Awesome
AWS S3 bucket Terraform module
Terraform module which creates S3 bucket on AWS with all (or almost all) features provided by Terraform AWS provider.
These features of S3 bucket configurations are supported:
- static web-site hosting
- access logging
- versioning
- CORS
- lifecycle rules
- server-side encryption
- object locking
- Cross-Region Replication (CRR)
- ELB log delivery bucket policy
- ALB/NLB log delivery bucket policy
Usage
Private bucket with versioning enabled
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
bucket = "my-s3-bucket"
acl = "private"
control_object_ownership = true
object_ownership = "ObjectWriter"
versioning = {
enabled = true
}
}
Bucket with ELB access log delivery policy attached
module "s3_bucket_for_logs" {
source = "terraform-aws-modules/s3-bucket/aws"
bucket = "my-s3-bucket-for-logs"
acl = "log-delivery-write"
# Allow deletion of non-empty bucket
force_destroy = true
control_object_ownership = true
object_ownership = "ObjectWriter"
attach_elb_log_delivery_policy = true
}
Bucket with ALB/NLB access log delivery policy attached
module "s3_bucket_for_logs" {
source = "terraform-aws-modules/s3-bucket/aws"
bucket = "my-s3-bucket-for-logs"
acl = "log-delivery-write"
# Allow deletion of non-empty bucket
force_destroy = true
control_object_ownership = true
object_ownership = "ObjectWriter"
attach_elb_log_delivery_policy = true # Required for ALB logs
attach_lb_log_delivery_policy = true # Required for ALB/NLB logs
}
Conditional creation
Sometimes you need to have a way to create S3 resources conditionally but Terraform does not allow to use count
inside module
block, so the solution is to specify argument create_bucket
.
# This S3 bucket will not be created
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
create_bucket = false
# ... omitted
}
Terragrunt and variable "..." { type = any }
There is a bug #1211 in Terragrunt related to the way how the variables of type any
are passed to Terraform.
This module solves this issue by supporting jsonencode()
-string in addition to the expected type (list
or map
).
In terragrunt.hcl
you can write:
inputs = {
bucket = "foobar" # `bucket` has type `string`, no need to jsonencode()
cors_rule = jsonencode([...]) # `cors_rule` has type `any`, so `jsonencode()` is required
}
Module wrappers
Users of this Terraform module can create multiple similar resources by using for_each
meta-argument within module
block which became available in Terraform 0.13.
Users of Terragrunt can achieve similar results by using modules provided in the wrappers directory, if they prefer to reduce amount of configuration files.
Examples:
- Complete - Complete S3 bucket with most of supported features enabled
- Cross-Region Replication - S3 bucket with Cross-Region Replication (CRR) enabled
- S3 Bucket Notifications - S3 bucket notifications to Lambda functions, SQS queues, and SNS topics.
- S3 Bucket Object - Manage S3 bucket objects.
Requirements
Name | Version |
---|---|
<a name="requirement_terraform"></a> terraform | >= 1.0 |
<a name="requirement_aws"></a> aws | >= 5.70 |
Providers
Name | Version |
---|---|
<a name="provider_aws"></a> aws | >= 5.70 |
Modules
No modules.
