» Resource: aws_s3_bucket

Provides an S3 bucket resource.

» Example Usage

» Private Bucket w/ Tags

# Private bucket. The "private" canned ACL grants access to the bucket owner
# only. Note that "acl" sets the ACL alone; a bucket policy, if one is
# attached, is evaluated in addition to it and can widen or narrow access.
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  # Tags are metadata (ownership, environment, cost allocation); they are
  # not an access-control mechanism on their own.
  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

» Static Website Hosting

# Static website hosting. "public-read" is a canned ACL that allows anonymous
# reads of the bucket; it is what makes a website bucket reachable without
# credentials, so this pattern must not be reused for buckets holding private
# data. The contents of policy.json are read from disk and applied verbatim —
# review that file as carefully as the ACL, since a bucket policy can grant
# further access (typically anonymous s3:GetObject on every object).
resource "aws_s3_bucket" "b" {
  bucket = "s3-website-test.hashicorp.com"
  acl    = "public-read"
  policy = "${file("policy.json")}"

  website {
    index_document = "index.html"
    error_document = "error.html"

    # routing_rules is raw JSON passed through to S3. The rule below redirects
    # any request whose key starts with "docs/" to the same key under
    # "documents/"; redirects are served to unauthenticated website visitors.
    routing_rules = <<EOF
[{
    "Condition": {
        "KeyPrefixEquals": "docs/"
    },
    "Redirect": {
        "ReplaceKeyPrefixWith": "documents/"
    }
}]
EOF
  }
}

» Using CORS

# CORS configuration. CORS only tells browsers which cross-origin requests
# they may issue; it is not an authorization control. A PUT or POST allowed
# here still has to be authorized by the bucket ACL/policy (or carry a valid
# presigned URL), so this block does not by itself make the bucket writable.
# allowed_headers = ["*"] is permissive; the allowed_origins list is what
# scopes the rule, so keep it to exact origins rather than "*" where possible.
resource "aws_s3_bucket" "b" {
  bucket = "s3-website-test.hashicorp.com"
  acl    = "public-read"

  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["PUT", "POST"]
    allowed_origins = ["https://s3-website-test.hashicorp.com"]
    expose_headers  = ["ETag"]
    # Preflight responses may be cached by the browser for 3000 s (50 min).
    max_age_seconds = 3000
  }
}

» Using versioning

# Versioning keeps prior object versions, which protects against accidental
# or malicious overwrites and deletes and is a prerequisite for replication
# and noncurrent-version lifecycle rules. Versioning alone does not stop a
# principal holding s3:DeleteObjectVersion from removing versions; the
# mfa_delete argument (see Argument Reference) adds an MFA requirement for
# that. Once enabled, versioning can only be suspended, never removed.
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  versioning {
    enabled = true
  }
}

» Enable Logging

# Dedicated destination for server access logs. The "log-delivery-write"
# canned ACL grants the S3 log delivery group permission to write log objects
# here. Logging a bucket to itself is not recommended (each log write would
# generate further log entries). Access logs record requester identity, source
# IP and request details, so treat this bucket as sensitive: restrict who can
# read from it, and protect it against deletion so the audit trail survives.
resource "aws_s3_bucket" "log_bucket" {
  bucket = "my-tf-log-bucket"
  acl    = "log-delivery-write"
}

# Source bucket whose server access logs are delivered to the log bucket above
# under the "log/" key prefix. Delivery is asynchronous and best-effort, so
# access logs support audit and forensic review but should not be the only
# detection control for object-level access.
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  logging {
    target_bucket = "${aws_s3_bucket.log_bucket.id}"
    target_prefix = "log/"
  }
}

» Using object lifecycle

# Lifecycle rules on an unversioned bucket. Expiration here permanently deletes
# matching objects — there are no prior versions to fall back on — so verify
# the prefix/tag filters before applying. Storage-class transitions change
# retrieval latency and cost, not who may access the objects.
resource "aws_s3_bucket" "bucket" {
  bucket = "my-bucket"
  acl    = "private"

  lifecycle_rule {
    id      = "log"
    enabled = true

    prefix = "log/"

    # With tags present, a rule applies only to objects carrying ALL of these
    # tags (in addition to matching the prefix).
    tags = {
      "rule"      = "log"
      "autoclean" = "true"
    }

    transition {
      days          = 30
      storage_class = "STANDARD_IA" # or "ONEZONE_IA"
    }

    transition {
      days          = 60
      storage_class = "GLACIER"
    }

    expiration {
      days = 90
    }
  }

  lifecycle_rule {
    id      = "tmp"
    prefix  = "tmp/"
    enabled = true

    # A fixed date in the past means every object under "tmp/" is expired at
    # the next lifecycle evaluation; use a date-based expiration deliberately.
    expiration {
      date = "2016-01-12"
    }
  }
}

