <= read (data resources) Terraform will perform the following actions: # data.aws_iam_policy_document.cloudtrail_write_logs will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "cloudtrail_write_logs" { + id = (known after apply) + json = (known after apply) + minified_json = (known after apply) + statement { + actions = [ + "s3:GetBucketAcl", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "CloudTrailGetAcl" + principals { + identifiers = [ + "cloudtrail.amazonaws.com", ] + type = "Service" } } + statement { + actions = [ + "s3:PutObject", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "CloudTrailPutObject" + condition { + test = "StringEquals" + values = [ + "arn:aws:cloudtrail:ca-central-1:800095993820:trail/CbsSatelliteTrail", ] + variable = "aws:SourceArn" } + condition { + test = "StringEquals" + values = [ + "bucket-owner-full-control", ] + variable = "s3:x-amz-acl" } + principals { + identifiers = [ + "cloudtrail.amazonaws.com", ] + type = "Service" } } } # data.aws_iam_policy_document.combined will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "combined" { + id = (known after apply) + json = (known after apply) + minified_json = (known after apply) + source_policy_documents = [ + (known after apply), + (known after apply), + (known after apply), + (known after apply), ] } # data.aws_iam_policy_document.deny_insecure_transport will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "deny_insecure_transport" { + id = (known after apply) + json = (known after apply) + minified_json = (known after apply) + statement { + actions = [ + "s3:*", ] + effect = "Deny" + resources = [ + (known after apply), + (known after apply), ] + sid = "denyInsecureTransport" + condition { + test = "Bool" + values = [ + "false", ] + variable = "aws:SecureTransport" } + principals { + identifiers = [ + "*", ] + type = "*" } } } # data.aws_iam_policy_document.load_balancer_write_logs will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "load_balancer_write_logs" { + id = (known after apply) + json = (known after apply) + minified_json = (known after apply) + statement { + actions = [ + "s3:PutObject", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "ELBLogDeliveryPutObject" + principals { + identifiers = [ + "arn:aws:iam::985666609251:root", ] + type = "AWS" } } } # data.aws_iam_policy_document.log_delivery_write_logs will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "log_delivery_write_logs" { + id = (known after apply) + json = (known after apply) + minified_json = (known after apply) + statement { + actions = [ + "s3:GetBucketAcl", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "LogDeliveryGetAcl" + condition { + test = "ArnLike" + values = [ + "arn:aws:logs:ca-central-1:800095993820:*", ] + variable = "aws:SourceArn" } + condition { + test = "StringEquals" + values = [ + "800095993820", ] + variable = "aws:SourceAccount" } + principals { + identifiers = [ + "delivery.logs.amazonaws.com", ] + type = "Service" } } + statement { + actions = [ + "s3:PutObject", ] + effect = "Allow" + resources = [ + (known after apply), ] + sid = "LogDeliveryPutObject" + condition { + test = "ArnLike" + values = [ + "arn:aws:logs:ca-central-1:800095993820:*", ] + variable = "aws:SourceArn" } + condition { + test = "StringEquals" + values = [ + "800095993820", ] + variable = "aws:SourceAccount" } + condition { + test = "StringEquals" + values = [ + "bucket-owner-full-control", ] + variable = "s3:x-amz-acl" } + principals { + identifiers = [ + "delivery.logs.amazonaws.com", ] + type = "Service" } } } # data.aws_iam_policy_document.s3_replicate will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "s3_replicate" { + id = (known after apply) + json = (known after apply) + minified_json = (known after apply) + statement { + actions = [ + "s3:GetReplicationConfiguration", + "s3:ListBucket", ] + effect = "Allow" + resources = [ + (known after apply), ] } + statement { + actions = [ + "s3:GetObjectVersion", + "s3:GetObjectVersionAcl", ] + effect = "Allow" + resources = [ + (known after apply), ] } + statement { + actions = [ + "s3:ObjectOwnerOverrideToBucketOwner", + "s3:ReplicateDelete", + "s3:ReplicateObject", ] + effect = "Allow" + resources = [ + "arn:aws:s3:::cbs-log-archive-871282759583/*", ] } } # aws_iam_policy.s3_replicate will be created + resource "aws_iam_policy" "s3_replicate" { + arn = (known after apply) + attachment_count = (known after apply) + id = (known after apply) + name = "CbsSatelliteReplicateToLogArchive" + name_prefix = (known after apply) + path = "/" + policy = (known after apply) + policy_id = (known after apply) + tags_all = (known after