Resources
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
<a name="input_acceleration_status"></a> acceleration_status | (Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. | string | null | no |
<a name="input_access_log_delivery_policy_source_accounts"></a> access_log_delivery_policy_source_accounts | (Optional) List of AWS Account IDs should be allowed to deliver access logs to this bucket. | list(string) | [] | no |
<a name="input_access_log_delivery_policy_source_buckets"></a> access_log_delivery_policy_source_buckets | (Optional) List of S3 bucket ARNs which should be allowed to deliver access logs to this bucket. | list(string) | [] | no |
<a name="input_acl"></a> acl | (Optional) The canned ACL to apply. Conflicts with grant | string | null | no |
<a name="input_allowed_kms_key_arn"></a> allowed_kms_key_arn | The ARN of KMS key which should be allowed in PutObject | string | null | no |
<a name="input_analytics_configuration"></a> analytics_configuration | Map containing bucket analytics configuration. | any | {} | no |
<a name="input_analytics_self_source_destination"></a> analytics_self_source_destination | Whether or not the analytics source bucket is also the destination bucket. | bool | false | no |
<a name="input_analytics_source_account_id"></a> analytics_source_account_id | The analytics source account id. | string | null | no |
<a name="input_analytics_source_bucket_arn"></a> analytics_source_bucket_arn | The analytics source bucket ARN. | string | null | no |
<a name="input_attach_access_log_delivery_policy"></a> attach_access_log_delivery_policy | Controls if S3 bucket should have S3 access log delivery policy attached | bool | false | no |
<a name="input_attach_analytics_destination_policy"></a> attach_analytics_destination_policy | Controls if S3 bucket should have bucket analytics destination policy attached. | bool | false | no |
<a name="input_attach_deny_incorrect_encryption_headers"></a> attach_deny_incorrect_encryption_headers | Controls if S3 bucket should deny incorrect encryption headers policy attached. | bool | false | no |
<a name="input_attach_deny_incorrect_kms_key_sse"></a> attach_deny_incorrect_kms_key_sse | Controls if S3 bucket policy should deny usage of incorrect KMS key SSE. | bool | false | no |
<a name="input_attach_deny_insecure_transport_policy"></a> attach_deny_insecure_transport_policy | Controls if S3 bucket should have deny non-SSL transport policy attached | bool | false | no |
<a name="input_attach_deny_unencrypted_object_uploads"></a> attach_deny_unencrypted_object_uploads | Controls if S3 bucket should deny unencrypted object uploads policy attached. | bool | false | no |
<a name="input_attach_elb_log_delivery_policy"></a> attach_elb_log_delivery_policy | Controls if S3 bucket should have ELB log delivery policy attached | bool | false | no |
<a name="input_attach_inventory_destination_policy"></a> attach_inventory_destination_policy | Controls if S3 bucket should have bucket inventory destination policy attached. | bool | false | no |
<a name="input_attach_lb_log_delivery_policy"></a> attach_lb_log_delivery_policy | Controls if S3 bucket should have ALB/NLB log delivery policy attached | bool | false | no |
<a name="input_attach_policy"></a> attach_policy | Controls if S3 bucket should have bucket policy attached (set to true to use value of policy as bucket policy) | bool | false | no |
<a name="input_attach_public_policy"></a> attach_public_policy | Controls if a user defined public bucket policy will be attached (set to false to allow upstream to apply defaults to the bucket) | bool | true | no |
<a name="input_attach_require_latest_tls_policy"></a> attach_require_latest_tls_policy | Controls if S3 bucket should require the latest version of TLS | bool | false | no |
<a name="input_block_public_acls"></a> block_public_acls | Whether Amazon S3 should block public ACLs for this bucket. | bool | true | no |
<a name="input_block_public_policy"></a> block_public_policy | Whether Amazon S3 should block public bucket policies for this bucket. | bool | true | no |
<a name="input_bucket"></a> bucket | (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. | string | null | no |
<a name="input_bucket_prefix"></a> bucket_prefix | (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. | string | null | no |
<a name="input_control_object_ownership"></a> control_object_ownership | Whether to manage S3 Bucket Ownership Controls on this bucket. | bool | false | no |
<a name="input_cors_rule"></a> cors_rule | List of maps containing rules for Cross-Origin Resource Sharing. | any | [] | no |
<a name="input_create_bucket"></a> create_bucket | Controls if S3 bucket should be created | bool | true | no |
<a name="input_expected_bucket_owner"></a> expected_bucket_owner | The account ID of the expected bucket owner | string | null | no |
<a name="input_force_destroy"></a> force_destroy | (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool | false | no |
<a name="input_grant"></a> grant | An ACL policy grant. Conflicts with acl | any | [] | no |
