Skip to content

binbashar/terraform-aws-s3-bucket

 
 

AWS S3 bucket Terraform module

Terraform module which creates S3 bucket on AWS with all (or almost all) features provided by Terraform AWS provider.

SWUbanner

These features of S3 bucket configurations are supported:

  • static web-site hosting
  • access logging
  • versioning
  • CORS
  • lifecycle rules
  • server-side encryption
  • object locking
  • Cross-Region Replication (CRR)
  • ELB log delivery bucket policy
  • ALB/NLB log delivery bucket policy

Usage

Private bucket with versioning enabled

module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket"
  acl    = "private"

  control_object_ownership = true
  object_ownership         = "ObjectWriter"

  versioning = {
    enabled = true
  }
}

Bucket with ELB access log delivery policy attached

module "s3_bucket_for_logs" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket-for-logs"
  acl    = "log-delivery-write"

  # Allow deletion of non-empty bucket
  force_destroy = true

  control_object_ownership = true
  object_ownership         = "ObjectWriter"

  attach_elb_log_delivery_policy = true
}

Bucket with ALB/NLB access log delivery policy attached

module "s3_bucket_for_logs" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket-for-logs"
  acl    = "log-delivery-write"

  # Allow deletion of non-empty bucket
  force_destroy = true

  control_object_ownership = true
  object_ownership         = "ObjectWriter"

  attach_elb_log_delivery_policy = true  # Required for ALB logs
  attach_lb_log_delivery_policy  = true  # Required for ALB/NLB logs
}

Conditional creation

Sometimes you need to have a way to create S3 resources conditionally but Terraform does not allow to use count inside module block, so the solution is to specify argument create_bucket.

# This S3 bucket will not be created
module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  create_bucket = false
  # ... omitted
}

Terragrunt and variable "..." { type = any }

There is a bug #1211 in Terragrunt related to the way how the variables of type any are passed to Terraform.

This module solves this issue by supporting jsonencode()-string in addition to the expected type (list or map).

In terragrunt.hcl you can write:

inputs = {
  bucket    = "foobar"            # `bucket` has type `string`, no need to jsonencode()
  cors_rule = jsonencode([...])   # `cors_rule` has type `any`, so `jsonencode()` is required
}

Module wrappers

Users of this Terraform module can create multiple similar resources by using for_each meta-argument within module block which became available in Terraform 0.13.

Users of Terragrunt can achieve similar results by using modules provided in the wrappers directory, if they prefer to reduce amount of configuration files.

Examples:

Requirements

Name Version
terraform >= 1.0
aws >= 5.70

Providers

Name Version
aws >= 5.70

Modules

No modules.

Resources

Name Type
aws_s3_bucket.this resource
aws_s3_bucket_accelerate_configuration.this resource
aws_s3_bucket_acl.this resource
aws_s3_bucket_analytics_configuration.this resource
aws_s3_bucket_cors_configuration.this resource
aws_s3_bucket_intelligent_tiering_configuration.this resource
aws_s3_bucket_inventory.this resource
aws_s3_bucket_lifecycle_configuration.this resource
aws_s3_bucket_logging.this resource
aws_s3_bucket_metric.this resource
aws_s3_bucket_object_lock_configuration.this resource
aws_s3_bucket_ownership_controls.this resource
aws_s3_bucket_policy.this resource
aws_s3_bucket_public_access_block.this resource
aws_s3_bucket_replication_configuration.this resource
aws_s3_bucket_request_payment_configuration.this resource
aws_s3_bucket_server_side_encryption_configuration.this resource
aws_s3_bucket_versioning.this resource
aws_s3_bucket_website_configuration.this resource
aws_caller_identity.current data source
aws_canonical_user_id.this data source
aws_iam_policy_document.access_log_delivery data source
aws_iam_policy_document.combined data source
aws_iam_policy_document.deny_incorrect_encryption_headers data source
aws_iam_policy_document.deny_incorrect_kms_key_sse data source
aws_iam_policy_document.deny_insecure_transport data source
aws_iam_policy_document.deny_unencrypted_object_uploads data source
aws_iam_policy_document.elb_log_delivery data source
aws_iam_policy_document.inventory_and_analytics_destination_policy data source
aws_iam_policy_document.lb_log_delivery data source
aws_iam_policy_document.require_latest_tls data source
aws_partition.current data source
aws_region.current data source

