Sync with upstream (#2)

* fix: use new destination.bucket key in policy (cloudposse#256) Signed-off-by: nitrocode <[email protected]> * feat: support eventbridge bucket notification (cloudposse#255) * feat: add eventbridge * feat: add eventbridge to var definition * docs: update event notifications to support eventbridge Signed-off-by: nitrocode <[email protected]> --------- Signed-off-by: nitrocode <[email protected]> * feat: add s3 request payment config (cloudposse#259) * feat: add s3 request payment config var * fix: set optional key and add validation * feat: use s3 request payment config * fix: set default to BucketOwner * fix: validation for contains --------- Co-authored-by: Veronika Gnilitska <[email protected]> * chore: update README.md --------- Signed-off-by: nitrocode <[email protected]> Co-authored-by: RB <[email protected]> Co-authored-by: Veronika Gnilitska <[email protected]> Co-authored-by: readme-action 📖 <[email protected]>
verygood-ops · Nov 18, 2024 · 3963b3f · 3963b3f
1 parent 424de84
commit 3963b3f
Show file tree

Hide file tree

Showing 5 changed files with 77 additions and 49 deletions.
diff --git a/README.md b/README.md
@@ -248,6 +248,7 @@ Available targets:
 | [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_replication_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_replication_configuration) | resource |
+| [aws_s3_bucket_request_payment_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_request_payment_configuration) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_s3_bucket_website_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
@@ -284,7 +285,7 @@ Available targets:
 | <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br/>Map of maps. Keys are names of descriptors. Values are maps of the form<br/>`{<br/>   format = string<br/>   labels = list(string)<br/>}`<br/>(Type is `any` so the map values can later be enhanced to provide additional options.)<br/>`format` is a Terraform format string to be passed to the `format()` function.<br/>`labels` is a list of labels, in order, to pass to `format()` function.<br/>Label values will be normalized before being passed to `format()` so they will be<br/>identical to how they appear in `id`.<br/>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
-| <a name="input_event_notification_details"></a> [event\_notification\_details](#input\_event\_notification\_details) | (optional) S3 event notification details | <pre>object({<br/>    enabled = bool<br/>    lambda_list = optional(list(object({<br/>      lambda_function_arn = string<br/>      events              = optional(list(string), ["s3:ObjectCreated:*"])<br/>      filter_prefix       = string<br/>      filter_suffix       = string<br/>    })), [])<br/><br/>    queue_list = optional(list(object({<br/>      queue_arn = string<br/>      events    = optional(list(string), ["s3:ObjectCreated:*"])<br/>    })), [])<br/><br/>    topic_list = optional(list(object({<br/>      topic_arn = string<br/>      events    = optional(list(string), ["s3:ObjectCreated:*"])<br/>    })), [])<br/><br/>  })</pre> | <pre>{<br/>  "enabled": false<br/>}</pre> | no |
+| <a name="input_event_notification_details"></a> [event\_notification\_details](#input\_event\_notification\_details) | S3 event notification details | <pre>object({<br/>    enabled     = bool<br/>    eventbridge = optional(bool, false)<br/>    lambda_list = optional(list(object({<br/>      lambda_function_arn = string<br/>      events              = optional(list(string), ["s3:ObjectCreated:*"])<br/>      filter_prefix       = string<br/>      filter_suffix       = string<br/>    })), [])<br/><br/>    queue_list = optional(list(object({<br/>      queue_arn = string<br/>      events    = optional(list(string), ["s3:ObjectCreated:*"])<br/>    })), [])<br/><br/>    topic_list = optional(list(object({<br/>      topic_arn = string<br/>      events    = optional(list(string), ["s3:ObjectCreated:*"])<br/>    })), [])<br/>  })</pre> | <pre>{<br/>  "enabled": false<br/>}</pre> | no |
 | <a name="input_expected_bucket_owner"></a> [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | Account ID of the expected bucket owner. <br/>More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html | `string` | `null` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.<br/>THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier. | `bool` | `false` | no |
 | <a name="input_grants"></a> [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.<br/>Conflicts with `acl`. Set `acl` to `null` to use this.<br/>Deprecated by AWS in favor of bucket policies.<br/>Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". | <pre>list(object({<br/>    id          = string<br/>    type        = string<br/>    permissions = list(string)<br/>    uri         = string<br/>  }))</pre> | `[]` | no |
@@ -314,6 +315,7 @@ Available targets:
 | <a name="input_s3_replication_permissions_boundary_arn"></a> [s3\_replication\_permissions\_boundary\_arn](#input\_s3\_replication\_permissions\_boundary\_arn) | Permissions boundary ARN for the created IAM replication role. | `string` | `null` | no |
 | <a name="input_s3_replication_rules"></a> [s3\_replication\_rules](#input\_s3\_replication\_rules) | Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | <pre>list(object({<br/>    id       = optional(string)<br/>    priority = optional(number)<br/>    prefix   = optional(string)<br/>    status   = optional(string, "Enabled")<br/>    # delete_marker_replication { status } had been flattened for convenience<br/>    delete_marker_replication_status = optional(string, "Disabled")<br/>    # Add the configuration as it appears in the resource, for consistency<br/>    # this nested version takes precedence if both are provided.<br/>    delete_marker_replication = optional(object({<br/>      status = string<br/>    }))<br/><br/>    # destination_bucket is specified here rather than inside the destination object because before optional<br/>    # attributes, it made it easier to work with the Terraform type system and create a list of consistent type.<br/>    # It is preserved for backward compatibility, but the nested version takes priority if both are provided.<br/>    destination_bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/><br/>    destination = object({<br/>      bucket        = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/>      storage_class = optional(string, "STANDARD")<br/>      # replica_kms_key_id at this level is for backward compatibility, and is overridden by the one in `encryption_configuration`<br/>      replica_kms_key_id = optional(string, "")<br/>      encryption_configuration = optional(object({<br/>        replica_kms_key_id = string<br/>      }))<br/>      access_control_translation = optional(object({<br/>        owner = string<br/>      }))<br/>      # account_id is for backward compatibility, overridden by account<br/>      account_id = optional(string)<br/>      account    = optional(string)<br/>      # For convenience, specifying either metrics or replication_time enables both<br/>      metrics = optional(object({<br/>        event_threshold = optional(object({<br/>          minutes = optional(number, 15) # Currently 15 is the only valid number<br/>        }), { minutes = 15 })<br/>        status = optional(string, "Enabled")<br/>      }), { status = "Disabled" })<br/>      # To preserve backward compatibility, Replication Time Control (RTC) is automatically enabled<br/>      # when metrics are enabled. To enable metrics without RTC, you must explicitly configure<br/>      # replication_time.status = "Disabled".<br/>      replication_time = optional(object({<br/>        time = optional(object({<br/>          minutes = optional(number, 15) # Currently 15 is the only valid number<br/>        }), { minutes = 15 })<br/>        status = optional(string)<br/>      }))<br/>    })<br/><br/>    source_selection_criteria = optional(object({<br/>      replica_modifications = optional(object({<br/>        status = string # Either Enabled or Disabled<br/>      }))<br/>      sse_kms_encrypted_objects = optional(object({<br/>        status = optional(string)<br/>      }))<br/>    }))<br/>    # filter.prefix overrides top level prefix<br/>    filter = optional(object({<br/>      prefix = optional(string)<br/>      tags   = optional(map(string), {})<br/>    }))<br/>  }))</pre> | `null` | no |
 | <a name="input_s3_replication_source_roles"></a> [s3\_replication\_source\_roles](#input\_s3\_replication\_source\_roles) | Cross-account IAM Role ARNs that will be allowed to perform S3 replication to this bucket (for replication within the same AWS account, it's not necessary to adjust the bucket policy). | `list(string)` | `[]` | no |
+| <a name="input_s3_request_payment_configuration"></a> [s3\_request\_payment\_configuration](#input\_s3\_request\_payment\_configuration) | S3 request payment configuration | <pre>object({<br/>    enabled               = bool<br/>    expected_bucket_owner = optional(string)<br/>    payer                 = string<br/>  })</pre> | <pre>{<br/>  "enabled": false,<br/>  "payer": "BucketOwner"<br/>}</pre> | no |
 | <a name="input_source_ip_allow_list"></a> [source\_ip\_allow\_list](#input\_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket | `list(string)` | `[]` | no |
 | <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents (in JSON) that are merged together into the exported document.<br/>Statements defined in source\_policy\_documents must have unique SIDs.<br/>Statement having SIDs that match policy SIDs generated by this module will override them. | `list(string)` | `[]` | no |
 | <a name="input_sse_algorithm"></a> [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"AES256"` | no |