Terraform module which creates an S3 bucket on AWS with all (or almost all) features provided by the Terraform AWS provider.
These features of S3 bucket configurations are supported:
- static web-site hosting
- access logging
- versioning
- CORS
- lifecycle rules
- server-side encryption
- object locking
- Cross-Region Replication (CRR)
- ELB log delivery bucket policy
- ALB/NLB log delivery bucket policy
- WAF log delivery bucket policy
- Account-level Public Access Block
- S3 Directory Bucket
- S3 Table Bucket
```hcl
module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket"
  acl    = "private"

  control_object_ownership = true
  object_ownership         = "ObjectWriter"

  versioning = {
    enabled = true
  }
}
```
```hcl
# Bucket with ELB access log delivery policy attached
module "s3_bucket_for_logs" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket-for-logs"
  acl    = "log-delivery-write"

  # Allow deletion of non-empty bucket
  force_destroy = true

  control_object_ownership = true
  object_ownership         = "ObjectWriter"

  attach_elb_log_delivery_policy = true
}
```
```hcl
# Bucket with ALB/NLB access log delivery policy attached
module "s3_bucket_for_logs" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket-for-logs"

  # Allow deletion of non-empty bucket
  force_destroy = true

  control_object_ownership = true
  object_ownership         = "ObjectWriter"

  attach_elb_log_delivery_policy = true # Required for ALB logs
  attach_lb_log_delivery_policy  = true # Required for ALB/NLB logs
}
```
```hcl
# Bucket with WAF access log delivery policy attached
module "s3_bucket_for_waf_logs" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket-for-waf-logs"

  # Allow deletion of non-empty bucket
  force_destroy = true

  control_object_ownership = true
  object_ownership         = "ObjectWriter"

  attach_waf_log_delivery_policy = true # Required for WAF logs
}
```
When you need to attach a custom policy to the bucket, you can use the `policy` argument. To keep the bucket policy consistent with the actual S3 bucket and AWS account, you can use the placeholders `_S3_BUCKET_ID_`, `_S3_BUCKET_ARN_`, and `_AWS_ACCOUNT_ID_` in the policy document. Those values are replaced with the real values when the policy is attached. This is especially useful when using bucket prefixes, because the final bucket name is not known until apply.
Sometimes you need a way to create S3 resources conditionally, but Terraform does not allow using `count` inside a `module` block, so the solution is to specify the argument `create_bucket`.
```hcl
# This S3 bucket will not be created
module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  create_bucket = false
  # ... omitted
}
```
There is a bug (#1211) in Terragrunt related to the way variables of type `any` are passed to Terraform.
This module works around the issue by accepting a `jsonencode()`-ed string in addition to the expected type (list or map).
In `terragrunt.hcl` you can write:
```hcl
inputs = {
  bucket    = "foobar"          # `bucket` has type `string`, no need to jsonencode()
  cors_rule = jsonencode([...]) # `cors_rule` has type `any`, so `jsonencode()` is required
}
```
Users of this Terraform module can create multiple similar resources by using the `for_each` meta-argument within a `module` block, which became available in Terraform 0.13.
Users of Terragrunt can achieve similar results by using the modules provided in the `wrappers` directory, if they prefer to reduce the number of configuration files.
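A worked example of the policy placeholders and of `for_each` on the module block, added here and not taken from the module's README: several buckets are created with `bucket_prefix`, so their final names are unknown until apply, and the custom read-only policy relies on `_S3_BUCKET_ARN_` and `_AWS_ACCOUNT_ID_` instead of hard-coded values. The local map and the role names in it are constructed for illustration.

```hcl
locals {
  # Constructed sample input: bucket key => name of an IAM role (in the same
  # account as the bucket) that may read from it. Hypothetical role names.
  buckets = {
    app-logs   = { reader_role = "log-reader" }
    app-assets = { reader_role = "asset-reader" }
  }
}

module "s3_bucket" {
  source   = "terraform-aws-modules/s3-bucket/aws"
  for_each = local.buckets

  # With bucket_prefix the final name is only known after apply, which is
  # exactly when the policy placeholders below become useful.
  bucket_prefix = "${each.key}-"

  # Keep ACLs disabled so the bucket owner owns every object
  control_object_ownership = true
  object_ownership         = "BucketOwnerEnforced"

  # Hardening policies the module can generate for you
  attach_deny_insecure_transport_policy  = true
  attach_deny_unencrypted_object_uploads = true

  # Custom read-only policy; _S3_BUCKET_ARN_ and _AWS_ACCOUNT_ID_ are replaced
  # by the module with the real bucket ARN and account ID during attachment.
  attach_policy = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowReaderRoleReadOnly"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::_AWS_ACCOUNT_ID_:role/${each.value.reader_role}" }
        Action    = ["s3:GetObject", "s3:ListBucket"]
        Resource  = ["_S3_BUCKET_ARN_", "_S3_BUCKET_ARN_/*"]
      }
    ]
  })
}

# The real (prefixed) bucket names, one per for_each key
output "bucket_ids" {
  value = { for k, b in module.s3_bucket : k => b.s3_bucket_id }
}
```

Because the policy is rendered per bucket, each instance grants its own reader role access to its own ARN only, and the block-public-access defaults of the module stay in place.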
- Complete - Complete S3 bucket with most of the supported features enabled
- Cross-Region Replication - S3 bucket with Cross-Region Replication (CRR) enabled
- S3 Notifications - S3 bucket notifications to Lambda functions, SQS queues, and SNS topics.
- S3 Object - Manage S3 bucket objects.
- S3 Analytics - S3 bucket Analytics Configurations.
- S3 Inventory - S3 bucket Inventory configuration.
- S3 Account-level Public Access Block - Manage S3 account-level Public Access Block.
- S3 Directory Bucket - S3 Directory Bucket configuration.
- S3 Table Bucket - S3 Table Bucket configuration.
| Name | Version | 
|---|---|
| terraform | >= 1.5.7 | 
| aws | >= 6.5 | 
| Name | Version | 
|---|---|
| aws | >= 6.5 | 
No modules.
| Name | Description | Type | Default | Required | 
|---|---|---|---|---|
| acceleration_status | (Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. | string | null | no | 
| access_log_delivery_policy_source_accounts | (Optional) List of AWS Account IDs that should be allowed to deliver access logs to this bucket. | list(string) | [] | no | 
| access_log_delivery_policy_source_buckets | (Optional) List of S3 bucket ARNs which should be allowed to deliver access logs to this bucket. | list(string) | [] | no | 
| access_log_delivery_policy_source_organizations | (Optional) List of AWS Organization IDs that should be allowed to deliver access logs to this bucket. | list(string) | [] | no | 
| acl | (Optional) The canned ACL to apply. Conflicts with grant | string | null | no | 
| allowed_kms_key_arn | The ARN of KMS key which should be allowed in PutObject | string | null | no | 
| analytics_configuration | Map containing bucket analytics configuration. | any | {} | no | 
| analytics_self_source_destination | Whether or not the analytics source bucket is also the destination bucket. | bool | false | no | 
| analytics_source_account_id | The analytics source account id. | string | null | no | 
| analytics_source_bucket_arn | The analytics source bucket ARN. | string | null | no | 
| attach_access_log_delivery_policy | Controls if S3 bucket should have S3 access log delivery policy attached | bool | false | no | 
| attach_analytics_destination_policy | Controls if S3 bucket should have bucket analytics destination policy attached. | bool | false | no | 
| attach_cloudtrail_log_delivery_policy | Controls if S3 bucket should have CloudTrail log delivery policy attached | bool | false | no | 
| attach_deny_incorrect_encryption_headers | Controls if S3 bucket should deny incorrect encryption headers policy attached. | bool | false | no | 
| attach_deny_incorrect_kms_key_sse | Controls if S3 bucket policy should deny usage of incorrect KMS key SSE. | bool | false | no | 
| attach_deny_insecure_transport_policy | Controls if S3 bucket should have deny non-SSL transport policy attached | bool | false | no | 
| attach_deny_ssec_encrypted_object_uploads | Controls if S3 bucket should deny SSEC encrypted object uploads. | bool | false | no | 
| attach_deny_unencrypted_object_uploads | Controls if S3 bucket should deny unencrypted object uploads policy attached. | bool | false | no | 
| attach_elb_log_delivery_policy | Controls if S3 bucket should have ELB log delivery policy attached | bool | false | no | 
| attach_inventory_destination_policy | Controls if S3 bucket should have bucket inventory destination policy attached. | bool | false | no | 
| attach_lb_log_delivery_policy | Controls if S3 bucket should have ALB/NLB log delivery policy attached | bool | false | no | 
| attach_policy | Controls if S3 bucket should have bucket policy attached (set to `true` to use the value of `policy` as the bucket policy) | bool | false | no | 
| attach_public_policy | Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket) | bool | true | no | 
| attach_require_latest_tls_policy | Controls if S3 bucket should require the latest version of TLS | bool | false | no | 
| attach_waf_log_delivery_policy | Controls if S3 bucket should have WAF log delivery policy attached | bool | false | no | 
| availability_zone_id | Availability Zone ID or Local Zone ID | string | null | no | 
| block_public_acls | Whether Amazon S3 should block public ACLs for this bucket. | bool | true | no | 
| block_public_policy | Whether Amazon S3 should block public bucket policies for this bucket. | bool | true | no | 
| bucket | (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. | string | null | no | 
| bucket_prefix | (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. | string | null | no | 
| control_object_ownership | Whether to manage S3 Bucket Ownership Controls on this bucket. | bool | false | no | 
| cors_rule | List of maps containing rules for Cross-Origin Resource Sharing. | any | [] | no | 
| create_bucket | Controls if S3 bucket should be created | bool | true | no | 
| create_metadata_configuration | Whether to create metadata configuration resource | bool | false | no | 
| data_redundancy | Data redundancy. Valid values: SingleAvailabilityZone | string | null | no | 
| expected_bucket_owner | The account ID of the expected bucket owner | string | null | no | 
| force_destroy | (Optional, Default: `false`) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool | false | no | 
| grant | An ACL policy grant. Conflicts with acl | any | [] | no | 
| ignore_public_acls | Whether Amazon S3 should ignore public ACLs for this bucket. | bool | true | no | 
| intelligent_tiering | Map containing intelligent tiering configuration. | any | {} | no | 
| inventory_configuration | Map containing S3 inventory configuration. | any | {} | no | 
| inventory_self_source_destination | Whether or not the inventory source bucket is also the destination bucket. | bool | false | no | 
| inventory_source_account_id | The inventory source account id. | string | null | no | 
| inventory_source_bucket_arn | The inventory source bucket ARN. | string | null | no | 
| is_directory_bucket | If the s3 bucket created is a directory bucket | bool | false | no | 
| lb_log_delivery_policy_source_organizations | (Optional) List of AWS Organization IDs that should be allowed to deliver ALB/NLB logs to this bucket. | list(string) | [] | no | 
| lifecycle_rule | List of maps containing configuration of object lifecycle management. | any | [] | no | 
| location_type | Location type. Valid values: `AvailabilityZone` or `LocalZone` | string | null | no | 
| logging | Map containing access bucket logging configuration. | any | {} | no | 
| metadata_encryption_configuration | Encryption configuration block | any | null | no | 
| metadata_inventory_table_configuration_state | Configuration state of the inventory table, indicating whether the inventory table is enabled or disabled. Valid values: ENABLED, DISABLED | string | null | no | 
| metadata_journal_table_record_expiration | Whether journal table record expiration is enabled or disabled. Valid values: ENABLED, DISABLED | string | null | no | 
| metadata_journal_table_record_expiration_days | Number of days to retain journal table records | number | null | no | 
| metric_configuration | Map containing bucket metric configuration. | any | [] | no | 
| object_lock_configuration | Map containing S3 object locking configuration. | any | {} | no | 
| object_lock_enabled | Whether S3 bucket should have an Object Lock configuration enabled. | bool | false | no | 
| object_ownership | Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. | string | "BucketOwnerEnforced" | no | 
| owner | Bucket owner's display name and ID. Conflicts with acl | map(string) | {} | no | 
| policy | (Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. | string | null | no | 
| putin_khuylo | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | bool | true | no | 
| region | Region where the resource(s) will be managed. Defaults to the region set in the provider configuration | string | null | no | 
| replication_configuration | Map containing cross-region replication configuration. | any | {} | no | 
| request_payer | (Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. | string | null | no | 
| restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for this bucket. | bool | true | no | 
| server_side_encryption_configuration | Map containing server-side encryption configuration. | any | {} | no | 
| skip_destroy_public_access_block | Whether to skip destroying the S3 Bucket Public Access Block configuration when destroying the bucket. Only used if `public_access_block` is set to `true`. | bool | true | no | 
| tags | (Optional) A mapping of tags to assign to the bucket. | map(string) | {} | no | 
| transition_default_minimum_object_size | The default minimum object size behavior applied to the lifecycle configuration. Valid values: all_storage_classes_128K (default), varies_by_storage_class | string | null | no | 
| type | Bucket type. Valid values: Directory | string | "Directory" | no | 
| versioning | Map containing versioning configuration. | map(string) | {} | no | 
| website | Map containing static web-site hosting or redirect configuration. | any | {} | no | 
| Name | Description | 
|---|---|
| aws_s3_bucket_versioning_status | The versioning status of the bucket. Will be 'Enabled', 'Suspended', or 'Disabled'. | 
| s3_bucket_arn | The ARN of the bucket. Will be of format arn:aws:s3:::bucketname. | 
| s3_bucket_bucket_domain_name | The bucket domain name. Will be of format bucketname.s3.amazonaws.com. | 
| s3_bucket_bucket_regional_domain_name | The bucket region-specific domain name, i.e. the bucket domain name including the region name; refer to the AWS documentation for the exact format. Note: CloudFront allows specifying the S3 region-specific endpoint when creating an S3 origin, which prevents redirect issues from CloudFront to the S3 origin URL. | 
| s3_bucket_hosted_zone_id | The Route 53 Hosted Zone ID for this bucket's region. | 
| s3_bucket_id | The name of the bucket. | 
| s3_bucket_lifecycle_configuration_rules | The lifecycle rules of the bucket, if the bucket is configured with lifecycle rules. If not, this will be an empty string. | 
| s3_bucket_policy | The policy of the bucket, if the bucket is configured with a policy. If not, this will be an empty string. | 
| s3_bucket_region | The AWS region this bucket resides in. | 
| s3_bucket_tags | Tags of the bucket. | 
| s3_bucket_website_domain | The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records. | 
| s3_bucket_website_endpoint | The website endpoint, if the bucket is configured with a website. If not, this will be an empty string. | 
| s3_directory_bucket_arn | ARN of the directory bucket. | 
| s3_directory_bucket_name | Name of the directory bucket. | 
Module is maintained by Anton Babenko with help from these awesome contributors.
Apache 2 Licensed. See LICENSE for full details.
- Russia illegally annexed Crimea in 2014 and brought war to Donbas, followed by a full-scale invasion of Ukraine in 2022.
- Russia has brought sorrow and devastation to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
- Putin khuylo!