This Terraform module creates an AWS Simple Storage Service (s3) along with additional configuration options.
To use this module, you should have Terraform installed and configured for AWS. This module provides the necessary Terraform configuration for creating AWS resources, and you can customize the inputs as needed. Below is an example of how to use this module:
module "s3_bucket" {
source = "cypik/s3/aws"
version = "1.0.3"
name = "test-secure-bucket"
environment = local.environment
label_order = local.label_order
s3_name = "cdkc"
acl = "private"
versioning = true
}module "s3_bucket" {
source = "cypik/s3/aws"
version = "1.0.3"
name = "arcx-13"
environment = local.environment
label_order = local.label_order
s3_name = "sedfdrg"
acceleration_status = true
request_payer = "BucketOwner"
object_lock_enabled = true
logging = true
target_bucket = module.logging_bucket.id
target_prefix = "logs"
enable_server_side_encryption = true
enable_kms = true
kms_master_key_id = module.kms_key.key_arn
object_lock_configuration = {
mode = "GOVERNANCE"
days = 366
years = null
}
versioning = true
vpc_endpoints = [
{
endpoint_count = 1
vpc_id = module.vpc.vpc_id
service_type = "Interface"
subnet_ids = module.subnets.private_subnet_id
},
{
endpoint_count = 2
vpc_id = module.vpc.vpc_id
service_type = "Gateway"
}
]
intelligent_tiering = {
general = {
status = "Enabled"
filter = {
prefix = "/"
tags = {
Environment = "dev"
}
}
tiering = {
ARCHIVE_ACCESS = {
days = 180
}
}
},
documents = {
status = false
filter = {
prefix = "documents/"
}
tiering = {
ARCHIVE_ACCESS = {
days = 125
}
DEEP_ARCHIVE_ACCESS = {
days = 200
}
}
}
}
metric_configuration = [
{
name = "documents"
filter = {
prefix = "documents/"
tags = {
priority = "high"
}
}
},
{
name = "other"
filter = {
tags = {
production = "true"
}
}
},
{
name = "all"
}
]
cors_rule = [{
allowed_headers = ["*"],
allowed_methods = ["PUT", "POST"],
allowed_origins = ["https://s3-website-test.hashicorp.com"],
expose_headers = ["ETag"],
max_age_seconds = 3000
}]
grants = [
{
id = null
type = "Group"
permissions = ["READ", "WRITE"]
uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
},
]
owner_id = data.aws_canonical_user_id.current.id
enable_lifecycle_configuration_rules = true
lifecycle_configuration_rules = [
{
id = "log"
prefix = null
enabled = true
tags = { "temp" : "true" }
enable_glacier_transition = false
enable_deeparchive_transition = false
enable_standard_ia_transition = false
enable_current_object_expiration = true
enable_noncurrent_version_expiration = true
abort_incomplete_multipart_upload_days = null
noncurrent_version_glacier_transition_days = 0
noncurrent_version_deeparchive_transition_days = 0
noncurrent_version_expiration_days = 30
standard_transition_days = 0
glacier_transition_days = 0
deeparchive_transition_days = 0
storage_class = "GLACIER"
expiration_days = 365
},
{
id = "log1"
prefix = null
enabled = true
tags = {}
enable_glacier_transition = false
enable_deeparchive_transition = false
enable_standard_ia_transition = false
enable_current_object_expiration = true
enable_noncurrent_version_expiration = true
abort_incomplete_multipart_upload_days = 1
noncurrent_version_glacier_transition_days = 0
noncurrent_version_deeparchive_transition_days = 0
storage_class = "DEEP_ARCHIVE"
noncurrent_version_expiration_days = 30
standard_transition_days = 0
glacier_transition_days = 0
deeparchive_transition_days = 0
expiration_days = 365
}
]
website = {
index_document = "index.html"
error_document = "error.html"
routing_rules = [{
condition = {
key_prefix_equals = "docs/"
},
redirect = {
replace_key_prefix_with = "documents/"
}
}, {
condition = {
http_error_code_returned_equals = 404
key_prefix_equals = "archive/"
},
redirect = {
host_name = "archive.myhost.com"
http_redirect_code = 301
protocol = "https"
replace_key_with = "not_found.html"
}
}]
}
}module "s3_bucket" {
source = "cypik/s3/aws"
version = "1.0.3"
name = "test-secure-bucket"
environment = local.environment
label_order = local.label_order
s3_name = "sdfdfg"
versioning = true
acl = "private"
cors_rule = [{
allowed_headers = ["*"],
allowed_methods = ["PUT", "POST"],
allowed_origins = ["https://s3-website-test.hashicorp.com"],
expose_headers = ["ETag"],
max_age_seconds = 3000
}]
}module "s3_bucket" {
source = "cypik/s3/aws"
version = "1.0.3"
name = "test-encryption-bucket"
s3_name = "dmzx"
environment = local.environment
label_order = local.label_order
acl = "private"
enable_server_side_encryption = true
versioning = true
enable_kms = true
kms_master_key_id = module.kms_key.key_arn
}module "s3_bucket" {
source = "cypik/s3/aws"
version = "1.0.3"
name = "test-logging-bucket"
s3_name = "wewrrt"
environment = local.environment
label_order = local.label_order
versioning = true
acl = "private"
logging = true
target_bucket = module.logging_bucket.id
target_prefix = "logs"
depends_on = [module.logging_bucket]
}module "s3_bucket" {
source = "cypik/s3/aws"
version = "1.0.3"
