» Resource: aws_s3_bucket

Provides an S3 bucket resource.

» Example Usage

» Private Bucket w/ Tags

# Private bucket with tags. The "private" canned ACL grants nothing to
# anyone outside the owning account via the ACL; any further access has to
# come from a bucket policy, grant or IAM.
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  # Free-form key/value metadata attached to the bucket itself.
  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

» Static Website Hosting

# Static website hosting. Objects are served from the S3 website endpoint,
# so the ACL is deliberately world-readable; do not copy this ACL for a
# bucket that holds anything non-public.
resource "aws_s3_bucket" "b" {
  # The bucket is named after the hostname it serves (see website_domain in
  # the Attributes Reference). NOTE(review): custom-domain website hosting
  # presumably requires the name to match the hostname — confirm for your setup.
  bucket = "s3-website-test.hashicorp.com"

  # "public-read": anonymous requests may read every object in the bucket.
  acl    = "public-read"

  # Bucket policy read from a file beside this configuration. Its contents
  # are not shown here and decide what else (if anything) is granted.
  policy = "${file("policy.json")}"

  website {
    # Returned for requests to the root domain or any subfolder.
    index_document = "index.html"
    # Returned in place of a 4XX error.
    error_document = "error.html"

    # JSON array of redirect rules; this one rewrites requests for the
    # "docs/" key prefix to "documents/".
    routing_rules = <<EOF
[{
    "Condition": {
        "KeyPrefixEquals": "docs/"
    },
    "Redirect": {
        "ReplaceKeyPrefixWith": "documents/"
    }
}]
EOF
  }
}

» Using CORS

# CORS configuration. CORS only tells browsers which cross-origin requests
# they may issue; it is not an access control on the objects themselves,
# which is still decided by the ACL, policy and grants.
resource "aws_s3_bucket" "b" {
  bucket = "s3-website-test.hashicorp.com"
  # World-readable: anonymous requests may read every object.
  acl    = "public-read"

  cors_rule {
    # Any request header is accepted on cross-origin requests...
    allowed_headers = ["*"]
    # ...for these methods only (GET, PUT, POST, DELETE, HEAD are valid)...
    allowed_methods = ["PUT", "POST"]
    # ...and only from this single origin, which is the effective restriction.
    allowed_origins = ["https://s3-website-test.hashicorp.com"]
    # Response headers the browser is permitted to expose to page scripts.
    expose_headers  = ["ETag"]
    # Seconds a browser may cache the preflight response.
    max_age_seconds = 3000
  }
}

» Using versioning

# Versioning keeps every version of an object, which protects against
# accidental overwrites and deletes. Once enabled, a bucket can only be
# suspended, never returned to an unversioned state (see the versioning
# arguments below).
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  versioning {
    enabled = true
  }
}

» Enable Logging

# Bucket that receives server access logs. The "log-delivery-write" canned
# ACL grants the S3 log delivery group what it needs to write log objects
# here; keep this bucket separate from the buckets it logs for.
resource "aws_s3_bucket" "log_bucket" {
  bucket = "my-tf-log-bucket"
  acl    = "log-delivery-write"
}

# Bucket whose access logs are delivered to log_bucket.
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  logging {
    # The `id` of an aws_s3_bucket is its name, so this resolves to the log
    # bucket's name. The log bucket's ACL must permit log delivery.
    target_bucket = "${aws_s3_bucket.log_bucket.id}"
    # Key prefix under which the log objects are written.
    target_prefix = "log/"
  }
}

» Using object lifecycle

# Lifecycle rules: tier objects to cheaper storage and delete them on a
# schedule. A rule can be scoped by key prefix and by object tags.
resource "aws_s3_bucket" "bucket" {
  bucket = "my-bucket"
  acl    = "private"

  # Objects under "log/" that carry both tags below: move to STANDARD_IA
  # after 30 days, to GLACIER after 60, and delete after 90.
  lifecycle_rule {
    id      = "log"
    enabled = true

    prefix = "log/"

    tags = {
      "rule"      = "log"
      "autoclean" = "true"
    }

    transition {
      days          = 30
      storage_class = "STANDARD_IA" # or "ONEZONE_IA"
    }

    transition {
      days          = 60
      storage_class = "GLACIER"
    }

    expiration {
      days = 90
    }
  }

  # Objects under "tmp/": expire on a fixed calendar date rather than an
  # age. NOTE(review): this date is already in the past, so matching objects
  # presumably expire as soon as the rule is applied — confirm before copying.
  lifecycle_rule {
    id      = "tmp"
    prefix  = "tmp/"
    enabled = true

    expiration {
      date = "2016-01-12"
    }
  }
}

# Lifecycle rules for noncurrent versions in a versioned bucket: old
# versions under "config/" are tiered down and eventually deleted, which
# bounds the storage cost of keeping versioning on.
resource "aws_s3_bucket" "versioning_bucket" {
  bucket = "my-versioning-bucket"
  acl    = "private"

