feat: make glacier transition rules optional (#293)

BREAKING CHANGE: this change disables glacier transition rules by default since
transitioning small objects is officially not recommended. it
can be enabled by setting `var.audit_log_lifecycle_glacier_transition_days` to
a positive number.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-transition-general-considerations.html

Author: nozaq

README.md

@@ -145,7 +145,7 @@ This module is composed of several submodules and each of which can be used inde
 | <a name="input_audit_log_bucket_custom_policy_json"></a> [audit\_log\_bucket\_custom\_policy\_json](#input\_audit\_log\_bucket\_custom\_policy\_json) | Override policy for the audit log bucket. Allows addition of extra policies. | `string` | no |
 | <a name="input_audit_log_bucket_force_destroy"></a> [audit\_log\_bucket\_force\_destroy](#input\_audit\_log\_bucket\_force\_destroy) | A boolean that indicates all objects should be deleted from the audit log bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no |
 | <a name="input_audit_log_bucket_key_enabled"></a> [audit\_log\_bucket\_key\_enabled](#input\_audit\_log\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for encrypting the audit log bucket. | `bool` | no |
-| <a name="input_audit_log_lifecycle_glacier_transition_days"></a> [audit\_log\_lifecycle\_glacier\_transition\_days](#input\_audit\_log\_lifecycle\_glacier\_transition\_days) | The number of days after log creation when the log file is archived into Glacier. | `number` | no |
+| <a name="input_audit_log_lifecycle_glacier_transition_days"></a> [audit\_log\_lifecycle\_glacier\_transition\_days](#input\_audit\_log\_lifecycle\_glacier\_transition\_days) | The number of days after log creation when the log file is archived into Glacier. Setting to zero disables the transition. | `number` | no |
 | <a name="input_aws_config_changes_enabled"></a> [aws\_config\_changes\_enabled](#input\_aws\_config\_changes\_enabled) | The boolean flag whether the aws\_config\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |
 | <a name="input_cloudtrail_baseline_enabled"></a> [cloudtrail\_baseline\_enabled](#input\_cloudtrail\_baseline\_enabled) | Boolean whether cloudtrail-baseline is enabled. | `bool` | no |
 | <a name="input_cloudtrail_cfg_changes_enabled"></a> [cloudtrail\_cfg\_changes\_enabled](#input\_cloudtrail\_cfg\_changes\_enabled) | The boolean flag whether the cloudtrail\_cfg\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no |

modules/secure-bucket/README.md

@@ -24,7 +24,7 @@ Creates a S3 bucket with access logging enabled.
 | <a name="input_log_bucket_name"></a> [log\_bucket\_name](#input\_log\_bucket\_name) | The name of the S3 bucket to store access logs to the main bucket. | `string` | yes |
 | <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for this bucket. | `bool` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no |
-| <a name="input_lifecycle_glacier_transition_days"></a> [lifecycle\_glacier\_transition\_days](#input\_lifecycle\_glacier\_transition\_days) | The number of days after object creation when the object is archived into Glacier. | `number` | no |
+| <a name="input_lifecycle_glacier_transition_days"></a> [lifecycle\_glacier\_transition\_days](#input\_lifecycle\_glacier\_transition\_days) | The number of days after object creation when the object is archived into Glacier.  Setting to zero disables the transition. | `number` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no |
 
 ## Outputs

modules/secure-bucket/main.tf

@@ -41,6 +41,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "access_log" {
 }
 
 resource "aws_s3_bucket_lifecycle_configuration" "access_log" {
+  count = var.lifecycle_glacier_transition_days > 0 ? 1 : 0
+
   bucket = aws_s3_bucket.access_log.id
 
   rule {
@@ -108,6 +110,8 @@ resource "aws_s3_bucket_logging" "content" {
 }
 
 resource "aws_s3_bucket_lifecycle_configuration" "content" {
+  count = var.lifecycle_glacier_transition_days > 0 ? 1 : 0
+
   bucket = aws_s3_bucket.content.id
 
   rule {

modules/secure-bucket/variables.tf

@@ -9,9 +9,9 @@ variable "log_bucket_name" {
 }
 
 variable "lifecycle_glacier_transition_days" {
-  description = "The number of days after object creation when the object is archived into Glacier."
+  description = "The number of days after object creation when the object is archived into Glacier.  Setting to zero disables the transition."
   type        = number
-  default     = 90
+  default     = 0
 }
 
 variable "force_destroy" {

variables.tf

@@ -86,9 +86,9 @@ variable "audit_log_bucket_key_enabled" {
 }
 
 variable "audit_log_lifecycle_glacier_transition_days" {
-  description = "The number of days after log creation when the log file is archived into Glacier."
+  description = "The number of days after log creation when the log file is archived into Glacier. Setting to zero disables the transition."
   type        = number
-  default     = 90
+  default     = 0
 }
 
 variable "audit_log_bucket_force_destroy" {