From ca18b868799ac52e720fd1b9fd14f36bc7227ad5 Mon Sep 17 00:00:00 2001 From: mayank0202 Date: Thu, 14 Nov 2024 00:20:57 +0530 Subject: [PATCH 1/2] Changed the naming convention in variables --- README.md | 2 +- docs/terraform.md | 76 +++++++++++++++++++++++------------------------ main.tf | 4 +-- variables.tf | 2 +- 4 files changed, 42 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index 7b65fb64..9a2f5a2b 100644 --- a/README.md +++ b/README.md @@ -279,7 +279,6 @@ Available targets: | [bucket\_name](#input\_bucket\_name) | Bucket name. If provided, the bucket will be created with this name instead of generating the name from the context | `string` | `null` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | 
{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
| no | | [cors\_configuration](#input\_cors\_configuration) | Specifies the allowed headers, methods, origins and exposed headers when using CORS on this bucket | 
list(object({
    id              = optional(string)
    allowed_headers = optional(list(string))
    allowed_methods = optional(list(string))
    allowed_origins = optional(list(string))
    expose_headers  = optional(list(string))
    max_age_seconds = optional(number)
  }))
| `[]` | no | -| [create\_s3\_directory\_bucket](#input\_create\_s3\_directory\_bucket) | Control the creation of the S3 directory bucket. Set to true to create the bucket, false to skip. | `bool` | `false` | no | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | @@ -308,6 +307,7 @@ Available targets: | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [replication\_rules](#input\_replication\_rules) | DEPRECATED (use `s3_replication_rules`): Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | `list(any)` | `null` | no | | [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public | `bool` | `true` | no | +| [s3\_directory\_bucket\_enabled](#input\_s3\_directory\_bucket\_enabled) | Control the creation of the S3 directory bucket. Set to true to create the bucket, false to skip. | `bool` | `false` | no | | [s3\_object\_ownership](#input\_s3\_object\_ownership) | Specifies the S3 object ownership control.
Valid values are `ObjectWriter`, `BucketOwnerPreferred`, and 'BucketOwnerEnforced'.
Defaults to "ObjectWriter" for backwards compatibility, but we recommend setting "BucketOwnerEnforced" instead. | `string` | `"ObjectWriter"` | no | | [s3\_replica\_bucket\_arn](#input\_s3\_replica\_bucket\_arn) | A single S3 bucket ARN to use for all replication rules.
Note: The destination bucket can be specified in the replication rule itself
(which allows for multiple destinations), in which case it will take precedence over this variable. | `string` | `""` | no | | [s3\_replication\_enabled](#input\_s3\_replication\_enabled) | Set this to true and specify `s3_replication_rules` to enable replication. `versioning_enabled` must also be `true`. | `bool` | `false` | no | diff --git a/docs/terraform.md b/docs/terraform.md index d8e7b9a3..c3e630b2 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -58,74 +58,74 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [access\_key\_enabled](#input\_access\_key\_enabled) | Set to `true` to create an IAM Access Key for the created IAM user | `bool` | `true` | no | -| [acl](#input\_acl) | The [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply.
Deprecated by AWS in favor of bucket policies.
Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced".
Defaults to "private" for backwards compatibility, but we recommend setting `s3_object_ownership` to "BucketOwnerEnforced" instead. | `string` | `"private"` | no | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [acl](#input\_acl) | The [canned ACL](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl) to apply.
Deprecated by AWS in favor of bucket policies.
Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced".