  # Noncurrent-version actions only apply when versioning is enabled.
  versioning {
    enabled = true
  }

  lifecycle_rule {
    prefix  = "config/"
    enabled = true

    # Number of days before noncurrent versions transition / expire.
    noncurrent_version_transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }

    noncurrent_version_transition {
      days          = 60
      storage_class = "GLACIER"
    }

    noncurrent_version_expiration {
      days = 90
    }
  }
}

» Using replication configuration

# Default provider: resources without an explicit `provider` argument (the
# destination bucket, IAM role and policy below) are created in eu-west-1.
provider "aws" {
  region = "eu-west-1"
}

# Aliased provider used for the source bucket, so this example replicates
# across regions (eu-central-1 -> eu-west-1).
provider "aws" {
  alias  = "central"
  region = "eu-central-1"
}

# Role that S3 assumes to replicate objects on the account's behalf. The
# trust policy names only the S3 service principal; the permissions the
# role carries come from the aws_iam_policy attached below.
# NOTE(review): the trust is to the S3 service as a whole — consider a
# Condition that pins the calling account/bucket to reduce confused-deputy
# risk; confirm the supported condition keys in the AWS documentation.
resource "aws_iam_role" "replication" {
  name = "tf-iam-role-replication-12345"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}

# Least-privilege permissions for the replication role: read the
# replication configuration and listing of the source bucket, read object
# versions (and their ACLs) in the source, and write replicas/deletes only
# into the destination. Bucket-level actions are scoped to the bucket ARN,
# object-level actions to "<bucket arn>/*".
resource "aws_iam_policy" "replication" {
  name = "tf-iam-role-policy-replication-12345"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.bucket.arn}"
      ]
    },
    {
      "Action": [
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.bucket.arn}/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.destination.arn}/*"
    }
  ]
}
POLICY
}

# Binds the replication policy to the replication role; without this the
# role is assumable but can do nothing.
resource "aws_iam_role_policy_attachment" "replication" {
  role       = "${aws_iam_role.replication.name}"
  policy_arn = "${aws_iam_policy.replication.arn}"
}

# Replication target, created through the default provider (eu-west-1). No
# `acl` is set, so the bucket keeps the default ACL. Versioning is enabled
# here as on the source: replication works on object versions (note the
# s3:GetObjectVersion permission in the policy above).
resource "aws_s3_bucket" "destination" {
  bucket = "tf-test-bucket-destination-12345"
  region = "eu-west-1"

  versioning {
    enabled = true
  }
}

# Replication source, created through the aliased provider in eu-central-1.
resource "aws_s3_bucket" "bucket" {
  provider = "aws.central"
  bucket   = "tf-test-bucket-12345"
  acl      = "private"
  region   = "eu-central-1"

  versioning {
    enabled = true
  }

  replication_configuration {
    # Role S3 assumes when replicating; it must carry the permissions
    # attached above.
    role = "${aws_iam_role.replication.arn}"

    rules {
      id     = "foobar"
      # Only keys starting with "foo" are replicated. Within a rule,
      # prefix and filter are mutually exclusive.
      prefix = "foo"
      # "Enabled" or "Disabled"; a rule whose status is not Enabled is ignored.
      status = "Enabled"

      destination {
        # The destination is identified by bucket ARN, not by name.
        bucket        = "${aws_s3_bucket.destination.arn}"
        storage_class = "STANDARD"
      }
    }
  }
}

» Enable Default Server Side Encryption

# Customer-managed KMS key for default bucket encryption. Using your own key
# rather than the AWS-managed aws/s3 key lets the key policy govern who can
# decrypt objects. NOTE(review): automatic key rotation is not turned on in
# this example (enable_key_rotation); consider it for production keys.
resource "aws_kms_key" "mykey" {
  description             = "This key is used to encrypt bucket objects"
  # Waiting period before a scheduled deletion of the key takes effect.
  deletion_window_in_days = 10
}

# Default server-side encryption: objects written without an explicit
# encryption header are encrypted with SSE-KMS under the key above.
resource "aws_s3_bucket" "mybucket" {
  bucket = "mybucket"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        # Key ARN to use; if omitted while sse_algorithm is "aws:kms", the
        # default aws/s3 key is used instead.
        kms_master_key_id = "${aws_kms_key.mykey.arn}"
        # "aws:kms" (KMS-managed key) or "AES256" (S3-managed keys).
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

