Skip to content

opszero/terraform-aws-s3

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Terraform-aws-s3

Terraform AWS Cloud s3 Module

Table of Contents

Introduction

This Terraform module creates an AWS Simple Storage Service (s3) along with additional configuration options.

Usage

To use this module, you should have Terraform installed and configured for AWS. This module provides the necessary Terraform configuration for creating AWS resources, and you can customize the inputs as needed. Below is an example of how to use this module:

Examples

Example: Default

module "s3_bucket" {
  source      = "cypik/s3/aws"
  version     = "1.0.3"
  name        = "test-secure-bucket"
  environment = local.environment
  label_order = local.label_order
  s3_name     = "cdkc"
  acl         = "private"
  versioning  = true
}

Example: s3 complete

module "s3_bucket" {
  source      = "cypik/s3/aws"
  version     = "1.0.3"
  name        = "arcx-13"
  environment = local.environment
  label_order = local.label_order
  s3_name     = "sedfdrg"

  acceleration_status = true
  request_payer       = "BucketOwner"
  object_lock_enabled = true

  logging       = true
  target_bucket = module.logging_bucket.id
  target_prefix = "logs"

  enable_server_side_encryption = true
  enable_kms                    = true
  kms_master_key_id             = module.kms_key.key_arn

  object_lock_configuration = {
    mode  = "GOVERNANCE"
    days  = 366
    years = null
  }

  versioning    = true
  vpc_endpoints = [
    {
      endpoint_count = 1
      vpc_id         = module.vpc.vpc_id
      service_type   = "Interface"
      subnet_ids     = module.subnets.private_subnet_id
    },
    {
      endpoint_count = 2
      vpc_id         = module.vpc.vpc_id
      service_type   = "Gateway"
    }
  ]

  intelligent_tiering = {
    general = {
      status = "Enabled"
      filter = {
        prefix = "/"
        tags = {
          Environment = "dev"
        }
      }
      tiering = {
        ARCHIVE_ACCESS = {
          days = 180
        }
      }
    },
    documents = {
      status = false
      filter = {
        prefix = "documents/"
      }
      tiering = {
        ARCHIVE_ACCESS = {
          days = 125
        }
        DEEP_ARCHIVE_ACCESS = {
          days = 200
        }
      }
    }
  }

  metric_configuration = [
    {
      name = "documents"
      filter = {
        prefix = "documents/"
        tags = {
          priority = "high"
        }
      }
    },
    {
      name = "other"
      filter = {
        tags = {
          production = "true"
        }
      }
    },
    {
      name = "all"
    }
  ]


  cors_rule = [{
    allowed_headers = ["*"],
    allowed_methods = ["PUT", "POST"],
    allowed_origins = ["https://s3-website-test.hashicorp.com"],
    expose_headers  = ["ETag"],
    max_age_seconds = 3000
  }]


  grants = [
    {
      id          = null
      type        = "Group"
      permissions = ["READ", "WRITE"]
      uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
    },
  ]
  owner_id = data.aws_canonical_user_id.current.id


  enable_lifecycle_configuration_rules = true
  lifecycle_configuration_rules = [
    {
      id                                             = "log"
      prefix                                         = null
      enabled                                        = true
      tags                                           = { "temp" : "true" }
      enable_glacier_transition                      = false
      enable_deeparchive_transition                  = false
      enable_standard_ia_transition                  = false
      enable_current_object_expiration               = true
      enable_noncurrent_version_expiration           = true
      abort_incomplete_multipart_upload_days         = null
      noncurrent_version_glacier_transition_days     = 0
      noncurrent_version_deeparchive_transition_days = 0
      noncurrent_version_expiration_days             = 30
      standard_transition_days                       = 0
      glacier_transition_days                        = 0
      deeparchive_transition_days                    = 0
      storage_class                                  = "GLACIER"
      expiration_days                                = 365
    },
    {
      id                                             = "log1"
      prefix                                         = null
      enabled                                        = true
      tags                                           = {}
      enable_glacier_transition                      = false
      enable_deeparchive_transition                  = false
      enable_standard_ia_transition                  = false
      enable_current_object_expiration               = true
      enable_noncurrent_version_expiration           = true
      abort_incomplete_multipart_upload_days         = 1
      noncurrent_version_glacier_transition_days     = 0
      noncurrent_version_deeparchive_transition_days = 0
      storage_class                                  = "DEEP_ARCHIVE"
      noncurrent_version_expiration_days             = 30
      standard_transition_days                       = 0
      glacier_transition_days                        = 0
      deeparchive_transition_days                    = 0
      expiration_days                                = 365
    }
  ]


