diff --git a/main.tf b/main.tf
index cf257e783..1d9895f9d 100644
--- a/main.tf
+++ b/main.tf
@@ -392,6 +392,8 @@ module "cache" {
 kms_key_id = local.kms_key
 name_iam_objects = local.name_iam_objects
+
+ create_aws_s3_bucket_public_access_block = var.runner_worker_cache.create_aws_s3_bucket_public_access_block
 }
 ################################################################################
diff --git a/modules/cache/main.tf b/modules/cache/main.tf
index 4cd62e8b8..3bd685ae2 100644
--- a/modules/cache/main.tf
+++ b/modules/cache/main.tf
@@ -95,6 +95,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "build_cache_encry
 # block public access to S3 cache bucket
 resource "aws_s3_bucket_public_access_block" "build_cache_policy" {
+ count = var.create_aws_s3_bucket_public_access_block ? 1 : 0
+
 bucket = aws_s3_bucket.build_cache.id
 block_public_acls = true
diff --git a/modules/cache/state_migration.tf b/modules/cache/state_migration.tf
new file mode 100644
index 000000000..dfb664004
--- /dev/null
+++ b/modules/cache/state_migration.tf
@@ -0,0 +1,4 @@
+moved {
+ from = aws_s3_bucket_public_access_block.build_cache_policy
+ to = aws_s3_bucket_public_access_block.build_cache_policy[0]
+}
diff --git a/modules/cache/variables.tf b/modules/cache/variables.tf
index abd7a16ff..609d037c5 100644
--- a/modules/cache/variables.tf
+++ b/modules/cache/variables.tf
@@ -91,3 +91,9 @@ variable "kms_key_id" {
 type = string
 default = ""
 }
+
+variable "create_aws_s3_bucket_public_access_block" {
+ description = "Enable the creation of the public access block for the cache bucket."
+ type = bool
+ default = true
+}
diff --git a/variables.tf b/variables.tf
index 8dd4c4afc..68811217f 100644
--- a/variables.tf
+++ b/variables.tf
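Review bot: Adding `count` to `aws_s3_bucket_public_access_block.build_cache_policy` in modules/cache/main.tf means a `false` value leaves the cache bucket with no bucket-level guard against public ACLs or public bucket policies, and nothing in the module verifies that an account- or organization-level block exists instead; the comment above the resource should record that trade-off, e.g. `# block public access to S3 cache bucket; only disable when an account/organization-level public access block already applies`. Any other reference to this resource inside the module (for example a `depends_on` on a bucket policy) must now use the `[0]` index or it will fail to plan; none is visible in this hunk, so this is a check rather than a confirmed defect. The resource body continues outside the hunk.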
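Review bot: The `moved` block in the new modules/cache/state_migration.tf is only understood by Terraform 1.1 and later, and the module's `required_version` constraint is not part of this diff; if it still admits older releases, those users will fail to parse the file rather than get a migration. Either bump the constraint in the same change or state the requirement at the top of the file, e.g. `# moved blocks require Terraform >= 1.1`.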
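Review bot: The description of `create_aws_s3_bucket_public_access_block` in modules/cache/variables.tf says only that it enables creation and omits the consequence of turning it off, which the root-module variable documents; someone reading the submodule alone would not learn that `false` removes the bucket-level public-access guard. Suggest `description = "Enable the creation of the public access block for the cache bucket. Set to false only when public access is already blocked at the account or organization level."`.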
@@ -413,6 +413,7 @@ variable "runner_worker_cache" {
 bucket = Name of the cache bucket. Requires `create = false`.
 bucket_prefix = Prefix for s3 cache bucket name. Requires `create = true`.
 create = Boolean used to enable or disable the creation of the cache bucket.
+ create_aws_s3_bucket_public_access_block = Boolean used to enable or disable the creation of the public access block for the cache bucket. Useful when organizations do not allow the creation of public access blocks on individual buckets (e.g. public access is blocked on all buckets at the organization level).
 expiration_days = Number of days before cache objects expire. Requires `create = true`.
 include_account_id = Boolean used to include the account id in the cache bucket name. Requires `create = true`.
 policy = Policy to use for the cache bucket. Requires `create = false`.
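Review bot: The new `create_aws_s3_bucket_public_access_block` entry in the `runner_worker_cache` description does not say whether it depends on `create`, while the neighbouring bucket settings (`bucket_prefix`, `expiration_days`, `include_account_id`) each carry a "Requires `create = true`." note. Since the public access block is attached to the bucket the module creates, it presumably has the same dependency; if so, append `Requires \`create = true\`.` to the line so the option is not read as applying to an externally supplied bucket. The heredoc continues outside the hunk.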
@@ -421,18 +422,19 @@ variable "runner_worker_cache" {
 versioning = Boolean used to enable versioning on the cache bucket. Requires `create = true`.
 EOT
 type = object({
- access_log_bucket_id = optional(string, null)
- access_log_bucket_prefix = optional(string, null)
- authentication_type = optional(string, "iam")
- bucket = optional(string, "")
- bucket_prefix = optional(string, "")
- create = optional(bool, true)
- expiration_days = optional(number, 1)
- include_account_id = optional(bool, true)
- policy = optional(string, "")
- random_suffix = optional(bool, false)
- shared = optional(bool, false)
- versioning = optional(bool, false)
+ access_log_bucket_id = optional(string, null)
+ access_log_bucket_prefix = optional(string, null)
+ authentication_type = optional(string, "iam")
+ bucket = optional(string, "")
+ bucket_prefix = optional(string, "")
+ create = optional(bool, true)
+ create_aws_s3_bucket_public_access_block = optional(bool, true)
+ expiration_days = optional(number, 1)
+ include_account_id = optional(bool, true)
+ policy = optional(string, "")
+ random_suffix = optional(bool, false)
+ shared = optional(bool, false)
+ versioning = optional(bool, false)
 })
 default = {}
 }