This terraform module creates an S3 Bucket with the option of adding other S3 bucket configurations.
- This module offers simplicity through detailed examples, making it user-friendly.
- It follows AWS security best practices by utilizing checkov to ensure compliance.
- It simplifies the process of setting up an S3 bucket with the desired configurations.
- The module provides support for lifecycle configuration.
- In response to a recent AWS S3 update, this module now includes ownership control, allowing users to specify ownership types. The default is `ObjectWriter`.
- Encryption is enabled by default, allowing users to utilize existing AWS Customer Master Keys (CMKs) or create new ones using the module. Additionally, it supports Server-Side Encryption (SSE).
- It includes support for S3 bucket notifications, enabling users to set up event-driven workflows.
- Supports versioning, which is disabled by default in this module; when enabled it provides automatic version control of objects.
Examples available here
NOTE:
- If you have been using version 2.2.0 or any earlier iteration of this module, it is important to upgrade to the most recent release. This action is prompted by an AWS update pertaining to S3, which introduced an issue when employing bucket ACLs.
- These examples use the latest version of this module.
- This module has encryption enabled by default, therefore when replicating buckets to other buckets the associated replication role must have encryption and decryption permissions enabled for both the source bucket KMS key and the destination bucket KMS key.
- All public access is blocked by default in this module.
- When replicating to encrypted buckets in another account, the KMS key policy in the destination account must grant the required KMS permissions to the principal(s)/role in the source/origin account. The destination bucket policy should also allow S3 replication permissions from the source bucket.
- When deploying an AWS S3 bucket with replication configuration using this terraform module, the `terraform plan` command may report drift even when there are no changes to the replication configuration, especially when filters are used within the replication configuration block. There is a currently active GitHub issue here regarding this matter, and it might be resolved in a future release of Terraform.
- Despite the drift detection issue, the filter option within the replication configuration works as expected.
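As an added example (not from the module or its examples directory) of the permissions the two replication notes above call for: the replication role's identity policy for the source and destination KMS keys, plus the statement the destination key's key policy needs in the cross-account case. Key ARNs, regions, the source account ID and the role name are placeholders.

```hcl
# Placeholders: replace with the real key ARNs and regions for your buckets.
variable "source_kms_key_arn"      { type = string }
variable "destination_kms_key_arn" { type = string }
variable "source_region"           { type = string }
variable "destination_region"      { type = string }

# Identity policy for the replication role in the source account: it must
# decrypt what it reads from the source bucket and encrypt what it writes
# to the destination bucket, each key scoped to S3 in that bucket's region.
# Attach the rendered JSON to the replication role with an aws_iam_policy.
data "aws_iam_policy_document" "replication_kms" {
  statement {
    sid       = "DecryptSourceObjects"
    actions   = ["kms:Decrypt"]
    resources = [var.source_kms_key_arn]
    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["s3.${var.source_region}.amazonaws.com"]
    }
  }
  statement {
    sid       = "EncryptDestinationObjects"
    actions   = ["kms:Encrypt", "kms:GenerateDataKey"]
    resources = [var.destination_kms_key_arn]
    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["s3.${var.destination_region}.amazonaws.com"]
    }
  }
}

# Cross-account destination: the destination key's own key policy must also
# admit the source-account role; the identity policy above is not enough.
data "aws_iam_policy_document" "destination_key_policy_statement" {
  statement {
    sid       = "AllowSourceAccountReplicationRole"
    actions   = ["kms:Encrypt", "kms:GenerateDataKey"]
    resources = ["*"] # in a key policy "*" means this key
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::<source_account_id>:role/<replication_role>"]
    }
  }
}
```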
```hcl
locals {
  name = "minimum-example-bucket"
  # local.tags is referenced below, so it must be defined here
  tags = {
    environment = "example" # example tag values
  }
}

module "minimum" {
  source  = "boldlink/s3/aws"
  version = "<latest_module_version>"
  bucket  = local.name
  tags    = local.tags
}
```
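A hardened variant of the minimum example, added here and not taken from the module's own examples: it creates a customer-managed KMS key, passes it to the module's documented `sse_kms_master_key_arn` input, enables versioning and enforces bucket-owner object ownership. The bucket name, key alias and tag values are placeholders.

```hcl
locals {
  name = "hardened-example-bucket" # placeholder bucket name
  tags = {
    environment = "example" # placeholder tag values
    managed_by  = "terraform"
  }
}

# Customer-managed key so access can be audited and revoked independently of
# the AWS-managed aws/s3 key the module falls back to when no ARN is given.
resource "aws_kms_key" "bucket" {
  description             = "CMK for ${local.name}"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  tags                    = local.tags
}

resource "aws_kms_alias" "bucket" {
  name          = "alias/${local.name}" # placeholder alias
  target_key_id = aws_kms_key.bucket.key_id
}

module "hardened" {
  source  = "boldlink/s3/aws"
  version = "<latest_module_version>"

  bucket = local.name

  # SSE-KMS with the key above; bucket keys reduce KMS request volume and cost.
  sse_sse_algorithm      = "aws:kms"
  sse_kms_master_key_arn = aws_kms_key.bucket.arn
  sse_bucket_key_enabled = true

  # Versioning is disabled by default in this module; enable it so overwritten
  # or deleted objects can be recovered.
  versioning_status = "Enabled"

  # Disable ACLs entirely. With BucketOwnerEnforced the bucket_acl input must
  # stay at its default, because S3 rejects ACL configuration on such buckets.
  object_ownership = "BucketOwnerEnforced"

  # The four public access block inputs keep their defaults (all true), and
  # force_destroy stays false so a destroy cannot silently delete objects.
  force_destroy = false

  tags = local.tags
}
```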
Terraform provider documentation
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.14.11 |
| aws | >= 4.15.1 |

## Providers

| Name | Version |
|---|---|
| aws | 5.53.0 |

## Modules

No modules.
## Resources

| Name | Type |
|---|---|
| aws_s3_bucket.main | resource |
| aws_s3_bucket_acl.main | resource |
| aws_s3_bucket_cors_configuration.main | resource |
| aws_s3_bucket_lifecycle_configuration.main | resource |
| aws_s3_bucket_logging.main | resource |
| aws_s3_bucket_notification.main | resource |
| aws_s3_bucket_ownership_controls.main | resource |
| aws_s3_bucket_policy.main | resource |
| aws_s3_bucket_public_access_block.main | resource |
| aws_s3_bucket_replication_configuration.main | resource |
| aws_s3_bucket_server_side_encryption_configuration.main | resource |
| aws_s3_bucket_versioning.main | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.combined | data source |
| aws_iam_policy_document.default | data source |
| aws_iam_policy_document.non_org_trail_policy | data source |
| aws_iam_policy_document.org_s3 | data source |
| aws_organizations_organization.current | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| attach_non_org_trail_policy | Specify whether to attach policy for non organization cloudtrail | `bool` | `false` | no |
| attach_org_cloudtrail_policy | Specify whether to attach policy for organization cloudtrail | `bool` | `false` | no |
| block_public_acls | (Optional) Whether Amazon S3 should block public ACLs for this bucket. | `bool` | `true` | no |
| block_public_policy | (Optional) Whether Amazon S3 should block public bucket policies for this bucket. | `bool` | `true` | no |
| bucket | (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. Must be lowercase and less than or equal to 63 characters in length. | `string` | `null` | no |
| bucket_acl | The canned ACL to apply. | `any` | `{}` | no |
| bucket_policy | Attaches a policy to an S3 bucket resource. | `string` | `""` | no |
| bucket_prefix | (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. Must be lowercase and less than or equal to 37 characters in length. | `string` | `null` | no |
| cors_rule | A rule of Cross-Origin Resource Sharing. | `any` | `[]` | no |
| enable_block_public_access | Whether to enable public access block altogether, default is true | `bool` | `true` | no |
| eventbridge | Whether to enable Amazon EventBridge notifications | `bool` | `false` | no |
| expected_bucket_owner | (Optional, Forces new resource) The account ID of the expected bucket owner. | `string` | `null` | no |
| force_destroy | (Optional, Default: false) A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |
| ignore_public_acls | (Optional) Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | `true` | no |
| lambda_function | Configuration for S3 notification lambda function | `any` | `[]` | no |
| lifecycle_configuration | A map of s3 lifecycle configuration | `any` | `[]` | no |
| object_ownership | Object ownership. Valid values: BucketOwnerPreferred, ObjectWriter or BucketOwnerEnforced | `string` | `"ObjectWriter"` | no |
| queue | Configuration for S3 notification SQS queue | `any` | `[]` | no |
| replication_configuration | Provides an independent configuration resource for S3 bucket replication configuration. | `any` | `{}` | no |
| restrict_public_buckets | (Optional) Whether Amazon S3 should restrict public bucket policies for this bucket. | `bool` | `true` | no |
| s3_logging | A map of configurations where to store logs | `map(any)` | `{}` | no |
| sse_bucket_key_enabled | (Optional) Whether or not to use Amazon S3 Bucket Keys for SSE-KMS. | `bool` | `null` | no |
| sse_kms_master_key_arn | (Optional) The AWS KMS master key ARN used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms. | `string` | `null` | no |
| sse_sse_algorithm | (Required) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms | `string` | `"aws:kms"` | no |
| tags | (Optional) A map of tags to assign to the bucket. | `map(string)` | `{}` | no |
| topic | Configuration for S3 notification SNS topic | `any` | `[]` | no |
| versioning_mfa | The concatenation of the authentication device's serial number, a space, and the value that is displayed on your authentication device. | `string` | `null` | no |
| versioning_mfa_delete | (Optional) Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: Enabled or Disabled. | `string` | `null` | no |
| versioning_status | (Required) The versioning state of the bucket. Valid values: Enabled, Suspended, or Disabled. Disabled should only be used when creating or importing resources that correspond to unversioned S3 buckets. | `string` | `"Disabled"` | no |
## Outputs

| Name | Description |
|---|---|
| arn | The ARN of the bucket. Will be of format arn:aws:s3:::bucketname |
| bucket | The name of the bucket. |
| bucket_domain_name | The bucket domain name. Will be of format bucketname.s3.amazonaws.com. |
| bucket_regional_domain_name | The bucket region-specific domain name. The bucket domain name including the region name |
| hosted_zone_id | The Route 53 Hosted Zone ID for this bucket's region. |
| id | The name of the bucket. |
| region | The AWS region this bucket resides in. |
| tags_all | A map of tags assigned to the resource, including those inherited from the provider default_tags |
This repository uses third party software:
- pre-commit - Used to help ensure code and documentation consistency
  - Install with `brew install pre-commit`
  - Manually use with `pre-commit run`
- terraform 0.14.11 - For backwards compatibility we use version 0.14.11 for testing, making it the minimum version tested and known to work without issues with terraform-docs.
- terraform-docs - Used to generate the Inputs and Outputs sections
  - Install with `brew install terraform-docs`
  - Manually use via pre-commit
- tflint - Used to lint the Terraform code
  - Install with `brew install tflint`
  - Manually use via pre-commit
The makefile contained in this repo is optimized for Linux paths and its main purpose, for now, is to execute testing.
- Create all test stacks including any supporting resources: `make tests`
- Clean all tests except existing supporting resources: `make clean`
- Clean supporting resources - this is done separately so you can test your module build/modify/destroy independently: `make cleansupporting`
- !!!DANGER!!! Clean the state files from examples and test/supportingResources - use with CAUTION!!!: `make cleanstatefiles`