
AWS v4.4.0 S3 Bucket Refactor Changes - Part 2

 Significant changes to the S3 Bucket Refactor -  "To help distribute the management of S3 bucket settings via independent resources, various arguments and attributes in the aws_s3_bucket resource have become read-only."

Significant changes to resources and arguments include:
1. acl > aws_s3_bucket_acl
2. versioning > aws_s3_bucket_versioning
3. lifecycle_rule > aws_s3_bucket_lifecycle_configuration
4. logging > aws_s3_bucket_logging
5. server_side_encryption_configuration > aws_s3_bucket_server_side_encryption_configuration

Resources:
1. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-4-upgrade
2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-4-upgrade#s3-bucket-refactor
Jeremy Cooper [AFS MBP] 3 年之前
父节点
当前提交
1ce9d85049

+ 2 - 2
base/CA_Infrastructure/root_CA/crl.tf

@@ -1,7 +1,7 @@
 resource "aws_s3_bucket" "crl" {
   bucket = "xdr-root-crl"
 
-  tags = merge(var.standard_tags, var.tags)
+  tags   = merge(var.standard_tags, var.tags)
 
 }
 
@@ -9,7 +9,7 @@ resource "aws_s3_bucket" "crl" {
 
 resource "aws_s3_bucket_versioning" "s3_version_crl" {
   bucket   = aws_s3_bucket.crl.id
-  
+
   versioning_configuration {
     status = "Enabled"
   }

+ 4 - 4
base/CA_Infrastructure/subordinate_CAs/crl.tf

@@ -1,8 +1,8 @@
 resource "aws_s3_bucket" "crl" {
   provider = aws.common # COMMON SERVICES
-  bucket = "xdr-subordinate-crl"
+  bucket   = "xdr-subordinate-crl"
 
-  tags = merge(var.standard_tags, var.tags)
+  tags     = merge(var.standard_tags, var.tags)
 
 }
 
@@ -75,8 +75,8 @@ data "aws_iam_policy_document" "acmpca_bucket_access" {
 
 resource "aws_s3_bucket_policy" "crl" {
   provider = aws.common # COMMON SERVICES
-  bucket = aws_s3_bucket.crl.id
-  policy = data.aws_iam_policy_document.acmpca_bucket_access.json
+  bucket   = aws_s3_bucket.crl.id
+  policy   = data.aws_iam_policy_document.acmpca_bucket_access.json
 }
 
 # Publicly available CRL so clients can validate

+ 59 - 22
base/account_standards_c2/elb_bucket.tf

@@ -5,41 +5,53 @@ module "elb_logging_logging_bucket" {
   source = "../../thirdparty/terraform-aws-s3logging-bucket"
 
   bucket_name = "xdr-elb-${var.environment}-access-logs"
-  lifecycle_rules = [
-    {
-      id                            = "expire-old-logs"
-      enabled                       = true
-      prefix                        = ""
-      expiration                    = 30
-      noncurrent_version_expiration = 30
-      abort_incomplete_multipart_upload_days = 7
-    }
-  ]
+  #Discussed w/ FRED ON THIS MODULE / needs to be replaced with aws_s3_bucket_lifecycle_configuration
+  #lifecycle_rules = [
+  #  {
+  #    id                            = "expire-old-logs"
+  #    enabled                       = true
+  #    prefix                        = ""
+  #    expiration                    = 30
+  #    noncurrent_version_expiration = 30
+  #    abort_incomplete_multipart_upload_days = 7
+  #  }
+  #]
   tags = merge(var.standard_tags, var.tags, { "Note" = "ELB Logging Does Not Support SSE-KMS. Only SSE-S3 is supported." } )
   versioning_enabled = true
 }
 
 resource "aws_s3_bucket" "elb_logging_bucket" {
   bucket = "xdr-elb-${var.environment}"
-  acl    = "private"
+  
   tags   = merge(var.standard_tags, var.tags)
+}
 
-  versioning {
-    enabled = true
-  }
+resource "aws_s3_bucket_acl" "s3_acl_elb_logging_bucket" {
+  bucket = aws_s3_bucket.elb_logging_bucket.id
+  acl    = "private"
+}
 
-  logging {
-    target_bucket = module.elb_logging_logging_bucket.s3_bucket_name
-    target_prefix = "${var.aws_account_id}-${var.aws_region}-elblogs/"
+resource "aws_s3_bucket_versioning" "s3_version_elb_logging_bucket" {
+  bucket   = aws_s3_bucket.elb_logging_bucket.id
+  versioning_configuration {
+    status = "Enabled"
   }
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "AES256" # ELB logging only supports SSE-S3
+resource "aws_s3_bucket_logging" "log_bucket_elb_logging_bucket" {
+  bucket        = aws_s3_bucket.log_bucket_elb_logging_bucket.id
+  target_bucket = module.elb_logging_logging_bucket.s3_bucket_name
+  target_prefix = "${var.aws_account_id}-${var.aws_region}-elblogs/"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_elb_logging_bucket" {
+  bucket   = aws_s3_bucket.elb_logging_bucket.id
+  
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256" # ELB logging only supports SSE-S3
       }
     }
-  }
 }
 
 resource "aws_s3_bucket_public_access_block" "aws_elb_bucket_block_public_access" {
@@ -245,3 +257,28 @@ resource "aws_sns_topic_subscription" "elblog_bucket_change_notification_to_queu
   protocol  = "sqs"
   endpoint  = aws_sqs_queue.new_elblog.arn
 }
+
+//AWS Provider outdated arguments <4.4.0
+/*resource "aws_s3_bucket" "elb_logging_bucket" {
+  bucket = "xdr-elb-${var.environment}"
+  acl    = "private"
+  tags   = merge(var.standard_tags, var.tags)
+
+  versioning {
+    enabled = true
+  }
+
+  logging {
+    target_bucket = module.elb_logging_logging_bucket.s3_bucket_name
+    target_prefix = "${var.aws_account_id}-${var.aws_region}-elblogs/"
+  }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256" # ELB logging only supports SSE-S3
+      }
+    }
+  }
+}
+*/
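Review bot: `aws_s3_bucket_logging.log_bucket_elb_logging_bucket` in the first hunk points `bucket` at `aws_s3_bucket.log_bucket_elb_logging_bucket`, which is not declared anywhere in this file; the bucket being logged is `aws_s3_bucket.elb_logging_bucket`, so the line should read `bucket        = aws_s3_bucket.elb_logging_bucket.id`, otherwise plan fails and the ELB access-log bucket is left without server access logging. The same hunk comments out the module's `lifecycle_rules` (30-day expiration, 7-day multipart abort) with only a TODO, so the logging bucket's retention is unbounded until the replacement `aws_s3_bucket_lifecycle_configuration` lands; that interim loss of a retention control belongs in the commit message. The closing braces `      }` / `    }` after `sse_algorithm = "AES256"` are left at the old nesting depth; the same misindented pair appears in codebuild_ecr_base/s3.tf, codebuild_portal_lambda/s3.tf, customer_portal_lambda/s3.tf and the github_actions and splunk_servers main.tf files. The commented-out pre-4.4.0 copy of the bucket appended under `//AWS Provider outdated arguments <4.4.0` (repeated at the end of every other .tf in this commit) duplicates what git history already holds and will drift from the live resources; I would drop it rather than carry it.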

+ 33 - 11
base/codebuild_ecr_base/s3.tf

@@ -2,16 +2,22 @@
 resource "aws_s3_bucket" "artifacts" {
   bucket        = "xdr-codebuild-artifacts"
   force_destroy = true
-  acl           = "private"
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.s3_codebuild_artifacts.arn
-        sse_algorithm     = "aws:kms"
+resource "aws_s3_bucket_acl" "s3_acl_artifacts" {
+  bucket = aws_s3_bucket.artifacts.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_artifacts" {
+  bucket = aws_s3_bucket.artifacts.id
+  
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.s3_codebuild_artifacts.arn
+      sse_algorithm     = "aws:kms"
       }
     }
-  }
 }
 
 resource "aws_s3_bucket_policy" "artifacts" {
@@ -21,14 +27,30 @@ resource "aws_s3_bucket_policy" "artifacts" {
 
 data "aws_iam_policy_document" "artifacts" {
   statement {
-    sid = "AllowS3Access"
-    actions = [ "s3:GetObject", "s3:GetObjectVersion" ]
-    effect = "Allow"
+    sid       = "AllowS3Access"
+    actions   = [ "s3:GetObject", "s3:GetObjectVersion" ]
+    effect    = "Allow"
     resources = [ "${aws_s3_bucket.artifacts.arn}/*" ]
     principals {
-      type = "AWS"
+      type        = "AWS"
       identifiers = sort([ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ])
     }
   }
 }
 
+//AWS Provider outdated arguments <4.4.0
+/*resource "aws_s3_bucket" "artifacts" {
+  bucket        = "xdr-codebuild-artifacts"
+  force_destroy = true
+  acl           = "private"
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.s3_codebuild_artifacts.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
+*/
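Review bot: `aws_s3_bucket_acl.s3_acl_artifacts` (and every other `aws_s3_bucket_acl` this commit introduces) only succeeds while the bucket still accepts ACLs; S3 now creates buckets with Object Ownership set to BucketOwnerEnforced, under which PutBucketAcl is rejected, so recreating any of these buckets from this code would fail at the ACL resource. Since a bucket is private by default and this one is already covered by `aws_s3_bucket_public_access_block`, the ACL resources add no protection; I would drop them, or, if an ACL is genuinely required, add an `aws_s3_bucket_ownership_controls` resource with `object_ownership = "BucketOwnerPreferred"` and make the ACL `depends_on` it. The rest of this section is alignment only.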

+ 42 - 9
base/codebuild_portal_lambda/s3.tf

@@ -6,23 +6,35 @@ locals {
 
 #S3 bucket for codebuild output
 resource "aws_s3_bucket" "bucket" {
+  #provider = aws.common # COMMON SERVICES
   bucket        = local.bucket_name
   force_destroy = true
-  acl           = "private"
   tags = merge(var.standard_tags, var.tags)
+}
 
-  versioning {
-    enabled = false
+resource "aws_s3_bucket_acl" "s3_acl_bucket" {
+  #provider = aws.common # COMMON SERVICES
+  bucket = aws_s3_bucket.bucket.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_versioning" "s3_version_bucket" {
+  #provider = aws.common # COMMON SERVICES
+  bucket   = aws_s3_bucket.bucket.id
+  versioning_configuration {
+    status = "Suspended"
   }
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.s3_codebuild.arn
-        sse_algorithm     = "aws:kms"
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
+  #provider = aws.common # COMMON SERVICES
+  bucket = aws_s3_bucket.bucket.id
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.s3_codebuild.arn
+      sse_algorithm     = "aws:kms"
       }
     }
-  }
 }
 
 resource "aws_s3_bucket_public_access_block" "public_access_block" {
@@ -55,3 +67,24 @@ data "aws_iam_policy_document" "artifacts" {
   }
 }
 
+//AWS Provider outdated arguments <4.4.0
+/*resource "aws_s3_bucket" "bucket" {
+  bucket        = local.bucket_name
+  force_destroy = true
+  acl           = "private"
+  tags = merge(var.standard_tags, var.tags)
+
+  versioning {
+    enabled = false
+  }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.s3_codebuild.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
+*/
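Review bot: Each of the four resources in the first hunk carries a commented-out `#provider = aws.common # COMMON SERVICES` line; either the bucket is meant to live in the common-services account, in which case `provider = aws.common` must be set on all four consistently (the `aws_s3_bucket_acl`, `_versioning` and `_server_side_encryption_configuration` resources fail if they target a different account than the bucket), or it is not, and the dead lines should go. `tags = merge(var.standard_tags, var.tags)` is the one attribute in this resource left unaligned while the sibling files were realigned. The `status = "Suspended"` mapping of the old `enabled = false` matches the upgrade guide, so no behaviour change there.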

+ 37 - 14
base/customer_portal_lambda/s3.tf

@@ -1,16 +1,22 @@
 resource "aws_s3_bucket" "bucket" {
   bucket        = "xdr-portal-lambda-${var.environment}"
   force_destroy = true
-  acl           = "private"
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.key.arn
-        sse_algorithm     = "aws:kms"
+resource "aws_s3_bucket_acl" "s3_acl_bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.key.arn
+      sse_algorithm     = "aws:kms"
       }
     }
-  }
 }
 
 resource "aws_s3_bucket_public_access_block" "public_access_block" {
@@ -27,15 +33,15 @@ resource "aws_s3_bucket_public_access_block" "public_access_block" {
 
 data "aws_iam_policy_document" "s3_policy_document" {
   statement {
-    sid = "AllowS3Access"
+    sid     = "AllowS3Access"
     actions = [ "s3:GetObject", "s3:GetObjectVersion" ]
-    effect = "Allow"
+    effect  = "Allow"
     resources = [
         "${aws_s3_bucket.bucket.arn}",
         "${aws_s3_bucket.bucket.arn}/*"
       ]
     principals {
-      type = "AWS"
+      type        = "AWS"
       identifiers = [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:root" ]
     }
   }
@@ -56,7 +62,7 @@ resource "aws_kms_key" "key" {
 
 data "aws_iam_policy_document" "kms_policy_document" {
   statement {
-    sid = "AllowServices"
+    sid    = "AllowServices"
     effect = "Allow"
     principals {
       type = "AWS"
@@ -70,13 +76,13 @@ data "aws_iam_policy_document" "kms_policy_document" {
   }
   # allow account to modify/manage key
   statement {
-    sid = "AllowThisAccount"
+    sid    = "AllowThisAccount"
     effect = "Allow"
     principals {
       identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
-      type = "AWS"
+      type        = "AWS"
     }
-    actions = [
+    actions   = [
       "kms:*"
     ]
     resources = ["*"]
@@ -87,3 +93,20 @@ resource "aws_kms_alias" "key_alias" {
   name          = "alias/portal-s3-key"
   target_key_id = aws_kms_key.key.key_id
 }
+
+//AWS Provider outdated arguments <4.4.0
+/*resource "aws_s3_bucket" "bucket" {
+  bucket        = "xdr-portal-lambda-${var.environment}"
+  force_destroy = true
+  acl           = "private"
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.key.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
+*/

+ 66 - 17
base/github_actions_s3_bucket/main.tf

@@ -6,35 +6,49 @@ locals {
 
 resource "aws_s3_bucket" "bucket" {
   bucket = local.bucket_name
-  acl    = "private"
-
-  versioning {
-    enabled = true
-  }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags   = merge(var.standard_tags, var.tags)
+}
 
-  lifecycle_rule {
-    id      = "STANDARD_IA"
-    enabled = true
+resource "aws_s3_bucket_acl" "s3_acl_bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  acl    = "private"
+}
 
-    abort_incomplete_multipart_upload_days = 2
+resource "aws_s3_bucket_versioning" "s3_version_bucket" {
+  bucket   = aws_s3_bucket.bucket.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
 
+resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" {
+  bucket   = aws_s3_bucket.bucket.id
+  
+  rule {
+    id     = "STANDARD_IA"
+    status = "Enabled"
+    
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 2
+    }
+    
     transition {
       days          = 30
       storage_class = "STANDARD_IA"
     }
-
   }
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.bucketkey.arn
-        sse_algorithm     = "aws:kms"
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.bucketkey.arn
+      sse_algorithm     = "aws:kms"
       }
     }
-  }
 }
 
 resource "aws_s3_bucket_public_access_block" "public_access_block" {
@@ -76,3 +90,38 @@ resource "aws_s3_bucket_policy" "policy" {
 }
 POLICY
 }
+
+//AWS Provider outdated arguments <4.4.0
+/*resource "aws_s3_bucket" "bucket" {
+  bucket = local.bucket_name
+  acl    = "private"
+
+  versioning {
+    enabled = true
+  }
+
+  tags = merge(var.standard_tags, var.tags)
+
+  lifecycle_rule {
+    id      = "STANDARD_IA"
+    enabled = true
+
+    abort_incomplete_multipart_upload_days = 2
+
+    transition {
+      days          = 30
+      storage_class = "STANDARD_IA"
+    }
+
+  }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.bucketkey.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
+*/
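Review bot: The resource name `s3_lifecyle_bucket` in the first hunk misspells "lifecycle"; the same name is used in the three splunk_servers main.tf files and as `s3_lifecyle_tfstate` in tfstate-s3/s3.tf. Once applied, correcting it means a `terraform state mv` (or a `moved` block) per instance, so before the first apply is the cheap moment to rename it to `s3_lifecycle_bucket`. The rule conversion itself (`abort_incomplete_multipart_upload { days_after_initiation = 2 }`, 30-day STANDARD_IA transition) is faithful to the removed `lifecycle_rule`.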

+ 78 - 24
base/splunk_servers/app_s3_bucket/main.tf

@@ -6,43 +6,54 @@ locals {
 
 resource "aws_s3_bucket" "bucket" {
   bucket = local.bucket_name
-  acl    = "private"
-
-  versioning {
-    enabled = false
-  }
 
-  tags = merge(var.standard_tags, var.tags)
-
-  #logging {
-  #  target_bucket = "dps-s3-logs"
-  #  target_prefix = "aws_terraform_s3_state_access_logs/"
-  #}
+  tags   = merge(var.standard_tags, var.tags)
+}
 
-  lifecycle_rule {
-    id      = "APPS_POLICY"
-    enabled = true
+resource "aws_s3_bucket_acl" "s3_acl_bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  acl    = "private"
+}
 
-    abort_incomplete_multipart_upload_days = 2
+resource "aws_s3_bucket_versioning" "s3_version_bucket" {
+  bucket   = aws_s3_bucket.bucket.id
+  versioning_configuration {
+    status = "Suspended"
+  }
+}
 
+resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" {
+  bucket   = aws_s3_bucket.bucket.id
+  
+  rule {
+    id     = "APPS_POLICY"
+    status = "Enabled"
+    
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 2
+    }
+    
     transition {
       days          = 30
       storage_class = "INTELLIGENT_TIERING"
     }
 
-    #    expiration {
-    #      days = 365
-    #    }
+    # Clean up old versions after a year
+    noncurrent_version_expiration {
+      noncurrent_days       = 365
+    }
   }
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.bucketkey.arn
-        sse_algorithm     = "aws:kms"
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.bucketkey.arn
+      sse_algorithm     = "aws:kms"
       }
     }
-  }
 }
 
 resource "aws_s3_bucket_public_access_block" "public_access_block" {
@@ -83,3 +94,46 @@ resource "aws_s3_bucket_policy" "policy" {
 
   policy = data.aws_iam_policy_document.policy.json
 }
+
+//AWS Provider outdated arguments <4.4.0
+/*resource "aws_s3_bucket" "bucket" {
+  bucket = local.bucket_name
+  acl    = "private"
+
+  versioning {
+    enabled = false
+  }
+
+  tags = merge(var.standard_tags, var.tags)
+
+  #logging {
+  #  target_bucket = "dps-s3-logs"
+  #  target_prefix = "aws_terraform_s3_state_access_logs/"
+  #}
+
+  lifecycle_rule {
+    id      = "APPS_POLICY"
+    enabled = true
+
+    abort_incomplete_multipart_upload_days = 2
+
+    transition {
+      days          = 30
+      storage_class = "INTELLIGENT_TIERING"
+    }
+
+    #    expiration {
+    #      days = 365
+    #    }
+  }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.bucketkey.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
+*/
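Review bot: The new `noncurrent_version_expiration { noncurrent_days = 365 }` in `s3_lifecyle_bucket` has no effect on this bucket: `s3_version_bucket` sets `status = "Suspended"`, and a bucket without versioning produces no noncurrent object versions, so the comment `# Clean up old versions after a year` describes something that will not happen. If the intent is the one-year retention the old commented `expiration { days = 365 }` hinted at, the rule needs `expiration { days = 365 }` instead — which deletes live Splunk app objects and is a behaviour change a commit described as a refactor should call out explicitly; if not, drop the block. The odd spacing in `noncurrent_days       = 365` suggests the line was edited from another attribute, which fits the first reading.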

+ 78 - 16
base/splunk_servers/frozen_s3_bucket/main.tf

@@ -6,25 +6,38 @@ locals {
 
 resource "aws_s3_bucket" "bucket" {
   bucket = local.bucket_name
+
+  tags   = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_s3_bucket_acl" "s3_acl_bucket" {
+  bucket = aws_s3_bucket.bucket.id
   acl    = "private"
+}
 
-  versioning {
-    enabled = false
+resource "aws_s3_bucket_versioning" "s3_version_bucket" {
+  bucket   = aws_s3_bucket.bucket.id
+  versioning_configuration {
+    status = "Suspended"
   }
-
-  tags = merge(var.standard_tags, var.tags)
+}
 
   #logging {
   #  target_bucket = "dps-s3-logs"
   #  target_prefix = "aws_terraform_s3_state_access_logs/"
   #}
 
-  lifecycle_rule {
-    id      = "GLACIER"
-    enabled = true
-
-    abort_incomplete_multipart_upload_days = 2
-
+resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" {
+  bucket   = aws_s3_bucket.bucket.id
+  
+  rule {
+    id     = "GLACIER"
+    status = "Enabled"
+    
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 2
+    }
+    
     transition {
       days          = 30
       storage_class = "GLACIER"
@@ -38,15 +51,17 @@ resource "aws_s3_bucket" "bucket" {
       days = 550
     }
   }
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.bucketkey.arn
-        sse_algorithm     = "aws:kms"
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.bucketkey.arn
+      sse_algorithm     = "aws:kms"
       }
     }
-  }
 }
 
 resource "aws_s3_bucket_public_access_block" "public_access_block" {
@@ -88,3 +103,50 @@ resource "aws_s3_bucket_policy" "policy" {
 }
 POLICY
 }
+
+//AWS Provider outdated arguments <4.4.0
+/*resource "aws_s3_bucket" "bucket" {
+  bucket = local.bucket_name
+  acl    = "private"
+
+  versioning {
+    enabled = false
+  }
+
+  tags = merge(var.standard_tags, var.tags)
+
+  #logging {
+  #  target_bucket = "dps-s3-logs"
+  #  target_prefix = "aws_terraform_s3_state_access_logs/"
+  #}
+
+  lifecycle_rule {
+    id      = "GLACIER"
+    enabled = true
+
+    abort_incomplete_multipart_upload_days = 2
+
+    transition {
+      days          = 30
+      storage_class = "GLACIER"
+      ### Cheaper storage
+      #storage_class= "DEEP_ARCHIVE"
+    }
+
+    expiration {
+      # Discard after 18 months per OMB memo
+      # 18 months in days is 547, rounding up to 550
+      days = 550
+    }
+  }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.bucketkey.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
+*/
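Review bot: The commented `#logging { ... dps-s3-logs ... }` block in the first hunk is now stranded between `aws_s3_bucket_versioning.s3_version_bucket` and `aws_s3_bucket_lifecycle_configuration.s3_lifecyle_bucket`, at bucket-attribute indentation, although the `aws_s3_bucket` body it used to sit in is closed above it, and `logging` is no longer an argument of `aws_s3_bucket` in 4.4.0 anyway. Either convert it to an `aws_s3_bucket_logging` resource targeting that bucket (server access logs on a frozen-data bucket are the audit trail for who read or deleted it) or remove the four lines; the same stranded comment appears in tfstate-s3/s3.tf under a `# FIXME` about the cross-account dependency. The lifecycle rule's `transition`/`expiration` body continues in the second hunk; the `days = 550` expiration is carried over unchanged.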

+ 73 - 19
base/splunk_servers/smartstore_s3_bucket/main.tf

@@ -6,38 +6,54 @@ locals {
 
 resource "aws_s3_bucket" "bucket" {
   bucket = local.bucket_name
-  acl    = "private"
-
-  versioning {
-    enabled = true
-  }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags   = merge(var.standard_tags, var.tags)
+}
 
-  lifecycle_rule {
-    id      = "INTELLIGENT_TIERING"
-    enabled = true
+resource "aws_s3_bucket_acl" "s3_acl_bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  acl    = "private"
+}
 
-    abort_incomplete_multipart_upload_days = 2
+resource "aws_s3_bucket_versioning" "s3_version_bucket" {
+  bucket   = aws_s3_bucket.bucket.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
 
+resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_bucket" {
+  bucket   = aws_s3_bucket.bucket.id
+  
+  rule {
+    id     = "INTELLIGENT_TIERING"
+    status = "Enabled"
+    
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 2
+    }
+    
     transition {
       days          = 90
       storage_class = "INTELLIGENT_TIERING"
     }
 
-    #    expiration {
-    #      days = 365
-    #    }
+    # Clean up old versions after a year
+    noncurrent_version_expiration {
+      noncurrent_days = 365
+    }
   }
+}
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.bucketkey.arn
-        sse_algorithm     = "aws:kms"
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_bucket" {
+  bucket = aws_s3_bucket.bucket.id
+  
+  rule {
+    apply_server_side_encryption_by_default {
+      kms_master_key_id = aws_kms_key.bucketkey.arn
+      sse_algorithm     = "aws:kms"
       }
     }
-  }
 }
 
 resource "aws_s3_bucket_public_access_block" "public_access_block" {
@@ -79,3 +95,41 @@ resource "aws_s3_bucket_policy" "policy" {
 }
 POLICY
 }
+
+//AWS Provider outdated arguments <4.4.0
+/*resource "aws_s3_bucket" "bucket" {
+  bucket = local.bucket_name
+  acl    = "private"
+
+  versioning {
+    enabled = true
+  }
+
+  tags = merge(var.standard_tags, var.tags)
+
+  lifecycle_rule {
+    id      = "INTELLIGENT_TIERING"
+    enabled = true
+
+    abort_incomplete_multipart_upload_days = 2
+
+    transition {
+      days          = 90
+      storage_class = "INTELLIGENT_TIERING"
+    }
+
+    #    expiration {
+    #      days = 365
+    #    }
+  }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.bucketkey.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
+*/

+ 37 - 0
base/teleport-single-instance/.terraform.lock.hcl

@@ -0,0 +1,37 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version = "4.4.0"
+  hashes = [
+    "h1:e9Lg+N7g//WXWDGPPbisC1w34HFIDZrCNkJFbP+z5Rk=",
+    "zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff",
+    "zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f",
+    "zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50",
+    "zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87",
+    "zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114",
+    "zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d",
+    "zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4",
+    "zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360",
+    "zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9",
+    "zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758",
+    "zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/template" {
+  version = "2.2.0"
+  hashes = [
+    "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=",
+    "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386",
+    "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
+    "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
+    "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
+    "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
+    "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
+    "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
+    "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
+    "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
+    "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+  ]
+}

+ 64 - 8
base/tfstate/tfstate-s3/s3.tf

@@ -1,5 +1,68 @@
 resource "aws_s3_bucket" "tfstate" {
   bucket = var.bucket_name
+  
+  depends_on = [ var.module_depends_on ]
+}
+
+resource "aws_s3_bucket_acl" "s3_acl_tfstate" {
+  bucket = aws_s3_bucket.tfstate.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_versioning" "s3_version_tfstate" {
+  bucket = aws_s3_bucket.tfstate.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+# FIXME: Does this keep a cross-account dependency?
+  #logging {
+  #target_bucket = "dps-s3-logs"
+  #target_prefix = "aws_terraform_s3_state_access_logs/"
+  #}
+  
+resource "aws_s3_bucket_lifecycle_configuration" "s3_lifecyle_tfstate" {
+  bucket = aws_s3_bucket.tfstate.id
+  
+  rule {
+    status = "Enabled"
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 7
+    }
+    
+    noncurrent_version_transition {
+      noncurrent_days = 30
+      storage_class   = "STANDARD_IA"
+    }
+    
+    noncurrent_version_expiration {
+      noncurrent_days = 730
+    }
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "s3_sse_tfstate" {
+  bucket = aws_s3_bucket.tfstate.id
+  
+  rule {
+    apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.tfstate.arn
+        sse_algorithm     = "aws:kms"
+     }
+   }
+}
+
+resource "aws_s3_bucket_public_access_block" "tfstate" {
+  bucket                  = aws_s3_bucket.tfstate.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+//AWS Provider outdated arguments <4.4.0
+/*resource "aws_s3_bucket" "tfstate" {
+  bucket = var.bucket_name
   acl    = "private"
 
   depends_on = [ var.module_depends_on ]
@@ -38,11 +101,4 @@ resource "aws_s3_bucket" "tfstate" {
     }
   }
 }
-
-resource "aws_s3_bucket_public_access_block" "tfstate" {
-  bucket                  = aws_s3_bucket.tfstate.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
+*/
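Review bot: The `rule` block in `aws_s3_bucket_lifecycle_configuration.s3_lifecyle_tfstate` has no `id`, which is a required argument of that resource in provider 4.x, so validate/plan will reject it; add one as the first line of the rule, e.g. `id = "tfstate-noncurrent-versions"`. Because the rule acts only on noncurrent versions, add `depends_on = [aws_s3_bucket_versioning.s3_version_tfstate]` to the lifecycle resource, as the provider documentation recommends, so the rule is not written before versioning is enabled; the same applies to the `noncurrent_version_expiration` rule in smartstore_s3_bucket/main.tf. The nested lines in `s3_sse_tfstate` (`        kms_master_key_id`, `     }`, `   }`) are indented inconsistently and should be normalised to 2-space steps. The old `aws_s3_bucket` body between the two hunks is outside this view, so I cannot confirm the 30-day STANDARD_IA / 730-day expiry values match what was removed.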