cloudposse · pazaan · Jul 5, 2024 · Jul 19, 2024 · Jul 19, 2024 · Jul 21, 2024
@@ -2,7 +2,7 @@
 _extends: .github
 repository:
   name: terraform-aws-tfstate-backend
-  description: Terraform module that provision an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption.
+  description: Terraform module that provisions an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption.
   homepage: https://cloudposse.com/accelerate
   topics: terraform, terraform-module, aws, tfstate, dynamodb, locking, aws-dynamodb, terraform-modules, dynamodb-table, s3-bucket, backend, terraform-state, remote-state, hcl2
 
@@ -292,7 +292,7 @@ Available targets:
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM replication role | `string` | `""` | no |
-| <a name="input_prevent_unencrypted_uploads"></a> [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Prevent uploads of unencrypted objects to S3 | `bool` | `true` | no |
+| <a name="input_prevent_unencrypted_uploads"></a> [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Enforce requirement to specify encryption key when uploading content to the S3 bucket.<br>The name of this variable is a little misleading.  Since a default encryption key is created<br>for the bucket by this module, contents are always encrypted at rest.<br>Setting this variable to `true` (the default) will require that uploads to the bucket will need<br>to be initiated with a specific encryption key.<br>If this variable is set to `true` and an upload is attempted without specifying an encryption key<br>(including using the S3 Console), an "Access Denied" error will be thrown by AWS. | `bool` | `true` | no |
 | <a name="input_profile"></a> [profile](#input\_profile) | AWS profile name as set in the shared credentials file | `string` | `""` | no |
 | <a name="input_read_capacity"></a> [read\_capacity](#input\_read\_capacity) | DynamoDB read capacity units when using provisioned mode | `number` | `5` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |

@@ -86,7 +86,7 @@
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM replication role | `string` | `""` | no |
-| <a name="input_prevent_unencrypted_uploads"></a> [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Prevent uploads of unencrypted objects to S3 | `bool` | `true` | no |
+| <a name="input_prevent_unencrypted_uploads"></a> [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Enforce requirement to specify encryption key when uploading content to the S3 bucket.<br>The name of this variable is a little misleading.  Since a default encryption key is created<br>for the bucket by this module, contents are always encrypted at rest.<br>Setting this variable to `true` (the default) will require that uploads to the bucket will need<br>to be initiated with a specific encryption key.<br>If this variable is set to `true` and an upload is attempted without specifying an encryption key<br>(including using the S3 Console), an "Access Denied" error will be thrown by AWS. | `bool` | `true` | no |
 | <a name="input_profile"></a> [profile](#input\_profile) | AWS profile name as set in the shared credentials file | `string` | `""` | no |
 | <a name="input_read_capacity"></a> [read\_capacity](#input\_read\_capacity) | DynamoDB read capacity units when using provisioned mode | `number` | `5` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |

@@ -1,160 +1,6 @@
 variable "region" {
-  type = string
-}
-
-variable "arn_format" {
-  type        = string
-  default     = "arn:aws"
-  description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions."
-}
-
-variable "acl" {
-  type        = string
-  description = "The canned ACL to apply to the S3 bucket"
-  default     = "private"
-}
-
-variable "billing_mode" {
-  default     = "PROVISIONED"
-  description = "DynamoDB billing mode"
-}
-
-variable "read_capacity" {
-  default     = 5
-  description = "DynamoDB read capacity units"
-}
-
-variable "write_capacity" {
-  default     = 5
-  description = "DynamoDB write capacity units"
-}
-
-variable "force_destroy" {
-  type        = bool
-  description = "A boolean that indicates the S3 bucket can be destroyed even if it contains objects. These objects are not recoverable"
-  default     = false
-}
-
-variable "mfa_delete" {
-  type        = bool
-  description = "A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 )"
-  default     = false
-}
-
-variable "enable_point_in_time_recovery" {
-  type        = bool
-  description = "Enable DynamoDB point-in-time recovery"
-  default     = true
-}
-
-variable "enable_server_side_encryption" {
-  type        = bool
-  description = "Enable DynamoDB server-side encryption"
-  default     = true
-}
-
-variable "enable_public_access_block" {
-  type        = bool
-  description = "Enable Bucket Public Access Block"
-  default     = true
-}
-
-variable "block_public_acls" {
-  type        = bool
-  description = "Whether Amazon S3 should block public ACLs for this bucket"
-  default     = true
-}
-
-variable "ignore_public_acls" {
-  type        = bool
-  description = "Whether Amazon S3 should ignore public ACLs for this bucket"
-  default     = true
-}
-
-variable "block_public_policy" {
-  description = "Whether Amazon S3 should block public bucket policies for this bucket"
-  default     = true
-}
-
-variable "restrict_public_buckets" {
-  type        = bool
-  description = "Whether Amazon S3 should restrict public bucket policies for this bucket"
-  default     = true
-}
-
-variable "prevent_unencrypted_uploads" {
-  type        = bool
-  default     = true
-  description = "Prevent uploads of unencrypted objects to S3"
-}
-
-variable "profile" {
-  type        = string
-  default     = ""
-  description = "AWS profile name as set in the shared credentials file"
-}
-
-variable "role_arn" {
-  type        = string
-  default     = ""
-  description = "The role to be assumed"
-}
-
-variable "terraform_backend_config_file_name" {
-  type        = string
-  default     = "terraform.tf"
-  description = "Name of terraform backend config file"
-}
-
-variable "terraform_backend_config_file_path" {
   type        = string
-  default     = ""
-  description = "Directory for the terraform backend config file, usually `.`. The default is to create no file."
-}
-
-variable "terraform_backend_config_template_file" {
-  type        = string
-  default     = ""
-  description = "The path to the template used to generate the config file"
-}
-
-variable "terraform_version" {
-  type        = string
-  default     = "0.12.2"
-  description = "The minimum required terraform version"
-}
-
-variable "terraform_state_file" {
-  type        = string
-  default     = "terraform.tfstate"
-  description = "The path to the state file inside the bucket"
-}
-
-variable "s3_bucket_name" {
-  type        = string
-  default     = ""
-  description = "S3 bucket name. If not provided, the name will be generated by the label module in the format namespace-stage-name"
-}
-
-variable "s3_replication_enabled" {
-  type        = bool
-  default     = false
-  description = "Set this to true and specify `s3_replica_bucket_arn` to enable replication"
-}
-
-variable "s3_replica_bucket_arn" {
-  type        = string
-  default     = ""
-  description = "The ARN of the S3 replica bucket (destination)"
-}
-
-variable "logging" {
-  type = object({
-    bucket_name = string
-    prefix      = string
-  })
-  default     = null
-  description = "Bucket access logging configuration."
+  description = "AWS region"
 }
 
 variable "bucket_enabled" {

@@ -92,7 +92,15 @@ variable "restrict_public_buckets" {
 variable "prevent_unencrypted_uploads" {
   type        = bool
   default     = true
-  description = "Prevent uploads of unencrypted objects to S3"
+  description = <<-EOT
+    Enforce requirement to specify encryption key when uploading content to the S3 bucket.
+    The name of this variable is a little misleading.  Since a default encryption key is created
+    for the bucket by this module, contents are always encrypted at rest.
+    Setting this variable to `true` (the default) will require that uploads to the bucket will need
+    to be initiated with a specific encryption key.
+    If this variable is set to `true` and an upload is attempted without specifying an encryption key
+    (including using the S3 Console), an "Access Denied" error will be thrown by AWS.
+    EOT
 }
 
 variable "profile" {