Defaults to "private" for backwards compatibility, but we recommend setting `s3_object_ownership` to "BucketOwnerEnforced" instead. | `string` | `"private"` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [allow\_encrypted\_uploads\_only](#input\_allow\_encrypted\_uploads\_only) | Set to `true` to prevent uploads of unencrypted objects to S3 bucket | `bool` | `false` | no | | [allow\_ssl\_requests\_only](#input\_allow\_ssl\_requests\_only) | Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `false` | no | -| [allowed\_bucket\_actions](#input\_allowed\_bucket\_actions) | List of actions the user is permitted to perform on the S3 bucket | `list(string)` | 
[
  "s3:PutObject",
  "s3:PutObjectAcl",
  "s3:GetObject",
  "s3:DeleteObject",
  "s3:ListBucket",
  "s3:ListBucketMultipartUploads",
  "s3:GetBucketLocation",
  "s3:AbortMultipartUpload"
]
| no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [availability\_zone\_id](#input\_availability\_zone\_id) | The ID of the availability zone. | `string` | `null` | no | +| [allowed\_bucket\_actions](#input\_allowed\_bucket\_actions) | List of actions the user is permitted to perform on the S3 bucket | `list(string)` | 
[
  "s3:PutObject",
  "s3:PutObjectAcl",
  "s3:GetObject",
  "s3:DeleteObject",
  "s3:ListBucket",
  "s3:ListBucketMultipartUploads",
  "s3:GetBucketLocation",
  "s3:AbortMultipartUpload"
]
| no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [availability\_zone\_id](#input\_availability\_zone\_id) | The ID of the availability zone. | `string` | `""` | no | | [block\_public\_acls](#input\_block\_public\_acls) | Set to `false` to disable the blocking of new public access lists on the bucket | `bool` | `true` | no | | [block\_public\_policy](#input\_block\_public\_policy) | Set to `false` to disable the blocking of new public policies on the bucket | `bool` | `true` | no | -| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Set this to true to use Amazon S3 Bucket Keys for SSE-KMS, which may or may not reduce the number of AWS KMS requests.
For more information, see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html | `bool` | `false` | no | +| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Set this to true to use Amazon S3 Bucket Keys for SSE-KMS, which may or may not reduce the number of AWS KMS requests.
For more information, see: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html | `bool` | `false` | no | | [bucket\_name](#input\_bucket\_name) | Bucket name. If provided, the bucket will be created with this name instead of generating the name from the context | `string` | `null` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | 
{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
| no | -| [cors\_configuration](#input\_cors\_configuration) | Specifies the allowed headers, methods, origins and exposed headers when using CORS on this bucket | 
list(object({
    id              = optional(string)
    allowed_headers = optional(list(string))
    allowed_methods = optional(list(string))
    allowed_origins = optional(list(string))
    expose_headers  = optional(list(string))
    max_age_seconds = optional(number)
  }))
| `[]` | no | -| [create\_s3\_directory\_bucket](#input\_create\_s3\_directory\_bucket) | Control the creation of the S3 directory bucket. Set to true to create the bucket, false to skip. | `bool` | `false` | no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | 
{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
| no | +| [cors\_configuration](#input\_cors\_configuration) | Specifies the allowed headers, methods, origins and exposed headers when using CORS on this bucket | 
list(object({
    id              = optional(string)
    allowed_headers = optional(list(string))
    allowed_methods = optional(list(string))
    allowed_origins = optional(list(string))
    expose_headers  = optional(list(string))
    max_age_seconds = optional(number)
  }))
| `[]` | no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [event\_notification\_details](#input\_event\_notification\_details) | (optional) S3 event notification details | 
object({
    enabled = bool
    lambda_list = optional(list(object({
      lambda_function_arn = string
      events              = optional(list(string), ["s3:ObjectCreated:*"])
      filter_prefix       = string
      filter_suffix       = string
    })), [])

