feat: add field create_aws_s3_bucket_public_access_block to variable runner_worker_cache (#1105)

## Description

Some organizations may disallow configuring block public access settings
on individual S3 buckets. For example, the organization may use account
level configuration to block public access on all buckets.

To support this, we add the field
`create_aws_s3_bucket_public_access_block` to the `runner_worker_cache`
variable.

We add `count` to the `aws_s3_bucket_public_access_block` resource to
control its creation and use the `moved` keyword to ensure that existing
instances of this resource are not recreated due to this change.

## Migrations required

No. Migrations are automatically handled by `moved` keyword.

## Verification

Applied this module with the `create_aws_s3_bucket_public_access_block`
field set to `false`. The `aws_s3_bucket_public_access_block` resource
was not created. All other resources were created as expected.

---------

Co-authored-by: Kevin Snyder <[email protected]>
Co-authored-by: Matthias Kay <[email protected]>

Author: 3 people

main.tf

@@ -392,6 +392,8 @@ module "cache" {
   kms_key_id = local.kms_key
 
   name_iam_objects = local.name_iam_objects
+
+  create_aws_s3_bucket_public_access_block = var.runner_worker_cache.create_aws_s3_bucket_public_access_block
 }
 
 ################################################################################

modules/cache/main.tf

@@ -95,6 +95,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "build_cache_encry
 
 # block public access to S3 cache bucket
 resource "aws_s3_bucket_public_access_block" "build_cache_policy" {
+  count = var.create_aws_s3_bucket_public_access_block ? 1 : 0
+
   bucket = aws_s3_bucket.build_cache.id
 
   block_public_acls       = true

modules/cache/state_migration.tf

@@ -0,0 +1,4 @@
+moved {
+  from = aws_s3_bucket_public_access_block.build_cache_policy
+  to   = aws_s3_bucket_public_access_block.build_cache_policy[0]
+}

modules/cache/variables.tf

@@ -91,3 +91,9 @@ variable "kms_key_id" {
   type        = string
   default     = ""
 }
+
+variable "create_aws_s3_bucket_public_access_block" {
+  description = "Enable the creation of the public access block for the cache bucket."
+  type        = bool
+  default     = true
+}

variables.tf

@@ -413,6 +413,7 @@ variable "runner_worker_cache" {
     bucket = Name of the cache bucket. Requires `create = false`.
     bucket_prefix = Prefix for s3 cache bucket name. Requires `create = true`.
     create = Boolean used to enable or disable the creation of the cache bucket.
+    create_aws_s3_bucket_public_access_block = Boolean used to enable or disable the creation of the public access block for the cache bucket. Useful when organizations do not allow the creation of public access blocks on individual buckets (e.g. public access is blocked on all buckets at the organization level).
     expiration_days = Number of days before cache objects expire. Requires `create = true`.
     include_account_id = Boolean used to include the account id in the cache bucket name. Requires `create = true`.
     policy = Policy to use for the cache bucket. Requires `create = false`.
@@ -421,18 +422,19 @@ variable "runner_worker_cache" {
     versioning = Boolean used to enable versioning on the cache bucket. Requires `create = true`.
   EOT
   type = object({
-    access_log_bucket_id     = optional(string, null)
-    access_log_bucket_prefix = optional(string, null)
-    authentication_type      = optional(string, "iam")
-    bucket                   = optional(string, "")
-    bucket_prefix            = optional(string, "")
-    create                   = optional(bool, true)
-    expiration_days          = optional(number, 1)
-    include_account_id       = optional(bool, true)
-    policy                   = optional(string, "")
-    random_suffix            = optional(bool, false)
-    shared                   = optional(bool, false)
-    versioning               = optional(bool, false)
+    access_log_bucket_id                     = optional(string, null)
+    access_log_bucket_prefix                 = optional(string, null)
+    authentication_type                      = optional(string, "iam")
+    bucket                                   = optional(string, "")
+    bucket_prefix                            = optional(string, "")
+    create                                   = optional(bool, true)
+    create_aws_s3_bucket_public_access_block = optional(bool, true)
+    expiration_days                          = optional(number, 1)
+    include_account_id                       = optional(bool, true)
+    policy                                   = optional(string, "")
+    random_suffix                            = optional(bool, false)
+    shared                                   = optional(bool, false)
+    versioning                               = optional(bool, false)
   })
   default = {}
 }