» Using ACL policy grants

# Looks up the canonical user ID of the calling account, used as the
# grantee of the FULL_CONTROL grant below.
data "aws_canonical_user_id" "current_user" {}

# Bucket ACL expressed as explicit grants. No canned `acl` is set here; the
# grant blocks describe the ACL instead.
resource "aws_s3_bucket" "bucket" {
  bucket = "mybucket"

  # The calling account keeps full control of the bucket.
  grant {
    id          = "${data.aws_canonical_user_id.current_user.id}"
    type        = "CanonicalUser"
    permissions = ["FULL_CONTROL"]
  }

  # The S3 log delivery group may read and write — typically what a bucket
  # used as a server-access-log target needs. Group grants are addressed by
  # URI; check that this is the intended group before copying.
  grant {
    type        = "Group"
    permissions = ["READ", "WRITE"]
    uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
  }
}

» Argument Reference

The following arguments are supported:

The website object supports the following:

  • index_document - (Required, unless using redirect_all_requests_to) Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders.
  • error_document - (Optional) An absolute path to the document to return in case of a 4XX error.
  • redirect_all_requests_to - (Optional) A hostname to redirect all website requests for this bucket to. Hostname can optionally be prefixed with a protocol (http:// or https://) to use when redirecting requests. The default is the protocol that is used in the original request.
  • routing_rules - (Optional) A json array containing routing rules describing redirect behavior and when redirects are applied.

The CORS object supports the following:

  • allowed_headers (Optional) Specifies which headers are allowed.
  • allowed_methods (Required) Specifies which methods are allowed. Can be GET, PUT, POST, DELETE or HEAD.
  • allowed_origins (Required) Specifies which origins are allowed.
  • expose_headers (Optional) Specifies which headers to expose in the response.
  • max_age_seconds (Optional) Specifies the time in seconds that the browser can cache the response to a preflight request.

The versioning object supports the following:

  • enabled - (Optional) Enable versioning. Once you version-enable a bucket, it can never return to an unversioned state. You can, however, suspend versioning on that bucket.
  • mfa_delete - (Optional) Enable MFA delete, which requires MFA either to change the versioning state of your bucket or to permanently delete an object version. Default is false. This argument cannot be used to toggle the setting; it is available so that managed buckets can reflect the state in AWS.

The logging object supports the following:

  • target_bucket - (Required) The name of the bucket that will receive the log objects.
  • target_prefix - (Optional) To specify a key prefix for log objects.

The lifecycle_rule object supports the following:

  • id - (Optional) Unique identifier for the rule.
  • prefix - (Optional) Object key prefix identifying one or more objects to which the rule applies.
  • tags - (Optional) Specifies object tags key and value.
  • enabled - (Required) Specifies lifecycle rule status.
  • abort_incomplete_multipart_upload_days (Optional) Specifies the number of days after initiating a multipart upload when the multipart upload must be completed.
  • expiration - (Optional) Specifies when objects expire (documented below).
  • transition - (Optional) Specifies when objects transition to another storage class (documented below).
  • noncurrent_version_expiration - (Optional) Specifies when noncurrent object versions expire (documented below).
  • noncurrent_version_transition - (Optional) Specifies when noncurrent object versions transition (documented below).

At least one of expiration, transition, noncurrent_version_expiration, noncurrent_version_transition must be specified.

The expiration object supports the following

  • date (Optional) Specifies the date after which you want the corresponding action to take effect.
  • days (Optional) Specifies the number of days after object creation when the specific rule action takes effect.
  • expired_object_delete_marker (Optional) On a versioned bucket (versioning-enabled or versioning-suspended bucket), you can add this element in the lifecycle configuration to direct Amazon S3 to delete expired object delete markers.

The transition object supports the following

  • date (Optional) Specifies the date after which you want the corresponding action to take effect.
  • days (Optional) Specifies the number of days after object creation when the specific rule action takes effect.
  • storage_class (Required) Specifies the Amazon S3 storage class to which you want the object to transition. Can be ONEZONE_IA, STANDARD_IA, INTELLIGENT_TIERING, GLACIER, or DEEP_ARCHIVE.

The noncurrent_version_expiration object supports the following

  • days (Required) Specifies the number of days after which noncurrent object versions expire.

The noncurrent_version_transition object supports the following

  • days (Required) Specifies the number of days after which noncurrent object versions transition.
  • storage_class (Required) Specifies the Amazon S3 storage class to which you want the noncurrent object versions to transition. Can be ONEZONE_IA, STANDARD_IA, INTELLIGENT_TIERING, GLACIER, or DEEP_ARCHIVE.

