fix: AWS S3 backend access logging bucket not versioning (#4246)

lev-ok · web-flow · commit 0e73b7f175a8 · 2025-05-05T15:09:34.000+03:00
diff --git a/internal/remotestate/backend/s3/client.go b/internal/remotestate/backend/s3/client.go
@@ -184,7 +184,7 @@ func (client *Client) UpdateS3BucketIfNecessary(ctx context.Context, bucketName
 	if bucketUpdatesRequired.Versioning {
 		if client.SkipBucketVersioning {
 			client.logger.Debugf("Versioning is disabled for the remote state S3 bucket %s using 'skip_bucket_versioning' config.", bucketName)
-		} else if err := client.EnableVersioningForS3Bucket(); err != nil {
+		} else if err := client.EnableVersioningForS3Bucket(bucketName); err != nil {
 			return err
 		}
 	}
@@ -295,6 +295,12 @@ func (client *Client) configureAccessLogBucket(ctx context.Context, opts *option
 		}
 	}
 
+	if client.SkipBucketVersioning {
+		client.logger.Debugf("Versioning is disabled for the remote state S3 bucket %s using 'skip_bucket_versioning' config.", client.AccessLoggingBucketName)
+	} else if err := client.EnableVersioningForS3Bucket(client.AccessLoggingBucketName); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -479,7 +485,7 @@ func (client *Client) CreateS3BucketWithVersioningSSEncryptionAndAccessLogging(c
 
 	if client.SkipBucketVersioning {
 		client.logger.Debugf("Versioning is disabled for the remote state S3 bucket %s using 'skip_bucket_versioning' config.", cfg.Bucket)
-	} else if err := client.EnableVersioningForS3Bucket(); err != nil {
+	} else if err := client.EnableVersioningForS3Bucket(cfg.Bucket); err != nil {
 		return err
 	}
 
@@ -939,21 +945,19 @@ func (client *Client) EnableEnforcedTLSAccesstoS3Bucket(bucket string) error {
 // Helper function to check if the enforced TLS policy is enabled for the bucket
 
 // EnableVersioningForS3Bucket enables versioning for the S3 bucket specified in the given config.
-func (client *Client) EnableVersioningForS3Bucket() error {
-	cfg := &client.RemoteStateConfigS3
-
-	client.logger.Debugf("Enabling versioning on S3 bucket %s", cfg.Bucket)
+func (client *Client) EnableVersioningForS3Bucket(bucketName string) error {
+	client.logger.Debugf("Enabling versioning on S3 bucket %s", bucketName)
 	input := s3.PutBucketVersioningInput{
-		Bucket:                  aws.String(cfg.Bucket),
+		Bucket:                  aws.String(bucketName),
 		VersioningConfiguration: &s3.VersioningConfiguration{Status: aws.String(s3.BucketVersioningStatusEnabled)},
 	}
 
 	_, err := client.PutBucketVersioning(&input)
 	if err != nil {
-		return errors.Errorf("error enabling versioning on S3 bucket %s: %w", cfg.Bucket, err)
+		return errors.Errorf("error enabling versioning on S3 bucket %s: %w", bucketName, err)
 	}
 
-	client.logger.Debugf("Enabled versioning on S3 bucket %s", cfg.Bucket)
+	client.logger.Debugf("Enabled versioning on S3 bucket %s", bucketName)
 
 	return nil
 }
diff --git a/test/fixtures/s3-backend/common.hcl b/test/fixtures/s3-backend/common.hcl
@@ -6,6 +6,10 @@ feature "enable_lock_table_ssencryption" {
   default = false
 }
 
+feature "access_logging_bucket" {
+  default = ""
+}
+
 feature "key_prefix" {
   default = ""
 }
@@ -22,7 +26,8 @@ remote_state {
     region         = "__FILL_IN_REGION__"
     dynamodb_table = "__FILL_IN_LOCK_TABLE_NAME__"
 