  website = {
    index_document = "index.html"
    error_document = "error.html"
    routing_rules = [{
      condition = {
        key_prefix_equals = "docs/"
      },
      redirect = {
        replace_key_prefix_with = "documents/"
      }
    }, {
      condition = {
        http_error_code_returned_equals = 404
        key_prefix_equals               = "archive/"
      },
      redirect = {
        host_name          = "archive.myhost.com"
        http_redirect_code = 301
        protocol           = "https"
        replace_key_with   = "not_found.html"
      }
    }]
  }
}

Example: s3-with-core-rule

module "s3_bucket" {
  source      = "cypik/s3/aws"
  version     = "1.0.3"
  name        = "test-secure-bucket"
  environment = local.environment
  label_order = local.label_order
  s3_name     = "sdfdfg"
  versioning  = true

  acl = "private"
  cors_rule = [{
    allowed_headers = ["*"],
    allowed_methods = ["PUT", "POST"],
    allowed_origins = ["https://s3-website-test.hashicorp.com"],
    expose_headers  = ["ETag"],
    max_age_seconds = 3000
  }]
}

Example: s3-with-encryption

module "s3_bucket" {
  source      = "cypik/s3/aws"
  version     = "1.0.3"
  name        = "test-encryption-bucket"
  s3_name     = "dmzx"
  environment = local.environment
  label_order = local.label_order

  acl                           = "private"
  enable_server_side_encryption = true
  versioning                    = true
  enable_kms                    = true
  kms_master_key_id             = module.kms_key.key_arn
}

Example: s3-with-logging

module "s3_bucket" {
  source      = "cypik/s3/aws"
  version     = "1.0.3"
  name        = "test-logging-bucket"
s3_name       = "wewrrt"
environment   = local.environment
label_order   = local.label_order
versioning    = true
acl           = "private"
logging       = true
target_bucket = module.logging_bucket.id
target_prefix = "logs"
depends_on    = [module.logging_bucket]
}

Example: s3-with-logging-encryption

module "s3_bucket" {
  source      = "cypik/s3/aws"
  version     = "1.0.3"
  name        = "test-logging-encryption-bucket"
  s3_name     = "aqua"
  environment = local.environment
  label_order = local.label_order

  versioning                    = true
  acl                           = "private"
  enable_server_side_encryption = true
  enable_kms                    = true
  kms_master_key_id             = module.kms_key.key_arn
  logging                       = true
  target_bucket                 = module.logging_bucket.id
  target_prefix                 = "logs"
  depends_on                    = [module.logging_bucket]
}

Example: s3-with-repliccation

module "s3_bucket" {
  source      = "cypik/s3/aws"
  version     = "1.0.3"
  name        = "test-s3"
  s3_name     = "poxord"
  environment = local.environment
  label_order = local.label_order

  acl = "private"
  replication_configuration = {
    role       = aws_iam_role.replication.arn
    versioning = true

    rules = [
      {
        id                        = "something-with-kms-and-filter"
        status                    = true
        priority                  = 10
        delete_marker_replication = false
        source_selection_criteria = {
          replica_modifications = {
            status = "Enabled"
          }
          sse_kms_encrypted_objects = {
            enabled = true
          }
        }
        filter = {
          prefix = "one"
          tags = {
            ReplicateMe = "Yes"
          }
        }
        destination = {
          bucket             = "arn:aws:s3:::${module.replica_bucket.id}"
          storage_class      = "STANDARD"
          replica_kms_key_id = aws_kms_key.replica.arn
          account_id         = data.aws_caller_identity.current.account_id
          access_control_translation = {
            owner = "Destination"
          }
          replication_time = {
            status  = "Enabled"
            minutes = 15
          }
          metrics = {
            status  = "Enabled"
            minutes = 15
          }
        }
      },
      {
        id                        = "something-with-filter"
        priority                  = 20
        delete_marker_replication = false
        filter = {
          prefix = "two"
          tags = {
            ReplicateMe = "Yes"
          }
        }
        destination = {
          bucket        = "arn:aws:s3:::${module.replica_bucket.id}"
          storage_class = "STANDARD"
        }
      },
      {
        id                        = "everything-with-filter"
        status                    = "Enabled"
        priority                  = 30
        delete_marker_replication = true
        1 = {
          prefix = ""
        }
        destination = {
          bucket        = "arn:aws:s3:::${module.replica_bucket.id}"
          storage_class = "STANDARD"
        }
      },
      {
        id                        = "everything-without-filters"
        status                    = "Enabled"
        delete_marker_replication = true
        destination = {
          bucket        = "arn:aws:s3:::${module.replica_bucket.id}"
          storage_class = "STANDARD"
        }
      },
    ]
  }
}