    queue_list = optional(list(object({
      queue_arn = string
      events    = optional(list(string), ["s3:ObjectCreated:*"])
    })), [])

    topic_list = optional(list(object({
      topic_arn = string
      events    = optional(list(string), ["s3:ObjectCreated:*"])
    })), [])

  })
| 
{
  "enabled": false
}
| no | -| [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | Account ID of the expected bucket owner.
More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html | `string` | `null` | no | -| [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.
THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier. | `bool` | `false` | no | -| [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.
Conflicts with `acl`. Set `acl` to `null` to use this.
Deprecated by AWS in favor of bucket policies.
Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". | 
list(object({
    id          = string
    type        = string
    permissions = list(string)
    uri         = string
  }))
| `[]` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [event\_notification\_details](#input\_event\_notification\_details) | (optional) S3 event notification details | 
object({
    enabled = bool
    lambda_list = optional(list(object({
      lambda_function_arn = string
      events              = optional(list(string), ["s3:ObjectCreated:*"])
      filter_prefix       = string
      filter_suffix       = string
    })), [])

    queue_list = optional(list(object({
      queue_arn = string
      events    = optional(list(string), ["s3:ObjectCreated:*"])
    })), [])

    topic_list = optional(list(object({
      topic_arn = string
      events    = optional(list(string), ["s3:ObjectCreated:*"])
    })), [])

  })
| 
{
  "enabled": false
}
| no | +| [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | Account ID of the expected bucket owner.
More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html | `string` | `null` | no | +| [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.
THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier. | `bool` | `false` | no | +| [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.
Conflicts with `acl`. Set `acl` to `null` to use this.
Deprecated by AWS in favor of bucket policies.
Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". | 
list(object({
    id          = string
    type        = string
    permissions = list(string)
    uri         = string
  }))
| `[]` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | | [ignore\_public\_acls](#input\_ignore\_public\_acls) | Set to `false` to disable the ignoring of public access lists on the bucket | `bool` | `true` | no | | [kms\_master\_key\_arn](#input\_kms\_master\_key\_arn) | The AWS KMS master key ARN used for the `SSE-KMS` encryption. This can only be used when you set the value of `sse_algorithm` as `aws:kms`. The default aws/s3 AWS KMS master key is used if this element is absent while the `sse_algorithm` is `aws:kms` | `string` | `""` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | 
[
  "default"
]
| no | -| [lifecycle\_configuration\_rules](#input\_lifecycle\_configuration\_rules) | A list of lifecycle V2 rules | 
list(object({
    enabled = optional(bool, true)
    id      = string

    abort_incomplete_multipart_upload_days = optional(number)

    # `filter_and` is the `and` configuration block inside the `filter` configuration.
    # This is the only place you should specify a prefix.
    filter_and = optional(object({
      object_size_greater_than = optional(number) # integer >= 0
      object_size_less_than    = optional(number) # integer >= 1
      prefix                   = optional(string)
      tags                     = optional(map(string), {})
    }))
    expiration = optional(object({
      date                         = optional(string) # string, RFC3339 time format, GMT
      days                         = optional(number) # integer > 0
      expired_object_delete_marker = optional(bool)
    }))
    noncurrent_version_expiration = optional(object({
      newer_noncurrent_versions = optional(number) # integer > 0
      noncurrent_days           = optional(number) # integer >= 0
    }))
    transition = optional(list(object({
      date          = optional(string) # string, RFC3339 time format, GMT
      days          = optional(number) # integer > 0
      storage_class = optional(string)
      # string/enum, one of GLACIER, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, DEEP_ARCHIVE, GLACIER_IR.
    })), [])

    noncurrent_version_transition = optional(list(object({
      newer_noncurrent_versions = optional(number) # integer >= 0
      noncurrent_days           = optional(number) # integer >= 0
      storage_class             = optional(string)
      # string/enum, one of GLACIER, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, DEEP_ARCHIVE, GLACIER_IR.
    })), [])
  }))
| `[]` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | 
[
  "default"
]
| no | +| [lifecycle\_configuration\_rules](#input\_lifecycle\_configuration\_rules) | A list of lifecycle V2 rules | 
list(object({
    enabled = optional(bool, true)
    id      = string

    abort_incomplete_multipart_upload_days = optional(number)

