From 0919cfbe8963646487d173ea0274957dde7e83c3 Mon Sep 17 00:00:00 2001 From: Herman Wong Date: Tue, 16 Jan 2024 11:34:18 -1000 Subject: [PATCH 1/3] Precommit/linting fixes. --- README.md | 88 ++++++++++++++++++++++++++++++++++- main.tf | 36 +++++--------- outputs.tf | 8 ++-- providers.tf | 2 +- variables.tf | 129 +-------------------------------------------------- 5 files changed, 105 insertions(+), 158 deletions(-) diff --git a/README.md b/README.md index 5df2ace..04e0b3d 100644 --- a/README.md +++ b/README.md @@ -165,4 +165,90 @@ No modules. ### Copyright -Copyright © 2023 Coalfire Systems Inc. \ No newline at end of file +Copyright © 2023 Coalfire Systems Inc. +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >=1.5.0 | +| [aws](#requirement\_aws) | ~> 5.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 5.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_s3_bucket.s3_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_accelerate_configuration.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_accelerate_configuration) | resource | +| [aws_s3_bucket_cors_configuration.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource | +| [aws_s3_bucket_lifecycle_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_logging.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_object_lock_configuration.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object_lock_configuration) | resource | +| [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | +| [aws_s3_bucket_policy.s3_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_request_payment_configuration.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_request_payment_configuration) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_s3_bucket_website_configuration.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [acceleration\_status](#input\_acceleration\_status) | Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended | `bool` | `false` | no | +| [attach\_deny\_insecure\_transport\_policy](#input\_attach\_deny\_insecure\_transport\_policy) | Controls if S3 bucket should have deny non-SSL transport policy attached | `bool` | `false` | no | +| [attach\_elb\_log\_delivery\_policy](#input\_attach\_elb\_log\_delivery\_policy) | Controls if S3 bucket should have ELB log delivery policy attached | `bool` | `false` | no | +| [attach\_lb\_log\_delivery\_policy](#input\_attach\_lb\_log\_delivery\_policy) | Controls if S3 bucket should have ALB/NLB log delivery policy attached | `bool` | `false` | no | +| [attach\_policy](#input\_attach\_policy) | Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy) | `bool` | `false` | no | +| [attach\_public\_policy](#input\_attach\_public\_policy) | Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket) | `bool` | `true` | no | +| [attach\_require\_latest\_tls\_policy](#input\_attach\_require\_latest\_tls\_policy) | Controls if S3 bucket should require the latest version of TLS | `bool` | `false` | no | +| [aws\_iam\_policy\_document](#input\_aws\_iam\_policy\_document) | The text of the policy. Although this is a bucket policy rather than an IAM policy, the aws\_iam\_policy\_document data source may be used, so long as it specifies a principal. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. Note: Bucket policies are limited to 20 KB in size. | `string` | `""` | no | +| [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this bucket. | `bool` | `false` | no | +| [block\_public\_policy](#input\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for this bucket. | `bool` | `false` | no | +| [bucket\_policy](#input\_bucket\_policy) | Conditionally create S3 bucket policy. | `bool` | `false` | no | +| [control\_object\_ownership](#input\_control\_object\_ownership) | Whether to manage S3 Bucket Ownership Controls on this bucket. | `bool` | `false` | no | +| [cors\_rule](#input\_cors\_rule) | CORS Configuration specification for this bucket | 
list(object({
    allowed_headers = list(string)
    allowed_methods = list(string)
    allowed_origins = list(string)
    expose_headers  = list(string)
    max_age_seconds = number
  }))