Inputs

Name Description Type Default Required
acceleration_status (Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. string null no
access_log_delivery_policy_source_accounts (Optional) List of AWS Account IDs should be allowed to deliver access logs to this bucket. list(string) [] no
access_log_delivery_policy_source_buckets (Optional) List of S3 bucket ARNs which should be allowed to deliver access logs to this bucket. list(string) [] no
acl (Optional) The canned ACL to apply. Conflicts with grant string null no
allowed_kms_key_arn The ARN of KMS key which should be allowed in PutObject string null no
analytics_configuration Map containing bucket analytics configuration. any {} no
analytics_self_source_destination Whether or not the analytics source bucket is also the destination bucket. bool false no
analytics_source_account_id The analytics source account id. string null no
analytics_source_bucket_arn The analytics source bucket ARN. string null no
attach_access_log_delivery_policy Controls if S3 bucket should have S3 access log delivery policy attached bool false no
attach_analytics_destination_policy Controls if S3 bucket should have bucket analytics destination policy attached. bool false no
attach_deny_incorrect_encryption_headers Controls if S3 bucket should deny incorrect encryption headers policy attached. bool false no
attach_deny_incorrect_kms_key_sse Controls if S3 bucket policy should deny usage of incorrect KMS key SSE. bool false no
attach_deny_insecure_transport_policy Controls if S3 bucket should have deny non-SSL transport policy attached bool false no
attach_deny_unencrypted_object_uploads Controls if S3 bucket should deny unencrypted object uploads policy attached. bool false no
attach_elb_log_delivery_policy Controls if S3 bucket should have ELB log delivery policy attached bool false no
attach_inventory_destination_policy Controls if S3 bucket should have bucket inventory destination policy attached. bool false no
attach_lb_log_delivery_policy Controls if S3 bucket should have ALB/NLB log delivery policy attached bool false no
attach_policy Controls if S3 bucket should have bucket policy attached (set to true to use value of policy as bucket policy) bool false no
attach_public_policy Controls if a user defined public bucket policy will be attached (set to false to allow upstream to apply defaults to the bucket) bool true no
attach_require_latest_tls_policy Controls if S3 bucket should require the latest version of TLS bool false no
block_public_acls Whether Amazon S3 should block public ACLs for this bucket. bool true no
block_public_policy Whether Amazon S3 should block public bucket policies for this bucket. bool true no
bucket (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. string null no
bucket_prefix (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. string null no
control_object_ownership Whether to manage S3 Bucket Ownership Controls on this bucket. bool false no
cors_rule List of maps containing rules for Cross-Origin Resource Sharing. any [] no
create_bucket Controls if S3 bucket should be created bool true no
expected_bucket_owner The account ID of the expected bucket owner string null no
force_destroy (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. bool false no
grant An ACL policy grant. Conflicts with acl any [] no
ignore_public_acls Whether Amazon S3 should ignore public ACLs for this bucket. bool true no
intelligent_tiering Map containing intelligent tiering configuration. any {} no
inventory_configuration Map containing S3 inventory configuration. any {} no
inventory_self_source_destination Whether or not the inventory source bucket is also the destination bucket. bool false no
inventory_source_account_id The inventory source account id. string null no
inventory_source_bucket_arn The inventory source bucket ARN. string null no
lifecycle_rule List of maps containing configuration of object lifecycle management. any [] no
logging Map containing access bucket logging configuration. any {} no
metric_configuration Map containing bucket metric configuration. any [] no
object_lock_configuration Map containing S3 object locking configuration. any {} no
object_lock_enabled Whether S3 bucket should have an Object Lock configuration enabled. bool false no
object_ownership Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. string "BucketOwnerEnforced" no
owner Bucket owner's display name and ID. Conflicts with acl map(string) {} no
policy (Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. string null no
putin_khuylo Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! bool true no
replication_configuration Map containing cross-region replication configuration. any {} no
request_payer (Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. string null no
restrict_public_buckets Whether Amazon S3 should restrict public bucket policies for this bucket. bool true no
server_side_encryption_configuration Map containing server-side encryption configuration. any {} no
tags (Optional) A mapping of tags to assign to the bucket. map(string) {} no
transition_default_minimum_object_size The default minimum object size behavior applied to the lifecycle configuration. Valid values: all_storage_classes_128K (default), varies_by_storage_class string null no
versioning Map containing versioning configuration. map(string) {} no
website Map containing static web-site hosting or redirect configuration. any {} no

Outputs

Name Description
s3_bucket_arn The ARN of the bucket. Will be of format arn:aws:s3:::bucketname.
s3_bucket_bucket_domain_name The bucket domain name. Will be of format bucketname.s3.amazonaws.com.
s3_bucket_bucket_regional_domain_name The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL.
s3_bucket_hosted_zone_id The Route 53 Hosted Zone ID for this bucket's region.
s3_bucket_id The name of the bucket.
s3_bucket_lifecycle_configuration_rules The lifecycle rules of the bucket, if the bucket is configured with lifecycle rules. If not, this will be an empty string.
s3_bucket_policy The policy of the bucket, if the bucket is configured with a policy. If not, this will be an empty string.
s3_bucket_region The AWS region this bucket resides in.
s3_bucket_website_domain The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records.
s3_bucket_website_endpoint The website endpoint, if the bucket is configured with a website. If not, this will be an empty string.

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.

Additional information for users from Russia and Belarus