# Versioned bucket whose lifecycle rule acts on noncurrent versions only: the
# current version under "config/" is never transitioned or expired here, so
# live data is unaffected. Noncurrent versions move to cheaper storage after
# 30 and 60 days and are permanently removed after 90, which bounds how far
# back a rollback is possible after an overwrite or delete — size that window
# to the incident-response time you expect to need.
resource "aws_s3_bucket" "versioning_bucket" {
  bucket = "my-versioning-bucket"
  acl    = "private"

  versioning {
    enabled = true
  }

  lifecycle_rule {
    prefix  = "config/"
    enabled = true

    noncurrent_version_transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }

    noncurrent_version_transition {
      days          = 60
      storage_class = "GLACIER"
    }

    noncurrent_version_expiration {
      days = 90
    }
  }
}

» Using replication configuration

# Default provider: resources without an explicit "provider" argument (the
# IAM resources and the replication destination below) are created here.
provider "aws" {
  region = "eu-west-1"
}

# Aliased provider for the second region; the replication source bucket
# selects it with provider = "aws.central".
provider "aws" {
  alias  = "central"
  region = "eu-central-1"
}

# Role that the S3 service assumes to perform replication. The trust policy
# below allows only the s3.amazonaws.com service principal to call
# sts:AssumeRole — no account, user or role principals are trusted. The role
# carries no permissions on its own; they are attached separately via
# aws_iam_policy.replication.
resource "aws_iam_role" "replication" {
  name = "tf-iam-role-replication-12345"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
POLICY
}

# Permissions for the replication role, scoped to the two buckets involved:
# read the replication configuration and list the source bucket; read object
# versions and their ACLs from the source; write replicas and replicated
# deletes to the destination. Every Resource is bound to a specific bucket ARN
# rather than "*" — keep that least-privilege shape when extending the policy.
# s3:ReplicateDelete lets delete markers propagate to the destination, so the
# destination only retains deleted data insofar as its own versioning keeps
# the noncurrent versions.
resource "aws_iam_policy" "replication" {
  name = "tf-iam-role-policy-replication-12345"

  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.bucket.arn}"
      ]
    },
    {
      "Action": [
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Resource": [
        "${aws_s3_bucket.bucket.arn}/*"
      ]
    },
    {
      "Action": [
        "s3:ReplicateObject",
        "s3:ReplicateDelete"
      ],
      "Effect": "Allow",
      "Resource": "${aws_s3_bucket.destination.arn}/*"
    }
  ]
}
POLICY
}

# Binds the permissions policy to the role. Without this attachment the role
# can be assumed by S3 but has no permissions, and replication fails.
resource "aws_iam_role_policy_attachment" "replication" {
  role       = "${aws_iam_role.replication.name}"
  policy_arn = "${aws_iam_policy.replication.arn}"
}

# Replication destination, created by the default provider in eu-west-1.
# Versioning must be enabled on both the source and the destination for
# replication to work. No "acl" is given, so the bucket keeps the default
# private ACL; object-level ownership of replicas is governed by the
# replication rule (see access_control_translation in the Argument Reference).
resource "aws_s3_bucket" "destination" {
  bucket = "tf-test-bucket-destination-12345"
  region = "eu-west-1"

  versioning {
    enabled = true
  }
}

# Replication source, managed through the aliased "central" provider so it
# lives in eu-central-1 while replicas are written to eu-west-1. Replication
# is one-way and covers writes made after the configuration is in place; it
# does not copy objects that already exist. Only keys under the "foo" prefix
# are replicated. Replication is a resilience control, not a backup: deletes
# at the source propagate (s3:ReplicateDelete above), so retention on the
# destination depends on its own versioning and lifecycle settings.
resource "aws_s3_bucket" "bucket" {
  provider = "aws.central"
  bucket   = "tf-test-bucket-12345"
  acl      = "private"
  region   = "eu-central-1"

  versioning {
    enabled = true
  }

  replication_configuration {
    # The role S3 assumes; its trust policy and scoped permissions are above.
    role = "${aws_iam_role.replication.arn}"

    rules {
      id     = "foobar"
      prefix = "foo"
      # A rule whose status is not "Enabled" is ignored.
      status = "Enabled"

      destination {
        bucket        = "${aws_s3_bucket.destination.arn}"
        storage_class = "STANDARD"
      }
    }
  }
}