apply) } # aws_iam_role_policy_attachment.s3_replicate will be created + resource "aws_iam_role_policy_attachment" "s3_replicate" { + id = (known after apply) + policy_arn = (known after apply) + role = "CbsSatelliteReplicateToLogArchive" } # aws_s3_bucket_ownership_controls.satellite_bucket will be created + resource "aws_s3_bucket_ownership_controls" "satellite_bucket" { + bucket = (known after apply) + id = (known after apply) + rule { + object_ownership = "ObjectWriter" } } # aws_s3_bucket_policy.satellite_bucket will be created + resource "aws_s3_bucket_policy" "satellite_bucket" { + bucket = (known after apply) + id = (known after apply) + policy = (known after apply) } # module.satellite_access_bucket.data.aws_iam_policy_document.combined will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "combined" { + id = (known after apply) + json = (known after apply) + minified_json = (known after apply) + source_policy_documents = (known after apply) } # module.satellite_access_bucket.data.aws_iam_policy_document.deny_insecure_transport will be read during apply # (config refers to values not yet known) <= data "aws_iam_policy_document" "deny_insecure_transport" { + id = (known after apply) + json = (known after apply) + minified_json = (known after apply) + statement { + actions = [ + "s3:*", ] + effect = "Deny" + resources = [ + (known after apply), + (known after apply), ] + sid = "denyInsecureTransport" + condition { + test = "Bool" + values = [ + "false", ] + variable = "aws:SecureTransport" } + principals { + identifiers = [ + "*", ] + type = "*" } } } # module.satellite_access_bucket.aws_s3_bucket.this will be created + resource "aws_s3_bucket" "this" { + acceleration_status = (known after apply) + acl = (known after apply) + arn = (known after apply) + bucket = "cbs-satellite-800095993820-access" + bucket_domain_name = (known after apply) + bucket_prefix = (known after apply) + bucket_regional_domain_name = (known after apply) + force_destroy = true + hosted_zone_id = (known after apply) + id = (known after apply) + object_lock_enabled = (known after apply) + policy = (known after apply) + region = (known after apply) + request_payer = (known after apply) + tags = { + "CostCentre" = "cbs-800095993820" + "Critical" = "true" + "Terraform" = "true" } + tags_all = { + "CostCentre" = "cbs-800095993820" + "Critical" = "true" + "Terraform" = "true" } + website_domain = (known after apply) + website_endpoint = (known after apply) + cors_rule { + allowed_headers = (known after apply) + allowed_methods = (known after apply) + allowed_origins = (known after apply) + expose_headers = (known after apply) + max_age_seconds = (known after apply) } + grant { + id = (known after apply) + permissions = (known after apply) + type = (known after apply) + uri = (known after apply) } + lifecycle_rule { + enabled = true + id = "delete-old-objects" + expiration { + days = 90 } } + logging { + target_bucket = (known after apply) + target_prefix = (known after apply) } + object_lock_configuration { + object_lock_enabled = (known after apply) + rule { + default_retention { + days = (known after apply) + mode = (known after apply) + years = (known after apply) } } } + replication_configuration { + role = (known after apply) + rules { + delete_marker_replication_status = (known after apply) + id = (known after apply) + prefix = (known after apply) + priority = (known after apply) + status = (known after apply) + destination { + account_id = (known after apply) + bucket = (known after apply) + replica_kms_key_id = (known after apply) + storage_class = (known after apply) + access_control_translation { + owner = (known after apply) } + metrics { + minutes = (known after apply) + status = (known after apply) } + replication_time { + minutes = (known after apply) + status = (known after apply) } } + filter { + prefix = (known after apply) + tags = (known after apply) } + source_selection_criteria { + sse_kms_encrypted_objects { + enabled = (known after apply) } } } } + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" } } } + versioning { + enabled = (known after apply) + mfa_delete = (known after apply) } + website { + error_document = (known after apply) + index_document = (known after apply) + redirect_all_requests_to = (known after apply) + routing_rules = (known after apply) } } # module.satellite_access_bucket.aws_s3_bucket_acl.this will be created + resource "aws_s3_bucket_acl" "this" { + acl = "log-delivery-write" + bucket = (known after apply) + id = (known after apply) + access_control_policy { + grant { + permission = (known after apply) + grantee { + display_name = (known after apply) + email_address = (known