| `null` | no | +| [create\_bucket](#input\_create\_bucket) | Conditionally create S3 bucket. | `bool` | `true` | no | +| [enable\_kms](#input\_enable\_kms) | Enable KMS key for enable\_server\_side\_encryption | `bool` | `true` | no | +| [enable\_lifecycle\_configuration\_rules](#input\_enable\_lifecycle\_configuration\_rules) | enable or disable lifecycle\_configuration\_rules | `bool` | `false` | no | +| [enable\_server\_side\_encryption](#input\_enable\_server\_side\_encryption) | Enable enable\_server\_side\_encryption | `bool` | `true` | no | +| [error\_document](#input\_error\_document) | he name of the error document for the website | `string` | `"error.html"` | no | +| [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no | +| [ignore\_public\_acls](#input\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | `false` | no | +| [index\_document](#input\_index\_document) | The name of the index document for the website | `string` | `"index.html"` | no | +| [kms\_master\_key\_id](#input\_kms\_master\_key\_id) | The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse\_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse\_algorithm is aws:kms. | `string` | `null` | no | +| [lifecycle\_configuration\_rules](#input\_lifecycle\_configuration\_rules) | A list of lifecycle rules | 
list(object({
    id      = string
    prefix  = string
    enabled = bool
    tags    = map(string)

    enable_glacier_transition            = bool
    enable_deeparchive_transition        = bool
    enable_standard_ia_transition        = bool
    enable_current_object_expiration     = bool
    enable_noncurrent_version_expiration = bool

    abort_incomplete_multipart_upload_days         = number
    noncurrent_version_glacier_transition_days     = number
    noncurrent_version_deeparchive_transition_days = number
    noncurrent_version_expiration_days             = number

    standard_transition_days    = number
    glacier_transition_days     = number
    deeparchive_transition_days = number
    expiration_days             = number
  }))
| `null` | no | +| [logging](#input\_logging) | Logging Object to enable and disable logging | `bool` | `false` | no | +| [name](#input\_name) | Name of S3 bucket | `string` | n/a | yes | +| [object\_lock\_configuration](#input\_object\_lock\_configuration) | With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | 
object({
    mode  = string #Valid values are GOVERNANCE and COMPLIANCE.
    days  = number
    years = number
  })
| `null` | no | +| [object\_ownership](#input\_object\_ownership) | Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. | `string` | `"ObjectWriter"` | no | +| [redirect](#input\_redirect) | The redirect behavior for every request to this bucket's website endpoint | `string` | `"documents/"` | no | +| [request\_payer](#input\_request\_payer) | Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer | `bool` | `false` | no | +| [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for this bucket. | `bool` | `false` | no | +| [routing\_rule](#input\_routing\_rule) | List of rules that define when a redirect is applied and the redirect behavior | `string` | `"docs/"` | no | +| [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are AES256 and aws:kms. | `string` | `"AES256"` | no | +| [tags](#input\_tags) | Additional tags (e.g. map(`BusinessUnit`,`XYZ`). | `map(any)` | `{}` | no | +| [target\_bucket](#input\_target\_bucket) | The bucket where you want Amazon S3 to store server access logs. | `string` | `""` | no | +| [target\_prefix](#input\_target\_prefix) | A prefix for all log object keys. | `string` | `""` | no | +| [versioning](#input\_versioning) | Enable Versioning of S3. | `bool` | `true` | no | +| [website\_config\_enable](#input\_website\_config\_enable) | enable or disable aws\_s3\_bucket\_website\_configuration | `bool` | `false` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | The ARN of the s3 bucket. | +| [bucket\_domain\_name](#output\_bucket\_domain\_name) | The Domain of the s3 bucket. | +| [id](#output\_id) | The ID of the s3 bucket. | +| [key\_iam](#output\_key\_iam) | The Domain of the s3 bucket. | + diff --git a/main.tf b/main.tf index 423eaae..1fe0c8b 100644 --- a/main.tf +++ b/main.tf @@ -9,28 +9,28 @@ resource "aws_s3_bucket" "s3_default" { resource "aws_s3_bucket_policy" "s3_default" { count = var.bucket_policy == true ? 1 : 0 - bucket = join("", aws_s3_bucket.s3_default.*.id) + bucket = join("", aws_s3_bucket.s3_default[*].id) policy = var.aws_iam_policy_document } resource "aws_s3_bucket_accelerate_configuration" "example" { count = var.create_bucket && var.acceleration_status == true ? 