The replication_configuration object supports the following:

  • role - (Required) The ARN of the IAM role for Amazon S3 to assume when replicating the objects.
  • rules - (Required) Specifies the rules managing the replication (documented below).

The rules object supports the following:

  • id - (Optional) Unique identifier for the rule.
  • priority - (Optional) The priority associated with the rule.
  • destination - (Required) Specifies the destination for the rule (documented below).
  • source_selection_criteria - (Optional) Specifies special object selection criteria (documented below).
  • prefix - (Optional) Object keyname prefix identifying one or more objects to which the rule applies.
  • status - (Required) The status of the rule. Either Enabled or Disabled. The rule is ignored if status is not Enabled.
  • filter - (Optional) Filter that identifies subset of objects to which the replication rule applies (documented below).
  • For a specific rule, prefix conflicts with filter.
  • If any rule has filter specified, then all rules must.
  • priority is optional (with a default value of 0) but must be unique across multiple rules.

The destination object supports the following:

  • bucket - (Required) The ARN of the S3 bucket where you want Amazon S3 to store replicas of the object identified by the rule.
  • storage_class - (Optional) The class of storage used to store the object. Can be STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, or DEEP_ARCHIVE.
  • replica_kms_key_id - (Optional) Destination KMS encryption key ARN for SSE-KMS replication. Must be used in conjunction with sse_kms_encrypted_objects source selection criteria.
  • access_control_translation - (Optional) Specifies the overrides to use for object owners on replication. Must be used in conjunction with account_id owner override configuration.
  • account_id - (Optional) The Account ID to use for overriding the object owner on replication. Must be used in conjunction with access_control_translation override configuration.

The source_selection_criteria object supports the following:

  • sse_kms_encrypted_objects - (Optional) Match SSE-KMS encrypted objects (documented below). If specified, replica_kms_key_id in destination must be specified as well.

The sse_kms_encrypted_objects object supports the following:

  • enabled - (Required) Boolean which indicates if this criteria is enabled.

The filter object supports the following:

  • prefix - (Optional) Object keyname prefix that identifies subset of objects to which the rule applies.
  • tags - (Optional) A map of tags that identifies subset of objects to which the rule applies. The rule applies only to objects having all the tags in its tagset.

The server_side_encryption_configuration object supports the following:

  • rule - (required) A single object holding the server-side encryption by default configuration (documented below).

The rule object supports a single apply_server_side_encryption_by_default block:

The apply_server_side_encryption_by_default object supports the following:

  • sse_algorithm - (required) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms.
  • kms_master_key_id - (optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms.

The grant object supports the following:

  • id - (optional) Canonical user ID of the grantee. Used only when type is CanonicalUser.
  • type - (required) Type of grantee. Valid values are CanonicalUser and Group. AmazonCustomerByEmail is not supported.
  • permissions - (required) List of permissions to grant to the grantee. Valid values are READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL.
  • uri - (optional) URI of the group being granted. Used only when type is Group.

The access_control_translation object supports the following:

  • owner - (Required) The override value for the owner on replicated objects. Currently only Destination is supported.

The object_lock_configuration object supports the following:

  • object_lock_enabled - (Required) Indicates whether this bucket has an Object Lock configuration enabled. Valid value is Enabled.
  • rule - (Optional) The Object Lock rule in place for this bucket.

The rule object supports the following:

  • default_retention - (Required) The default retention period that you want to apply to new objects placed in this bucket.

The default_retention object supports the following:

  • mode - (Required) The default Object Lock retention mode you want to apply to new objects placed in this bucket. Valid values are GOVERNANCE and COMPLIANCE.
  • days - (Optional) The number of days that you want to specify for the default retention period.
  • years - (Optional) The number of years that you want to specify for the default retention period.

Either days or years must be specified, but not both.

» Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The name of the bucket.
  • arn - The ARN of the bucket. Will be of format arn:aws:s3:::bucketname.
  • bucket_domain_name - The bucket domain name. Will be of format bucketname.s3.amazonaws.com.
  • bucket_regional_domain_name - The bucket region-specific domain name, i.e. the bucket domain name including the region name; refer to the AWS documentation for the exact format. Note: CloudFront allows specifying an S3 region-specific endpoint when creating an S3 origin, which prevents redirect issues from CloudFront to the S3 origin URL.
  • hosted_zone_id - The Route 53 Hosted Zone ID for this bucket's region.
  • region - The AWS region this bucket resides in.
  • website_endpoint - The website endpoint, if the bucket is configured with a website. If not, this will be an empty string.
  • website_domain - The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records.

» Import

An S3 bucket can be imported using the bucket name, e.g.

$ terraform import aws_s3_bucket.bucket bucket-name