
Support AWS provider version 4.0.0

See original GitHub issue

Describe the issue
The latest AWS provider version 4.0.0 introduces multiple breaking changes, especially regarding the aws_s3_bucket resource.

Examples
The following snippet is based on version 4.0.0 and will make the following checks fail:

  • aws-s3-enable-bucket-encryption
  • aws-s3-enable-versioning
  • aws-s3-encryption-customer-key

# Provider 4.x layout: the bucket resource only carries the name; ACL,
# encryption and versioning live in separate resources that point back at it.
resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.example.id
  acl    = "private"
}

# Replaces the former inline server_side_encryption_configuration block.
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.example.arn # customer-managed key
      sse_algorithm     = "aws:kms"
    }
  }
}

# Replaces the former inline versioning { enabled = true } block.
resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id

  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_kms_key" "example" {
  description         = "example"
  enable_key_rotation = true
  multi_region        = false
}

Version (please complete the following information):

  • Checkov Version 2.0.823 (probably more versions)

Additional context
See the migration guide.
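The failing checks above all share one cause: with provider 4.x the attribute a check used to read off aws_s3_bucket now sits on a companion resource whose `bucket` argument references the bucket. The script below is an added illustration of a check that follows that reference, written against the JSON that `terraform show -json plan.out` emits; it is not Checkov's own implementation and the three result keys (`encrypted`, `customer_key`, `versioned`) are names chosen here. It goes slightly beyond the issue by also accepting the pre-4.0 inline blocks, so a single pass can scan a repository that mixes both styles. The plan fragment is constructed to mirror the reporter's snippet.

```python
"""Cross-resource S3 checks over `terraform show -json` output (added example)."""
import json
import sys

SSE_TYPE = "aws_s3_bucket_server_side_encryption_configuration"
VERSIONING_TYPE = "aws_s3_bucket_versioning"

# Constructed sample shaped like configuration.root_module.resources in a
# `terraform show -json` plan (only the fields this script reads are present).
SAMPLE_PLAN = {"configuration": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.example", "type": "aws_s3_bucket",
     "expressions": {"bucket": {"constant_value": "example"}}},
    {"address": SSE_TYPE + ".example", "type": SSE_TYPE,
     "expressions": {
         "bucket": {"references": ["aws_s3_bucket.example.id", "aws_s3_bucket.example"]},
         "rule": [{"apply_server_side_encryption_by_default": [{
             "kms_master_key_id": {"references": ["aws_kms_key.example.arn", "aws_kms_key.example"]},
             "sse_algorithm": {"constant_value": "aws:kms"}}]}]}},
    {"address": VERSIONING_TYPE + ".example", "type": VERSIONING_TYPE,
     "expressions": {
         "bucket": {"references": ["aws_s3_bucket.example.id", "aws_s3_bucket.example"]},
         "versioning_configuration": [{"status": {"constant_value": "Enabled"}}]}},
    # Pre-4.0 style: encryption inline on the bucket, no versioning at all.
    {"address": "aws_s3_bucket.legacy", "type": "aws_s3_bucket",
     "expressions": {"bucket": {"constant_value": "legacy"},
                     "server_side_encryption_configuration": [{"rule": [{
                         "apply_server_side_encryption_by_default": [{
                             "sse_algorithm": {"constant_value": "AES256"}}]}]}]}},
    {"address": "aws_s3_bucket.bare", "type": "aws_s3_bucket",
     "expressions": {"bucket": {"constant_value": "bare"}}},
]}}}


def constant(expr):
    """Literal value of a plan expression, or None if it is a reference/unknown."""
    return expr.get("constant_value") if isinstance(expr, dict) else None


def target_bucket(res, buckets):
    """Resolve a companion resource's `bucket` argument to an aws_s3_bucket address.

    Handles `bucket = aws_s3_bucket.x.id` (a reference) and `bucket = "name"`
    (a literal matched against each bucket's own `bucket` argument).
    """
    expr = res["expressions"].get("bucket", {})
    for ref in expr.get("references", []):
        parts = ref.split(".")
        if parts[0] == "aws_s3_bucket" and len(parts) >= 2:
            return "aws_s3_bucket." + parts[1]
    name = constant(expr)
    for addr, b in buckets.items():
        if name is not None and constant(b["expressions"].get("bucket")) == name:
            return addr
    return None


def apply_sse(result, block):
    """Evaluate rule { apply_server_side_encryption_by_default { ... } } entries."""
    for rule in block.get("rule", []):
        for d in rule.get("apply_server_side_encryption_by_default", []):
            algo = constant(d.get("sse_algorithm"))
            if algo in ("AES256", "aws:kms"):
                result["encrypted"] = True
            # A key id being set only proves a key was named; whether it is
            # customer-managed (rather than alias/aws/s3) needs the reference resolved.
            if algo == "aws:kms" and "kms_master_key_id" in d:
                result["customer_key"] = True


def check_buckets(plan):
    """Return {bucket address: {"encrypted": bool, "customer_key": bool, "versioned": bool}}."""
    resources = plan["configuration"]["root_module"]["resources"]
    buckets = {r["address"]: r for r in resources if r["type"] == "aws_s3_bucket"}
    results = {a: {"encrypted": False, "customer_key": False, "versioned": False} for a in buckets}
    for addr, b in buckets.items():                      # inline (pre-4.0) blocks
        ex = b["expressions"]
        for sse in ex.get("server_side_encryption_configuration", []):
            apply_sse(results[addr], sse)
        for v in ex.get("versioning", []):
            if constant(v.get("enabled")) is True:
                results[addr]["versioned"] = True
    for r in resources:                                  # 4.x companion resources
        if r["type"] not in (SSE_TYPE, VERSIONING_TYPE):
            continue
        addr = target_bucket(r, buckets)
        if addr is None:                                 # e.g. a data source or module output
            continue
        if r["type"] == SSE_TYPE:
            apply_sse(results[addr], r["expressions"])
        else:
            for vc in r["expressions"].get("versioning_configuration", []):
                if constant(vc.get("status")) == "Enabled":
                    results[addr]["versioned"] = True
    return results


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for addr, r in check_buckets(plan).items():
        failed = [k for k, v in r.items() if not v]
        print(addr, "PASSED" if not failed else "FAILED: " + ", ".join(failed))
```

Run it with no arguments to evaluate the constructed sample, or pass the path of a file produced by `terraform plan -out plan.out && terraform show -json plan.out > plan.json`. On the sample, `aws_s3_bucket.example` passes all three, `aws_s3_bucket.legacy` fails only versioning and customer key, and `aws_s3_bucket.bare` fails everything; a per-resource check that never leaves the aws_s3_bucket block would have marked all three identically.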

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Reactions: 18
  • Comments: 17 (3 by maintainers)

Top GitHub Comments

2 reactions
gruebel commented, Apr 11, 2022

resource "aws_s3_bucket" "bucket" {
  bucket = var.bucket_name

  tags = merge(
    var.tags,
    {
      "Name" = var.bucket_name
    }
  )
}

# Provider 4.x style: encryption configured on a separate resource that
# references the bucket rather than inline on aws_s3_bucket.
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256" # SSE-S3
    }
  }
}

@okamosy I tested it with the given resources and the check passes; not sure what else you have there which somehow interferes, but from my testing I can say it works.

Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
        PASSED for resource: aws_s3_bucket.bucket
        File: /../tf/tf_s3.json:14-22
        Guide: https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
2 reactions
gruebel commented, Feb 13, 2022

Hi @HorizonNet thanks for creating the issue 💪

We will use it to track our effort to become compliant with the recent changes in the new provider version.
