s3-bucket

This module creates the following resources.

  • aws_s3_bucket
  • aws_s3_bucket_accelerate_configuration
  • aws_s3_bucket_acl (optional)
  • aws_s3_bucket_cors_configuration (optional)
  • aws_s3_bucket_lifecycle_configuration (optional)
  • aws_s3_bucket_logging (optional)
  • aws_s3_bucket_metric (optional)
  • aws_s3_bucket_object_lock_configuration (optional)
  • aws_s3_bucket_ownership_controls
  • aws_s3_bucket_policy
  • aws_s3_bucket_public_access_block
  • aws_s3_bucket_request_payment_configuration
  • aws_s3_bucket_server_side_encryption_configuration
  • aws_s3_bucket_versioning

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5 |
| aws | >= 4.49 |

Providers

| Name | Version |
|------|---------|
| aws | 5.19.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| resource_group | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |

Resources

| Name | Type |
|------|------|
| aws_s3_bucket.this | resource |
| aws_s3_bucket_accelerate_configuration.this | resource |
| aws_s3_bucket_acl.this | resource |
| aws_s3_bucket_cors_configuration.this | resource |
| aws_s3_bucket_lifecycle_configuration.this | resource |
| aws_s3_bucket_logging.this | resource |
| aws_s3_bucket_metric.this | resource |
| aws_s3_bucket_object_lock_configuration.this | resource |
| aws_s3_bucket_ownership_controls.this | resource |
| aws_s3_bucket_policy.this | resource |
| aws_s3_bucket_public_access_block.this | resource |
| aws_s3_bucket_request_payment_configuration.this | resource |
| aws_s3_bucket_server_side_encryption_configuration.this | resource |
| aws_s3_bucket_versioning.this | resource |
| aws_caller_identity.this | data source |
| aws_canonical_user_id.this | data source |
| aws_iam_policy_document.access_logging | data source |
| aws_iam_policy_document.this | data source |
| aws_iam_policy_document.tls_required | data source |

Inputs

Each input is listed with its description, type, default and whether it is required.

`name` (Required): Desired name for the S3 bucket.
Type: `string`. Default: n/a. Required: yes.

`block_public_access` (Optional): A configuration of Block Public Access for the S3 bucket.
- (Optional) `enabled` - Whether to block all public access to the S3 bucket. Defaults to `true`.
- (Optional) `block_public_acls_enabled` - Block new public ACLs and uploading public objects if `true`. Always enabled if `block_public_access.enabled` is `true`.
- (Optional) `ignore_public_acls_enabled` - Retroactively remove public access granted through public ACLs. Always enabled if `block_public_access.enabled` is `true`.
- (Optional) `block_public_policy_enabled` - Block new public bucket policies. Always enabled if `block_public_access.enabled` is `true`.
- (Optional) `restrict_public_buckets_enabled` - Retroactively block public and cross-account access if the bucket has public policies. Always enabled if `block_public_access.enabled` is `true`.

Type:
```hcl
object({
  enabled                         = optional(bool, true)
  block_public_acls_enabled       = optional(bool, false)
  ignore_public_acls_enabled      = optional(bool, false)
  block_public_policy_enabled     = optional(bool, false)
  restrict_public_buckets_enabled = optional(bool, false)
})
```
Default: `{}`. Required: no.

`cors_rules` (Optional): A list of CORS (Cross-Origin Resource Sharing) rules for the bucket. You can configure up to 100 rules. Each value of `cors_rules` is defined below.
- (Optional) `id` - Unique identifier for the rule. The value cannot be longer than 255 characters.
- (Optional) `allowed_headers` - Set of headers that are specified in the `Access-Control-Request-Headers` header.
- (Required) `allowed_methods` - Set of HTTP methods that you allow the origin to execute. Valid values are `GET`, `PUT`, `HEAD`, `POST`, and `DELETE`.
- (Required) `allowed_origins` - Set of origins you want customers to be able to access the bucket from.
- (Optional) `expose_headers` - Set of headers in the response that you want customers to be able to access from their applications.
- (Optional) `max_age` - The time in seconds that your browser is to cache the preflight response for the specified resource.

Type:
```hcl
list(object({
  id              = optional(string)
  allowed_headers = optional(set(string), [])
  allowed_methods = set(string)
  allowed_origins = set(string)
  expose_headers  = optional(set(string), [])
  max_age         = optional(number)
}))
```
Default: `[]`. Required: no.

`encryption` (Optional): A configuration of Server-Side Encryption for the S3 bucket.
- (Optional) `type` - The server-side encryption algorithm to use. Valid values are `AES256` and `AWS_KMS`. Defaults to `AES256`.
- (Optional) `kms_key` - The AWS KMS key ID used for SSE-KMS encryption. This can only be used when `encryption.type` is set to `AWS_KMS`. The default `aws/s3` AWS KMS key is used if this element is absent while `encryption.type` is `AWS_KMS`.
- (Optional) `bucket_key_enabled` - Whether or not to use Amazon S3 Bucket Keys for SSE-KMS. Defaults to `true`.

Type:
```hcl
object({
  type               = optional(string, "AES256")
  kms_key            = optional(string)
  bucket_key_enabled = optional(bool, true)
})
```
Default: `{}`. Required: no.

`force_destroy` (Optional): A bool that indicates all objects (including any locked objects) should be deleted from the bucket so the bucket can be destroyed without error.
Type: `bool`. Default: `false`. Required: no.

`grants` (Optional): A list of ACL policy grants. Each value of `grants` is defined below.
- (Required) `type` - Valid values are `CanonicalUser` and `Group`. `AmazonCustomerByEmail` is not supported.
- (Required) `permission` - Valid values for `grant.permission` are `READ`, `WRITE`, `READ_ACP`, `WRITE_ACP`, `FULL_CONTROL`.

Type:
```hcl
list(object({
  type       = string
  grantee    = string
  permission = string
}))
```
Default: `[]`. Required: no.

`lifecycle_rules` (Optional): A configuration of Lifecycle Rules for the S3 bucket. Use lifecycle rules to define actions you want Amazon S3 to take during an object's lifetime, such as transitioning objects to another storage class, archiving them, or deleting them after a specified period of time. Each value of `lifecycle_rules` is defined below.
- (Required) `id` - Unique identifier for the rule. The value cannot be longer than 255 characters.
- (Optional) `enabled` - Whether the rule is activated.
- (Optional) `prefix` - The prefix identifying one or more objects to which the rule applies. Defaults to an empty string (`""`) if not specified.
- (Optional) `tags` - A map of tag keys and values to filter on.
- (Optional) `min_object_size` - Minimum object size (in bytes) to which the rule applies.
- (Optional) `max_object_size` - Maximum object size (in bytes) to which the rule applies.
- (Optional) `transitions` - A set of configurations specifying when objects transition to a specified storage class.
- (Optional) `noncurrent_version_transitions` - A set of configurations specifying when noncurrent object versions transition to a specified storage class.
- (Optional) `expiration` - Configuration specifying the expiration for the lifecycle of the object.
- (Optional) `noncurrent_version_expiration` - Configuration specifying when noncurrent object versions expire.
- (Optional) `abort_incomplete_multipart_upload` - Configuration specifying when S3 will permanently remove all incomplete multipart uploads.

Type:
```hcl
list(object({
  id      = string
  enabled = optional(bool, true)

  prefix          = optional(string)
  tags            = optional(map(string))
  min_object_size = optional(number)
  max_object_size = optional(number)

  transitions = optional(set(object({
    date = optional(string)
    days = optional(number)

    storage_class = string
  })), [])
  noncurrent_version_transitions = optional(set(object({
    count = optional(number)
    days  = number

    storage_class = string
  })), [])
  expiration = optional(object({
    date = optional(string)
    days = optional(number)

    expired_object_delete_marker = optional(bool, false)
  }))
  noncurrent_version_expiration = optional(object({
    count = optional(number)
    days  = number
  }))
  abort_incomplete_multipart_upload = optional(object({
    days = number
  }))
}))
```
Default: `[]`. Required: no.

`logging` (Optional): A configuration of Server Access Logging for the S3 bucket.
- (Optional) `enabled` - Whether to enable S3 bucket logging for the access log. Defaults to `false`.
- (Optional) `s3_bucket` - The name of the bucket to deliver logs to.
- (Optional) `s3_key_prefix` - The key prefix to append to log objects.
- (Optional) `is_target_bucket` - Whether this bucket is the target bucket for Server Access Logging.
- (Optional) `allowed_source_buckets` - A list of names of S3 buckets allowed to write logs to this target bucket. Each source bucket should be owned by the same AWS account as the target bucket. Only used if `is_target_bucket` is `true`.

Type:
```hcl
object({
  enabled       = optional(bool, false)
  s3_bucket     = optional(string)
  s3_key_prefix = optional(string)

  is_target_bucket       = optional(bool, false)
  allowed_source_buckets = optional(list(string), [])
})
```
Default: `{}`. Required: no.

`module_tags_enabled` (Optional): Whether to create AWS Resource Tags for the module information.
Type: `bool`. Default: `true`. Required: no.

`object_lock` (Optional): A configuration of Object Lock for the S3 bucket.
- (Optional) `enabled` - Whether to enable Object Lock for the S3 bucket. Defaults to `false`.
- (Optional) `token` - A token to allow Object Lock to be enabled for an existing bucket. You must contact AWS Support for the bucket's 'Object Lock token'. The token is generated in the back-end when versioning is enabled on a bucket.
- (Optional) `default_retention` - Specify the default Object Lock retention settings for new objects placed in the bucket. The `default_retention` block is defined below.
  - (Optional) `mode` - The default Object Lock retention mode you want to apply to new objects placed in the specified bucket. Valid values are `COMPLIANCE` and `GOVERNANCE`. Defaults to `GOVERNANCE`.
  - (Optional) `unit` - The default Object Lock retention unit. Valid values are `DAYS` and `YEARS`. Defaults to `DAYS`.
  - (Optional) `value` - The default Object Lock retention value.

Type:
```hcl
object({
  enabled = optional(bool, false)
  token   = optional(string, "")
  default_retention = optional(object({
    mode  = optional(string, "GOVERNANCE")
    unit  = optional(string, "DAYS")
    value = optional(number)
  }))
})
```
Default: `{}`. Required: no.

`object_ownership` (Optional): Control ownership of objects written to this bucket from other AWS accounts and granted using access control lists (ACLs). Object ownership determines who can specify access to objects. Valid values: `BucketOwnerPreferred`, `BucketOwnerEnforced` or `ObjectWriter`.
- `BucketOwnerPreferred`: Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the `bucket-owner-full-control` canned ACL.
- `ObjectWriter`: The uploading account will own the object if the object is uploaded with the `bucket-owner-full-control` canned ACL.
- `BucketOwnerEnforced`: The bucket owner automatically owns and has full control over every object in the bucket. ACLs no longer affect permissions to data in the S3 bucket.

Type: `string`. Default: `"BucketOwnerEnforced"`. Required: no.

`policy` (Optional): A valid policy JSON document. Although this is a bucket policy rather than an IAM policy, the `aws_iam_policy_document` data source may be used, as long as it specifies a principal. Bucket policies are limited to 20 KB in size.
Type: `string`. Default: `null`. Required: no.

`request_metrics` (Optional): A list of request metrics configurations for the bucket. Each value of `request_metrics` is defined below.
- (Required) `name` - Unique identifier of the metrics configuration for the bucket. Must be less than or equal to 64 characters in length.
- (Optional) `filter` - Object filtering that accepts a prefix, tags, or a logical AND of prefix and tags. The `filter` block is defined below.
  - (Optional) `prefix` - Limit this filter to a single prefix.
  - (Optional) `tags` - Limit this filter to the key/value pairs. Up to 10 key/value pairs.

Type:
```hcl
list(object({
  name = string
  filter = optional(object({
    prefix = optional(string)
    tags   = optional(map(string), {})
  }))
}))
```
Default: `[]`. Required: no.

`requester_payment_enabled` (Optional): Whether the requester pays for requests and data transfer costs, and anonymous access to this bucket is disabled. Defaults to `false`.
Type: `bool`. Default: `false`. Required: no.

`resource_group_description` (Optional): The description of the Resource Group.
Type: `string`. Default: `"Managed by Terraform."`. Required: no.

`resource_group_enabled` (Optional): Whether to create a Resource Group to find and group AWS resources which are created by this module.
Type: `bool`. Default: `true`. Required: no.

`resource_group_name` (Optional): The name of the Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`.
Type: `string`. Default: `""`. Required: no.

`tags` (Optional): A map of tags to add to all resources.
Type: `map(string)`. Default: `{}`. Required: no.

`tls_required` (Optional): Deny any access to the S3 bucket that is not encrypted in transit if `true`.
Type: `bool`. Default: `true`. Required: no.

`transfer_acceleration_enabled` (Optional): Whether to use an accelerated endpoint for faster data transfers.
Type: `bool`. Default: `false`. Required: no.

`versioning` (Optional): A configuration of Versioning for the S3 bucket.
- (Optional) `status` - The desired status of the bucket versioning. Valid values are `ENABLED`, `SUSPENDED`, or `DISABLED`. `DISABLED` should only be used when creating or importing resources that correspond to unversioned S3 buckets. Defaults to `DISABLED`.
- (Optional) `mfa_deletion` - A configuration for MFA (Multi-Factor Authentication) of the bucket versioning on deletion. MFA configuration on a bucket with a lifecycle configuration is not supported. The `mfa_deletion` block is defined below.
  - (Optional) `enabled` - Whether MFA delete is enabled in the bucket versioning configuration. Defaults to `false`.
  - (Optional) `device` - The concatenation of the authentication device's serial number, a space, and the value that is displayed on your authentication device.

Type:
```hcl
object({
  status = optional(string, "DISABLED")
  mfa_deletion = optional(object({
    enabled = optional(bool, false)
    device  = optional(string, "")
  }), {})
})
```
Default: `{}`. Required: no.
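The inputs above combine into a hardened pair of buckets: a dedicated access-log target (`logging.is_target_bucket`, `allowed_source_buckets`) and an application bucket using SSE-KMS, versioning, Object Lock default retention and log delivery to that target. This is an added example rather than code from the module's README; the module `source` is a placeholder, and the bucket names and `kms_key_arn` variable are constructed for illustration.

```hcl
# Added example (not from the README); module source is a placeholder, names constructed.
variable "kms_key_arn" { type = string }

# Target bucket that only receives Server Access Logs from the app bucket.
module "access_logs" {
  source = "<path-to-module>/s3-bucket" # placeholder: use the real module source
  name   = "example-corp-access-logs"

  # Block Public Access keeps its default (enabled = true), which turns on all
  # four block_*/ignore_*/restrict_* settings; tls_required also defaults to true.
  logging = {
    is_target_bucket       = true
    allowed_source_buckets = ["example-corp-app-data"]
  }
  # Encryption stays at the module default SSE-S3 (AES256): S3 server access
  # logging does not support an SSE-KMS default encryption on the target bucket.
  versioning = { status = "ENABLED" }
  lifecycle_rules = [{
    id                                = "expire-old-logs"
    expiration                        = { days = 365 }
    noncurrent_version_expiration     = { days = 30 }
    abort_incomplete_multipart_upload = { days = 7 }
  }]
}

# Application bucket: SSE-KMS with a customer-managed key, versioning, Object
# Lock default retention, and access logs delivered to the target bucket above.
module "app_data" {
  source = "<path-to-module>/s3-bucket" # placeholder: use the real module source
  name   = "example-corp-app-data"
  encryption = {
    type               = "AWS_KMS"
    kms_key            = var.kms_key_arn
    bucket_key_enabled = true
  }
  versioning = { status = "ENABLED" } # Object Lock requires versioning
  object_lock = {
    enabled = true
    default_retention = {
      mode  = "GOVERNANCE"
      unit  = "DAYS"
      value = 30
    }
  }
  logging = {
    enabled       = true
    s3_bucket     = module.access_logs.name
    s3_key_prefix = "app-data/"
  }
}
```

The target module references the application bucket by its literal name while the application module reads `module.access_logs.name`, so there is no dependency cycle between the two.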

Outputs

| Name | Description |
|------|-------------|
| access_control | The configuration for the S3 bucket access control. |
| arn | The ARN of the bucket. |
| domain_name | The bucket domain name. Will be of the format `bucketname.s3.amazonaws.com`. |
| encryption | The configuration for the S3 bucket Server-Side Encryption. |
| hosted_zone_id | The Route 53 Hosted Zone ID for this bucket's region. |
| id | The ID of the bucket. |
| lifecycle_rules | The lifecycle configuration for the bucket. |
| logging | The logging configuration for the bucket. |
| monitoring | The monitoring configuration for the bucket. |
| name | The name of the bucket. |
| object_lock | The configuration for the S3 Object Lock of the bucket. |
| region | The AWS region this bucket resides in. |
| regional_domain_name | The bucket region-specific domain name, i.e. the bucket domain name including the region name. |
| requester_payment | The configuration for the S3 bucket request payment. |
| transfer_acceleration | The configuration for the S3 Transfer Acceleration of the bucket. |
| versioning | The versioning configuration for the bucket. |
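The `policy` input accepts an `aws_iam_policy_document` as long as it names a principal, and the `arn` output feeds downstream identity policies. As an added example (not code from the module's README), the block below grants one role read-only access to a single prefix; the module `source` and the `reader_role_arn` variable are placeholders and the bucket name is constructed.

```hcl
# Added example (not from the README): least-privilege bucket policy for `policy`.
variable "reader_role_arn" { type = string } # placeholder: IAM role allowed to read

locals { bucket_name = "example-corp-reports" } # constructed bucket name

# Resources are built from the bucket name, not from the module's arn output,
# because the policy is itself an input of that module (avoids a dependency cycle).
data "aws_iam_policy_document" "reports" {
  statement {
    sid       = "ReadersGetReportsOnly"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${local.bucket_name}/reports/*"]
    principals {
      type        = "AWS"
      identifiers = [var.reader_role_arn]
    }
  }
  statement {
    sid       = "ReadersListReportsPrefixOnly"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.bucket_name}"]
    principals {
      type        = "AWS"
      identifiers = [var.reader_role_arn]
    }
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["reports/*"]
    }
  }
}

module "reports" {
  source = "<path-to-module>/s3-bucket" # placeholder: use the real module source
  name   = local.bucket_name
  policy = data.aws_iam_policy_document.reports.json
  # tls_required defaults to true, so the module also manages its own
  # aws_iam_policy_document.tls_required Deny alongside this document.
}

# The arn output is what downstream identity policies should reference.
output "reports_bucket_arn" { value = module.reports.arn }
```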