From 249183a4742b81e1ae8445ab5824a436b96f211a Mon Sep 17 00:00:00 2001 From: Bruno Amaral Date: Tue, 5 Feb 2019 16:03:25 -0300 Subject: [PATCH 1/7] Add .gitignore file. --- .gitignore | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..16086b0a --- /dev/null +++ b/.gitignore @@ -0,0 +1,33 @@ + +# Created by https://www.gitignore.io/api/terraform +# Edit at https://www.gitignore.io/?templates=terraform + +### Terraform ### +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log + +# Ignore any .tfvars files that are generated automatically for each Terraform run. Most +# .tfvars files are managed as part of configuration and so should be included in +# version control. +# +# example.tfvars + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Include override files you do wish to add to version control using negated pattern +# +# !example_override.tf + +# End of https://www.gitignore.io/api/terraform From da2ec622737d4c7756feac67fe6d3bfa144b6a92 Mon Sep 17 00:00:00 2001 
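Review bot: The template keeps `.tfvars` files tracked by default and only offers a commented-out `# example.tfvars` pattern, yet `.tfvars` is where role ARNs, KMS key ids, account ids and credentials end up when the examples in this series are run locally. A blanket `*.tfvars` exclusion, with an explicit negation for the few variable files that are meant to be shared, is the safer default for a repository that will be cloned and run by others. The `*.tfstate` and `*.tfstate.*` rules are right to keep, since state files hold resource attributes in clear text.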
From: Bruno Amaral Date: Wed, 6 Feb 2019 13:17:53 -0300 Subject: [PATCH 2/7] Add module files and examples. Update README.md --- README.md | 209 +++++++++++++++++++++++++++++ examples/s3-cors/main.tf | 34 +++++ examples/s3-lifecycle-rule/main.tf | 67 +++++++++ examples/s3-logging/main.tf | 32 +++++ examples/s3-replication/main.tf | 48 +++++++ examples/s3-versioning/main.tf | 25 ++++ examples/s3-website/main.tf | 36 +++++ main.tf | 197 +++++++++++++++++++++++++++ outputs.tf | 40 ++++++ variables.tf | 167 +++++++++++++++++++++++ 10 files changed, 855 insertions(+) create mode 100644 examples/s3-cors/main.tf create mode 100644 examples/s3-lifecycle-rule/main.tf create mode 100644 examples/s3-logging/main.tf create mode 100644 examples/s3-replication/main.tf create mode 100644 examples/s3-versioning/main.tf create mode 100644 examples/s3-website/main.tf create mode 100644 main.tf create mode 100644 outputs.tf create mode 100644 variables.tf diff --git a/README.md b/README.md index 31231d29..6b7d0da1 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,211 @@ # terraform-aws-s3-bucket Terraform module which creates S3 bucket resources on AWS + +Terraform module which creates S3 Buckets on AWS. + +These S3 Bucket configurations are supported: + +- cors +- lifecycle-rules +- logging +- replication (Cross Region Replication - CRR)* +- versioning +- website + +``` +These configurations are not supported yet: + +In Cross Region Replication (in replication_configuration/rules block): +- priority (the argument is not supported yet). +- filter (the argument is not supported yet). + +Object Lock Configuration block(object_lock_configuration) (this configuration block is not supported yet). +``` + +# Usage: + +- **Private Bucket** + +``` + module "my_bucket" { + source = "../.." + bucket = "my-tf-test-bucket" + acl = "private" +} +``` + +# Examples: + +* [S3-CORS](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/s3-cors) +* [S3-Lifecycle-Rules](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/s3-lifecycle-rules) +* [S3-Logging](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/s3-logging) +* [S3-Replication](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/s3-replication) +* [S3-Versioning](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/s3-versioning) +* [S3-Website](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/s3-website) + +# Inputs notes: +``` +The Terraform "aws_s3_bucket" resource has some nested configuration blocks and this was translated +to this module as lists of objects. Each configuration block was renamed as it follows: +_inputs +``` + + +``` +module "aws_s3_bucket" { + source = "../.." 
+ bucket = "s3-tf-example-logging" + acl = "private" + + logging_inputs = [ + { + target_bucket = "s3-tf-example-logger" + target_prefix = "log/" + }, + ] +``` +The **logging_inputs** list will be converted to a **logging** configuration block: +``` +logging { + target_bucket = "s3-tf-example-logger" + target_prefix = "log/" +} +``` +# Inputs: +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| bucket | (Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. | string | null | no | +| bucket_prefix | (Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. | string | null | no | +| acl | The canned ACL to apply. Defaults to "private". | string | null | no | +| policy | A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide | string | null | no | +| tags | A mapping of tags to assign to the bucket. | map | null | no | +| force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | boolean | false | no | +| website_inputs | A website object (documented below). | list(object) | null | no | +| cors_rule_inputs | A rule of Cross-Origin Resource Sharing (documented below). | list(object) | null | no | +| versioning_inputs | A state of versioning (documented below) | list(object) | null | no | +| logging_inputs | A settings of bucket logging (documented below). | list(object) | null | no | +| lifecycle_rule_inputs | A configuration of object lifecycle management (documented below). 
| list(object) | null | no | +| acceleration_status | Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. | string | null | no | +| region | If specified, the AWS region this bucket should reside in. Otherwise, the region used by the callee. | string | null | no | +| request_payer | Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. | string | null | no | +| replication_configuration_inputs | A configuration of replication configuration (documented below). | list(object) | null | no | +| server_side_encryption_configuration_inputs | A configuration of server-side encryption configuration (documented below) | list(object) | null | no | +| **object_lock_configuration_inputs** | **(Not implemented yet)** A configuration of S3 object locking (documented below) | list(object) | null | no | + + +# website_inputs: +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| index_document | Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders. | string | yes (unless using redirect_all_requests_to) | +| error_document | An absolute path to the document to return in case of a 4XX error. | string | no | +| redirect_all_requests_to | A hostname to redirect all website requests for this bucket to. Hostname can optionally be prefixed with a protocol (http:// or https://) to use when redirecting requests. The default is the protocol that is used in the original request. | string | no | +| routing_rules | A json array containing routing rules describing redirect behavior and when redirects are applied. | string | no | + +# cors_rule_inputs: +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| allowed_headers | Specifies which headers are allowed. 
| list(string) | no | +| allowed_methods | Specifies which methods are allowed. Can be GET, PUT, POST, DELETE or HEAD. | list(string) | yes | +| allowed_origins | Specifies which origins are allowed. | list(string) | yes | +| expose_headers | Specifies expose header in the response. | list(string) | no | +| max_age_seconds | Specifies time in seconds that browser can cache the response for a preflight request. | number | no |' + +# versioning_inputs +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| enabled | Enable versioning. Once you version-enable a bucket, it can never return to an unversioned state. You can, however, suspend versioning on that bucket. | boolean | no | +| mfa_delete | Enable MFA delete for either Change the versioning state of your bucket or Permanently delete an object version. Default is false. | boolean | no | + +# logging_inputs +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| target_bucket| The name of the bucket that will receive the log objects. | string | yes | +| target_prefix | To specify a key prefix for log objects. | string | no | + +--- + +# lifecycle_rule_inputs +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| id | Unique identifier for the rule. | string | no | +| prefix | Object key prefix identifying one or more objects to which the rule applies. | string | no | +| tags | Specifies object tags key and value. | map | no | +| enabled | Specifies lifecycle rule status. | boolean | yes | +| abort_incomplete_multipart_upload_days | Specifies the number of days after initiating a multipart upload when the multipart be completed. | number | no | +| expiration_inputs | Specifies a period in the object's expire (documented below). | list(object) | no | +| transition_inputs | Specifies a period in the object's transitions (documented below). 
| list(object) | no | +| noncurrent_version_expiration_inputs | Specifies when noncurrent object versions expire (documented below). | list(object) | no | +| noncurrent_version_transition_inputs | Specifies when noncurrent object versions transitions (documented below). | list(object) | no | + +# lifecycle_rule_inputs/expiration_inputs: +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| date | Specifies the date after which you want the corresponding action to take effect. | string | no | +| days | Specifies the number of days after object creation when the specific rule action takes effect. | string | no | +| expired_object_delete_marker | On a versioned bucket (versioning-enabled or versioning-suspended bucket), you can add this element in the lifecycle configuration to direct Amazon S3 to delete expired object delete markers. | string | no | + +# lifecycle_rule_inputs/transition_inputs: +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| date | Specifies the date after which you want the corresponding action to take effect. | string | no | +| days | Specifies the number of days after object creation when the specific rule action takes effect. | string | no | +| storage_class | Specifies the Amazon S3 storage class to which you want the object to transition. Can be ONEZONE_IA, STANDARD_IA, INTELLIGENT_TIERING, or GLACIER. | string | yes | + +# lifecycle_rule_inputs/noncurrent_version_expiration: +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| days | Specifies the number of days after object creation when the specific rule action takes effect. | string | yes | + +# lifecycle_rule_inputs/noncurrent_version_transition: +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| days | Specifies the number of days after object creation when the specific rule action takes effect. 
| string | yes | +| storage_class | Specifies the Amazon S3 storage class to which you want the object to transition. Can be ONEZONE_IA, STANDARD_IA, INTELLIGENT_TIERING, or GLACIER. | string | yes | + +--- + +# replication_configuration_inputs +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| role | The ARN of the IAM role for Amazon S3 to assume when replicating the objects. | string | yes | +| rules_inputs | Specifies the rules managing the replication (documented below). | list(object) | yes | + +# replication_configuration_inputs/rules_inputs: +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| id | Unique identifier for the rule.| string | no | +| destination | Specifies the destination for the rule (documented below).| list(object) | yes | +| source_selection_criteria | Specifies special object selection criteria (documented below).| list(object) | no | +| prefix | Object keyname prefix identifying one or more objects to which the rule applies.| string | no | +| status | The status of the rule. Either Enabled or Disabled. The rule is ignored if status is not Enabled.| string | yes | + + + + +# replication_configuration_inputs/rules_inputs/destination_inputs: +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| bucket | The ARN of the S3 bucket where you want Amazon S3 to store replicas of the object identified by the rule. | string | yes | +| storage_class | The class of storage used to store the object. Can be STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, or GLACIER. | string | no | +| replica_kms_key_id | Destination KMS encryption key ARN for SSE-KMS replication. Must be used in conjunction with sse_kms_encrypted_objects source selection criteria. | string | no | +| access_control_translation | Specifies the overrides to use for object owners on replication. Must be used in conjunction with account_id owner override configuration. 
| list(object) | no | +| account_id | The Account ID to use for overriding the object owner on replication. Must be used in conjunction with access_control_translation override configuration. | string | no | + +# replication_configuration_inputs/rules_inputs/destination_inputs/access_control_translation_inputs: +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| owner | The override value for the owner on replicated objects. Currently only Destination is supported. | string | yes | + +# replication_configuration_inputs/rules_inputs/source_selection_criteria_inputs: +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| enabled | Boolean which indicates if this criteria is enabled.(It refers to _sse_kms_encrypted_objects/enabled_ config.) | boolean | yes | + +--- + +# server_side_encryption_configuration_inputs: +| Name | Description | Type | Required | +|------|-------------|:----:|:-----:| +| sse_algorithm | The server-side encryption algorithm to use. Valid values are AES256 and aws:kms (It refers to server_side_encryption_configuration/rule/apply_server_side_encryption_by_default/sse_algorithm ) | string | yes | +| kms_master_key_id | The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms. (It refers to server_side_encryption_configuration/rule/apply_server_side_encryption_by_default/kms_master_key_id ) | string | no | + diff --git a/examples/s3-cors/main.tf b/examples/s3-cors/main.tf new file mode 100644 index 00000000..45eea912 --- /dev/null +++ b/examples/s3-cors/main.tf 
@@ -0,0 +1,34 @@ +variable "region" { + default = "us-west-2" +} + +# Configure the AWS Provider +provider "aws" { + region = var.region +} + +// Calling module: + +module "aws_s3_bucket" { + source = "../.." + bucket = "s3-tf-example-cors" + acl = "private" + + cors_rule_inputs =[ + { + allowed_headers = ["*"] + allowed_methods = ["PUT","POST"] + allowed_origins = ["https://s3-website-test.hashicorp.com","https://s3-website-test.hashicorp.io"] + expose_headers = ["ETag"] + max_age_seconds = 3000 + }, + { + allowed_headers = ["*"] + allowed_methods = ["GET"] + allowed_origins = ["https://s3-website-test.hashicorp.io"] + expose_headers = ["ETag"] + max_age_seconds = 3000 + }, + ] + +} \ No newline at end of file diff --git a/examples/s3-lifecycle-rule/main.tf b/examples/s3-lifecycle-rule/main.tf new file mode 100644 index 00000000..29ab16ab --- /dev/null +++ b/examples/s3-lifecycle-rule/main.tf 
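Review bot: `cors_rule_inputs =[` is not `terraform fmt` output and the file ends without a trailing newline (`\ No newline at end of file`); running `terraform fmt` over the examples would normalise spacing and `=` alignment in one go. The same applies to examples/s3-lifecycle-rule/main.tf, examples/s3-versioning/main.tf (where `versioning_inputs = [` sits at column 0 inside the module block) and examples/s3-website/main.tf. The comment style also alternates between `# Configure the AWS Provider` and `// Calling module:` within the same file; picking one form keeps the examples uniform.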
@@ -0,0 +1,67 @@ +variable "region" { + default = "us-west-2" +} + +# Configure the AWS Provider +provider "aws" { + region = var.region +} + +// Calling module: + +module "aws_s3_bucket" { + source = "../.." + bucket = "s3-tf-example-lifecycle" + acl = "private" + + lifecycle_rule_inputs = [{ + id = "log" + enabled = true + prefix = "log/" + abort_incomplete_multipart_upload_days = null + tags = { + "rule" = "log" + "autoclean" = "true" + } + + expiration_inputs = [{ + days = 90 + date = null + expired_object_delete_marker = null + }, + ] + transition_inputs = [] + noncurrent_version_transition_inputs = [] + noncurrent_version_expiration_inputs = [] + + }, + { + id = "log1" + enabled = true + prefix = "log1/" + abort_incomplete_multipart_upload_days = null + tags = { + "rule" = "log1" + "autoclean" = "true" + } + + expiration_inputs = [] + transition_inputs = [] + noncurrent_version_transition_inputs = [ + { + days = 30 + storage_class = "STANDARD_IA" + }, + { + days = 60 + storage_class = "ONEZONE_IA" + }, + { + days = 90 + storage_class = "GLACIER" + }, + ] + noncurrent_version_expiration_inputs = [] + }, + ] +} \ No newline at end of file diff --git a/examples/s3-logging/main.tf b/examples/s3-logging/main.tf new file mode 100644 index 00000000..2c327db8 --- /dev/null +++ b/examples/s3-logging/main.tf @@ -0,0 +1,32 @@ +variable "region" { + default = "us-west-2" +} + +# Configure the AWS Provider +provider "aws" { + region = var.region +} + +// Calling module: + +module "log_bucket" { + source = "../.." + bucket = "s3-tf-example-logger" + acl = "log-delivery-write" + + +} + +module "aws_s3_bucket" { + source = "../.." + bucket = "s3-tf-example-logging" + acl = "private" + + logging_inputs = [ + { + target_bucket = "s3-tf-example-logger" + target_prefix = "log/" + }, + ] + +} diff --git a/examples/s3-replication/main.tf b/examples/s3-replication/main.tf new file mode 100644 index 00000000..ba945ca2 --- /dev/null +++ b/examples/s3-replication/main.tf 
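Review bot: In examples/s3-logging/main.tf, `target_bucket = "s3-tf-example-logger"` inside module "aws_s3_bucket" repeats the log bucket's name as a literal instead of referencing module "log_bucket", so Terraform sees no dependency between the two modules and may apply the logging configuration before the target bucket exists. Referencing the log bucket module's output, e.g. `target_bucket = module.log_bucket.id` assuming outputs.tf in this commit exposes an `id` output, both orders creation correctly and keeps the two names from drifting apart. The double blank line inside module "log_bucket" looks like a leftover and `terraform fmt` would collapse it.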
@@ -0,0 +1,48 @@ +variable "region" { + default = "ca-central-1" +} + +# Configure the AWS Provider +provider "aws" { + region = var.region +} + +module "bucket" { + source = "../.." + bucket = "s3-tf-example-replication" + acl = "private" + + versioning_inputs = [ + { + enabled = true + mfa_delete = null + }, + ] + + replication_configuration_inputs = [ + { + role = "" // Place the IAM Role to access the destination bucket + + rules_inputs = [ + { + id = "foobar" + prefix = "foo" + status = "Enabled" + priority = null + source_selection_criteria_inputs = null + filter_inputs = null + + destination_inputs = [ + { + bucket = "" // Place the destination bicket ARN + storage_class = "STANDARD" + replica_kms_key_id = null + account_id = null + access_control_translation_inputs = null + }, + ] + }, + ] + }, + ] +} diff --git a/examples/s3-versioning/main.tf b/examples/s3-versioning/main.tf new file mode 100644 index 00000000..fd847773 --- /dev/null +++ b/examples/s3-versioning/main.tf @@ -0,0 +1,25 @@ +variable "region" { + default = "us-west-2" +} + +# Configure the AWS Provider +provider "aws" { + region = var.region +} + +// Calling module: + +module "aws_s3_bucket" { + source = "../.." + bucket = "s3-tf-example-versioning" + acl = "private" + +versioning_inputs = [ + { + enabled = true + mfa_delete = null + }, +] + + +} \ No newline at end of file diff --git a/examples/s3-website/main.tf b/examples/s3-website/main.tf new file mode 100644 index 00000000..fb35bce9 --- /dev/null +++ b/examples/s3-website/main.tf 
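Review bot: `role = ""` and `bucket = ""` ship empty strings where an IAM role ARN and a destination bucket ARN are required, so the example fails at apply until edited; declaring them as input variables without defaults (for instance `variable "replication_role_arn" {}` and `variable "destination_bucket_arn" {}`) makes the required input explicit and lets `terraform plan` prompt for it. The destination comment reads `// Place the destination bicket ARN`; `bicket` should be `bucket`. S3 replication also requires versioning on the destination bucket, not only on the source configured in `versioning_inputs` here, and a one-line comment next to `bucket = ""` saying so would spare users an unhelpful apply error.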
@@ -0,0 +1,36 @@ +variable "region" { + default = "us-west-2" +} + +# Configure the AWS Provider +provider "aws" { + region = var.region +} + +// Calling module: + +module "aws_s3_bucket" { + source = "../.." + bucket = "s3-tf-example-website" + acl = "private" + +website_inputs = [ + { + index_document = "index.html" + error_document = "error.html" + redirect_all_requests_to = null + routing_rules = < Date: Wed, 6 Feb 2019 15:58:12 -0300 Subject: [PATCH 3/7] Add outputs to README.md --- README.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6b7d0da1..0e172856 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,6 @@ # terraform-aws-s3-bucket Terraform module which creates S3 bucket resources on AWS -Terraform module which creates S3 Buckets on AWS. - These S3 Bucket configurations are supported: - cors 
@@ -209,3 +207,14 @@ logging { | sse_algorithm | The server-side encryption algorithm to use. Valid values are AES256 and aws:kms (It refers to server_side_encryption_configuration/rule/apply_server_side_encryption_by_default/sse_algorithm ) | string | yes | | kms_master_key_id | The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms. (It refers to server_side_encryption_configuration/rule/apply_server_side_encryption_by_default/kms_master_key_id ) | string | no | +# outputs +| Name | Description | +|------|-------------| +| id | The name of the bucket. | +| arn | The ARN of the bucket. Will be of format arn:aws:s3:::bucketname. | +| bucket_domain_name | The bucket domain name. Will be of format bucketname.s3.amazonaws.com. | +| bucket_regional_domain_name | The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL. | +| hosted_zone_id | The Route 53 Hosted Zone ID for this bucket's region. | +| region | The AWS region this bucket resides in. | +| website_endpoint | The website endpoint, if the bucket is configured with a website. If not, this will be an empty string. | +| website_domain | The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records. \ No newline at end of file From e347cbd8a1c7c9ffb29e79d2fc31d93b5d864fb9 Mon Sep 17 00:00:00 2001 From: Bruno Amaral Date: Fri, 8 Feb 2019 14:31:16 -0300 Subject: [PATCH 4/7] Update README.md --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 0e172856..547c8dff 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,9 @@ # terraform-aws-s3-bucket Terraform module which creates S3 bucket resources on AWS +__terraform-aws-s3-bucket module compatible with terraform 0.12+ dev version. +To run the examples, please compile Terraform from the master branch at https://github.com/hashicorp/terraform and use the plugins from "alpha4" release(https://github.com/hashicorp/terraform/releases/tag/v0.12.0-alpha4).__ + These S3 Bucket configurations are supported: - cors @@ -217,4 +220,4 @@ logging { | hosted_zone_id | The Route 53 Hosted Zone ID for this bucket's region. | | region | The AWS region this bucket resides in. | | website_endpoint | The website endpoint, if the bucket is configured with a website. If not, this will be an empty string. | -| website_domain | The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records. \ No newline at end of file +| website_domain | The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records. From fe3854949e2e7692fe6654b2021216dbe3c740e2 Mon Sep 17 00:00:00 2001 From: Bruno Amaral Date: Thu, 23 May 2019 10:40:56 -0300 Subject: [PATCH 5/7] Update README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 547c8dff..e7ae87df 100644 --- a/README.md +++ b/README.md 
@@ -1,8 +1,7 @@ # terraform-aws-s3-bucket Terraform module which creates S3 bucket resources on AWS -__terraform-aws-s3-bucket module compatible with terraform 0.12+ dev version. -To run the examples, please compile Terraform from the master branch at https://github.com/hashicorp/terraform and use the plugins from "alpha4" release(https://github.com/hashicorp/terraform/releases/tag/v0.12.0-alpha4).__ +__terraform-aws-s3-bucket module compatible with terraform 0.12+.__ These S3 Bucket configurations are supported: From 425ba2f449759568ed3f19a3d9412b2d9a665bdb Mon Sep 17 00:00:00 2001 From: bamaralf Date: Thu, 16 Jun 2022 12:26:53 -0300 Subject: [PATCH 6/7] Add the inteligent tiering configuration to the module --- .gitignore | 34 ---------------------------------- README.md | 2 ++ examples/complete/main.tf | 25 +++++++++++++++++++++++++ main.tf | 34 +++++++++++++++++++++++++++++++--- variables.tf | 6 ++++++ wrappers/main.tf | 1 + 6 files changed, 65 insertions(+), 37 deletions(-) diff --git a/.gitignore b/.gitignore index 8635d3ee..bd2b8f33 100644 --- a/.gitignore +++ b/.gitignore @@ -1,21 +1,9 @@ -<<<<<<< HEAD -<<<<<<< HEAD - -# Created by https://www.gitignore.io/api/terraform -# Edit at https://www.gitignore.io/?templates=terraform - -### Terraform ### -# Local .terraform directories -**/.terraform/* - -======= # Local .terraform directories **/.terraform/* # Terraform lockfile .terraform.lock.hcl ->>>>>>> upstream/master # .tfstate files *.tfstate *.tfstate.* 
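Review bot: The three hunks in .gitignore (this one and the two that follow) remove committed merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> upstream/master`), which is unrelated to the intelligent-tiering feature in the commit subject and would be easier to bisect and review as its own commit. The surviving context line `# Exclude all .tfvars files, which are likely to contain sentitive data` keeps the typo `sentitive`; correcting it to `sensitive` while the file is being rewritten is cheap. The resulting rules drop the old template's advice to keep `.tfvars` tracked, which is the right default since those files commonly hold credentials and account-specific identifiers.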
@@ -23,19 +11,11 @@ # Crash log files crash.log -<<<<<<< HEAD -# Ignore any .tfvars files that are generated automatically for each Terraform run. Most -# .tfvars files are managed as part of configuration and so should be included in -# version control. -# -# example.tfvars -======= # Exclude all .tfvars files, which are likely to contain sentitive data, such as # password, private keys, and other secrets. These should not be part of version # control as they are data points which are potentially sensitive and subject # to change depending on the environment. *.tfvars ->>>>>>> upstream/master # Ignore override files as they are usually used to override resources locally and so # are not checked in @@ -44,22 +24,8 @@ override.tf.json *_override.tf *_override.tf.json -<<<<<<< HEAD -# Include override files you do wish to add to version control using negated pattern -# -# !example_override.tf - -# End of https://www.gitignore.io/api/terraform -======= -.terraform -terraform.tfstate -*.tfstate* -terraform.tfvars ->>>>>>> upstream/master -======= # Ignore CLI configuration files .terraformrc terraform.rc *.zip ->>>>>>> upstream/master diff --git a/README.md b/README.md index 4c05bcf1..9b1ee990 100644 --- a/README.md +++ b/README.md 
@@ -138,6 +138,7 @@ No modules.
 | [aws_s3_bucket_accelerate_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_accelerate_configuration) | resource |
 | [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_cors_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource |
+| [aws_s3_bucket_intelligent_tiering_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_intelligent_tiering_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_object_lock_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object_lock_configuration) | resource |
@@ -180,6 +181,7 @@ No modules. | [force\_destroy](#input\_force\_destroy) | (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no | | [grant](#input\_grant) | An ACL policy grant. Conflicts with `acl` | `any` | `[]` | no | | [ignore\_public\_acls](#input\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | `false` | no | +| [intelligent\_tiering\_config](#input\_intelligent\_tiering\_config) | Map containing inteligent tiering config encryption configuration. | `any` | `{}` | no | | [lifecycle\_rule](#input\_lifecycle\_rule) | List of maps containing configuration of object lifecycle management. | `any` | `[]` | no | | [logging](#input\_logging) | Map containing access bucket logging configuration. | `map(string)` | `{}` | no | | [object\_lock\_configuration](#input\_object\_lock\_configuration) | Map containing S3 object locking configuration. | `any` | `{}` | no | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 2b3cebb8..20bd44ee 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -114,6 +114,31 @@ module "s3_bucket" { Owner = "Anton" } + intelligent_tiering_config = { + general = { + status = "Enabled" + filter = { + prefix = "/" + tags = { Environment = "dev" } + } + tiering = { + "ARCHIVE_ACCESS" = { + days = 180 + } + } + }, + documents = { + status = false + filter = { + prefix = "documents/" + } + tiering = { + "ARCHIVE_ACCESS" = { + days = 125 + } + } + } + } # Note: Object Lock configuration can be enabled only on new buckets # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object_lock_configuration object_lock_enabled = true diff --git a/main.tf b/main.tf index cc76cea9..438b4925 100644 --- a/main.tf +++ b/main.tf 
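Review bot: In examples/complete/main.tf, `status = false` in the `documents` entry and `status = "Enabled"` in `general` give the same attribute two different types, which is what forces the awkward mixed-type `status` expression in main.tf; using one representation in both entries, e.g. `status = "Disabled"` for `documents`, keeps the example self-consistent. `prefix = "/"` in the `general` filter matches no ordinary object, since S3 keys do not begin with a slash; a whole-bucket configuration omits the prefix or uses `""`. The quoted `"ARCHIVE_ACCESS"` map keys are valid but unnecessary, and `terraform fmt` will not normalise them. module "s3_bucket" starts before and ends after this hunk.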
@@ -6,9 +6,10 @@ locals {
 attach_policy = var.attach_require_latest_tls_policy || var.attach_elb_log_delivery_policy || var.attach_lb_log_delivery_policy || var.attach_deny_insecure_transport_policy || var.attach_policy
 # Variables with type `any` should be jsonencode()'d when value is coming from Terragrunt
- grants = try(jsondecode(var.grant), var.grant)
- cors_rules = try(jsondecode(var.cors_rule), var.cors_rule)
- lifecycle_rules = try(jsondecode(var.lifecycle_rule), var.lifecycle_rule)
+ grants = try(jsondecode(var.grant), var.grant)
+ cors_rules = try(jsondecode(var.cors_rule), var.cors_rule)
+ lifecycle_rules = try(jsondecode(var.lifecycle_rule), var.lifecycle_rule)
+ intelligent_tiering_config = try(jsondecode(var.intelligent_tiering_config), var.intelligent_tiering_config)
 }
 resource "aws_s3_bucket" "this" {
@@ -707,3 +708,30 @@ resource "aws_s3_bucket_ownership_controls" "this" {
 aws_s3_bucket.this
 ]
 }
+
+resource "aws_s3_bucket_intelligent_tiering_configuration" "this" {
+ for_each = local.create_bucket ? local.intelligent_tiering_config : {}
+ name = each.key
+ bucket = aws_s3_bucket.this[0].id
+ status = each.value.status || each.value.status == "Enabled" ? "Enabled" : "Disabled"
+ dynamic "filter" {
+ for_each = length(try(flatten([each.value.filter]), [])) == 0 ? [true] : []
+ content {
+ prefix = try(filter.value.prefix, null)
+ tags = try(filter.value.tags, null)
+ }
+ }
+ dynamic "tiering" {
+ for_each = each.value.tiering
+ content {
+ access_tier = tiering.key
+ days = tiering.value.days
+ }
+ }
+
+}
diff --git a/variables.tf b/variables.tf
index 447f0ffb..3a114526 100644
--- a/variables.tf
+++ b/variables.tf
@@ -201,3 +201,9 @@ variable "putin_khuylo" {
 type = bool
 default = true
 }
+
+variable "intelligent_tiering_config" {
+ description = "Map containing inteligent tiering config encryption configuration."
+ type = any
+ default = {}
+}
diff --git a/wrappers/main.tf b/wrappers/main.tf
index ea8315c2..5d5498a3 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -37,4 +37,5 @@ module "wrapper" {
 control_object_ownership = try(each.value.control_object_ownership, var.defaults.control_object_ownership, false)
 object_ownership = try(each.value.object_ownership, var.defaults.object_ownership, "ObjectWriter")
 putin_khuylo = try(each.value.putin_khuylo, var.defaults.putin_khuylo, true)
+ intelligent_tiering_config = try(each.value.intelligent_tiering_config, var.defaults.intelligent_tiering_config, {})
 }
From af057b30ae1b72f08e2b3e6bc72413b53dab5dec Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Fri, 17 Jun 2022 21:26:24 +0200
Subject: [PATCH 7/7] Fixed code and examples
---
 README.md | 2 +-
 examples/complete/main.tf | 56 ++++++++++++++++++++++-----------------
 main.tf | 19 ++++++-------
 variables.tf | 12 ++++-----
 wrappers/main.tf | 2 +-
 5 files changed, 49 insertions(+), 42 deletions(-)
diff --git a/README.md b/README.md
index 9b1ee990..8997984f 100644
--- a/README.md
+++ b/README.md
@@ -181,7 +181,7 @@ No modules.
 | [force\_destroy](#input\_force\_destroy) | (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |
 | [grant](#input\_grant) | An ACL policy grant. Conflicts with `acl` | `any` | `[]` | no |
 | [ignore\_public\_acls](#input\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | `false` | no |
-| [intelligent\_tiering\_config](#input\_intelligent\_tiering\_config) | Map containing inteligent tiering config encryption configuration. | `any` | `{}` | no |
+| [intelligent\_tiering](#input\_intelligent\_tiering) | Map containing intelligent tiering configuration. | `any` | `{}` | no |
 | [lifecycle\_rule](#input\_lifecycle\_rule) | List of maps containing configuration of object lifecycle management. | `any` | `[]` | no |
 | [logging](#input\_logging) | Map containing access bucket logging configuration. | `map(string)` | `{}` | no |
 | [object\_lock\_configuration](#input\_object\_lock\_configuration) | Map containing S3 object locking configuration. | `any` | `{}` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 20bd44ee..11473236 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -114,31 +114,6 @@ module "s3_bucket" {
 Owner = "Anton"
 }
- intelligent_tiering_config = {
- general = {
- status = "Enabled"
- filter = {
- prefix = "/"
- tags = { Environment = "dev" }
- }
- tiering = {
- "ARCHIVE_ACCESS" = {
- days = 180
- }
- }
- },
- documents = {
- status = false
- filter = {
- prefix = "documents/"
- }
- tiering = {
- "ARCHIVE_ACCESS" = {
- days = 125
- }
- }
- }
- }
 # Note: Object Lock configuration can be enabled only on new buckets
 # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object_lock_configuration
 object_lock_enabled = true
@@ -318,4 +293,35 @@ module "s3_bucket" {
 }
 },
 ]
+
+ intelligent_tiering = {
+ general = {
+ status = "Enabled"
+ filter = {
+ prefix = "/"
+ tags = {
+ Environment = "dev"
+ }
+ }
+ tiering = {
+ ARCHIVE_ACCESS = {
+ days = 180
+ }
+ }
+ },
+ documents = {
+ status = false
+ filter = {
+ prefix = "documents/"
+ }
+ tiering = {
+ ARCHIVE_ACCESS = {
+ days = 125
+ }
+ DEEP_ARCHIVE_ACCESS = {
+ days = 200
+ }
+ }
+ }
+ }
 }
diff --git a/main.tf b/main.tf
index 438b4925..9da84258 100644
--- a/main.tf
+++ b/main.tf
@@ -6,10 +6,10 @@ locals {
 attach_policy = var.attach_require_latest_tls_policy || var.attach_elb_log_delivery_policy || var.attach_lb_log_delivery_policy || var.attach_deny_insecure_transport_policy || var.attach_policy
 # Variables with type `any` should be jsonencode()'d when value is coming from Terragrunt
- grants = try(jsondecode(var.grant), var.grant)
- cors_rules = try(jsondecode(var.cors_rule), var.cors_rule)
- lifecycle_rules = try(jsondecode(var.lifecycle_rule), var.lifecycle_rule)
- intelligent_tiering_config = try(jsondecode(var.intelligent_tiering_config), var.intelligent_tiering_config)
+ grants = try(jsondecode(var.grant), var.grant)
+ cors_rules = try(jsondecode(var.cors_rule), var.cors_rule)
+ lifecycle_rules = try(jsondecode(var.lifecycle_rule), var.lifecycle_rule)
+ intelligent_tiering = try(jsondecode(var.intelligent_tiering), var.intelligent_tiering)
 }
 resource "aws_s3_bucket" "this" {
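Review bot: The `prefix = "/"` filter in the new `general` entry presumably is meant to cover the whole bucket, but an S3 prefix is matched literally against the object key, so as far as I can tell it would only select keys that actually begin with a slash. To apply the configuration bucket-wide the `prefix` line should be dropped (the module already tolerates a missing `filter.prefix` via `try(each.value.filter.prefix, null)`), or the intent documented with `# prefix is matched literally against the key; "/" only selects keys that start with "/"`. The `status = false` entry would also benefit from a one-line comment such as `# booleans are translated to Enabled/Disabled by the module`, since nothing in the example says both forms are accepted. The enclosing `module "s3_bucket"` block starts outside the hunk.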
@@ -710,18 +710,19 @@ resource "aws_s3_bucket_ownership_controls" "this" {
 }
 resource "aws_s3_bucket_intelligent_tiering_configuration" "this" {
- for_each = local.create_bucket ? local.intelligent_tiering_config : {}
+ for_each = { for k, v in local.intelligent_tiering : k => v if local.create_bucket }
 name = each.key
 bucket = aws_s3_bucket.this[0].id
- status = each.value.status || each.value.status == "Enabled" ? "Enabled" : "Disabled"
+ status = try(tobool(each.value.status) ? "Enabled" : "Disabled", title(lower(each.value.status)), null)
+ # Max 1 block - filter
 dynamic "filter" {
- for_each = length(try(flatten([each.value.filter]), [])) == 0 ? [true] : []
+ for_each = length(try(flatten([each.value.filter]), [])) == 0 ? [] : [true]
 content {
- prefix = try(filter.value.prefix, null)
- tags = try(filter.value.tags, null)
+ prefix = try(each.value.filter.prefix, null)
+ tags = try(each.value.filter.tags, null)
 }
 }
diff --git a/variables.tf b/variables.tf
index 3a114526..c1d09f1b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -148,6 +148,12 @@ variable "server_side_encryption_configuration" {
 default = {}
 }
+variable "intelligent_tiering" {
+ description = "Map containing intelligent tiering configuration."
+ type = any
+ default = {}
+}
+
 variable "object_lock_configuration" {
 description = "Map containing S3 object locking configuration."
 type = any
@@ -201,9 +207,3 @@ variable "putin_khuylo" {
 type = bool
 default = true
 }
-
-variable "intelligent_tiering_config" {
- description = "Map containing inteligent tiering config encryption configuration."
- type = any
- default = {}
-}
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 5d5498a3..1d1f7af5 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
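Review bot: The new `status = try(tobool(each.value.status) ? "Enabled" : "Disabled", title(lower(each.value.status)), null)` line is where the accepted input forms are defined, yet nothing documents them: an entry without a `status` key makes both try() branches fail and the attribute becomes null, and any other string (e.g. "on") is passed through title-cased for the provider to reject at plan time, which fails safe but will surprise callers of a `type = any` variable. A comment above the line such as `# status: true/false or "Enabled"/"Disabled" in any case; other strings pass through title-cased and fail provider validation; missing key -> null` would make that explicit. The `# Max 1 block - filter` guard also appears to still emit an empty filter block for an explicit `filter = null`, because `flatten([null])` is a one-element list; `for_each = try(each.value.filter != null, false) ? [true] : []` would cover both the missing-key and the null case. The resource block continues past the hunk with the `tiering` block, which this commit does not touch.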
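Review bot: The new `variable "intelligent_tiering"` keeps `type = any`, so its description is the only schema a caller sees, and "Map containing intelligent tiering configuration." does not say which keys are read. Based on how main.tf consumes it, a description like `Map of intelligent tiering configurations keyed by configuration name; each value has status (bool or Enabled/Disabled), an optional filter = { prefix, tags } and tiering = { <ACCESS_TIER> = { days } }` would document the contract without changing the type. The sibling `object_lock_configuration` variable visible in this hunk follows the same `type = any` pattern, so this is a documentation point rather than a typing change.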
@@ -28,6 +28,7 @@ module "wrapper" {
 lifecycle_rule = try(each.value.lifecycle_rule, var.defaults.lifecycle_rule, [])
 replication_configuration = try(each.value.replication_configuration, var.defaults.replication_configuration, {})
 server_side_encryption_configuration = try(each.value.server_side_encryption_configuration, var.defaults.server_side_encryption_configuration, {})
+ intelligent_tiering = try(each.value.intelligent_tiering, var.defaults.intelligent_tiering, {})
 object_lock_configuration = try(each.value.object_lock_configuration, var.defaults.object_lock_configuration, {})
 object_lock_enabled = try(each.value.object_lock_enabled, var.defaults.object_lock_enabled, false)
 block_public_acls = try(each.value.block_public_acls, var.defaults.block_public_acls, false)
@@ -37,5 +38,4 @@ module "wrapper" {
 control_object_ownership = try(each.value.control_object_ownership, var.defaults.control_object_ownership, false)
 object_ownership = try(each.value.object_ownership, var.defaults.object_ownership, "ObjectWriter")
 putin_khuylo = try(each.value.putin_khuylo, var.defaults.putin_khuylo, true)
- intelligent_tiering_config = try(each.value.intelligent_tiering_config, var.defaults.intelligent_tiering_config, {})
 }