pbs/terraform-aws-s3-module

PBS TF S3 Module

Installation

Using the Repo Source

Use this URL as the source of the module. See the usage examples below for more details.

`github.com/pbs/terraform-aws-s3-module?ref=4.0.14`

Alternative Installation Methods

More information on these and other install methods can be found in the documentation here.

Usage

This module provisions an S3 bucket.

The bucket is always encrypted with server-side encryption using AES256 (SSE-S3); this cannot be changed.

By default, the bucket will be versioned. This can be adjusted by using the is_versioned parameter.

If your use case requires adjusting the CORS configuration of the bucket, that is exposed through the cors_rules parameter.

Integrate this module like so:

```hcl
module "s3" {
  source = "github.com/pbs/terraform-aws-s3-module?ref=4.0.14"

  # Tagging Parameters
  organization = var.organization
  environment  = var.environment
  product      = var.product
  repo         = var.repo

  # Optional Parameters
}
```
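The following is an added example, not taken from the module's README, of a module call that sets the optional inputs documented under Inputs explicitly rather than relying on defaults: versioning with a bounded retention for old object versions, the public-access and TLS settings, and a CORS rule scoped to one origin and to read methods. The origin, header names, retention periods and module label are constructed for illustration.

```hcl
# Added example (not from the module's README): explicit, security-relevant
# optional inputs. All input names come from the module's Inputs list.
module "assets" {
  source = "github.com/pbs/terraform-aws-s3-module?ref=4.0.14"

  # Tagging Parameters
  organization = var.organization
  environment  = var.environment
  product      = var.product
  repo         = var.repo

  # Optional Parameters

  # Versioning is on by default; keep it so overwritten or deleted objects can
  # be recovered. The lifecycle rule below bounds how long old versions live.
  is_versioned = true

  # Module defaults, restated so a reviewer sees them: reject plaintext HTTP
  # and keep every public-access block on so a permissive ACL or policy
  # cannot expose objects.
  force_tls               = true
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # CORS: one named origin (constructed) and read-only methods instead of "*".
  cors_rules = [
    {
      allowed_headers = ["Authorization", "Content-Type"]
      allowed_methods = ["GET", "HEAD"]
      allowed_origins = ["https://www.example.org"]
      expose_headers  = ["ETag"]
      max_age_seconds = 3600
    }
  ]

  # Setting lifecycle_rules replaces the module's default rule, so the parts
  # of it worth keeping (multipart-upload cleanup, tiering, noncurrent
  # versions to GLACIER) are restated, and an expiry for noncurrent versions
  # is added so a versioned bucket does not grow without bound.
  lifecycle_rules = [
    {
      id                                     = "versioned-retention"
      abort_incomplete_multipart_upload_days = 7
      transition = [
        { days = 7, storage_class = "INTELLIGENT_TIERING" }
      ]
      noncurrent_version_transition = [
        { days = 30, storage_class = "GLACIER" }
      ]
      noncurrent_version_expiration = {
        days = 90 # constructed retention period
      }
    }
  ]
}

output "assets_bucket_arn" {
  value = module.assets.arn
}
```

Because every attribute in the `lifecycle_rules` object type except `id` is `optional(...)`, the omitted attributes (`filter`, `expiration`, `enabled`) take their declared defaults, so a rule can be written as tersely as the one above.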

It is highly recommended that you enable an S3 Inventory configuration (the `inventory_config` input) when using this module.

Do this like so:

```hcl
module "s3" {
  source = "../modules/s3"

  # Tagging Parameters
  organization = var.organization
  environment  = var.environment
  product      = var.product
  repo         = var.repo

  # Optional Parameters
  # Inventory is configured through the inventory_config input (see Inputs);
  # the report is delivered to the bucket named in destination.bucket.name.
  inventory_config = {
    destination = {
      bucket = {
        name = var.inventory_bucket
      }
    }
  }
}
```

Adding This Version of the Module

If this repo is added as a subtree, then the version of the module should be close to the version shown here:

4.0.14

Note, however, that subtrees can be altered as desired within repositories.

Further documentation on usage can be found here.

Below is automatically generated documentation on this Terraform module using terraform-docs.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.2 |
| aws | >= 4.5.0 |

Providers

| Name | Version |
|------|---------|
| aws | 5.24.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| s3_policy | github.com/pbs/terraform-aws-s3-bucket-policy-module | 1.0.21 |

Resources

| Name | Type |
|------|------|
| aws_iam_role.replication_role | resource |
| aws_iam_role_policy.replication_policy | resource |
| aws_s3_bucket.bucket | resource |
| aws_s3_bucket_acl.acl | resource |
| aws_s3_bucket_cors_configuration.cors_configuration | resource |
| aws_s3_bucket_inventory.inventory_prefix | resource |
| aws_s3_bucket_lifecycle_configuration.lifecycle_configuration | resource |
| aws_s3_bucket_ownership_controls.ownership_controls | resource |
| aws_s3_bucket_public_access_block.public_access_block | resource |
| aws_s3_bucket_replication_configuration.replication | resource |
| aws_s3_bucket_server_side_encryption_configuration.encryption | resource |
| aws_s3_bucket_versioning.versioning | resource |
| aws_caller_identity.current | data source |
| aws_default_tags.common_tags | data source |
| aws_iam_policy_document.s3_assume_role_policy | data source |

Inputs

The four tagging inputs are required; every other input is optional and listed with its type and default.

- `environment` (`string`, required): Environment (sharedtools, dev, staging, qa, prod)
- `organization` (`string`, required): Organization using this module. Used to prefix tags so that they are easily identified as being from your organization
- `product` (`string`, required): Tag used to group resources according to product
- `repo` (`string`, required): Tag used to point to the repo using this module
- `acl` (default `null`): ACL configuration for the bucket. If an ACL is not provided, the bucket will be created with ACLs disabled. Type:

  ```hcl
  object({
    canned_acl            = optional(string)
    expected_bucket_owner = optional(string)
    access_control_policy = optional(object({
      grants = set(object({
        grantee = object({
          type          = string
          email_address = optional(string)
          id            = optional(string)
          uri           = optional(string)
        })
        permission = string
      }))
      owner = object({
        id           = string
        display_name = optional(string)
      })
    }))
  })
  ```

- `allow_anonymous_vpce_access` (`bool`, default `false`): Create bucket policy that allows anonymous VPCE access.
- `block_public_acls` (`bool`, default `true`): Whether Amazon S3 should block public ACLs for this bucket.
- `block_public_policy` (`bool`, default `true`): Whether Amazon S3 should block public bucket policies for this bucket.
- `bucket_policy` (`string`, default `null`): Policy to apply to the bucket. If null, one will be guessed based on other variables.
- `cloudfront_oac_access_statements` (default `[]`): List of objects that define the CloudFront origin access identity access statement. Each object must have a cloudfront_arn and path key. Type:

  ```hcl
  list(object({
    cloudfront_arn = string
    path           = optional(string, "*")
  }))
  ```

- `cors_rules` (default `[]`): CORS Rules. Type:

  ```hcl
  set(object({
    allowed_headers = list(string),
    allowed_methods = list(string),
    allowed_origins = list(string),
    expose_headers  = list(string),
    max_age_seconds = number
  }))
  ```

- `create_bucket_policy` (`bool`, default `true`): Create a bucket policy for the bucket
- `force_destroy` (`bool`, default `false`): Allow destruction of an S3 bucket without clearing out the contents first
- `force_tls` (`bool`, default `true`): Deny HTTP requests that are made to the bucket without TLS.
- `ignore_public_acls` (`bool`, default `true`): Whether Amazon S3 should ignore public ACLs for this bucket.
- `inventory_config` (default `null`): Inventory configuration. Type:

  ```hcl
  object({
    enabled                  = optional(bool, true)
    included_object_versions = optional(string, "All")
    destination = object({
      bucket = object({
        name       = string
        format     = optional(string, "Parquet")
        prefix     = optional(string)
        account_id = optional(string)
      })
    })
    filter = optional(object({
      prefix = string
    }))
    schedule = optional(object({
      frequency = string
    }), {
      frequency = "Daily"
    })
    optional_fields = optional(list(string), [
      "Size",
      "LastModifiedDate",
      "StorageClass",
      "IntelligentTieringAccessTier",
    ])
  })
  ```

- `is_versioned` (`bool`, default `true`): Is versioning enabled?
- `lifecycle_rules`: List of maps containing configuration of object lifecycle management. Type:

  ```hcl
  list(object({
    id      = string
    enabled = optional(bool, true)
    filter = optional(object({
      and = optional(list(object({
        object_size_greater_than = optional(number)
        object_size_less_than    = optional(number)
        prefix                   = optional(string)
        tags                     = optional(map(string))
      })))
      object_size_greater_than = optional(number)
      object_size_less_than    = optional(number)
      prefix                   = optional(string)
      tag = optional(object({
        key   = string
        value = string
      }))
    }))
    abort_incomplete_multipart_upload_days = optional(number)
    expiration = optional(object({
      date                         = optional(string)
      days                         = optional(number)
      expired_object_delete_marker = optional(bool)
    }))
    noncurrent_version_expiration = optional(object({
      days = optional(number)
    }))
    noncurrent_version_transition = optional(list(object({
      days          = optional(number)
      storage_class = optional(string)
    })), [])
    transition = optional(list(object({
      date          = optional(string)
      days          = optional(number)
      storage_class = string
    })), [])
  }))
  ```

  Default:

  ```json
  [
    {
      "abort_incomplete_multipart_upload_days": 7,
      "enabled": true,
      "id": "default-lifecycle-rule",
      "noncurrent_version_transition": [
        {
          "days": 30,
          "storage_class": "GLACIER"
        }
      ],
      "transition": [
        {
          "days": 7,
          "storage_class": "INTELLIGENT_TIERING"
        }
      ]
    }
  ]
  ```

- `name` (`string`, default `null`): Name to use for the bucket. If null, will default to product.
- `override_policy_documents` (`list(string)`, default `null`): List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank sids will override statements with the same sid from earlier documents in the list. Statements with non-blank sids will also override statements with the same sid from documents provided in the source_json and source_policy_documents arguments. Non-overriding statements will be added to the exported document.
- `replication_configuration_set` (default `[]`): Set of (single) replication that needs to be managed by this bucket. If empty, no replication takes place. Type:

  ```hcl
  set(object({
    role = string,
    rules = set(object({
      id                                           = string
      priority                                     = number
      status                                       = string
      destination_account_id                       = string
      destination_bucket                           = string
      destination_access_control_translation_owner = string
    }))
  }))
  ```

- `replication_configuration_shortcut` (default `null`): Shorthand version of the configuration used in replication_configuration_set. Is overridden by replication_configuration_set if defined. Type:

  ```hcl
  object({
    destination_account_id = string
    destination_bucket     = string
  })
  ```

- `replication_source` (default `null`): The account number and role for the source bucket in a replication configuration. Type:

  ```hcl
  object({
    account_id = string
    role       = string
  })
  ```

- `restrict_public_buckets` (`bool`, default `true`): Whether Amazon S3 should restrict public bucket policies for this bucket.
- `source_policy_documents` (`list(string)`, default `null`): List of IAM policy documents that are merged together into the exported document. Statements defined in source_policy_documents or source_json must have unique sids. Statements with the same sid from documents assigned to the override_json and override_policy_documents arguments will override source statements.
- `tags` (`map(string)`, default `{}`): Extra tags
- `use_prefix` (`bool`, default `true`): Create bucket with prefix instead of explicit name
- `vpce` (`string`, default `null`): Name of the VPC endpoint that should have access to this bucket. Only used when allow_anonymous_vpce_access is true.
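The bucket-policy inputs above compose into one exported document: the module's own generated statements (TLS enforcement, CloudFront access) plus any documents the caller passes in `source_policy_documents` or `override_policy_documents`. The following added example, which is not part of the module's README, shows a bucket served through CloudFront where access is limited to a single distribution under one path prefix and a single audit role is granted read-only access. The distribution ARN, role ARN and bucket name are constructed placeholders, and it assumes that with `use_prefix = false` the bucket is created under exactly the given `name`, so its ARN can be written down before apply.

```hcl
# Added example (not from the module's README): composing the bucket policy.
locals {
  bucket_name          = "example-site-assets"                                    # constructed
  cdn_distribution_arn = "arn:aws:cloudfront::111111111111:distribution/EXAMPLE1" # constructed
  audit_role_arn       = "arn:aws:iam::111111111111:role/ExampleAuditRole"        # constructed

  # Assumption: with use_prefix = false the bucket gets this exact name, so the
  # ARN is known up front and the policy document below can reference it
  # without creating a dependency cycle through the module's outputs.
  bucket_arn = "arn:aws:s3:::${local.bucket_name}"
}

# Extra statement merged into the generated policy via source_policy_documents.
# Its sid must be unique across all source documents, as the input notes.
data "aws_iam_policy_document" "audit_read" {
  statement {
    sid    = "AuditReadOnly"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [local.audit_role_arn]
    }

    # Read-only: no Put/Delete, and scoped to this bucket and its objects.
    actions   = ["s3:GetObject", "s3:ListBucket"]
    resources = [local.bucket_arn, "${local.bucket_arn}/*"]
  }
}

module "site" {
  source = "github.com/pbs/terraform-aws-s3-module?ref=4.0.14"

  # Tagging Parameters
  organization = var.organization
  environment  = var.environment
  product      = var.product
  repo         = var.repo

  # Optional Parameters
  name       = local.bucket_name
  use_prefix = false

  # Keep the generated policy (create_bucket_policy defaults to true) and
  # force_tls on, so the merged document still denies non-TLS requests.
  create_bucket_policy = true
  force_tls            = true

  # Only this distribution may read, and only objects under static/.
  cloudfront_oac_access_statements = [
    {
      cloudfront_arn = local.cdn_distribution_arn
      path           = "static/*"
    }
  ]

  # Caller-supplied statement merged into the exported policy document.
  source_policy_documents = [data.aws_iam_policy_document.audit_read.json]
}

output "site_bucket_arn" {
  value = module.site.arn
}
```

If a statement in the generated document ever needs to be replaced rather than added to, reuse its sid in a document passed through `override_policy_documents` instead; per the input descriptions, same-sid override statements win over source statements.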

Outputs

| Name | Description |
|------|-------------|
| arn | ARN of the bucket |
| name | Name of the bucket |
| regional_domain_name | Regional domain name |
| replication_role | Replication role if exists |