» Enable Default Server Side Encryption

# Customer-managed KMS key used for default bucket encryption. Deleting this
# key makes every object encrypted under it permanently unreadable; the
# 10-day deletion window is the period in which a scheduled deletion can be
# cancelled. Restrict who may schedule key deletion (key policy and IAM) at
# least as tightly as who may delete the bucket itself.
resource "aws_kms_key" "mykey" {
  description             = "This key is used to encrypt bucket objects"
  deletion_window_in_days = 10
}

# Default encryption: objects uploaded without an explicit encryption header
# are stored with SSE-KMS under the key above. This protects data at rest and
# adds a second gate to reading objects — the caller also needs kms:Decrypt on
# the key — but it does not restrict who may list or read the bucket, so a
# bucket ACL/policy is still required. No "acl" is given here, so the default
# private ACL applies.
resource "aws_s3_bucket" "mybucket" {
  bucket = "mybucket"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        # Referencing the key by ARN pins encryption to this specific
        # customer-managed key rather than the AWS-managed aws/s3 key.
        kms_master_key_id = "${aws_kms_key.mykey.arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

» Argument Reference

The following arguments are supported:

The website object supports the following:

  • index_document - (Required, unless using redirect_all_requests_to) Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders.
  • error_document - (Optional) An absolute path to the document to return in case of a 4XX error.
  • redirect_all_requests_to - (Optional) A hostname to redirect all website requests for this bucket to. Hostname can optionally be prefixed with a protocol (http:// or https://) to use when redirecting requests. The default is the protocol that is used in the original request.
  • routing_rules - (Optional) A json array containing routing rules describing redirect behavior and when redirects are applied.

The CORS object supports the following:

  • allowed_headers - (Optional) Specifies which headers are allowed.
  • allowed_methods - (Required) Specifies which methods are allowed. Can be GET, PUT, POST, DELETE or HEAD.
  • allowed_origins - (Required) Specifies which origins are allowed.
  • expose_headers - (Optional) Specifies which headers are exposed in the response.
  • max_age_seconds - (Optional) Specifies the time in seconds that a browser can cache the response to a preflight request.

The versioning object supports the following:

  • enabled - (Optional) Enable versioning. Once you version-enable a bucket, it can never return to an unversioned state. You can, however, suspend versioning on that bucket.
  • mfa_delete - (Optional) Enable MFA delete, which requires MFA to either change the versioning state of your bucket or permanently delete an object version. Default is false.

The logging object supports the following:

  • target_bucket - (Required) The name of the bucket that will receive the log objects.
  • target_prefix - (Optional) A key prefix for log objects.

The lifecycle_rule object supports the following:

  • id - (Optional) Unique identifier for the rule.
  • prefix - (Optional) Object key prefix identifying one or more objects to which the rule applies.
  • tags - (Optional) Specifies object tags key and value.
  • enabled - (Required) Specifies lifecycle rule status.
  • abort_incomplete_multipart_upload_days - (Optional) Specifies the number of days after initiating a multipart upload when the multipart upload must be completed.
  • expiration - (Optional) Specifies when objects expire (documented below).
  • transition - (Optional) Specifies when objects transition to another storage class (documented below).
  • noncurrent_version_expiration - (Optional) Specifies when noncurrent object versions expire (documented below).
  • noncurrent_version_transition - (Optional) Specifies when noncurrent object versions transition (documented below).

At least one of expiration, transition, noncurrent_version_expiration, noncurrent_version_transition must be specified.

The expiration object supports the following

  • date (Optional) Specifies the date after which you want the corresponding action to take effect.
  • days (Optional) Specifies the number of days after object creation when the specific rule action takes effect.
  • expired_object_delete_marker (Optional) On a versioned bucket (versioning-enabled or versioning-suspended bucket), you can add this element in the lifecycle configuration to direct Amazon S3 to delete expired object delete markers.

The transition object supports the following

  • date (Optional) Specifies the date after which you want the corresponding action to take effect.
  • days (Optional) Specifies the number of days after object creation when the specific rule action takes effect.
  • storage_class (Required) Specifies the Amazon S3 storage class to which you want the object to transition. Can be ONEZONE_IA, STANDARD_IA, INTELLIGENT_TIERING, GLACIER, or DEEP_ARCHIVE.

The noncurrent_version_expiration object supports the following

  • days - (Required) Specifies the number of days after an object version becomes noncurrent before it expires.