-    skip_bucket_versioning = feature.disable_versioning.value
+    skip_bucket_versioning         = feature.disable_versioning.value
     enable_lock_table_ssencryption = feature.enable_lock_table_ssencryption.value
+    accesslogging_bucket_name      = feature.access_logging_bucket.value
   }
 }
diff --git a/test/integration_aws_test.go b/test/integration_aws_test.go
@@ -80,7 +80,7 @@ func TestAwsBootstrapBackend(t *testing.T) {
 
 				require.NoError(t, err)
 
-				validateS3BucketExistsAndIsTagged(t, helpers.TerraformRemoteStateS3Region, s3BucketName, nil)
+				validateS3BucketExistsAndIsTaggedAndVersioning(t, helpers.TerraformRemoteStateS3Region, s3BucketName, true, nil)
 				validateDynamoDBTableExistsAndIsTaggedAndIsSSEncrypted(t, helpers.TerraformRemoteStateS3Region, dynamoDBName, nil, false)
 			},
 		},
@@ -92,7 +92,7 @@ func TestAwsBootstrapBackend(t *testing.T) {
 
 				require.NoError(t, err)
 
-				validateS3BucketExistsAndIsTagged(t, helpers.TerraformRemoteStateS3Region, s3BucketName, nil)
+				validateS3BucketExistsAndIsTaggedAndVersioning(t, helpers.TerraformRemoteStateS3Region, s3BucketName, true, nil)
 				validateDynamoDBTableExistsAndIsTaggedAndIsSSEncrypted(t, helpers.TerraformRemoteStateS3Region, dynamoDBName, nil, true)
 			},
 		},
@@ -104,7 +104,7 @@ func TestAwsBootstrapBackend(t *testing.T) {
 
 				require.NoError(t, err)
 
-				validateS3BucketExistsAndIsTagged(t, helpers.TerraformRemoteStateS3Region, s3BucketName, nil)
+				validateS3BucketExistsAndIsTaggedAndVersioning(t, helpers.TerraformRemoteStateS3Region, s3BucketName, true, nil)
 				validateDynamoDBTableExistsAndIsTaggedAndIsSSEncrypted(t, helpers.TerraformRemoteStateS3Region, dynamoDBName, nil, false)
 			},
 		},
@@ -161,7 +161,7 @@ func TestAwsBootstrapBackendLegacyBehavior(t *testing.T) {
 	_, stderr, err := helpers.RunTerragruntCommandWithOutput(t, "terragrunt run --all --non-interactive --log-level debug --working-dir "+rootPath+" apply")
 	require.NoError(t, err)
 
-	validateS3BucketExistsAndIsTagged(t, helpers.TerraformRemoteStateS3Region, s3BucketName, nil)
+	validateS3BucketExistsAndIsTaggedAndVersioning(t, helpers.TerraformRemoteStateS3Region, s3BucketName, true, nil)
 	validateDynamoDBTableExistsAndIsTaggedAndIsSSEncrypted(t, helpers.TerraformRemoteStateS3Region, dynamoDBName, nil, false)
 
 	assert.Contains(t, stderr, "Use the explicit `--backend-bootstrap` flag to automatically provision backend resources before they're needed.")
@@ -204,7 +204,7 @@ func TestAwsBootstrapBackendWithoutVersioning(t *testing.T) {
 	_, _, err := helpers.RunTerragruntCommandWithOutput(t, "terragrunt run --all --non-interactive --log-level debug --strict-control require-explicit-bootstrap --working-dir "+rootPath+" --feature disable_versioning=true --backend-bootstrap apply")
 	require.NoError(t, err)
 
-	validateS3BucketExistsAndIsTagged(t, helpers.TerraformRemoteStateS3Region, s3BucketName, nil)
+	validateS3BucketExistsAndIsTaggedAndVersioning(t, helpers.TerraformRemoteStateS3Region, s3BucketName, false, nil)
 	validateDynamoDBTableExistsAndIsTaggedAndIsSSEncrypted(t, helpers.TerraformRemoteStateS3Region, dynamoDBName, nil, false)
 