    # `filter_and` is the `and` configuration block inside the `filter` configuration.
    # This is the only place you should specify a prefix.
    filter_and = optional(object({
      object_size_greater_than = optional(number) # integer >= 0
      object_size_less_than    = optional(number) # integer >= 1
      prefix                   = optional(string)
      tags                     = optional(map(string), {})
    }))
    expiration = optional(object({
      date                         = optional(string) # string, RFC3339 time format, GMT
      days                         = optional(number) # integer > 0
      expired_object_delete_marker = optional(bool)
    }))
    noncurrent_version_expiration = optional(object({
      newer_noncurrent_versions = optional(number) # integer > 0
      noncurrent_days           = optional(number) # integer >= 0
    }))
    transition = optional(list(object({
      date          = optional(string) # string, RFC3339 time format, GMT
      days          = optional(number) # integer > 0
      storage_class = optional(string)
      # string/enum, one of GLACIER, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, DEEP_ARCHIVE, GLACIER_IR.
    })), [])

    noncurrent_version_transition = optional(list(object({
      newer_noncurrent_versions = optional(number) # integer >= 0
      noncurrent_days           = optional(number) # integer >= 0
      storage_class             = optional(string)
      # string/enum, one of GLACIER, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, DEEP_ARCHIVE, GLACIER_IR.
    })), [])
  }))
| `[]` | no | | [lifecycle\_rule\_ids](#input\_lifecycle\_rule\_ids) | DEPRECATED (use `lifecycle_configuration_rules`): A list of IDs to assign to corresponding `lifecycle_rules` | `list(string)` | `[]` | no | -| [lifecycle\_rules](#input\_lifecycle\_rules) | DEPRECATED (`use lifecycle_configuration_rules`): A list of lifecycle rules | 
list(object({
    prefix  = string
    enabled = bool
    tags    = map(string)

    enable_glacier_transition            = bool
    enable_deeparchive_transition        = bool
    enable_standard_ia_transition        = bool
    enable_current_object_expiration     = bool
    enable_noncurrent_version_expiration = bool

    abort_incomplete_multipart_upload_days         = number
    noncurrent_version_glacier_transition_days     = number
    noncurrent_version_deeparchive_transition_days = number
    noncurrent_version_expiration_days             = number

    standard_transition_days    = number
    glacier_transition_days     = number
    deeparchive_transition_days = number
    expiration_days             = number
  }))
| `null` | no | -| [logging](#input\_logging) | Bucket access logging configuration. Empty list for no logging, list of 1 to enable logging. | 
list(object({
    bucket_name = string
    prefix      = string
  }))
| `[]` | no | +| [lifecycle\_rules](#input\_lifecycle\_rules) | DEPRECATED (`use lifecycle_configuration_rules`): A list of lifecycle rules | 
list(object({
    prefix  = string
    enabled = bool
    tags    = map(string)

    enable_glacier_transition            = bool
    enable_deeparchive_transition        = bool
    enable_standard_ia_transition        = bool
    enable_current_object_expiration     = bool
    enable_noncurrent_version_expiration = bool

    abort_incomplete_multipart_upload_days         = number
    noncurrent_version_glacier_transition_days     = number
    noncurrent_version_deeparchive_transition_days = number
    noncurrent_version_expiration_days             = number