name = "test-logging-encryption-bucket"
s3_name = "aqua"
environment = local.environment
label_order = local.label_order
versioning = true
acl = "private"
enable_server_side_encryption = true
enable_kms = true
kms_master_key_id = module.kms_key.key_arn
logging = true
target_bucket = module.logging_bucket.id
target_prefix = "logs"
depends_on = [module.logging_bucket]
}module "s3_bucket" {
source = "cypik/s3/aws"
version = "1.0.3"
name = "test-s3"
s3_name = "poxord"
environment = local.environment
label_order = local.label_order
acl = "private"
replication_configuration = {
role = aws_iam_role.replication.arn
versioning = true
rules = [
{
id = "something-with-kms-and-filter"
status = true
priority = 10
delete_marker_replication = false
source_selection_criteria = {
replica_modifications = {
status = "Enabled"
}
sse_kms_encrypted_objects = {
enabled = true
}
}
filter = {
prefix = "one"
tags = {
ReplicateMe = "Yes"
}
}
destination = {
bucket = "arn:aws:s3:::${module.replica_bucket.id}"
storage_class = "STANDARD"
replica_kms_key_id = aws_kms_key.replica.arn
account_id = data.aws_caller_identity.current.account_id
access_control_translation = {
owner = "Destination"
}
replication_time = {
status = "Enabled"
minutes = 15
}
metrics = {
status = "Enabled"
minutes = 15
}
}
},
{
id = "something-with-filter"
priority = 20
delete_marker_replication = false
filter = {
prefix = "two"
tags = {
ReplicateMe = "Yes"
}
}
destination = {
bucket = "arn:aws:s3:::${module.replica_bucket.id}"
storage_class = "STANDARD"
}
},
{
id = "everything-with-filter"
status = "Enabled"
priority = 30
delete_marker_replication = true
1 = {
prefix = ""
}
destination = {
bucket = "arn:aws:s3:::${module.replica_bucket.id}"
storage_class = "STANDARD"
}
},
{
id = "everything-without-filters"
status = "Enabled"
delete_marker_replication = true
destination = {
bucket = "arn:aws:s3:::${module.replica_bucket.id}"
storage_class = "STANDARD"
}
},
]
}
}For detailed examples on how to use this module, please refer to the Examples directory within this repository.
Your Name Replace MIT and Cypik with the appropriate license and your information. Feel free to expand this README with additional details or usage instructions as needed for your specific use case.
This project is licensed under the MIT License - see the LICENSE file for details.
| Name | Version |
|---|---|
| terraform | >= 1.9.5 |
| aws | >=5.67.0 |
| Name | Version |
|---|---|
| aws | >=5.67.0 |
| Name | Source | Version |
|---|---|---|
| labels | cypik/labels/aws | 1.0.2 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| acceleration_status | Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended | bool |
false |
no |
| acl | Canned ACL to apply to the S3 bucket. | string |
null |
no |
| acl_grants | A list of policy grants for the bucket. Conflicts with acl. Set acl to null to use this. |
list(object({ |
null |
no |
| analytics_configuration | Map containing bucket analytics configuration. | any |
{} |
no |
| attach_public_policy | Controls if a user defined public bucket policy will be attached (set to false to allow upstream to apply defaults to the bucket) |
bool |
true |
no |
| aws_iam_policy_document | The text of the policy. Although this is a bucket policy rather than an IAM policy, the aws_iam_policy_document data source may be used, so long as it specifies a principal. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. Note: Bucket policies are limited to 20 KB in size. | string |
"" |
no |
| block_public_acls | Whether Amazon S3 should block public ACLs for this bucket. | bool |
true |
no |
| block_public_policy | Whether Amazon S3 should block public bucket policies for this bucket. | bool |
true |
no |
| bucket_policy | Conditionally create S3 bucket policy. | bool |
false |
no |
| bucket_prefix | (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. | string |
null |
no |
| configuration_status | Versioning state of the bucket. Valid values: Enabled, Suspended, or Disabled. Disabled should only be used when creating or importing resources that correspond to unversioned S3 buckets. | string |
"Suspended" |
no |
| control_object_ownership | Whether to manage S3 Bucket Ownership Controls on this bucket. | bool |
false |
no |
| cors_rule | CORS Configuration specification for this bucket | list(object({ |
null |
no |
| enable_kms | Enable enable_server_side_encryption | bool |
false |
no |
| enable_lifecycle_configuration_rules | enable or disable lifecycle_configuration_rules | bool |
false |
no |
| enable_server_side_encryption | Enable enable_server_side_encryption | bool |
false |
no |
| enabled | Conditionally create S3 bucket. | bool |
true |
no |
| environment | Environment (e.g. prod, dev, staging). |
string |
"" |
no |
| expected_bucket_owner | (Optional) Account ID of the expected bucket owner. | string |
null |
no |
| force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool |
false |
no |