 	_, _, err = helpers.RunTerragruntCommandWithOutput(t, "terragrunt --non-interactive --log-level debug --working-dir "+rootPath+" --feature disable_versioning=true backend delete --all")
@@ -214,6 +214,36 @@ func TestAwsBootstrapBackendWithoutVersioning(t *testing.T) {
 	require.NoError(t, err)
 }
 
+func TestAwsBootstrapBackendWithAccessLogging(t *testing.T) {
+	t.Parallel()
+
+	helpers.CleanupTerraformFolder(t, testFixtureS3Backend)
+	tmpEnvPath := helpers.CopyEnvironment(t, testFixtureS3Backend)
+	rootPath := util.JoinPath(tmpEnvPath, testFixtureS3Backend)
+
+	testID := strings.ToLower(helpers.UniqueID())
+
+	s3BucketName := "terragrunt-test-bucket-" + testID
+	s3AccessLogsBucketName := "terragrunt-test-bucket-" + testID + "-access-logs"
+	dynamoDBName := "terragrunt-test-dynamodb-" + testID
+
+	defer func() {
+		deleteS3Bucket(t, s3BucketName, helpers.TerraformRemoteStateS3Region)
+		deleteS3Bucket(t, s3AccessLogsBucketName, helpers.TerraformRemoteStateS3Region)
+		cleanupTableForTest(t, dynamoDBName, helpers.TerraformRemoteStateS3Region)
+	}()
+
+	commonConfigPath := util.JoinPath(rootPath, "common.hcl")
+	helpers.CopyTerragruntConfigAndFillPlaceholders(t, commonConfigPath, commonConfigPath, s3BucketName, dynamoDBName, helpers.TerraformRemoteStateS3Region)
+
+	_, _, err := helpers.RunTerragruntCommandWithOutput(t, "terragrunt run --all --non-interactive --log-level debug --strict-control require-explicit-bootstrap --working-dir "+rootPath+" --feature access_logging_bucket="+s3AccessLogsBucketName+" --backend-bootstrap apply")
+	require.NoError(t, err)
+
+	validateS3BucketExistsAndIsTaggedAndVersioning(t, helpers.TerraformRemoteStateS3Region, s3BucketName, true, nil)
+	validateS3BucketExistsAndIsTaggedAndVersioning(t, helpers.TerraformRemoteStateS3Region, s3AccessLogsBucketName, true, nil)
+	validateDynamoDBTableExistsAndIsTaggedAndIsSSEncrypted(t, helpers.TerraformRemoteStateS3Region, dynamoDBName, nil, false)
+}
+
 func TestAwsMigrateBackendWithoutVersioning(t *testing.T) {
 	t.Parallel()
 
@@ -238,7 +268,7 @@ func TestAwsMigrateBackendWithoutVersioning(t *testing.T) {
 	_, _, err := helpers.RunTerragruntCommandWithOutput(t, "terragrunt run --non-interactive --log-level debug --strict-control require-explicit-bootstrap --working-dir "+unitPath+" --feature disable_versioning=true --backend-bootstrap apply -- -auto-approve")
 	require.NoError(t, err)
 
-	validateS3BucketExistsAndIsTagged(t, helpers.TerraformRemoteStateS3Region, s3BucketName, nil)
+	validateS3BucketExistsAndIsTaggedAndVersioning(t, helpers.TerraformRemoteStateS3Region, s3BucketName, false, nil)
 	validateDynamoDBTableExistsAndIsTaggedAndIsSSEncrypted(t, helpers.TerraformRemoteStateS3Region, dynamoDBName, nil, false)
 