after apply) + id = (known after apply) + type = (known after apply) + uri = (known after apply) } } + owner { + display_name = (known after apply) + id = (known after apply) } } } # module.satellite_access_bucket.aws_s3_bucket_ownership_controls.this will be created + resource "aws_s3_bucket_ownership_controls" "this" { + bucket = (known after apply) + id = (known after apply) + rule { + object_ownership = "BucketOwnerPreferred" } } # module.satellite_access_bucket.aws_s3_bucket_policy.this will be created + resource "aws_s3_bucket_policy" "this" { + bucket = (known after apply) + id = (known after apply) + policy = (known after apply) } # module.satellite_access_bucket.aws_s3_bucket_public_access_block.this will be created + resource "aws_s3_bucket_public_access_block" "this" { + block_public_acls = true + block_public_policy = true + bucket = (known after apply) + id = (known after apply) + ignore_public_acls = true + restrict_public_buckets = true } # module.satellite_access_bucket.aws_s3_bucket_versioning.this will be created + resource "aws_s3_bucket_versioning" "this" { + bucket = (known after apply) + id = (known after apply) + versioning_configuration { + mfa_delete = (known after apply) + status = "Disabled" } } # module.satellite_bucket.aws_s3_bucket.this will be created + resource "aws_s3_bucket" "this" { + acceleration_status = (known after apply) + acl = "private" + arn = (known after apply) + bucket = "cbs-satellite-800095993820" + bucket_domain_name = (known after apply) + bucket_prefix = (known after apply) + bucket_regional_domain_name = (known after apply) + force_destroy = false + hosted_zone_id = (known after apply) + id = (known after apply) + object_lock_enabled = (known after apply) + policy = (known after apply) + region = (known after apply) + request_payer = (known after apply) + tags = { + "CostCentre" = "cbs-800095993820" + "Critical" = "false" + "Terraform" = "true" } + tags_all = { + "CostCentre" = "cbs-800095993820" + "Critical" = "false" + "Terraform" = "true" } + website_domain = (known after apply) + website_endpoint = (known after apply) + cors_rule { + allowed_headers = (known after apply) + allowed_methods = (known after apply) + allowed_origins = (known after apply) + expose_headers = (known after apply) + max_age_seconds = (known after apply) } + grant { + id = (known after apply) + permissions = (known after apply) + type = (known after apply) + uri = (known after apply) } + lifecycle_rule { + enabled = true + id = "delete-old-objects" + expiration { + days = 14 } } + logging { + target_bucket = (known after apply) + target_prefix = "logs/" } + object_lock_configuration { + object_lock_enabled = (known after apply) + rule { + default_retention { + days = (known after apply) + mode = (known after apply) + years = (known after apply) } } } + replication_configuration { + role = "arn:aws:iam::800095993820:role/CbsSatelliteReplicateToLogArchive" + rules { + id = "cbs-log-archive" + priority = 100 + status = "Enabled" + destination { + account_id = "871282759583" + bucket = "arn:aws:s3:::cbs-log-archive-871282759583" + replica_kms_key_id = "arn:aws:kms:ca-central-1:871282759583:key/c4591f87-9445-4840-acb6-a5569e703c93" + access_control_translation { + owner = "Destination" } } + filter {} + source_selection_criteria { + sse_kms_encrypted_objects { + enabled = true } } } } + server_side_encryption_configuration { + rule { + bucket_key_enabled = false + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" } } } + versioning { + enabled = true + mfa_delete = false } + website { + error_document = (known after apply) + index_document = (known after apply) + redirect_all_requests_to = (known after apply) + routing_rules = (known after apply) } } # module.satellite_bucket.aws_s3_bucket_public_access_block.this will be created + resource "aws_s3_bucket_public_access_block" "this" { + block_public_acls = true + block_public_policy = true + bucket = (known after apply) + id = (known after apply) + ignore_public_acls = true + restrict_public_buckets = true } Plan: 12 to add, 0 to change, 0 to destroy. Warning: Argument is deprecated with module.satellite_access_bucket.aws_s3_bucket.this, on .terraform/modules/satellite_access_bucket/S3_log_bucket/main.tf line 8, in resource "aws_s3_bucket" "this": 8: resource "aws_s3_bucket" "this" { Use the aws_s3_bucket_server_side_encryption_configuration resource instead (and 7 more similar warnings elsewhere) ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" ```

Show Conftest results

```sh WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.s3_replicate"] 20 tests, 19 passed, 1 warning, 0 failures, 0 exceptions ```