<a name="input_ignore_public_acls"></a> ignore_public_acls | Whether Amazon S3 should ignore public ACLs for this bucket. | bool | true | no |
<a name="input_intelligent_tiering"></a> intelligent_tiering | Map containing intelligent tiering configuration. | any | {} | no |
<a name="input_inventory_configuration"></a> inventory_configuration | Map containing S3 inventory configuration. | any | {} | no |
<a name="input_inventory_self_source_destination"></a> inventory_self_source_destination | Whether or not the inventory source bucket is also the destination bucket. | bool | false | no |
<a name="input_inventory_source_account_id"></a> inventory_source_account_id | The inventory source account id. | string | null | no |
<a name="input_inventory_source_bucket_arn"></a> inventory_source_bucket_arn | The inventory source bucket ARN. | string | null | no |
<a name="input_lifecycle_rule"></a> lifecycle_rule | List of maps containing configuration of object lifecycle management. | any | [] | no |
<a name="input_logging"></a> logging | Map containing access bucket logging configuration. | any | {} | no |
<a name="input_metric_configuration"></a> metric_configuration | Map containing bucket metric configuration. | any | [] | no |
<a name="input_object_lock_configuration"></a> object_lock_configuration | Map containing S3 object locking configuration. | any | {} | no |
<a name="input_object_lock_enabled"></a> object_lock_enabled | Whether S3 bucket should have an Object Lock configuration enabled. | bool | false | no |
<a name="input_object_ownership"></a> object_ownership | Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. | string | "BucketOwnerEnforced" | no |
<a name="input_owner"></a> owner | Bucket owner's display name and ID. Conflicts with acl | map(string) | {} | no |
<a name="input_policy"></a> policy | (Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. | string | null | no |
<a name="input_putin_khuylo"></a> putin_khuylo | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | bool | true | no |
<a name="input_replication_configuration"></a> replication_configuration | Map containing cross-region replication configuration. | any | {} | no |
<a name="input_request_payer"></a> request_payer | (Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. | string | null | no |
<a name="input_restrict_public_buckets"></a> restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for this bucket. | bool | true | no |
<a name="input_server_side_encryption_configuration"></a> server_side_encryption_configuration | Map containing server-side encryption configuration. | any | {} | no |
<a name="input_tags"></a> tags | (Optional) A mapping of tags to assign to the bucket. | map(string) | {} | no |
<a name="input_transition_default_minimum_object_size"></a> transition_default_minimum_object_size | The default minimum object size behavior applied to the lifecycle configuration. Valid values: all_storage_classes_128K (default), varies_by_storage_class | string | null | no |
<a name="input_versioning"></a> versioning | Map containing versioning configuration. | map(string) | {} | no |
<a name="input_website"></a> website | Map containing static web-site hosting or redirect configuration. | any | {} | no |
Outputs
Name | Description |
---|---|
<a name="output_s3_bucket_arn"></a> s3_bucket_arn | The ARN of the bucket. Will be of format arn:aws:s3:::bucketname. |
<a name="output_s3_bucket_bucket_domain_name"></a> s3_bucket_bucket_domain_name | The bucket domain name. Will be of format bucketname.s3.amazonaws.com. |
<a name="output_s3_bucket_bucket_regional_domain_name"></a> s3_bucket_bucket_regional_domain_name | The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL. |
<a name="output_s3_bucket_hosted_zone_id"></a> s3_bucket_hosted_zone_id | The Route 53 Hosted Zone ID for this bucket's region. |
<a name="output_s3_bucket_id"></a> s3_bucket_id | The name of the bucket. |
<a name="output_s3_bucket_lifecycle_configuration_rules"></a> s3_bucket_lifecycle_configuration_rules | The lifecycle rules of the bucket, if the bucket is configured with lifecycle rules. If not, this will be an empty string. |
<a name="output_s3_bucket_policy"></a> s3_bucket_policy | The policy of the bucket, if the bucket is configured with a policy. If not, this will be an empty string. |
<a name="output_s3_bucket_region"></a> s3_bucket_region | The AWS region this bucket resides in. |
<a name="output_s3_bucket_website_domain"></a> s3_bucket_website_domain | The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records. |
<a name="output_s3_bucket_website_endpoint"></a> s3_bucket_website_endpoint | The website endpoint, if the bucket is configured with a website. If not, this will be an empty string. |
Authors
Module is maintained by Anton Babenko with help from these awesome contributors.
License
Apache 2 Licensed. See LICENSE for full details.
Additional information for users from Russia and Belarus
- Russia has illegally annexed Crimea in 2014 and brought the war in Donbas followed by full-scale invasion of Ukraine in 2022.
- Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
- Putin khuylo!