    standard_transition_days    = number
    glacier_transition_days     = number
    deeparchive_transition_days = number
    expiration_days             = number
  }))
| `null` | no | +| [logging](#input\_logging) | Bucket access logging configuration. Empty list for no logging, list of 1 to enable logging. | 
list(object({
    bucket_name = string
    prefix      = string
  }))
| `[]` | no | | [minimum\_tls\_version](#input\_minimum\_tls\_version) | Set the minimum TLS version for in-transit traffic | `string` | `null` | no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | 
object({
    mode  = string # Valid values are GOVERNANCE and COMPLIANCE.
    days  = number
    years = number
  })
| `null` | no | +| [object\_lock\_configuration](#input\_object\_lock\_configuration) | A configuration for S3 object locking. With S3 Object Lock, you can store objects using a `write once, read many` (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | 
object({
    mode  = string # Valid values are GOVERNANCE and COMPLIANCE.
    days  = number
    years = number
  })
| `null` | no | | [privileged\_principal\_actions](#input\_privileged\_principal\_actions) | List of actions to permit `privileged_principal_arns` to perform on bucket and bucket prefixes (see `privileged_principal_arns`) | `list(string)` | `[]` | no | -| [privileged\_principal\_arns](#input\_privileged\_principal\_arns) | List of maps. Each map has a key, an IAM Principal ARN, whose associated value is
a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,
in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'. | `list(map(list(string)))` | `[]` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [privileged\_principal\_arns](#input\_privileged\_principal\_arns) | List of maps. Each map has a key, an IAM Principal ARN, whose associated value is
a list of S3 path prefixes to grant `privileged_principal_actions` permissions for that principal,
in addition to the bucket itself, which is automatically included. Prefixes should not begin with '/'. | `list(map(list(string)))` | `[]` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [replication\_rules](#input\_replication\_rules) | DEPRECATED (use `s3_replication_rules`): Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | `list(any)` | `null` | no | | [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public | `bool` | `true` | no | -| [s3\_object\_ownership](#input\_s3\_object\_ownership) | Specifies the S3 object ownership control.
Valid values are `ObjectWriter`, `BucketOwnerPreferred`, and 'BucketOwnerEnforced'.
Defaults to "ObjectWriter" for backwards compatibility, but we recommend setting "BucketOwnerEnforced" instead. | `string` | `"ObjectWriter"` | no | -| [s3\_replica\_bucket\_arn](#input\_s3\_replica\_bucket\_arn) | A single S3 bucket ARN to use for all replication rules.
Note: The destination bucket can be specified in the replication rule itself
(which allows for multiple destinations), in which case it will take precedence over this variable. | `string` | `""` | no | +| [s3\_directory\_bucket\_enabled](#input\_s3\_directory\_bucket\_enabled) | Control the creation of the S3 directory bucket. Set to true to create the bucket, false to skip. | `bool` | `false` | no | +| [s3\_object\_ownership](#input\_s3\_object\_ownership) | Specifies the S3 object ownership control.
Valid values are `ObjectWriter`, `BucketOwnerPreferred`, and 'BucketOwnerEnforced'.
Defaults to "ObjectWriter" for backwards compatibility, but we recommend setting "BucketOwnerEnforced" instead. | `string` | `"ObjectWriter"` | no | +| [s3\_replica\_bucket\_arn](#input\_s3\_replica\_bucket\_arn) | A single S3 bucket ARN to use for all replication rules.
Note: The destination bucket can be specified in the replication rule itself
(which allows for multiple destinations), in which case it will take precedence over this variable. | `string` | `""` | no | | [s3\_replication\_enabled](#input\_s3\_replication\_enabled) | Set this to true and specify `s3_replication_rules` to enable replication. `versioning_enabled` must also be `true`. | `bool` | `false` | no | | [s3\_replication\_permissions\_boundary\_arn](#input\_s3\_replication\_permissions\_boundary\_arn) | Permissions boundary ARN for the created IAM replication role. | `string` | `null` | no | -| [s3\_replication\_rules](#input\_s3\_replication\_rules) | Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | 
list(object({
    id       = optional(string)
    priority = optional(number)
    prefix   = optional(string)
    status   = optional(string, "Enabled")
    # delete_marker_replication { status } had been flattened for convenience
    delete_marker_replication_status = optional(string, "Disabled")
    # Add the configuration as it appears in the resource, for consistency
    # this nested version takes precedence if both are provided.
    delete_marker_replication = optional(object({
      status = string
    }))

    # destination_bucket is specified here rather than inside the destination object because before optional
    # attributes, it made it easier to work with the Terraform type system and create a list of consistent type.
    # It is preserved for backward compatibility, but the nested version takes priority if both are provided.
    destination_bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn

    destination = object({
      bucket        = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn
      storage_class = optional(string, "STANDARD")
      # replica_kms_key_id at this level is for backward compatibility, and is overridden by the one in `encryption_configuration`
      replica_kms_key_id = optional(string, "")
      encryption_configuration = optional(object({
        replica_kms_key_id = string
      }))
      access_control_translation = optional(object({
        owner = string
      }))
      # account_id is for backward compatibility, overridden by account
      account_id = optional(string)
      account    = optional(string)
      # For convenience, specifying either metrics or replication_time enables both
      metrics = optional(object({
        event_threshold = optional(object({
          minutes = optional(number, 15) # Currently 15 is the only valid number
        }), { minutes = 15 })
        status = optional(string, "Enabled")
      }), { status = "Disabled" })
      # To preserve backward compatibility, Replication Time Control (RTC) is automatically enabled
      # when metrics are enabled. To enable metrics without RTC, you must explicitly configure
      # replication_time.status = "Disabled".
      replication_time = optional(object({
        time = optional(object({
          minutes = optional(number, 15) # Currently 15 is the only valid number
        }), { minutes = 15 })
        status = optional(string)
      }))
    })

    source_selection_criteria = optional(object({
      replica_modifications = optional(object({
        status = string # Either Enabled or Disabled
      }))
      sse_kms_encrypted_objects = optional(object({
        status = optional(string)
      }))
    }))
    # filter.prefix overrides top level prefix
    filter = optional(object({
      prefix = optional(string)
      tags   = optional(map(string), {})
    }))
  }))
| `null` | no | +| [s3\_replication\_rules](#input\_s3\_replication\_rules) | Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | 
list(object({
    id       = optional(string)
    priority = optional(number)
    prefix   = optional(string)
    status   = optional(string, "Enabled")
    # delete_marker_replication { status } had been flattened for convenience
    delete_marker_replication_status = optional(string, "Disabled")
    # Add the configuration as it appears in the resource, for consistency
    # this nested version takes precedence if both are provided.
    delete_marker_replication = optional(object({
      status = string
    }))

    # destination_bucket is specified here rather than inside the destination object because before optional
    # attributes, it made it easier to work with the Terraform type system and create a list of consistent type.
    # It is preserved for backward compatibility, but the nested version takes priority if both are provided.
    destination_bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn

    destination = object({
      bucket        = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn
      storage_class = optional(string, "STANDARD")
      # replica_kms_key_id at this level is for backward compatibility, and is overridden by the one in `encryption_configuration`
      replica_kms_key_id = optional(string, "")
      encryption_configuration = optional(object({
        replica_kms_key_id = string
      }))
      access_control_translation = optional(object({
        owner = string
      }))
      # account_id is for backward compatibility, overridden by account
      account_id = optional(string)
      account    = optional(string)
      # For convenience, specifying either metrics or replication_time enables both
      metrics = optional(object({
        event_threshold = optional(object({
          minutes = optional(number, 15) # Currently 15 is the only valid number
        }), { minutes = 15 })
        status = optional(string, "Enabled")
      }), { status = "Disabled" })
      # To preserve backward compatibility, Replication Time Control (RTC) is automatically enabled
      # when metrics are enabled. To enable metrics without RTC, you must explicitly configure
      # replication_time.status = "Disabled".
      replication_time = optional(object({
        time = optional(object({
          minutes = optional(number, 15) # Currently 15 is the only valid number
        }), { minutes = 15 })
        status = optional(string)
      }))
    })

