Terraform module to create an AWS S3 Bucket.
IMPORTANT: We do not pin modules to versions in our examples. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable.
Server access logging provides detailed records for the requests that are made to a bucket and can be useful in security and access audits. However, logging to the same bucket is not recommended and is disabled when using this module. See AWS' explanation here:

> Important
>
> Your target bucket should not have server access logging enabled. You can have logs delivered to any bucket that you own that is in the same Region as the source bucket, including the source bucket itself. However, this would cause an infinite loop of logs and is not recommended. For simpler log management, we recommend that you save access logs in a different bucket.
>
> Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html
By default, there is no naming schema. The bucket logs are stored in `var.logging.target_bucket` using `var.logging.target_prefix` as prefix only. If you want to further control the log format, `var.logging.target_object_key_format` can be used. You have two options to control the format:
Simple prefix, which uses the following format for the log file: `[target_prefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]`

```hcl
target_prefix = "log/"
target_object_key_format = {
  format_type = "simple"
}
```
Or partitioned prefix, which uses the following format for the log file, with partitioned folders: `[target_prefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]`

```hcl
target_prefix = "log/"
target_object_key_format = {
  format_type           = "partitioned"
  partition_date_source = "EventTime" # DeliveryTime is default
}
```
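As an added example (not part of the module's README), this is how the two-bucket layout from the AWS note above looks when both buckets are created with this module: a dedicated log bucket that only accepts logs from the application bucket via `logging_source_bucket_arns`, and the application bucket delivering partitioned access logs to it. The module `source` path and the bucket names are placeholders.

```hcl
# Added example, not the module's own code. Replace the placeholder source
# with the module's real source and pin its version, as the README recommends.

locals {
  app_bucket_name = "example-app-data" # constructed name, replace it
}

# Dedicated log bucket. It has no `logging` block of its own, so it never
# becomes a logging source and cannot loop logs back into itself.
module "access_logs" {
  source = "PLACEHOLDER/terraform-aws-s3-module" # hypothetical path, pin a version

  name       = "example-access-logs" # constructed name, replace it
  versioning = true

  # Restrict which source buckets may deliver access logs to this bucket.
  # The ARN is built from the name to avoid a dependency cycle between
  # the two module calls (S3 bucket ARNs are arn:aws:s3:::<bucket-name>).
  logging_source_bucket_arns = ["arn:aws:s3:::${local.app_bucket_name}"]
}

# Application bucket, logging to the dedicated log bucket (never to itself).
module "app_data" {
  source = "PLACEHOLDER/terraform-aws-s3-module" # hypothetical path, pin a version

  name       = local.app_bucket_name
  versioning = true

  logging = {
    target_bucket = module.access_logs.name # `name` output of the log bucket
    target_prefix = "log/"
    target_object_key_format = {
      # Log keys become
      # log/[SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/...
      # which keeps per-account, per-bucket, per-day audit queries cheap.
      format_type           = "partitioned"
      partition_date_source = "EventTime" # DeliveryTime is default
    }
  }
}
```

Public access blocks, `BucketOwnerEnforced` ownership and the SSL-only policy are the module's defaults, so neither bucket needs to set them explicitly.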
Requirements:

Name | Version |
---|---|
terraform | >= 1.4.0 |
aws | >= 5.27.0 |

Providers:

Name | Version |
---|---|
aws | >= 5.27.0 |
No modules.
Resources:

Name | Type |
---|---|
aws_s3_bucket.default | resource |
aws_s3_bucket_acl.default | resource |
aws_s3_bucket_cors_configuration.default | resource |
aws_s3_bucket_inventory.default | resource |
aws_s3_bucket_lifecycle_configuration.default | resource |
aws_s3_bucket_logging.default | resource |
aws_s3_bucket_notification.eventbridge | resource |
aws_s3_bucket_object_lock_configuration.default | resource |
aws_s3_bucket_ownership_controls.default | resource |
aws_s3_bucket_policy.default | resource |
aws_s3_bucket_public_access_block.default | resource |
aws_s3_bucket_replication_configuration.default | resource |
aws_s3_bucket_server_side_encryption_configuration.default | resource |
aws_s3_bucket_versioning.default | resource |
aws_iam_policy_document.combined | data source |
aws_iam_policy_document.logging_policy | data source |
aws_iam_policy_document.ssl_policy | data source |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
acl | The canned ACL to apply, defaults to `private`. | string | "private" | no |
block_public_acls | Whether Amazon S3 should block public ACLs for this bucket. | bool | true | no |
block_public_policy | Whether Amazon S3 should block public bucket policies for this bucket. | bool | true | no |
cors_rule | The CORS rule for the S3 bucket. | object({ | null | no |
eventbridge_enabled | Whether to enable Amazon EventBridge notifications. | bool | false | no |
force_destroy | A boolean that indicates all objects should be deleted when deleting the bucket. | bool | false | no |
ignore_public_acls | Whether Amazon S3 should ignore public ACLs for this bucket. | bool | true | no |
inventory_configuration | Bucket inventory configuration settings. | map(object({ | {} | no |
kms_key_arn | The KMS key ARN used for the bucket encryption. | string | null | no |
lifecycle_rule | List of maps containing lifecycle management configuration settings. | any | [] | no |
logging | Logging configuration; logging is disabled by default. | object({ | null | no |
logging_source_bucket_arns | Configures which source buckets are allowed to log to this bucket. | list(string) | [] | no |
name | The name of the bucket. If omitted, Terraform will assign a random, unique name. Conflicts with `name_prefix`. | string | null | no |
name_prefix | Creates a unique bucket name beginning with the specified prefix. Conflicts with `name`. | string | null | no |
object_lock_days | The number of days that you want to specify for the default retention period. | number | null | no |
object_lock_mode | The default Object Lock retention mode to apply to new objects. | string | null | no |
object_lock_years | The number of years that you want to specify for the default retention period. | number | null | no |
object_ownership_type | The object ownership type for the objects in the S3 bucket, defaults to `BucketOwnerEnforced`. | string | "BucketOwnerEnforced" | no |
policy | A valid bucket policy JSON document. | string | null | no |
replication_configuration | Bucket replication configuration settings; specify the rules map keys as integers, as these are used to determine the priority of the rules in case of conflict. | object({ | null | no |
restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for this bucket. | bool | true | no |
tags | A mapping of tags to assign to the bucket. | map(string) | {} | no |
versioning | Versioning is a means of keeping multiple variants of an object in the same bucket. | bool | false | no |
Outputs:

Name | Description |
---|---|
arn | ARN of the bucket |
id | Name of the bucket |
name | Name of the bucket |
100% Open Source and licensed under the Apache License Version 2.0. See LICENSE for full details.