1 : 0 - bucket = join("", aws_s3_bucket.s3_default.*.id) + bucket = join("", aws_s3_bucket.s3_default[*].id) status = "Enabled" } resource "aws_s3_bucket_request_payment_configuration" "example" { count = var.create_bucket && var.request_payer == true ? 1 : 0 - bucket = join("", aws_s3_bucket.s3_default.*.id) + bucket = join("", aws_s3_bucket.s3_default[*].id) payer = "Requester" } resource "aws_s3_bucket_versioning" "example" { count = var.create_bucket && var.versioning == true ? 1 : 0 - bucket = join("", aws_s3_bucket.s3_default.*.id) + bucket = join("", aws_s3_bucket.s3_default[*].id) versioning_configuration { status = "Enabled" } @@ -38,7 +38,7 @@ resource "aws_s3_bucket_versioning" "example" { resource "aws_s3_bucket_logging" "example" { count = var.create_bucket && var.logging == true ? 1 : 0 - bucket = join("", aws_s3_bucket.s3_default.*.id) + bucket = join("", aws_s3_bucket.s3_default[*].id) target_bucket = var.target_bucket target_prefix = var.target_prefix @@ -46,7 +46,7 @@ resource "aws_s3_bucket_logging" "example" { resource "aws_s3_bucket_server_side_encryption_configuration" "example" { count = var.create_bucket && var.enable_server_side_encryption == true ? 1 : 0 - bucket = join("", aws_s3_bucket.s3_default.*.id) + bucket = join("", aws_s3_bucket.s3_default[*].id) rule { apply_server_side_encryption_by_default { @@ -59,7 +59,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "example" { resource "aws_s3_bucket_object_lock_configuration" "example" { count = var.create_bucket && var.object_lock_configuration != null ? 1 : 0 - bucket = join("", aws_s3_bucket.s3_default.*.id) + bucket = join("", aws_s3_bucket.s3_default[*].id) object_lock_enabled = "Enabled" @@ -75,7 +75,7 @@ resource "aws_s3_bucket_object_lock_configuration" "example" { resource "aws_s3_bucket_cors_configuration" "example" { count = var.create_bucket && var.cors_rule != null ? 1 : 0 - bucket = join("", aws_s3_bucket.s3_default.*.id) + bucket = join("", aws_s3_bucket.s3_default[*].id) dynamic "cors_rule" { for_each = var.cors_rule == null ? [] : var.cors_rule @@ -93,7 +93,7 @@ resource "aws_s3_bucket_cors_configuration" "example" { resource "aws_s3_bucket_website_configuration" "example" { count = var.create_bucket && var.website_config_enable == true ? 1 : 0 - bucket = join("", aws_s3_bucket.s3_default.*.id) + bucket = join("", aws_s3_bucket.s3_default[*].id) index_document { suffix = var.index_document @@ -113,23 +113,11 @@ resource "aws_s3_bucket_website_configuration" "example" { } } -locals { - acl_grants = var.grants == null ? var.acl_grants : flatten( - [ - for g in var.grants : [ - for p in g.permissions : { - id = g.id - type = g.type - permission = p - uri = g.uri - } - ] - ]) -} - resource "aws_s3_bucket_lifecycle_configuration" "default" { + #checkov:skip=CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads" - False Positive due to dynamic block + count = var.create_bucket && var.enable_lifecycle_configuration_rules == true ? 1 : 0 - bucket = join("", aws_s3_bucket.s3_default.*.id) + bucket = join("", aws_s3_bucket.s3_default[*].id) dynamic "rule" { for_each = var.lifecycle_configuration_rules diff --git a/outputs.tf b/outputs.tf index 32f79c4..b11b42b 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,19 +1,19 @@ output "id" { - value = join("", aws_s3_bucket.s3_default.*.id) + value = join("", aws_s3_bucket.s3_default[*].id) description = "The ID of the s3 bucket." } output "arn" { - value = join("", aws_s3_bucket.s3_default.*.arn) + value = join("", aws_s3_bucket.s3_default[*].arn) description = "The ARN of the s3 bucket." } output "bucket_domain_name" { - value = join("", aws_s3_bucket.s3_default.*.bucket_domain_name) + value = join("", aws_s3_bucket.s3_default[*].bucket_domain_name) description = "The Domain of the s3 bucket." } output "key_iam" { - value = join("", aws_s3_bucket.s3_default.