Update for v4 provider

.github/workflows/compare.yml

@@ -14,6 +14,7 @@ jobs:
         with:
           ref: master
           token: ${{ github.token }}
+          fetch-depth: '0'
       - name: tfsec
         run: |
           pip3 install lastversion
@@ -35,6 +36,7 @@ jobs:
         with:
           ref: master
           token: ${{ github.token }}
+          fetch-depth: '0'
       - name: install checkov
         run: |
           pip3 install checkov
@@ -55,6 +57,7 @@ jobs:
         with:
           ref: master
           token: ${{ github.token }}
+          fetch-depth: '0'
       - uses: actions/setup-python@v2
         with:
           python-version: 3.8
@@ -83,6 +86,7 @@ jobs:
         with:
           ref: master
           token: ${{ github.token }}
+          fetch-depth: '0'
       - name: install kics
         run: |
           pip3 install lastversion

.github/workflows/master.yml

@@ -17,6 +17,7 @@ jobs:
         with:
           ref: master
           token: ${{ github.token }}
+          fetch-depth: '0'
       - name: Config Terraform plugin cache
         run: |
           echo 'plugin_cache_dir="$HOME/.terraform.d/plugin-cache"' >~/.terraformrc
@@ -58,6 +59,7 @@ jobs:
         with:
           ref: master
           token: ${{ github.token }}
+          fetch-depth: '0'
       - uses: actions/setup-python@v2
         with:
           python-version: 3.8
@@ -73,11 +75,13 @@ jobs:
     name: versioning
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: '0'
       - name: Bump version and push tag
-        uses: anothrNick/github-tag-action@master
+        uses: anothrNick/github-tag-action@1.38.0
         env:
           GITHUB_TOKEN: ${{ github.token }}
           DEFAULT_BUMP: patch
-          WITH_V: "true"
+          WITH_V: true
     needs: [terraform, security]

.github/workflows/pull_request.yml

@@ -13,6 +13,7 @@ jobs:
         uses: actions/checkout@v2
         with:
           token: ${{ github.token }}
+          fetch-depth: '0'
       - name: Terraform Init
         uses: hashicorp/terraform-github-actions@master
         with:
@@ -32,6 +33,7 @@ jobs:
         uses: actions/checkout@v2
         with:
           token: ${{ github.token }}
+          fetch-depth: '0'
       - uses: actions/setup-python@v2
         with:
           python-version: 3.8

.pre-commit-config.yaml

@@ -20,7 +20,7 @@ repos:
           - --allow-missing-credentials
       - id: detect-private-key
   - repo: https://github.com/Lucas-C/pre-commit-hooks
-    rev: v1.1.10
+    rev: v1.1.13
     hooks:
       - id: forbid-tabs
         exclude_types: [python, javascript, dtd, markdown, makefile, xml]
@@ -31,7 +31,7 @@ repos:
       - id: shell-lint
         exclude: template|\.template$
   - repo: https://github.com/igorshubovych/markdownlint-cli
-    rev: v0.30.0
+    rev: v0.31.1
     hooks:
       - id: markdownlint
   - repo: https://github.com/adrienverge/yamllint
@@ -51,7 +51,7 @@ repos:
       - id: tf2docs
         language_version: python3.8
   - repo: https://github.com/bridgecrewio/checkov
-    rev: 2.0.772
+    rev: 2.0.975
     hooks:
       - id: checkov
         verbose: true