Examples

For detailed examples on how to use this module, please refer to the Examples directory within this repository.

Author

Your Name Replace MIT and Cypik with the appropriate license and your information. Feel free to expand this README with additional details or usage instructions as needed for your specific use case.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Requirements

Name Version
terraform >= 1.9.5
aws >=5.67.0

Providers

Name Version
aws >=5.67.0

Modules

Name Source Version
labels cypik/labels/aws 1.0.2

Resources

Name Type
aws_s3_bucket.s3_default resource
aws_s3_bucket_accelerate_configuration.example resource
aws_s3_bucket_acl.default resource
aws_s3_bucket_analytics_configuration.default resource
aws_s3_bucket_cors_configuration.example resource
aws_s3_bucket_intelligent_tiering_configuration.this resource
aws_s3_bucket_inventory.this resource
aws_s3_bucket_lifecycle_configuration.default resource
aws_s3_bucket_logging.example resource
aws_s3_bucket_metric.this resource
aws_s3_bucket_object_lock_configuration.example resource
aws_s3_bucket_ownership_controls.this resource
aws_s3_bucket_policy.block-http resource
aws_s3_bucket_policy.s3_default resource
aws_s3_bucket_public_access_block.this resource
aws_s3_bucket_replication_configuration.this resource
aws_s3_bucket_request_payment_configuration.example resource
aws_s3_bucket_server_side_encryption_configuration.example resource
aws_s3_bucket_versioning.example resource
aws_s3_bucket_website_configuration.this resource
aws_vpc_endpoint.endpoints resource
aws_vpc_endpoint_service.s3 data source

Inputs

Name Description Type Default Required
acceleration_status Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended bool false no
acl Canned ACL to apply to the S3 bucket. string null no
acl_grants A list of policy grants for the bucket. Conflicts with acl. Set acl to null to use this.
list(object({
id = string
type = string
permission = string
uri = string
}))
null no
analytics_configuration Map containing bucket analytics configuration. any {} no
attach_public_policy Controls if a user defined public bucket policy will be attached (set to false to allow upstream to apply defaults to the bucket) bool true no
aws_iam_policy_document The text of the policy. Although this is a bucket policy rather than an IAM policy, the aws_iam_policy_document data source may be used, so long as it specifies a principal. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. Note: Bucket policies are limited to 20 KB in size. string "" no
block_public_acls Whether Amazon S3 should block public ACLs for this bucket. bool true no
block_public_policy Whether Amazon S3 should block public bucket policies for this bucket. bool true no
bucket_policy Conditionally create S3 bucket policy. bool false no
bucket_prefix (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. string null no
configuration_status Versioning state of the bucket. Valid values: Enabled, Suspended, or Disabled. Disabled should only be used when creating or importing resources that correspond to unversioned S3 buckets. string "Suspended" no
control_object_ownership Whether to manage S3 Bucket Ownership Controls on this bucket. bool false no
cors_rule CORS Configuration specification for this bucket
list(object({
allowed_headers = list(string)
allowed_methods = list(string)
allowed_origins = list(string)
expose_headers = list(string)
max_age_seconds = number
}))
null no
enable_kms Enable enable_server_side_encryption bool false no
enable_lifecycle_configuration_rules enable or disable lifecycle_configuration_rules bool false no
enable_server_side_encryption Enable enable_server_side_encryption bool false no
enabled Conditionally create S3 bucket. bool true no
environment Environment (e.g. prod, dev, staging). string "" no
expected_bucket_owner (Optional) Account ID of the expected bucket owner. string null no
force_destroy A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. bool false no
grantee_email (Optional) Email address of the grantee. string null no
grantee_id (Optional) Canonical user ID of the grantee. string null no
grantee_type (Optional) Type of the grantee. Valid values: CanonicalUser, AmazonCustomerByEmail, Group. string "CanonicalUser" no
grantee_uri (Optional) URI of the grantee group. string null no
grants ACL Policy grant.conflict with acl.set acl null to use this
list(object({
id = string
type = string
permissions = list(string)
uri = string
}))
null no
ignore_public_acls Whether Amazon S3 should ignore public ACLs for this bucket. bool true no
intelligent_tiering Map containing intelligent tiering configuration. any {} no
inventory_configuration Map containing S3 inventory configuration. any {} no
kms_master_key_id The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms. string "" no
label_order Label order, e.g. name,Environment. list(any)
[
"name",
"environment"
]
no
lifecycle_configuration_rules A list of lifecycle rules
list(object({
id = string
prefix = string
enabled = bool
tags = map(string)