The noncurrent_version_transition object supports the following

  • days - (Required) Specifies the number of days after an object version becomes noncurrent before it transitions.
  • storage_class (Required) Specifies the Amazon S3 storage class to which you want the noncurrent versions object to transition. Can be ONEZONE_IA, STANDARD_IA, INTELLIGENT_TIERING, GLACIER, or DEEP_ARCHIVE.

The replication_configuration object supports the following:

  • role - (Required) The ARN of the IAM role for Amazon S3 to assume when replicating the objects.
  • rules - (Required) Specifies the rules managing the replication (documented below).

The rules object supports the following:

  • id - (Optional) Unique identifier for the rule.
  • priority - (Optional) The priority associated with the rule.
  • destination - (Required) Specifies the destination for the rule (documented below).
  • source_selection_criteria - (Optional) Specifies special object selection criteria (documented below).
  • prefix - (Optional) Object keyname prefix identifying one or more objects to which the rule applies.
  • status - (Required) The status of the rule. Either Enabled or Disabled. The rule is ignored if status is not Enabled.
  • filter - (Optional) Filter that identifies subset of objects to which the replication rule applies (documented below).

The destination object supports the following:

  • bucket - (Required) The ARN of the S3 bucket where you want Amazon S3 to store replicas of the object identified by the rule.
  • storage_class - (Optional) The class of storage used to store the object. Can be STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, or DEEP_ARCHIVE.
  • replica_kms_key_id - (Optional) Destination KMS encryption key ARN for SSE-KMS replication. Must be used in conjunction with sse_kms_encrypted_objects source selection criteria.
  • access_control_translation - (Optional) Specifies the overrides to use for object owners on replication. Must be used in conjunction with account_id owner override configuration.
  • account_id - (Optional) The Account ID to use for overriding the object owner on replication. Must be used in conjunction with access_control_translation override configuration.

The source_selection_criteria object supports the following:

  • sse_kms_encrypted_objects - (Optional) Match SSE-KMS encrypted objects (documented below). If specified, replica_kms_key_id in destination must be specified as well.

The sse_kms_encrypted_objects object supports the following:

  • enabled - (Required) Boolean which indicates if this criteria is enabled.

The filter object supports the following:

  • prefix - (Optional) Object keyname prefix that identifies subset of objects to which the rule applies.
  • tags - (Optional) A mapping of tags that identifies subset of objects to which the rule applies. The rule applies only to objects having all the tags in its tagset.

The server_side_encryption_configuration object supports the following:

  • rule - (Required) A single object for the default server-side encryption configuration (documented below).

The rule object supports the following:

The apply_server_side_encryption_by_default object supports the following:

  • sse_algorithm - (Required) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms.
  • kms_master_key_id - (optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms.

The access_control_translation object supports the following:

  • owner - (Required) The override value for the owner on replicated objects. Currently only Destination is supported.

The object_lock_configuration object supports the following:

  • object_lock_enabled - (Required) Indicates whether this bucket has an Object Lock configuration enabled. Valid value is Enabled.
  • rule - (Optional) The Object Lock rule in place for this bucket.

The rule object supports the following:

  • default_retention - (Required) The default retention period that you want to apply to new objects placed in this bucket.

The default_retention object supports the following:

  • mode - (Required) The default Object Lock retention mode you want to apply to new objects placed in this bucket. Valid values are GOVERNANCE and COMPLIANCE.
  • days - (Optional) The number of days that you want to specify for the default retention period.
  • years - (Optional) The number of years that you want to specify for the default retention period.

Either days or years must be specified, but not both.

» Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The name of the bucket.
  • arn - The ARN of the bucket. Will be of format arn:aws:s3:::bucketname.
  • bucket_domain_name - The bucket domain name. Will be of format bucketname.s3.amazonaws.com.
  • bucket_regional_domain_name - The bucket region-specific domain name, i.e. the bucket domain name including the region name; refer to the AWS documentation for the exact format. Note: CloudFront allows specifying the S3 region-specific endpoint when creating an S3 origin, which prevents redirect issues from CloudFront to the S3 origin URL.
  • hosted_zone_id - The Route 53 Hosted Zone ID for this bucket's region.
  • region - The AWS region this bucket resides in.
  • website_endpoint - The website endpoint, if the bucket is configured with a website. If not, this will be an empty string.
  • website_domain - The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records.

» Import

An S3 bucket can be imported using its bucket name, e.g.

$ terraform import aws_s3_bucket.bucket bucket-name