*.bucket_domain_name) + value = join("", aws_s3_bucket.s3_default[*].bucket_domain_name) description = "The Domain of the s3 bucket." } \ No newline at end of file diff --git a/providers.tf b/providers.tf index a8aab0b..5998071 100644 --- a/providers.tf +++ b/providers.tf @@ -5,5 +5,5 @@ terraform { source = "hashicorp/aws" version = "~> 5.0" } -} + } } \ No newline at end of file diff --git a/variables.tf b/variables.tf index bf8921e..4e158c3 100644 --- a/variables.tf +++ b/variables.tf @@ -21,18 +21,6 @@ variable "versioning" { description = "Enable Versioning of S3." } -variable "acl" { - type = string - default = null - description = "Canned ACL to apply to the S3 bucket." -} - -variable "mfa_delete" { - type = bool - default = false - description = "Enable MFA delete for either Change the versioning state of your bucket or Permanently delete an object version." -} - variable "enable_server_side_encryption" { type = bool default = true @@ -54,7 +42,7 @@ variable "enable_kms" { variable "kms_master_key_id" { type = string description = "The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms." - default = null + default = null } variable "enable_lifecycle_configuration_rules" { @@ -90,80 +78,6 @@ variable "lifecycle_configuration_rules" { description = "A list of lifecycle rules" } -variable "lifecycle_infrequent_storage_transition_enabled" { - type = bool - default = false - description = "Specifies infrequent storage transition lifecycle rule status." -} - -variable "lifecycle_infrequent_storage_object_prefix" { - type = string - default = "" - sensitive = true - description = "Object key prefix identifying one or more objects to which the lifecycle rule applies." -} - -variable "lifecycle_days_to_infrequent_storage_transition" { - type = number - default = 60 - description = "Specifies the number of days after object creation when it will be moved to standard infrequent access storage." -} - -variable "lifecycle_glacier_transition_enabled" { - type = bool - default = false - description = "Specifies Glacier transition lifecycle rule status." -} - -variable "lifecycle_glacier_object_prefix" { - type = string - default = "" - sensitive = true - description = "Object key prefix identifying one or more objects to which the lifecycle rule applies." -} - -variable "lifecycle_days_to_deep_archive_transition" { - type = number - default = 180 - description = "Specifies the number of days after object creation when it will be moved to DEEP ARCHIVE ." -} - -variable "lifecycle_deep_archive_transition_enabled" { - type = bool - default = false - description = "Specifies DEEP ARCHIVE transition lifecycle rule status." -} - -variable "lifecycle_deep_archive_object_prefix" { - type = string - default = "" - sensitive = true - description = "Object key prefix identifying one or more objects to which the lifecycle rule applies." -} - -variable "lifecycle_days_to_glacier_transition" { - type = number - default = 180 - description = "Specifies the number of days after object creation when it will be moved to Glacier storage." -} - -variable "lifecycle_expiration_enabled" { - type = bool - default = false - description = "Specifies expiration lifecycle rule status." -} - -variable "lifecycle_expiration_object_prefix" { - type = string - default = "" - description = "Object key prefix identifying one or more objects to which the lifecycle rule applies." -} - -variable "lifecycle_days_to_expiration" { - type = number - default = 365 - description = "Specifies the number of days after object creation when the object expires." -} # Module : S3 BUCKET POLICY # Description : Terraform S3 Bucket Policy module variables. @@ -187,41 +101,6 @@ variable "force_destroy" { description = "A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable." } -variable "bucket_prefix" { - type = string - default = null - description = " (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix." -} - -variable "grants" { - type = list(object({ - id = string - type = string - permissions = list(string) - uri = string - })) - default = null - description = "ACL Policy grant.conflict with acl.set acl null to use this" -} - -variable "acl_grants" { - type = list(object({ - id = string - type = string - permission = string - uri = string - })) - default = null - - description = "A list of policy grants for the bucket. Conflicts with `acl`. Set `acl` to `null` to use this." -} - -variable "owner_id" { - type = string - default = "" - description = "The canonical user ID associated with the AWS account." -} - variable "website_config_enable" { type = bool default = false @@ -303,12 +182,6 @@ variable "cors_rule" { description = "CORS Configuration specification for this bucket" } -variable "replication_configuration" { - description = "Map containing cross-region replication configuration." - type = any - default = {} -} - variable "attach_public_policy" { description = "Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket)" type = bool From 44703470316f02d2d349731871ba117b524e8e7b Mon Sep 17 00:00:00 2001 From: Herman Wong Date: Tue, 16 Jan 2024 12:34:47 -1000 Subject: [PATCH 2/3] Try default lifecycle rules. --- variables.tf | 57 +++++++++++++++++++++++++++++++++------------------- 1 file changed, 36 insertions(+), 21 deletions(-) diff --git a/variables.tf b/variables.tf index 4e158c3..c0dbce1 100644 --- a/variables.tf +++ b/variables.tf @@ -47,34 +47,49 @@ variable "kms_master_key_id" { variable "enable_lifecycle_configuration_rules" { type = bool - default = false + default = true description = "enable or disable lifecycle_configuration_rules" } variable "lifecycle_configuration_rules" { type = list(object({ id = string - prefix = string + prefix = optional(string, null) enabled = bool - tags = map(string) - - enable_glacier_transition = bool - enable_deeparchive_transition = bool - enable_standard_ia_transition = bool - enable_current_object_expiration = bool - enable_noncurrent_version_expiration = bool - - abort_incomplete_multipart_upload_days = number - noncurrent_version_glacier_transition_days = number - noncurrent_version_deeparchive_transition_days = number - noncurrent_version_expiration_days = number - - standard_transition_days = number - glacier_transition_days = number - deeparchive_transition_days = number - expiration_days = number + tags = optional(map(string), null) + + enable_glacier_transition = optional(bool, true) + enable_deeparchive_transition = optional(bool, false) + enable_standard_ia_transition = optional(bool, false) + enable_current_object_expiration = optional(bool, true) + enable_noncurrent_version_expiration = optional(bool, true) + + abort_incomplete_multipart_upload_days = optional(number, null) + noncurrent_version_glacier_transition_days = optional(number, null) + noncurrent_version_deeparchive_transition_days = optional(number, null) + noncurrent_version_expiration_days = optional(number, null) + + standard_transition_days = optional(number, null) + glacier_transition_days = optional(number, null) + deeparchive_transition_days = optional(number, null) + expiration_days = optional(number, null) })) - default = null + default = [ + { + id = "default" + enabled = true + + enable_glacier_transition = true + enable_current_object_expiration = true + enable_noncurrent_version_expiration = true + + abort_incomplete_multipart_upload_days = 1 + noncurrent_version_glacier_transition_days = 90 + noncurrent_version_expiration_days = 365 + glacier_transition_days = 90 + expiration_days = 365 + } + ] description = "A list of lifecycle rules" } @@ -250,4 +265,4 @@ variable "attach_policy" { description = "Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy)" type = bool default = false -} \ No newline at end of file +} From 3af8135aaa1770e5ccc68d1453eda3d0d0f5816b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 16 Jan 2024 22:51:47 +0000 Subject: [PATCH 3/3] terraform-docs: automated action --- README.md | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 04e0b3d..e18d1b0 100644 --- a/README.md +++ b/README.md @@ -83,8 +83,6 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [acceleration\_status](#input\_acceleration\_status) | Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended | `bool` | `false` | no | -| [acl](#input\_acl) | Canned ACL to apply to the S3 bucket. | `string` | `null` | no | -| [acl\_grants](#input\_acl\_grants) | A list of policy grants for the bucket. Conflicts with `acl`. Set `acl` to `null` to use this. | 
list(object({
    id         = string
    type       = string
    permission = string
    uri        = string
  }))
| `null` | no | | [attach\_deny\_insecure\_transport\_policy](#input\_attach\_deny\_insecure\_transport\_policy) | Controls if S3 bucket should have deny non-SSL transport policy attached | `bool` | `false` | no | | [attach\_elb\_log\_delivery\_policy](#input\_attach\_elb\_log\_delivery\_policy) | Controls if S3 bucket should have ELB log delivery policy attached | `bool` | `false` | no | | [attach\_lb\_log\_delivery\_policy](#input\_attach\_lb\_log\_delivery\_policy) | Controls if S3 bucket should have ALB/NLB log delivery policy attached | `bool` | `false` | no | @@ -95,40 +93,23 @@ No modules. | [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this bucket. | `bool` | `false` | no | | [block\_public\_policy](#input\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for this bucket. | `bool` | `false` | no | | [bucket\_policy](#input\_bucket\_policy) | Conditionally create S3 bucket policy. | `bool` | `false` | no | -| [bucket\_prefix](#input\_bucket\_prefix) | (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. | `string` | `null` | no | | [control\_object\_ownership](#input\_control\_object\_ownership) | Whether to manage S3 Bucket Ownership Controls on this bucket. | `bool` | `false` | no | | [cors\_rule](#input\_cors\_rule) | CORS Configuration specification for this bucket | 