    source_selection_criteria = optional(object({
      replica_modifications = optional(object({
        status = string # Either Enabled or Disabled
      }))
      sse_kms_encrypted_objects = optional(object({
        status = optional(string)
      }))
    }))
    # filter.prefix overrides top level prefix
    filter = optional(object({
      prefix = optional(string)
      tags   = optional(map(string), {})
    }))
  }))
| `null` | no | | [s3\_replication\_source\_roles](#input\_s3\_replication\_source\_roles) | Cross-account IAM Role ARNs that will be allowed to perform S3 replication to this bucket (for replication within the same AWS account, it's not necessary to adjust the bucket policy). | `list(string)` | `[]` | no | | [source\_ip\_allow\_list](#input\_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket | `list(string)` | `[]` | no | -| [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents (in JSON) that are merged together into the exported document.
Statements defined in source\_policy\_documents must have unique SIDs.
Statement having SIDs that match policy SIDs generated by this module will override them. | `list(string)` | `[]` | no | +| [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents (in JSON) that are merged together into the exported document.
Statements defined in source\_policy\_documents must have unique SIDs.
Statement having SIDs that match policy SIDs generated by this module will override them. | `list(string)` | `[]` | no | | [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"AES256"` | no | | [ssm\_base\_path](#input\_ssm\_base\_path) | The base path for SSM parameters where created IAM user's access key is stored | `string` | `"/s3_user/"` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [store\_access\_key\_in\_ssm](#input\_store\_access\_key\_in\_ssm) | Set to `true` to store the created IAM user's access key in SSM Parameter Store,
`false` to store them in Terraform state as outputs.
Since Terraform state would contain the secrets in plaintext,
use of SSM Parameter Store is recommended. | `bool` | `false` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [store\_access\_key\_in\_ssm](#input\_store\_access\_key\_in\_ssm) | Set to `true` to store the created IAM user's access key in SSM Parameter Store,
`false` to store them in Terraform state as outputs.
Since Terraform state would contain the secrets in plaintext,
use of SSM Parameter Store is recommended. | `bool` | `false` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [transfer\_acceleration\_enabled](#input\_transfer\_acceleration\_enabled) | Set this to `true` to enable S3 Transfer Acceleration for the bucket.
Note: When this is set to `false` Terraform does not perform drift detection
and will not disable Transfer Acceleration if it was enabled outside of Terraform.
To disable it via Terraform, you must set this to `true` and then to `false`.
Note: not all regions support Transfer Acceleration. | `bool` | `false` | no | +| [transfer\_acceleration\_enabled](#input\_transfer\_acceleration\_enabled) | Set this to `true` to enable S3 Transfer Acceleration for the bucket.
Note: When this is set to `false` Terraform does not perform drift detection
and will not disable Transfer Acceleration if it was enabled outside of Terraform.
To disable it via Terraform, you must set this to `true` and then to `false`.
Note: not all regions support Transfer Acceleration. | `bool` | `false` | no | | [user\_enabled](#input\_user\_enabled) | Set to `true` to create an IAM user with permission to access the bucket | `bool` | `false` | no | | [user\_permissions\_boundary\_arn](#input\_user\_permissions\_boundary\_arn) | Permission boundary ARN for the IAM user created to access the bucket. | `string` | `null` | no | | [versioning\_enabled](#input\_versioning\_enabled) | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no | -| [website\_configuration](#input\_website\_configuration) | Specifies the static website hosting configuration object | 
list(object({
    index_document = string
    error_document = string
    routing_rules = list(object({
      condition = object({
        http_error_code_returned_equals = string
        key_prefix_equals               = string
      })
      redirect = object({
        host_name               = string
        http_redirect_code      = string
        protocol                = string
        replace_key_prefix_with = string
        replace_key_with        = string
      })
    }))
  }))
| `[]` | no | -| [website\_redirect\_all\_requests\_to](#input\_website\_redirect\_all\_requests\_to) | If provided, all website requests will be redirected to the specified host name and protocol | 
list(object({
    host_name = string
    protocol  = string
  }))
| `[]` | no | +| [website\_configuration](#input\_website\_configuration) | Specifies the static website hosting configuration object | 
list(object({
    index_document = string
