terraform-aws-mcaf-s3

Terraform module to create an AWS S3 Bucket.

IMPORTANT: We do not pin modules to versions in our examples. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable.

Server access logging

Server access logging provides detailed records for the requests that are made to a bucket and can useful in security and access audits. However logging to the same bucket is not recommended and is disabled using this module. See AWS' explanation here:

Your target bucket should not have server access logging enabled. You can have logs delivered to any bucket that you own that is in the same Region as the source bucket, including the source bucket itself. However, this would cause an infinite loop of logs and is not recommended. For simpler log management, we recommend that you save access logs in a different bucket.

Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html

Requirements

Name	Version
terraform	>= 1.2.0
aws	>= 4.9.0

Providers

Name	Version
aws	>= 4.9.0

Modules

No modules.

Resources

Name	Type
aws_s3_bucket.default	resource
aws_s3_bucket_acl.default	resource
aws_s3_bucket_cors_configuration.default	resource
aws_s3_bucket_inventory.default	resource
aws_s3_bucket_lifecycle_configuration.default	resource
aws_s3_bucket_logging.default	resource
aws_s3_bucket_notification.eventbridge	resource
aws_s3_bucket_object_lock_configuration.default	resource
aws_s3_bucket_ownership_controls.default	resource
aws_s3_bucket_policy.default	resource
aws_s3_bucket_public_access_block.default	resource
aws_s3_bucket_replication_configuration.default	resource
aws_s3_bucket_server_side_encryption_configuration.default	resource
aws_s3_bucket_versioning.default	resource
aws_iam_policy_document.combined	data source
aws_iam_policy_document.logging_policy	data source
aws_iam_policy_document.ssl_policy	data source

Inputs

Name	Description	Type	Default	Required
acl	The canned ACL to apply, defaults to private.	string	"private"	no
block_public_acls	Whether Amazon S3 should block public ACLs for this bucket.	bool	true	no
block_public_policy	Whether Amazon S3 should block public bucket policies for this bucket.	bool	true	no
cors_rule	The CORS rule for the S3 bucket	object({ allowed_headers = list(string) allowed_methods = list(string) allowed_origins = list(string) expose_headers = list(string) max_age_seconds = number })	null	no
eventbridge_enabled	Whether to enable Amazon EventBridge notifications.	bool	false	no
force_destroy	A boolean that indicates all objects should be deleted when deleting the bucket.	bool	false	no
ignore_public_acls	Whether Amazon S3 should ignore public ACLs for this bucket.	bool	true	no
inventory_configuration	Bucket inventory configuration settings	map(object({ enabled = optional(bool, true) filter_prefix = optional(string, null) frequency = optional(string, "Weekly") included_object_versions = optional(string, "Current") optional_fields = optional(list(string), null) destination = object({ account_id = string bucket_arn = string format = optional(string, "Parquet") prefix = optional(string, null) encryption = optional(object({ encryption_type = string kms_key_id = optional(string, null) }), { encryption_type = "sse_s3" }) }) }))	{}	no
kms_key_arn	The KMS key ARN used for the bucket encryption.	string	null	no
lifecycle_rule	List of maps containing lifecycle management configuration settings.	any	[]	no
logging	Logging configuration, logging is disabled by default.	object({ target_bucket = string target_prefix = string })	null	no
logging_source_bucket_arns	Configures which source buckets are allowed to log to this bucket.	list(string)	[]	no
name	The Name of the bucket. If omitted, Terraform will assign a random, unique name. Conflicts with name_prefix.	string	null	no
name_prefix	Creates a unique bucket name beginning with the specified prefix. Conflicts with name.	string	null	no
object_lock_days	The number of days that you want to specify for the default retention period.	number	null	no
object_lock_mode	The default object Lock retention mode to apply to new objects.	string	null	no
object_lock_years	The number of years that you want to specify for the default retention period.	number	null	no
object_ownership_type	The object ownership type for the objects in S3 Bucket, defaults to BucketOwnerEnforced.	string	"BucketOwnerEnforced"	no
policy	A valid bucket policy JSON document.	string	null	no
replication_configuration	Bucket replication configuration settings, specify the rules map keys as integers as these are used to determine the priority of the rules in case of conflict.	object({ iam_role_arn = string rules = map(object({ id = string dest_bucket = string dest_storage_class = optional(string, null) replica_kms_key_arn = optional(string, null) source_selection_criteria = optional(object({ replica_modifications = optional(bool, false) sse_kms_encrypted_objects = optional(bool, false) })) })) })	null	no
restrict_public_buckets	Whether Amazon S3 should restrict public bucket policies for this bucket.	bool	true	no
tags	A mapping of tags to assign to the bucket.	map(string)	{}	no
versioning	Versioning is a means of keeping multiple variants of an object in the same bucket.	bool	false	no

Outputs

Name	Description
arn	ARN of the bucket
name	Name of the bucket

Licensing

100% Open Source and licensed under the Apache License Version 2.0. See LICENSE for full details.