list(object({
    allowed_headers = list(string)
    allowed_methods = list(string)
    allowed_origins = list(string)
    expose_headers  = list(string)
    max_age_seconds = number
  }))
| `null` | no | | [create\_bucket](#input\_create\_bucket) | Conditionally create S3 bucket. | `bool` | `true` | no | | [enable\_kms](#input\_enable\_kms) | Enable KMS key for enable\_server\_side\_encryption | `bool` | `true` | no | -| [enable\_lifecycle\_configuration\_rules](#input\_enable\_lifecycle\_configuration\_rules) | enable or disable lifecycle\_configuration\_rules | `bool` | `false` | no | +| [enable\_lifecycle\_configuration\_rules](#input\_enable\_lifecycle\_configuration\_rules) | enable or disable lifecycle\_configuration\_rules | `bool` | `true` | no | | [enable\_server\_side\_encryption](#input\_enable\_server\_side\_encryption) | Enable enable\_server\_side\_encryption | `bool` | `true` | no | | [error\_document](#input\_error\_document) | he name of the error document for the website | `string` | `"error.html"` | no | | [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no | -| [grants](#input\_grants) | ACL Policy grant.conflict with acl.set acl null to use this | 
list(object({
    id          = string
    type        = string
    permissions = list(string)
    uri         = string
  }))
| `null` | no | | [ignore\_public\_acls](#input\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | `false` | no | | [index\_document](#input\_index\_document) | The name of the index document for the website | `string` | `"index.html"` | no | | [kms\_master\_key\_id](#input\_kms\_master\_key\_id) | The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse\_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse\_algorithm is aws:kms. | `string` | `null` | no | -| [lifecycle\_configuration\_rules](#input\_lifecycle\_configuration\_rules) | A list of lifecycle rules | 
list(object({
    id      = string
    prefix  = string
    enabled = bool
    tags    = map(string)

    enable_glacier_transition            = bool
    enable_deeparchive_transition        = bool
    enable_standard_ia_transition        = bool
    enable_current_object_expiration     = bool
    enable_noncurrent_version_expiration = bool

    abort_incomplete_multipart_upload_days         = number
    noncurrent_version_glacier_transition_days     = number
    noncurrent_version_deeparchive_transition_days = number
    noncurrent_version_expiration_days             = number

    standard_transition_days    = number
    glacier_transition_days     = number
    deeparchive_transition_days = number
    expiration_days             = number
  }))
| `null` | no | -| [lifecycle\_days\_to\_deep\_archive\_transition](#input\_lifecycle\_days\_to\_deep\_archive\_transition) | Specifies the number of days after object creation when it will be moved to DEEP ARCHIVE . | `number` | `180` | no | -| [lifecycle\_days\_to\_expiration](#input\_lifecycle\_days\_to\_expiration) | Specifies the number of days after object creation when the object expires. | `number` | `365` | no | -| [lifecycle\_days\_to\_glacier\_transition](#input\_lifecycle\_days\_to\_glacier\_transition) | Specifies the number of days after object creation when it will be moved to Glacier storage. | `number` | `180` | no | -| [lifecycle\_days\_to\_infrequent\_storage\_transition](#input\_lifecycle\_days\_to\_infrequent\_storage\_transition) | Specifies the number of days after object creation when it will be moved to standard infrequent access storage. | `number` | `60` | no | -| [lifecycle\_deep\_archive\_object\_prefix](#input\_lifecycle\_deep\_archive\_object\_prefix) | Object key prefix identifying one or more objects to which the lifecycle rule applies. | `string` | `""` | no | -| [lifecycle\_deep\_archive\_transition\_enabled](#input\_lifecycle\_deep\_archive\_transition\_enabled) | Specifies DEEP ARCHIVE transition lifecycle rule status. | `bool` | `false` | no | -| [lifecycle\_expiration\_enabled](#input\_lifecycle\_expiration\_enabled) | Specifies expiration lifecycle rule status. | `bool` | `false` | no | -| [lifecycle\_expiration\_object\_prefix](#input\_lifecycle\_expiration\_object\_prefix) | Object key prefix identifying one or more objects to which the lifecycle rule applies. | `string` | `""` | no | -| [lifecycle\_glacier\_object\_prefix](#input\_lifecycle\_glacier\_object\_prefix) | Object key prefix identifying one or more objects to which the lifecycle rule applies. | `string` | `""` | no | -| [lifecycle\_glacier\_transition\_enabled](#input\_lifecycle\_glacier\_transition\_enabled) | Specifies Glacier transition lifecycle rule status. | `bool` | `false` | no | -| [lifecycle\_infrequent\_storage\_object\_prefix](#input\_lifecycle\_infrequent\_storage\_object\_prefix) | Object key prefix identifying one or more objects to which the lifecycle rule applies. | `string` | `""` | no | -| [lifecycle\_infrequent\_storage\_transition\_enabled](#input\_lifecycle\_infrequent\_storage\_transition\_enabled) | Specifies infrequent storage transition lifecycle rule status. | `bool` | `false` | no | +| [lifecycle\_configuration\_rules](#input\_lifecycle\_configuration\_rules) | A list of lifecycle rules | 
list(object({
    id      = string
    prefix  = optional(string, null)
    enabled = bool
    tags    = optional(map(string), null)

    enable_glacier_transition            = optional(bool, true)
    enable_deeparchive_transition        = optional(bool, false)
    enable_standard_ia_transition        = optional(bool, false)
    enable_current_object_expiration     = optional(bool, true)
    enable_noncurrent_version_expiration = optional(bool, true)

    abort_incomplete_multipart_upload_days         = optional(number, null)
    noncurrent_version_glacier_transition_days     = optional(number, null)
    noncurrent_version_deeparchive_transition_days = optional(number, null)
    noncurrent_version_expiration_days             = optional(number, null)

    standard_transition_days    = optional(number, null)
    glacier_transition_days     = optional(number, null)
    deeparchive_transition_days = optional(number, null)
    expiration_days             = optional(number, null)
  }))
| 
[
  {
    "abort_incomplete_multipart_upload_days": 1,
    "enable_current_object_expiration": true,
    "enable_glacier_transition": true,
    "enable_noncurrent_version_expiration": true,
    "enabled": true,
    "expiration_days": 365,
    "glacier_transition_days": 90,
    "id": "default",
    "noncurrent_version_expiration_days": 365,
    "noncurrent_version_glacier_transition_days": 90
  }
]
| no | | [logging](#input\_logging) | Logging Object to enable and disable logging | `bool` | `false` | no | -| [mfa\_delete](#input\_mfa\_delete) | Enable MFA delete for either Change the versioning state of your bucket or Permanently delete an object version. | `bool` | `false` | no | | [name](#input\_name) | Name of S3 bucket | `string` | n/a | yes | | [object\_lock\_configuration](#input\_object\_lock\_configuration) | With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. | 
object({
    mode  = string #Valid values are GOVERNANCE and COMPLIANCE.
    days  = number
    years = number
  })
| `null` | no | | [object\_ownership](#input\_object\_ownership) | Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. | `string` | `"ObjectWriter"` | no | -| [owner\_id](#input\_owner\_id) | The canonical user ID associated with the AWS account. | `string` | `""` | no | | [redirect](#input\_redirect) | The redirect behavior for every request to this bucket's website endpoint | `string` | `"documents/"` | no | -| [replication\_configuration](#input\_replication\_configuration) | Map containing cross-region replication configuration. | `any` | `{}` | no | | [request\_payer](#input\_request\_payer) | Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer | `bool` | `false` | no | | [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for this bucket. | `bool` | `false` | no | | [routing\_rule](#input\_routing\_rule) | List of rules that define when a redirect is applied and the redirect behavior | `string` | `"docs/"` | no |