README.md

@@ -81,7 +81,10 @@ No modules.
 | [aws_iam_role_policy.codecommit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.attachtotriggerrole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_s3_bucket.artifacts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_public_access_block.artifacts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_ssm_parameter.buildnumber](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_ssm_parameter.latest](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -104,14 +107,14 @@ No modules.
 | <a name="input_environment"></a> [environment](#input\_environment) | A map to describe the build environment and populate the environment block | `map(any)` | <pre>{<br>  "compute_type": "BUILD_GENERAL1_SMALL",<br>  "image": "aws/codebuild/nodejs:6.3.1",<br>  "privileged_mode": "false",<br>  "type": "LINUX_CONTAINER"<br>}</pre> | no |
 | <a name="input_force_artifact_destroy"></a> [force\_artifact\_destroy](#input\_force\_artifact\_destroy) | Force the removal of the artifact S3 bucket on destroy (default: false). | `string` | `false` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | Your Custom KMS key | `string` | `""` | no |
-| <a name="input_mfa_delete"></a> [mfa\_delete](#input\_mfa\_delete) | Require MFA to delete | `bool` | `false` | no |
+| <a name="input_mfa_delete"></a> [mfa\_delete](#input\_mfa\_delete) | Require MFA to delete | `string` | `"Disabled"` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of the Build | `string` | n/a | yes |
 | <a name="input_projectroot"></a> [projectroot](#input\_projectroot) | The name of the parent project for SSM | `string` | `"core"` | no |
 | <a name="input_reponame"></a> [reponame](#input\_reponame) | The name of the repository | `string` | `""` | no |
 | <a name="input_role"></a> [role](#input\_role) | Override for providing a role | `string` | `""` | no |
 | <a name="input_sourcecode"></a> [sourcecode](#input\_sourcecode) | A map to describe where your sourcecode comes from, to fill the sourcecode block in a Codebuild project | `map(any)` | <pre>{<br>  "buildspec": "",<br>  "location": "",<br>  "type": "CODECOMMIT"<br>}</pre> | no |
 | <a name="input_sse_algorithm"></a> [sse\_algorithm](#input\_sse\_algorithm) | The type of encryption algorithm to use | `string` | `"aws:kms"` | no |
-| <a name="input_versioning"></a> [versioning](#input\_versioning) | Set bucket to version | `bool` | `false` | no |
+| <a name="input_versioning"></a> [versioning](#input\_versioning) | Set bucket to version | `string` | `"Enabled"` | no |
 
 ## Outputs
 

aws_s3_bucket.artifacts.tf

@@ -1,26 +1,42 @@
 
 resource "aws_s3_bucket" "artifacts" {
-  # tfsec:ignore:AWS077
-  # tfsec:ignore:AWS002
-  # checkov:skip=CKV_AWS_144: ADD REASON
-  # checkov:skip=CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
-  # checkov:skip=CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
-  # checkov:skip=CKV_AWS_52: "Ensure S3 bucket has MFA delete enabled"
+  # checkov:skip=CKV2_AWS_6: ADD REASON
+  # checkov:skip=CKV2_AWS_41: ADD REASON
+  # checkov:skip=CKV_AWS_18:LEGACY
+  # checkov:skip=CKV_AWS_144:LEGACY
+  # checkov:skip=CKV_AWS_19:LEGACY
+  # checkov:skip=CKV_AWS_145:LEGACY
+  # checkov:skip=CKV_AWS_21:LEGACY
   count         = var.bucketname == "" ? 1 : 0
   bucket        = local.bucketname
-  acl           = "private"
   force_destroy = var.force_artifact_destroy
+}
 
-  versioning {
-    enabled    = var.versioning
-    mfa_delete = var.mfa_delete
-  }
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = var.sse_algorithm
-      }
+resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
+  count  = var.bucketname == "" ? 1 : 0
+  bucket = aws_s3_bucket.artifacts[0].bucket
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = var.sse_algorithm
+      kms_master_key_id = var.kms_key_id
     }
   }
 }
+
+resource "aws_s3_bucket_versioning" "example" {
+  count  = var.bucketname == "" ? 1 : 0
+  bucket = aws_s3_bucket.artifacts[0].id
+  versioning_configuration {
+    status     = var.versioning
+    mfa_delete = var.mfa_delete
+  }
+}
+
+
+
+resource "aws_s3_bucket_acl" "example" {
+  count  = var.bucketname == "" ? 1 : 0
+  bucket = aws_s3_bucket.artifacts[0].id
+  acl    = "private"
+}

example/example-more-iam-permissions/terraform.tf

@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     aws = {
-      version = "3.69.0"
+      version = "4.6.0"
       source  = "hashicorp/aws"
     }
     local = {

example/example-supplyrole/terraform.tf

@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     aws = {
-      version = "3.69.0"
+      version = "4.6.0"
       source  = "hashicorp/aws"
     }
     local = {

example/examplea/terraform.tf

@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     aws = {
-      version = "3.69.0"
+      version = "4.6.0"
       source  = "hashicorp/aws"
     }
     local = {

variables.tf

@@ -107,15 +107,15 @@ variable "artifact_type" {
 }
 
 variable "versioning" {
-  type        = bool
+  type        = string
   description = "Set bucket to version"
-  default     = false
+  default     = "Enabled"
 }
 
 variable "mfa_delete" {
-  type        = bool
+  type        = string
   description = "Require MFA to delete"
-  default     = false
+  default     = "Disabled"
 }
 
 variable "kms_key_id" {