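# S3 bucket configuration object. `name` is the only required attribute; every
# other attribute is filled in via optional() defaults, so validations below can
# assume `acl` and `replicas` are never null.
variable "bucket" {
  description = <<EOT
S3 Bucket configuration object.
KMS key: If no KMS key is specified for the encryption of resources, one will be provisioned. If using a pre-existing key, the key output from the KMS module should be passed in under the `key` object.
Policy: Policy should be a JSON string. By default, a policy is generated that allows all users in the caller AWS account READ/WRITE access, with the exception of ACL operations, i.e. all ACL operations are explicitly denied. Any additional permissions passed in through the `policy` will be merged into the default policy through a `aws_iam_policy_document` data block.
Replicas: Number of replicas to create. The original bucket will receive `var.bucket.name` as its name, and each replica will receive the name `var.bucket.name-replica-0<var.bucket.replicas>`.
EOT
  type = object({
    # Bucket name; replica buckets are derived from it by appending a suffix
    # (see description), so leave room under the 63-character S3 limit.
    name = string
    # Canned ACL. Public canned ACLs are rejected by the validation below.
    acl = optional(string, "private")
    # Pre-existing KMS key (shape of the KMS module output). When null, the
    # description says the module provisions a key itself.
    key = optional(object({
      id        = string
      arn       = string
      alias_arn = string
    }), null)
    # S3 event types the bucket notifies on.
    notification_events = optional(list(string), [
      "s3:ObjectCreated:*",
      "s3:ObjectRemoved:*"
    ])
    # Extra bucket-policy statements as a JSON string, merged into the default
    # policy. NOTE(review): the default policy grants every principal in the
    # account read/write; callers that need tighter scoping should verify what
    # the merged policy resolves to before relying on it.
    policy = optional(string, null)
    # Number of replica buckets to create.
    replicas = optional(number, 1)
  })

  # Reject the canned ACLs that grant access to the AllUsers or
  # AuthenticatedUsers groups. Denying ACL *operations* in the bucket policy
  # (as the description states) does not undo an ACL that is presumably set on
  # the bucket at creation time, so a public value here would still expose the
  # bucket contents.
  validation {
    condition     = !contains(["public-read", "public-read-write", "authenticated-read"], var.bucket.acl)
    error_message = "bucket.acl must not be a public canned ACL (public-read, public-read-write, authenticated-read)."
  }

  # S3 bucket naming rules: 3-63 characters, lowercase letters, digits, dots
  # and hyphens, starting and ending with a letter or digit. Catches an invalid
  # name at plan time instead of at apply time.
  validation {
    condition     = can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.bucket.name))
    error_message = "bucket.name must be a valid S3 bucket name: 3-63 characters of lowercase letters, digits, dots or hyphens, beginning and ending with a letter or digit."
  }

  # A malformed policy string would only fail when the policy document is
  # rendered; reject it up front. `can()` swallows the decode error, so a null
  # policy (the default) passes via the left-hand side of the `||`.
  validation {
    condition     = var.bucket.policy == null || can(jsondecode(var.bucket.policy))
    error_message = "bucket.policy must be null or a valid JSON document."
  }

  # Replica count is used to size a resource set, so it must be a whole,
  # non-negative number.
  validation {
    condition     = var.bucket.replicas >= 0 && floor(var.bucket.replicas) == var.bucket.replicas
    error_message = "bucket.replicas must be a non-negative whole number."
  }
}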
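# IAM role that S3 assumes to perform cross-bucket replication. The module
# attaches its replication policy to this role; the role's trust policy must be
# set up by the caller (see description). NOTE(review): nothing here can check
# the trust policy itself - confirm it trusts only `s3.amazonaws.com`, ideally
# with an `aws:SourceAccount` / `aws:SourceArn` condition to avoid the confused
# deputy problem.
variable "replication_role" {
  description = "ARN of the replication role. This role will have a policy attached to it that will enable S3 replication. The service principal in the trust relationship must be `s3.amazonaws.com`. The `s3_replicator` key of the IAM module `service_roles` output can be passed directly into this argument."
  type = object({
    arn  = string
    id   = string
    name = string
  })

  # Placeholder default. The validations below reject it, so a real role must
  # always be supplied; it exists only to document the expected object shape.
  default = {
    arn  = "arn:aws:iam::<account-id>:role/s3-replicator"
    id   = "s3-replicator"
    name = "s3-replicator"
  }

  # Require a well-formed IAM role ARN in any AWS partition (aws, aws-cn,
  # aws-us-gov). The 12-digit account check also rejects the `<account-id>`
  # placeholder from the default.
  validation {
    condition     = can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$", var.replication_role.arn))
    error_message = "replication_role.arn must be an IAM role ARN of the form arn:<partition>:iam::<12-digit account id>:role/<name>; the placeholder default must be replaced with a real account id."
  }

  # The ARN is what S3 assumes and `name`/`id` is where the policy gets
  # attached; if they refer to different roles the replication policy lands on
  # a role S3 never uses. A role ARN always ends in "/<role name>", even when
  # the role has a path. `endswith` needs Terraform >= 1.3, which `optional()`
  # defaults and `strcontains` already require.
  validation {
    condition     = endswith(var.replication_role.arn, "/${var.replication_role.name}")
    error_message = "replication_role.arn must refer to the role named in replication_role.name (the ARN must end with \"/<name>\")."
  }
}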