    error_document = string
    routing_rules = list(object({
      condition = object({
        http_error_code_returned_equals = string
        key_prefix_equals               = string
      })
      redirect = object({
        host_name               = string
        http_redirect_code      = string
        protocol                = string
        replace_key_prefix_with = string
        replace_key_with        = string
      })
    }))
  }))
| `[]` | no | +| [website\_redirect\_all\_requests\_to](#input\_website\_redirect\_all\_requests\_to) | If provided, all website requests will be redirected to the specified host name and protocol | 
list(object({
    host_name = string
    protocol  = string
  }))
| `[]` | no | ## Outputs | Name | Description | |------|-------------| -| [access\_key\_id](#output\_access\_key\_id) | The access key ID, if `var.user_enabled && var.access_key_enabled`.
While sensitive, it does not need to be kept secret, so this is output regardless of `var.store_access_key_in_ssm`. | +| [access\_key\_id](#output\_access\_key\_id) | The access key ID, if `var.user_enabled && var.access_key_enabled`.
While sensitive, it does not need to be kept secret, so this is output regardless of `var.store_access_key_in_ssm`. | | [access\_key\_id\_ssm\_path](#output\_access\_key\_id\_ssm\_path) | The SSM Path under which the S3 User's access key ID is stored | | [bucket\_arn](#output\_bucket\_arn) | Bucket ARN | | [bucket\_domain\_name](#output\_bucket\_domain\_name) | FQDN of bucket | @@ -136,7 +136,7 @@ | [bucket\_website\_endpoint](#output\_bucket\_website\_endpoint) | The bucket website endpoint, if website is enabled | | [enabled](#output\_enabled) | Is module enabled | | [replication\_role\_arn](#output\_replication\_role\_arn) | The ARN of the replication IAM Role | -| [secret\_access\_key](#output\_secret\_access\_key) | The secret access key will be output if created and not stored in SSM. However, the secret access key, if created,
will be written to the Terraform state file unencrypted, regardless of any other settings.
See the [Terraform documentation](https://www.terraform.io/docs/state/sensitive-data.html) for more details. | +| [secret\_access\_key](#output\_secret\_access\_key) | The secret access key will be output if created and not stored in SSM. However, the secret access key, if created,
will be written to the Terraform state file unencrypted, regardless of any other settings.
See the [Terraform documentation](https://www.terraform.io/docs/state/sensitive-data.html) for more details. | | [secret\_access\_key\_ssm\_path](#output\_secret\_access\_key\_ssm\_path) | The SSM Path under which the S3 User's secret access key is stored | | [user\_arn](#output\_user\_arn) | The ARN assigned by AWS for the user | | [user\_enabled](#output\_user\_enabled) | Is user creation enabled | diff --git a/main.tf b/main.tf index 83993ff4..256b4926 100644 --- a/main.tf +++ b/main.tf @@ -1,7 +1,7 @@ locals { enabled = module.this.enabled partition = join("", data.aws_partition.current[*].partition) - directory_bucket_name = var.create_s3_directory_bucket ? "${local.bucket_name}-${var.availability_zone_id}" : "" + directory_bucket_name = var.s3_directory_bucket_enabled ? "${local.bucket_name}-${var.availability_zone_id}" : "" object_lock_enabled = local.enabled && var.object_lock_configuration != null replication_enabled = local.enabled && var.s3_replication_enabled @@ -615,7 +615,7 @@ resource "aws_s3_bucket_notification" "bucket_notification" { /// Directory Bucket // https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_directory_bucket resource "aws_s3_directory_bucket" "default" { - count = var.create_s3_directory_bucket ? 1 : 0 + count = var.s3_directory_bucket_enabled ? 1 : 0 bucket = local.directory_bucket_name force_destroy = var.force_destroy diff --git a/variables.tf b/variables.tf index 3b9e732b..1b7d77d9 100644 --- a/variables.tf +++ b/variables.tf @@ -493,7 +493,7 @@ variable "event_notification_details" { } } -variable "create_s3_directory_bucket" { +variable "s3_directory_bucket_enabled" { description = "Control the creation of the S3 directory bucket. Set to true to create the bucket, false to skip." type = bool default = false From 1fe36ee35693ec899402d533b139cf7942b26ce5 Mon Sep 17 00:00:00 2001 From: RB <7775707+nitrocode@users.noreply.github.com> Date: Wed, 13 Nov 2024 23:19:28 -0600 Subject: [PATCH 2/2] fix: add missing local.enabled --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 256b4926..40ccda5e 100644 --- a/main.tf +++ b/main.tf @@ -615,7 +615,7 @@ resource "aws_s3_bucket_notification" "bucket_notification" { /// Directory Bucket // https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_directory_bucket resource "aws_s3_directory_bucket" "default" { - count = var.s3_directory_bucket_enabled ? 1 : 0 + count = local.enabled && var.s3_directory_bucket_enabled ? 1 : 0 bucket = local.directory_bucket_name force_destroy = var.force_destroy