#refarch (2023-05)

Cloud Posse Reference Architecture

2023-05-05

Michael Dizon

Is there an ETA on when this PR is going to be merged? https://github.com/cloudposse/terraform-aws-s3-bucket/pull/176

#176 Add: ACL depends on ownership_controls

what

• aws_s3_bucket_ownership_controls is set first, followed by bucket ACL.

why

• Starting April 2023, AWS has changed the default ObjectOwnership to Bucket Owner Preferred.
So to add an ACL, aws_s3_bucket_ownership_controls must be set to ObjectWriter (or) BucketOwnerPreferred first.
In this PR, aws_s3_bucket_acl depends_on the aws_s3_bucket_ownership_controls resource block.
aws_s3_bucket_ownership_controls is set to BucketOwnerEnforced by default.

references

• Ref: https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/

Erik Osterman (Cloud Posse)

We are planning to address the S3 issues next week. It may be a new PR, but we must address multiple modules.

Erik Osterman (Cloud Posse)

We had an internal review today to discuss the options

Erik Osterman (Cloud Posse)
#178 Make compatible with new S3 defaults. Add user permissions boundary.

what

• Make compatible with new S3 defaults by setting S3 Object Ownership before setting ACL and disabling ACL if Ownership is “BucketOwnerEnforced”
• Add optional permissions boundary input for IAM user created by this module
• Create aws_s3_bucket_accelerate_configuration and aws_s3_bucket_versioning resources even when the feature is disabled, to enable drift detection

why

• S3 buckets with ACLs were failing to be provisioned because the ACL was set before the bucket ownership was changed
• Requested feature
• See #171

references

• Closes #174
• Supersedes and closes #175
• Supersedes and closes #176


2023-05-23

Lele

Hello, is there any place I can find hints on how to set up AWS infra from scratch? I’m talking about the VERY basic empty setup, like creating the remote state, IAM, etc. Thanks.

Lele

I guess I’m probably thinking of

:::info
Part of cold start so it has to initially be run with SuperAdmin. Follow the guide here to get started.
:::

taken from https://github.com/cloudposse/terraform-aws-components/tree/main/modules/tfstate-backend

but here sends to https://github.com/cloudposse/terraform-aws-components/blob/main/reference-archite[…]w-to-guides/implementation/enterprise/implement-aws-cold-start/

which is a broken link

Dan Miller (Cloud Posse)

Hi @Lele, the documentation for these components is intended to be viewed from our docs.cloudposse.com website, but either way, we should fix these links to work from either source.

for example here: https://docs.cloudposse.com/components/library/aws/tfstate-backend/

tfstate-backend | The Cloud Posse Developer Hub

This component is responsible for provisioning an S3 Bucket and DynamoDB table that follow security best practices for usage as a Terraform backend. It also creates IAM roles for access to the Terraform backend.

Dan Miller (Cloud Posse)

However, the Cold Start implementation is within our “Reference Architecture” at the time being. We have discussed creating a free-to-view, base implementation of this architecture, but that doesn’t exist at the moment.

Lele

Makes sense. I guess it’s just confusing that some links point to a (seemingly) broken link when in fact it’s just a paid feature, which totally makes sense; it just needs to be clearer from the context that that’s the case, IMO.

2023-05-26

2023-05-29