| grantee_email | (Optional) Email address of the grantee. | string |
null |
no |
| grantee_id | (Optional) Canonical user ID of the grantee. | string |
null |
no |
| grantee_type | (Optional) Type of the grantee. Valid values: CanonicalUser, AmazonCustomerByEmail, Group. | string |
"CanonicalUser" |
no |
| grantee_uri | (Optional) URI of the grantee group. | string |
null |
no |
| grants | ACL Policy grant.conflict with acl.set acl null to use this | list(object({ |
null |
no |
| ignore_public_acls | Whether Amazon S3 should ignore public ACLs for this bucket. | bool |
true |
no |
| intelligent_tiering | Map containing intelligent tiering configuration. | any |
{} |
no |
| inventory_configuration | Map containing S3 inventory configuration. | any |
{} |
no |
| kms_master_key_id | The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms. | string |
"" |
no |
| label_order | Label order, e.g. name,Environment. |
list(any) |
[ |
no |
| lifecycle_configuration_rules | A list of lifecycle rules | list(object({ |
null |
no |
| logging | Logging Object to enable and disable logging | bool |
false |
no |
| managedby | ManagedBy, eg 'cypik'. | string |
"cypik" |
no |
| metric_configuration | Map containing bucket metric configuration. | any |
[] |
no |
| mfa | Optional, Required if versioning_configuration mfa_delete is enabled) Concatenation of the authentication device's serial number, a space, and the value that is displayed on your authentication device. | string |
null |
no |
| mfa_delete | Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: Enabled or Disabled. | string |
"Disabled" |
no |
| name | Name (e.g. app or cluster). |
string |
"" |
no |
| object_lock_configuration | With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | object({ |
null |
no |
| object_lock_enabled | Whether S3 bucket should have an Object Lock configuration enabled. | bool |
false |
no |
| object_ownership | Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. | string |
"ObjectWriter" |
no |
| object_size_greater_than | (Optional) Minimum object size for transitions. | number |
128000 |
no |
| object_size_less_than | (Optional) Maximum object size for transitions. | number |
null |
no |
| only_https_traffic | This veriables use for only https traffic. | bool |
true |
no |
| owner | Bucket owner's display name and ID. Conflicts with acl |
map(string) |
{} |
no |
| owner_id | The canonical user ID associated with the AWS account. | string |
"" |
no |
| replication_configuration | Map containing cross-region replication configuration. | any |
{} |
no |
| repository | Terraform current module repo | string |
"https://github.com/cypik/terraform-aws-s3" |
no |
| request_payer | (Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. | string |
null |
no |
| restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for this bucket. | bool |
true |
no |
| s3_name | name of s3 bucket | string |
null |
no |
| sse_algorithm | The server-side encryption algorithm to use. Valid values are AES256 and aws:kms. | string |
"AES256" |
no |
| target_bucket | The bucket where you want Amazon S3 to store server access logs. | string |
"" |
no |
| target_grant_permission | (Optional) Permissions granted to the grantee for the bucket. Valid values: FULL_CONTROL, READ, WRITE. | string |
"FULL_CONTROL" |
no |
| target_prefix | A prefix for all log object keys. | string |
"" |
no |
| timeouts | Define maximum timeout for creating, updating, and deleting VPC endpoint resources | map(string) |
{} |
no |
| versioning | Enable Versioning of S3. | bool |
true |
no |
| versioning_status | Required if versioning_configuration mfa_delete is enabled) Concatenation of the authentication device's serial number, a space, and the value that is displayed on your authentication device. | string |
"Enabled" |
no |
| vpc_endpoints | n/a | any |
[] |
no |
| website | Map containing static web-site hosting or redirect configuration. | any |
{} |
no |
| Name | Description |
|---|---|
| arn | The ARN of the s3 bucket. |
| bucket_domain_name | The Domain of the s3 bucket. |
| bucket_regional_domain_name | The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL. |
| id | The ID of the s3 bucket. |
| s3_bucket_hosted_zone_id | The Route 53 Hosted Zone ID for this bucket's region. |
| s3_bucket_lifecycle_configuration_rules | The lifecycle rules of the bucket, if the bucket is configured with lifecycle rules. If not, this will be an empty string. |
| s3_bucket_policy | The policy of the bucket, if the bucket is configured with a policy. If not, this will be an empty string. |
| s3_bucket_website_domain | The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records. |
| s3_bucket_website_endpoint | The website endpoint, if the bucket is configured with a website. If not, this will be an empty string. |
| tags | A mapping of tags to assign to the resource. |
| transition_default_minimum_object_size | Default minimum object size for lifecycle transitions. |