
The module creates an object storage bucket in AWS S3 with server-side encryption enabled and allows configuring its essential parameters (access mode, versioning, transfer acceleration, bucket policies, tags).

Encryption is SSE-KMS by default: with the default `kms_encryption.mode = "module-managed"` the module creates a customer-managed KMS key (through the `tf-aws-kms-key` module) and uses it for the bucket. You can instead supply your own customer-managed key (`mode = "custom"` together with `key_arn`), use the AWS-managed S3 KMS key (`mode = "default"`), or fall back to SSE-S3 with the AES-256 algorithm (`mode = "sse-s3"`). SSE-S3 is not chosen automatically when no key is given; it has to be requested explicitly, otherwise the module-managed key is created.
Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:

```shell
terraform login solutions.corewide.com
```
Initialize mandatory providers: copy and paste the block below into your Terraform configuration and insert the variables:

```hcl
module "tf_aws_s3_bucket" {
  source  = "solutions.corewide.com/aws/tf-aws-s3-bucket/aws"
  version = "~> 2.0.2"

  # specify module inputs here or try one of the examples below
  ...
}
```

Initialize the setup:

```shell
terraform init
```
Corewide DevOps team strictly follows the Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using the pessimistic constraint operator (`~>`) to prevent breaking changes during upgrades. To get new features during upgrades (without breaking compatibility), use `~> 2.0` and run `terraform init -upgrade`. For the safest setup, use strict pinning with `version = "2.0.2"`.
tf-aws-kms-key | $50 |
All notable changes to this project are documented here.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- `kms_key` output with the details of the used KMS key (if KMS encryption is selected with a non-default KMS key)
- `tf-aws-kms-key` module dependency bumped from 1.0 to 1.1 to align with the latest security adjustments
- BREAKING CHANGE: the encryption setup now utilizes the module-managed KMS key by default. Upgrade from an older version is possible with manual changes, see the Upgrade Notes section
- `module-managed` KMS encryption mode
- `add_random_suffix` is disabled
- First stable version
v1.x to v2.x

The module from v2.0 utilizes the module-managed KMS encryption mode by default. Update the module declaration according to the requirements and examples to match the designed configuration.
To continue managing the S3 bucket with the default S3 server-side encryption (AES-256 algorithm), add options like below:

```hcl
module "s3" {
  ...
  kms_encryption = {
    mode = "sse-s3"
  }
  ...
}
```
Minimal setup with default parameters:

```hcl
module "s3" {
  source  = "solutions.corewide.com/aws/tf-aws-s3-bucket/aws"
  version = "~> 2.0"

  name = "foo"
}
```
Setup with custom configuration and acceleration enabled:

```hcl
module "s3" {
  source  = "solutions.corewide.com/aws/tf-aws-s3-bucket/aws"
  version = "~> 2.0"

  name              = "foo"
  accelerate        = true
  add_random_suffix = true

  bucket_policies = {
    allow-access-from-another-account = data.aws_iam_policy_document.allow_access_from_another_account.json
  }
}

# Grants read-only access to principals of AWS account 123456789012 (placeholder ID)
data "aws_iam_policy_document" "allow_access_from_another_account" {
  statement {
    principals {
      type        = "AWS"
      identifiers = ["123456789012"]
    }

    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]

    resources = [
      "arn:aws:s3:::foo",
      "arn:aws:s3:::foo/*",
    ]
  }
}
```

Note that with `add_random_suffix = true` the real bucket name is `foo` followed by a random suffix, so the literal `arn:aws:s3:::foo` ARNs above will not match the bucket that gets created; keep the suffix disabled when a policy carries hard-coded ARNs. Also, because the bucket is encrypted with SSE-KMS by default, the other account additionally needs `kms:Decrypt` on the bucket key to read objects, which is granted in the key policy rather than in the bucket policy.
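As an added example (not part of the module's own documentation), the same `bucket_policies` input can carry a policy that rejects every request made over plain HTTP, the usual hardening step for any bucket regardless of its access mode. It assumes the bucket is named `foo` with `add_random_suffix` left at its default `false`, so the bucket ARN is known at plan time; the policy name `deny-insecure-transport` and the `sid` are assumptions.

```hcl
module "s3" {
  source  = "solutions.corewide.com/aws/tf-aws-s3-bucket/aws"
  version = "~> 2.0"

  # assumption: no random suffix, so the ARNs in the policy below are known up front
  name = "foo"

  bucket_policies = {
    deny-insecure-transport = data.aws_iam_policy_document.deny_insecure_transport.json
  }
}

# Deny every S3 action from every principal when the request did not use TLS.
# aws:SecureTransport evaluates to "false" for plain-HTTP requests.
data "aws_iam_policy_document" "deny_insecure_transport" {
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = ["s3:*"]

    resources = [
      "arn:aws:s3:::foo",
      "arn:aws:s3:::foo/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}
```

An explicit `Deny` takes precedence over any `Allow`, so this entry can sit in `bucket_policies` next to a cross-account allow policy like the one above without weakening it.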
Create an S3 bucket with the default SSE-S3 encryption (AES-256 algorithm):

```hcl
module "s3" {
  source  = "solutions.corewide.com/aws/tf-aws-s3-bucket/aws"
  version = "~> 2.0"

  name = "foo"

  kms_encryption = {
    mode = "sse-s3"
  }
}
```
Create an S3 bucket with SSE-KMS encryption enabled and a KMS key created externally:

```hcl
module "s3" {
  source  = "solutions.corewide.com/aws/tf-aws-s3-bucket/aws"
  version = "~> 2.0"

  name = "foo"

  kms_encryption = {
    mode    = "custom"
    key_arn = "arn:aws:kms:eu-west-1:1234567890:key/123qwer-45ty-678qwe-9012-3456tyqwe"
  }
}
```
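Added example, not from the module docs: instead of pasting a key ARN, the `custom` mode can point at a key created alongside the bucket, which keeps rotation and deletion protection under code review. `aws_kms_key` and `aws_kms_alias` are standard `hashicorp/aws` provider resources; the key description and the alias name are assumptions.

```hcl
# Customer-managed key for the bucket. No explicit policy is set, so the provider
# applies the AWS default key policy (full access for the account root).
resource "aws_kms_key" "s3" {
  description             = "SSE-KMS key for the foo bucket" # assumed description
  enable_key_rotation     = true # automatic yearly rotation of the backing key material
  deletion_window_in_days = 30   # longest allowed waiting period before a scheduled deletion
}

resource "aws_kms_alias" "s3" {
  name          = "alias/s3-foo" # assumed alias name
  target_key_id = aws_kms_key.s3.key_id
}

module "s3" {
  source  = "solutions.corewide.com/aws/tf-aws-s3-bucket/aws"
  version = "~> 2.0"

  name = "foo"

  kms_encryption = {
    mode    = "custom"
    key_arn = aws_kms_key.s3.arn # reference instead of a hard-coded ARN
  }
}
```

Because the key lives outside the module, its key policy is yours to manage: any principal that must read objects needs `kms:Decrypt` on this key in addition to `s3:GetObject`, and any writer needs `kms:GenerateDataKey`. This is what makes cross-account access to an SSE-KMS bucket fail when only the bucket policy is in place.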
Create an S3 bucket with SSE-KMS encryption enabled and the AWS-managed KMS key:

```hcl
module "s3" {
  source  = "solutions.corewide.com/aws/tf-aws-s3-bucket/aws"
  version = "~> 2.0"

  name = "foo"

  kms_encryption = {
    mode = "default"
  }
}
```
Simple configuration with publicly accessible storage:

```hcl
module "s3" {
  source  = "solutions.corewide.com/aws/tf-aws-s3-bucket/aws"
  version = "~> 2.0"

  name        = "foo"
  access_mode = "public-read"
}
```

With `public-read` every object in the bucket is readable by anonymous callers, so use it only for content that is meant to be public (static website assets, published artifacts) and keep the default `private` mode everywhere else.
Variable | Description | Type | Default | Required | Sensitive |
---|---|---|---|---|---|
`name` | S3 bucket name. Maximum length is 63 characters (56 characters when `add_random_suffix` is enabled) | `string` | | yes | no |
`accelerate` | Toggle S3 transfer acceleration | `bool` | `false` | no | no |
`access_mode` | S3 bucket access mode. Allowed values: `private`, `public-read` | `string` | `private` | no | no |
`add_random_suffix` | Append a random suffix to the bucket name to ensure uniqueness. Please note: modifying this variable will trigger the re-creation of the bucket | `bool` | `false` | no | no |
`bucket_policies` | Valid bucket policy JSON documents to assign to the managed S3 bucket, in key-value format. Each key defines a policy name, and the value its JSON document | `map(string)` | `{}` | no | no |
`kms_encryption` | KMS encryption parameters | `object` | `{}` | no | no |
`kms_encryption.key_arn` | ARN of the KMS key (required if `mode` is `custom`) | `string` | | no | no |
`kms_encryption.mode` | Encryption mode. Possible values: `default` - the default AWS KMS master key is used; `custom` - a valid non-null `key_arn` must be provided; `module-managed` - the module automatically creates and uses a KMS key; `sse-s3` - S3 server-side encryption (with the AES-256 algorithm) | `string` | `module-managed` | no | no |
`tags` | Tag(s) that must be assigned to the S3 bucket | `map(string)` | `{}` | no | no |
`versioning` | Toggle S3 bucket versioning | `bool` | `true` | no | no |
Output | Description | Type | Sensitive |
---|---|---|---|
`accelerated_bucket_endpoint` | S3 bucket access endpoint with Transfer Acceleration enabled | computed | no |
`bucket` | Contains all the S3 bucket attributes | resource | no |
`kms_key` | Contains KMS key parameters if KMS encryption is selected with a non-default KMS key (full data including the KMS key policy is available only for the `module-managed` KMS encryption mode) | computed | no |
Dependency | Version | Kind |
---|---|---|
`terraform` | `>= 1.1` | CLI |
`hashicorp/aws` | `~> 5.0` | provider |
`hashicorp/random` | `~> 3.3` | provider |
`tf-aws-kms-key` | `~> 1.1` | module |