Conversation
…tions in customer accounts
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| enable_loki_logging = var.enable_loki_logging | ||
| cleanup_noncurrent_days = var.s3_cleanup_noncurrent_days | ||
| retain_backup_days = var.s3_retain_backup_days | ||
| include_pgbackup = var.include_pgbackup |
There was a problem hiding this comment.
Disabling pgbackup now breaks pgBackRest S3 bucket reference
Medium Severity
Passing include_pgbackup to the s3-storage module is new — previously the module always created the pgbackup bucket regardless of this flag. Now when include_pgbackup = false, the bucket won't be created, but application.tf unconditionally configures crunchy-postgres pgBackRestConfig with local.environment_pgbackup_s3_bucket_name (which becomes the string "null" via coalesce). This means PostgreSQL backups will silently target a nonexistent bucket, causing backup failures with no corresponding config guard.
Additional Locations (1)
There was a problem hiding this comment.
This only applies if either intake or insights are enabled
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| enable_loki_logging = var.enable_loki_logging | ||
| cleanup_noncurrent_days = var.s3_cleanup_noncurrent_days | ||
| retain_backup_days = var.s3_retain_backup_days | ||
| include_pgbackup = var.include_pgbackup |
There was a problem hiding this comment.
pgbackup bucket created when intake/insights both disabled
Medium Severity
The include_pgbackup parameter is passed unconditionally as var.include_pgbackup (which defaults to true), but the pgbackup S3 bucket is only consumed by pgBackRest configs for intake and insights Crunchy Postgres instances. When neither ipa_enabled nor insights_enabled is true, this creates an unnecessary bucket. On customer-hosted clusters with IAM restrictions (the purpose of this PR), creating unneeded S3 resources could fail or violate least-privilege policies. The value likely needs to be gated on var.ipa_enabled || var.insights_enabled.
2 participants
This will only apply on customer hosted clusters.
Note
Medium Risk
Updates core Terraform modules for EKS, S3, and FSx with new security/access toggles; misconfiguration could affect cluster access or networking/security group behavior on customer-hosted deployments.
Overview
Updates Terraform to better support customer-hosted IAM/security restrictions by upgrading the
indico-aws-buckets,indico-aws-fsx, andindico-aws-eks-clustermodules.Adds new configuration knobs to reduce required permissions and tighten defaults: S3 can now enable Public Access Block (
s3_enable_public_access_block), FSx can toggle its backup lambda (enable_backup_lambda), and EKS now supports optional additional access entries plus the ability to create vs reuse cluster/node security groups (create_cluster_security_group,create_node_security_group).Written by Cursor Bugbot for commit a0561ca. This will update automatically on new commits. Configure here.