 	_, _, err = helpers.RunTerragruntCommandWithOutput(t, "terragrunt --non-interactive --log-level debug --working-dir "+rootPath+" --feature disable_versioning=true backend migrate unit1 unit2")
@@ -471,7 +501,7 @@ func TestAwsWorksWithLocalTerraformVersion(t *testing.T) {
 	var expectedS3Tags = map[string]string{
 		"owner": "terragrunt integration test",
 		"name":  "Terraform state storage"}
-	validateS3BucketExistsAndIsTagged(t, helpers.TerraformRemoteStateS3Region, s3BucketName, expectedS3Tags)
+	validateS3BucketExistsAndIsTaggedAndVersioning(t, helpers.TerraformRemoteStateS3Region, s3BucketName, true, expectedS3Tags)
 
 	var expectedDynamoDBTableTags = map[string]string{
 		"owner": "terragrunt integration test",
@@ -1590,6 +1620,21 @@ func assertS3Tags(t *testing.T, expectedTags map[string]string, bucketName strin
 	assert.Equal(t, expectedTags, actualTags, "Did not find expected tags on s3 bucket.")
 }
 
+func assertS3BucketVersioning(t *testing.T, bucketName string, versioning bool, client *s3.S3) {
+	t.Helper()
+
+	res, err := client.GetBucketVersioning(&s3.GetBucketVersioningInput{Bucket: aws.String(bucketName)})
+	require.NoError(t, err)
+	require.NotNil(t, res)
+
+	if versioning {
+		require.NotNil(t, res.Status)
+		assert.Equal(t, *res.Status, s3.BucketVersioningStatusEnabled, "Versioning is not enabled for the remote state S3 bucket %s", bucketName)
+	} else {
+		require.Nil(t, res.Status)
+	}
+}
+
 // Check that the DynamoDB table of the given name and region exists. Terragrunt should create this table during the test.
 // Also check if table got tagged properly
 func validateDynamoDBTableExistsAndIsTaggedAndIsSSEncrypted(t *testing.T, awsRegion string, tableName string, expectedTags map[string]string, expectedSSEncrypted bool) {
@@ -1651,7 +1696,7 @@ func doesDynamoDBTableItemExist(t *testing.T, awsRegion string, tableName, key s
 
 // Check that the S3 Bucket of the given name and region exists. Terragrunt should create this bucket during the test.
 // Also check if bucket got tagged properly and that public access is disabled completely.
-func validateS3BucketExistsAndIsTagged(t *testing.T, awsRegion string, bucketName string, expectedTags map[string]string) {
+func validateS3BucketExistsAndIsTaggedAndVersioning(t *testing.T, awsRegion string, bucketName string, versioning bool, expectedTags map[string]string) {
 	t.Helper()
 
 	client := helpers.CreateS3ClientForTest(t, awsRegion)
@@ -1663,6 +1708,8 @@ func validateS3BucketExistsAndIsTagged(t *testing.T, awsRegion string, bucketNam
 		assertS3Tags(t, expectedTags, bucketName, client)
 	}
 
+	assertS3BucketVersioning(t, bucketName, versioning, client)
+
 	assertS3PublicAccessBlocks(t, client, bucketName)
 }
 

