Skip to content


Switch branches/tags

Latest commit

## [3.3.0](v3.2.4...v3.3.0) (2022-06-17)

### Features

* Add the intelligent tiering configuration ([#167](#167)) ([73c48d6](73c48d6))

Git stats


Failed to load latest commit information.

AWS S3 bucket Terraform module

Terraform module which creates S3 bucket on AWS with all (or almost all) features provided by Terraform AWS provider.


These features of S3 bucket configurations are supported:

  • static web-site hosting
  • access logging
  • versioning
  • CORS
  • lifecycle rules
  • server-side encryption
  • object locking
  • Cross-Region Replication (CRR)
  • ELB log delivery bucket policy
  • ALB/NLB log delivery bucket policy


Private bucket with versioning enabled

module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true


Bucket with ELB access log delivery policy attached

module "s3_bucket_for_logs" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket-for-logs"
  acl    = "log-delivery-write"

  # Allow deletion of non-empty bucket
  force_destroy = true

  attach_elb_log_delivery_policy = true

Bucket with ALB/NLB access log delivery policy attached

module "s3_bucket_for_logs" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket-for-logs"
  acl    = "log-delivery-write"

  # Allow deletion of non-empty bucket
  force_destroy = true

  attach_elb_log_delivery_policy = true  # Required for ALB logs
  attach_lb_log_delivery_policy  = true  # Required for ALB/NLB logs

Conditional creation

Sometimes you need to have a way to create S3 resources conditionally but Terraform does not allow to use count inside module block, so the solution is to specify argument create_bucket.

# This S3 bucket will not be created
module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  create_bucket = false
  # ... omitted

Terragrunt and variable "..." { type = any }

There is a bug #1211 in Terragrunt related to the way how the variables of type any are passed to Terraform.

This module solves this issue by supporting jsonencode()-string in addition to the expected type (list or map).

In terragrunt.hcl you can write:

inputs = {
  bucket    = "foobar"            # `bucket` has type `string`, no need to jsonencode()
  cors_rule = jsonencode([...])   # `cors_rule` has type `any`, so `jsonencode()` is required

Module wrappers

Users of this Terraform module can create multiple similar resources by using for_each meta-argument within module block which became available in Terraform 0.13.

Users of Terragrunt can achieve similar results by using modules provided in the wrappers directory, if they prefer to reduce amount of configuration files.



Name Version
terraform >= 0.13.1
aws >= 4.5


Name Version
aws >= 4.5


No modules.


Name Type
aws_s3_bucket.this resource
aws_s3_bucket_accelerate_configuration.this resource
aws_s3_bucket_acl.this resource
aws_s3_bucket_cors_configuration.this resource
aws_s3_bucket_intelligent_tiering_configuration.this resource
aws_s3_bucket_lifecycle_configuration.this resource
aws_s3_bucket_logging.this resource
aws_s3_bucket_object_lock_configuration.this resource
aws_s3_bucket_ownership_controls.this resource
aws_s3_bucket_policy.this resource
aws_s3_bucket_public_access_block.this resource
aws_s3_bucket_replication_configuration.this resource
aws_s3_bucket_request_payment_configuration.this resource
aws_s3_bucket_server_side_encryption_configuration.this resource
aws_s3_bucket_versioning.this resource
aws_s3_bucket_website_configuration.this resource
aws_canonical_user_id.this data source
aws_elb_service_account.this data source
aws_iam_policy_document.combined data source
aws_iam_policy_document.deny_insecure_transport data source
aws_iam_policy_document.elb_log_delivery data source
aws_iam_policy_document.lb_log_delivery data source
aws_iam_policy_document.require_latest_tls data source


Name Description Type Default Required
acceleration_status (Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. string null no
acl (Optional) The canned ACL to apply. Conflicts with grant string null no
attach_deny_insecure_transport_policy Controls if S3 bucket should have deny non-SSL transport policy attached bool false no
attach_elb_log_delivery_policy Controls if S3 bucket should have ELB log delivery policy attached bool false no
attach_lb_log_delivery_policy Controls if S3 bucket should have ALB/NLB log delivery policy attached bool false no
attach_policy Controls if S3 bucket should have bucket policy attached (set to true to use value of policy as bucket policy) bool false no
attach_public_policy Controls if a user defined public bucket policy will be attached (set to false to allow upstream to apply defaults to the bucket) bool true no
attach_require_latest_tls_policy Controls if S3 bucket should require the latest version of TLS bool false no
block_public_acls Whether Amazon S3 should block public ACLs for this bucket. bool false no
block_public_policy Whether Amazon S3 should block public bucket policies for this bucket. bool false no
bucket (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. string null no
bucket_prefix (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. string null no
control_object_ownership Whether to manage S3 Bucket Ownership Controls on this bucket. bool false no
cors_rule List of maps containing rules for Cross-Origin Resource Sharing. any [] no
create_bucket Controls if S3 bucket should be created bool true no
expected_bucket_owner The account ID of the expected bucket owner string null no
force_destroy (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. bool false no
grant An ACL policy grant. Conflicts with acl any [] no
ignore_public_acls Whether Amazon S3 should ignore public ACLs for this bucket. bool false no
intelligent_tiering Map containing intelligent tiering configuration. any {} no
lifecycle_rule List of maps containing configuration of object lifecycle management. any [] no
logging Map containing access bucket logging configuration. map(string) {} no
object_lock_configuration Map containing S3 object locking configuration. any {} no
object_lock_enabled Whether S3 bucket should have an Object Lock configuration enabled. bool false no
object_ownership Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. string "ObjectWriter" no
owner Bucket owner's display name and ID. Conflicts with acl map(string) {} no
policy (Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. string null no
putin_khuylo Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info:! bool true no
replication_configuration Map containing cross-region replication configuration. any {} no
request_payer (Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. string null no
restrict_public_buckets Whether Amazon S3 should restrict public bucket policies for this bucket. bool false no
server_side_encryption_configuration Map containing server-side encryption configuration. any {} no
tags (Optional) A mapping of tags to assign to the bucket. map(string) {} no
versioning Map containing versioning configuration. map(string) {} no
website Map containing static web-site hosting or redirect configuration. any {} no


Name Description
s3_bucket_arn The ARN of the bucket. Will be of format arn:aws:s3:::bucketname.
s3_bucket_bucket_domain_name The bucket domain name. Will be of format
s3_bucket_bucket_regional_domain_name The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL.
s3_bucket_hosted_zone_id The Route 53 Hosted Zone ID for this bucket's region.
s3_bucket_id The name of the bucket.
s3_bucket_region The AWS region this bucket resides in.
s3_bucket_website_domain The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records.
s3_bucket_website_endpoint The website endpoint, if the bucket is configured with a website. If not, this will be an empty string.


Module is maintained by Anton Babenko with help from these awesome contributors.


Apache 2 Licensed. See LICENSE for full details.

Additional information for users from Russia and Belarus