feat: add object_lock_configuration support

johncblandii · johncblandii · commit c499981ca5b3 · 2026-01-20T16:10:07.000-06:00
Add S3 Object Lock pass-through support to the cloudtrail-s3-bucket module. This enables compliance requirements like PCI by allowing WORM (write-once-read-many) protection on CloudTrail logs. Object Lock must be enabled at bucket creation time and requires versioning (enabled by default).
diff --git a/README.md b/README.md
@@ -43,6 +43,7 @@ The module supports the following:
 1. Forced [server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) at rest for the S3 bucket
 2. S3 bucket [versioning](https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html) to easily recover from both unintended user actions and application failures
 3. S3 bucket is protected from deletion if it's not empty ([force_destroy](https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#force_destroy) set to `false`)
+4. [S3 Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html) for WORM (write-once-read-many) protection, useful for compliance requirements (e.g., PCI)
 
 
 > [!TIP]
@@ -73,6 +74,29 @@ module "s3_bucket" {
 }
 ```
 
+### With S3 Object Lock (for compliance)
+
+S3 Object Lock can only be enabled at bucket creation time and requires versioning (enabled by default).
+
+```hcl
+module "s3_bucket" {
+  source = "cloudposse/cloudtrail-s3-bucket/aws"
+  # Cloud Posse recommends pinning every module to a specific version
+  # version     = "x.x.x"
+  namespace = "eg"
+  stage     = "prod"
+  name      = "cluster"
+
+  versioning_enabled = true
+
+  object_lock_configuration = {
+    mode  = "GOVERNANCE"
+    days  = 365
+    years = null
+  }
+}
+```
+
 > [!IMPORTANT]
 > In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentation
 > and the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact version
@@ -155,6 +179,7 @@ module "s3_bucket" {
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_noncurrent_version_expiration_days"></a> [noncurrent\_version\_expiration\_days](#input\_noncurrent\_version\_expiration\_days) | Specifies when noncurrent object versions expire | `number` | `90` | no |
 | <a name="input_noncurrent_version_transition_days"></a> [noncurrent\_version\_transition\_days](#input\_noncurrent\_version\_transition\_days) | Specifies when noncurrent object versions transitions | `number` | `30` | no |
+| <a name="input_object_lock_configuration"></a> [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | <pre>object({<br/>    mode  = string # Valid values are GOVERNANCE and COMPLIANCE.<br/>    days  = number<br/>    years = number<br/>  })</pre> | `null` | no |
 | <a name="input_policy"></a> [policy](#input\_policy) | A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy | `string` | `""` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br/>Characters matching the regex will be removed from the ID elements.<br/>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_restrict_public_buckets"></a> [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public | `bool` | `true` | no |
diff --git a/README.yaml b/README.yaml
@@ -57,6 +57,7 @@ description: |-
   1. Forced [server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html) at rest for the S3 bucket
   2. S3 bucket [versioning](https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html) to easily recover from both unintended user actions and application failures
   3. S3 bucket is protected from deletion if it's not empty ([force_destroy](https://www.terraform.io/docs/providers/aws/r/s3_bucket.html#force_destroy) set to `false`)
+  4. [S3 Object Lock](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html) for WORM (write-once-read-many) protection, useful for compliance requirements (e.g., PCI)
 
 # How to use this project
 usage: |-
@@ -71,5 +72,28 @@ usage: |-
   }
   ```
 
+  ### With S3 Object Lock (for compliance)
+
+  S3 Object Lock can only be enabled at bucket creation time and requires versioning (enabled by default).
+
+  ```hcl
+  module "s3_bucket" {
+    source = "cloudposse/cloudtrail-s3-bucket/aws"
+    # Cloud Posse recommends pinning every module to a specific version
+    # version     = "x.x.x"
+    namespace = "eg"
+    stage     = "prod"
+    name      = "cluster"
+
+    versioning_enabled = true
+
+    object_lock_configuration = {
+      mode  = "GOVERNANCE"
+      days  = 365
+      years = null
+    }
+  }
+  ```
+
 include: []
 contributors: []
diff --git a/main.tf b/main.tf
@@ -29,6 +29,7 @@ module "s3_bucket" {
   bucket_notifications_enabled           = var.bucket_notifications_enabled
   bucket_notifications_type              = var.bucket_notifications_type
   bucket_notifications_prefix            = var.bucket_notifications_prefix
+  object_lock_configuration              = var.object_lock_configuration
 
   context = module.this.context
 }
diff --git a/variables.tf b/variables.tf
@@ -147,4 +147,14 @@ variable "bucket_notifications_prefix" {
   type        = string
   description = "Prefix filter. Used to manage object notifications"
   default     = ""
+}
+
+variable "object_lock_configuration" {
+  type = object({
+    mode  = string # Valid values are GOVERNANCE and COMPLIANCE.
+    days  = number
+    years = number
+  })
+  default     = null
+  description = "A configuration for S3 object locking. With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely."
 }

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ module "s3_bucket" {`
`29`	`29`	`bucket_notifications_enabled = var.bucket_notifications_enabled`
`30`	`30`	`bucket_notifications_type = var.bucket_notifications_type`
`31`	`31`	`bucket_notifications_prefix = var.bucket_notifications_prefix`
	`32`	`+ object_lock_configuration = var.object_lock_configuration`
`32`	`33`
`33`	`34`	`context = module.this.context`
`34`	`35`	`}`