Original file line number	Diff line number	Diff line change
`@@ -184,7 +184,7 @@ func (client *Client) UpdateS3BucketIfNecessary(ctx context.Context, bucketName`
`184`	`184`	`if bucketUpdatesRequired.Versioning {`
`185`	`185`	`if client.SkipBucketVersioning {`
`186`	`186`	`client.logger.Debugf("Versioning is disabled for the remote state S3 bucket %s using 'skip_bucket_versioning' config.", bucketName)`
`187`		`- } else if err := client.EnableVersioningForS3Bucket(); err != nil {`
	`187`	`+ } else if err := client.EnableVersioningForS3Bucket(bucketName); err != nil {`
`188`	`188`	`return err`
`189`	`189`	`}`
`190`	`190`	`}`
`@@ -295,6 +295,12 @@ func (client Client) configureAccessLogBucket(ctx context.Context, opts option`
`295`	`295`	`}`
`296`	`296`	`}`
`297`	`297`
	`298`	`+ if client.SkipBucketVersioning {`
	`299`	`+ client.logger.Debugf("Versioning is disabled for the remote state S3 bucket %s using 'skip_bucket_versioning' config.", client.AccessLoggingBucketName)`
	`300`	`+ } else if err := client.EnableVersioningForS3Bucket(client.AccessLoggingBucketName); err != nil {`
	`301`	`+ return err`
	`302`	`+ }`
	`303`	`+`
`298`	`304`	`return nil`
`299`	`305`	`}`
`300`	`306`
`@@ -479,7 +485,7 @@ func (client *Client) CreateS3BucketWithVersioningSSEncryptionAndAccessLogging(c`
`479`	`485`
`480`	`486`	`if client.SkipBucketVersioning {`
`481`	`487`	`client.logger.Debugf("Versioning is disabled for the remote state S3 bucket %s using 'skip_bucket_versioning' config.", cfg.Bucket)`
`482`		`- } else if err := client.EnableVersioningForS3Bucket(); err != nil {`
	`488`	`+ } else if err := client.EnableVersioningForS3Bucket(cfg.Bucket); err != nil {`
`483`	`489`	`return err`
`484`	`490`	`}`
`485`	`491`
`@@ -939,21 +945,19 @@ func (client *Client) EnableEnforcedTLSAccesstoS3Bucket(bucket string) error {`
`939`	`945`	`// Helper function to check if the enforced TLS policy is enabled for the bucket`
`940`	`946`
`941`	`947`	`// EnableVersioningForS3Bucket enables versioning for the S3 bucket specified in the given config.`
`942`		`-func (client *Client) EnableVersioningForS3Bucket() error {`
`943`		`- cfg := &client.RemoteStateConfigS3`
`944`		`-`
`945`		`- client.logger.Debugf("Enabling versioning on S3 bucket %s", cfg.Bucket)`
	`948`	`+func (client *Client) EnableVersioningForS3Bucket(bucketName string) error {`
	`949`	`+ client.logger.Debugf("Enabling versioning on S3 bucket %s", bucketName)`
`946`	`950`	`input := s3.PutBucketVersioningInput{`
`947`		`- Bucket: aws.String(cfg.Bucket),`
	`951`	`+ Bucket: aws.String(bucketName),`
`948`	`952`	`VersioningConfiguration: &s3.VersioningConfiguration{Status: aws.String(s3.BucketVersioningStatusEnabled)},`
`949`	`953`	`}`
`950`	`954`
`951`	`955`	`_, err := client.PutBucketVersioning(&input)`
`952`	`956`	`if err != nil {`
`953`		`- return errors.Errorf("error enabling versioning on S3 bucket %s: %w", cfg.Bucket, err)`
	`957`	`+ return errors.Errorf("error enabling versioning on S3 bucket %s: %w", bucketName, err)`
`954`	`958`	`}`
`955`	`959`
`956`		`- client.logger.Debugf("Enabled versioning on S3 bucket %s", cfg.Bucket)`
	`960`	`+ client.logger.Debugf("Enabled versioning on S3 bucket %s", bucketName)`
`957`	`961`
`958`	`962`	`return nil`
`959`	`963`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,10 @@ feature "enable_lock_table_ssencryption" {`
`6`	`6`	`default = false`
`7`	`7`	`}`
`8`	`8`
	`9`	`+feature "access_logging_bucket" {`
	`10`	`+ default = ""`
	`11`	`+}`
	`12`	`+`
`9`	`13`	`feature "key_prefix" {`
`10`	`14`	`default = ""`
`11`	`15`	`}`
`@@ -22,7 +26,8 @@ remote_state {`
`22`	`26`	`region = "__FILL_IN_REGION__"`
`23`	`27`	`dynamodb_table = "__FILL_IN_LOCK_TABLE_NAME__"`
`24`	`28`
`25`		`- skip_bucket_versioning = feature.disable_versioning.value`
	`29`	`+ skip_bucket_versioning = feature.disable_versioning.value`
`26`	`30`	`enable_lock_table_ssencryption = feature.enable_lock_table_ssencryption.value`
	`31`	`+ accesslogging_bucket_name = feature.access_logging_bucket.value`
`27`	`32`	`}`
`28`	`33`	`}`