enable_glacier_transition = bool
enable_deeparchive_transition = bool
enable_standard_ia_transition = bool
enable_current_object_expiration = bool
enable_noncurrent_version_expiration = bool

abort_incomplete_multipart_upload_days = number
noncurrent_version_glacier_transition_days = number
noncurrent_version_deeparchive_transition_days = number
noncurrent_version_expiration_days = number

standard_transition_days = number
glacier_transition_days = number
deeparchive_transition_days = number
expiration_days = number
}))
null no
logging Logging Object to enable and disable logging bool false no
managedby ManagedBy, eg 'cypik'. string "cypik" no
metric_configuration Map containing bucket metric configuration. any [] no
mfa Optional, Required if versioning_configuration mfa_delete is enabled) Concatenation of the authentication device's serial number, a space, and the value that is displayed on your authentication device. string null no
mfa_delete Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: Enabled or Disabled. string "Disabled" no
name Name (e.g. app or cluster). string "" no
object_lock_configuration With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
object({
mode = string
days = number
years = number
})
null no
object_lock_enabled Whether S3 bucket should have an Object Lock configuration enabled. bool false no
object_ownership Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. string "ObjectWriter" no
object_size_greater_than (Optional) Minimum object size for transitions. number 128000 no
object_size_less_than (Optional) Maximum object size for transitions. number null no
only_https_traffic This veriables use for only https traffic. bool true no
owner Bucket owner's display name and ID. Conflicts with acl map(string) {} no
owner_id The canonical user ID associated with the AWS account. string "" no
replication_configuration Map containing cross-region replication configuration. any {} no
repository Terraform current module repo string "https://github.com/cypik/terraform-aws-s3" no
request_payer (Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. string null no
restrict_public_buckets Whether Amazon S3 should restrict public bucket policies for this bucket. bool true no
s3_name name of s3 bucket string null no
sse_algorithm The server-side encryption algorithm to use. Valid values are AES256 and aws:kms. string "AES256" no
target_bucket The bucket where you want Amazon S3 to store server access logs. string "" no
target_grant_permission (Optional) Permissions granted to the grantee for the bucket. Valid values: FULL_CONTROL, READ, WRITE. string "FULL_CONTROL" no
target_prefix A prefix for all log object keys. string "" no
timeouts Define maximum timeout for creating, updating, and deleting VPC endpoint resources map(string) {} no
versioning Enable Versioning of S3. bool true no
versioning_status Required if versioning_configuration mfa_delete is enabled) Concatenation of the authentication device's serial number, a space, and the value that is displayed on your authentication device. string "Enabled" no
vpc_endpoints n/a any [] no
website Map containing static web-site hosting or redirect configuration. any {} no

Outputs

Name Description
arn The ARN of the s3 bucket.
bucket_domain_name The Domain of the s3 bucket.
bucket_regional_domain_name The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL.
id The ID of the s3 bucket.
s3_bucket_hosted_zone_id The Route 53 Hosted Zone ID for this bucket's region.
s3_bucket_lifecycle_configuration_rules The lifecycle rules of the bucket, if the bucket is configured with lifecycle rules. If not, this will be an empty string.
s3_bucket_policy The policy of the bucket, if the bucket is configured with a policy. If not, this will be an empty string.
s3_bucket_website_domain The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records.
s3_bucket_website_endpoint The website endpoint, if the bucket is configured with a website. If not, this will be an empty string.
tags A mapping of tags to assign to the resource.
transition_default_minimum_object_size Default minimum object size for lifecycle transitions.

About

Terraform module to create a default S3 bucket with logging and custom encryption settings.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • HCL 100.0%