Terraform module to create an AWS S3 Bucket.

IMPORTANT: We do not pin modules to versions in our examples. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable.

Server access logging

Server access logging provides detailed records of the requests made to a bucket and can be useful in security and access audits. However, logging to the same bucket is not recommended and is disabled by this module. See AWS' explanation here:


> Your target bucket should not have server access logging enabled. You can have logs delivered to any bucket that you own that is in the same Region as the source bucket, including the source bucket itself. However, this would cause an infinite loop of logs and is not recommended. For simpler log management, we recommend that you save access logs in a different bucket. Source:

By default, there is no naming schema: the bucket logs are stored in var.logging.target_bucket, using var.logging.target_prefix as the key prefix only. If you want to further control the log object key format, var.logging.target_object_key_format can be used. You have two options to control the format:

Simple prefix, which uses the following format for the log file: [target_prefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]

    target_prefix = "log/"
    target_object_key_format = {
      format_type = "simple"
    }

Or partitioned prefix, which uses the following format for the log file, with partitioned folders: [target_prefix][SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]

    target_prefix = "log/"
    target_object_key_format = {
      format_type           = "partitioned"
      partition_date_source = "EventTime" # DeliveryTime is default
    }
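The two-bucket layout the text above recommends, wired end to end with this module's `name`, `logging` and `logging_source_bucket_arns` inputs and its `name` output. This is an added example, not code from the module's README or its examples directory; the `source` string and the bucket names are assumptions (the page does not state the module's registry path), so substitute your own.

```hcl
# Added example (not the module's own code). The module source below is an
# assumption; point it at wherever you consume this module from.

# 1. The log target: a bucket that receives access logs but never writes its
#    own. Leaving `logging` at its default (null) keeps server access logging
#    off on this bucket, which is exactly the loop AWS warns about.
module "access_logs" {
  source = "schubergphilis/mcaf-s3/aws" # assumption: replace with your module source

  name       = "example-access-logs" # constructed name
  versioning = true

  # Restrict the log-delivery bucket policy to the buckets that are allowed
  # to send logs here, instead of accepting logs from any bucket in the account.
  logging_source_bucket_arns = [
    "arn:aws:s3:::example-data", # constructed; must match module.data's bucket name
  ]
}

# 2. The source bucket: logs its requests into the target bucket above, using
#    the partitioned key format so log objects are grouped per account,
#    region, bucket and day (easier to query and to apply lifecycle rules to).
module "data" {
  source = "schubergphilis/mcaf-s3/aws" # assumption: replace with your module source

  name = "example-data" # constructed name

  logging = {
    target_bucket = module.access_logs.name
    target_prefix = "log/"
    target_object_key_format = {
      format_type           = "partitioned"
      partition_date_source = "EventTime" # partition on when the request happened, not on delivery time
    }
  }
}

output "data_bucket_arn" {
  value = module.data.arn
}
```

The access-log bucket is declared first only for readability; Terraform orders the two modules by the `module.access_logs.name` reference. Choosing `EventTime` as the partition source means the day-folder reflects when a request occurred, which is what an investigation timeline needs; `DeliveryTime` (the default) can lag by hours.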


| Name | Version |
|------|---------|
| terraform | >= 1.4.0 |
| aws | >= 5.27.0 |


| Name | Version |
|------|---------|
| aws | >= 5.27.0 |


| Name | Source | Version |
|------|--------|---------|
| s3_malware_protection_role | schubergphilis/mcaf-role/aws | ~> 0.4.0 |


| Name | Type |
|------|------|
| aws_guardduty_malware_protection_plan.default | resource |
| aws_s3_bucket.default | resource |
| aws_s3_bucket_acl.default | resource |
| aws_s3_bucket_cors_configuration.default | resource |
| aws_s3_bucket_inventory.default | resource |
| aws_s3_bucket_lifecycle_configuration.default | resource |
| aws_s3_bucket_logging.default | resource |
| aws_s3_bucket_notification.eventbridge | resource |
| aws_s3_bucket_object_lock_configuration.default | resource |
| aws_s3_bucket_ownership_controls.default | resource |
| aws_s3_bucket_policy.default | resource |
| aws_s3_bucket_public_access_block.default | resource |
| aws_s3_bucket_replication_configuration.default | resource |
| aws_s3_bucket_server_side_encryption_configuration.default | resource |
| aws_s3_bucket_versioning.default | resource |
| aws_caller_identity.default | data source |
| aws_iam_policy_document.combined | data source |
| aws_iam_policy_document.logging_policy | data source |
| aws_iam_policy_document.malware_protection_policy | data source |
| aws_iam_policy_document.s3_malware_protection_assume_role | data source |
| aws_iam_policy_document.s3_malware_protection_policy | data source |
| aws_iam_policy_document.ssl_policy | data source |
| aws_region.default | data source |


| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| acl | The canned ACL to apply, defaults to private. | `string` | `"private"` | no |
| block_public_acls | Whether Amazon S3 should block public ACLs for this bucket. | `bool` | `true` | no |
| block_public_policy | Whether Amazon S3 should block public bucket policies for this bucket. | `bool` | `true` | no |
| cors_rule | The CORS rule for the S3 bucket | <pre>allowed_headers = list(string)<br>allowed_methods = list(string)<br>allowed_origins = list(string)<br>expose_headers = list(string)<br>max_age_seconds = number</pre> | `null` | no |
| eventbridge_enabled | Whether to enable Amazon EventBridge notifications. | `bool` | `false` | no |
| force_destroy | A boolean that indicates all objects should be deleted when deleting the bucket. | `bool` | `false` | no |
| ignore_public_acls | Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | `true` | no |
| inventory_configuration | Bucket inventory configuration settings | <pre>enabled = optional(bool, true)<br>filter_prefix = optional(string, null)<br>frequency = optional(string, "Weekly")<br>included_object_versions = optional(string, "Current")<br>optional_fields = optional(list(string), null)<br><br>destination = object({<br>  account_id = string<br>  bucket_arn = string<br>  format = optional(string, "Parquet")<br>  prefix = optional(string, null)<br><br>  encryption = optional(object({<br>    encryption_type = string<br>    kms_key_id = optional(string, null)<br>  }), {<br>    encryption_type = "sse_s3"</pre> | `{}` | no |
| kms_key_arn | The KMS key ARN used for the bucket encryption. | `string` | `null` | no |
| lifecycle_rule | List of lifecycle configuration settings. | <pre>id = string<br>enabled = optional(bool, true)<br><br>abort_incomplete_multipart_upload = optional(object({<br>  days_after_initiation = number<br><br>expiration = optional(object({<br>  date = optional(string)<br>  days = optional(number)<br>  expired_object_delete_marker = optional(bool)<br><br>filter = optional(object({<br>  prefix = optional(string, "")<br>  object_size_greater_than = optional(number)<br>  object_size_less_than = optional(number)<br><br>  tag = optional(object({<br>    key = string<br>    value = string<br><br>  # 'and' block for combining multiple predicates<br>  and = optional(object({<br>    object_size_greater_than = optional(number)<br>    object_size_less_than = optional(number)<br>    prefix = optional(string, "")<br>    tags = optional(map(string))<br><br>noncurrent_version_expiration = optional(object({<br>  newer_noncurrent_versions = optional(number)<br>  noncurrent_days = optional(number)<br><br>noncurrent_version_transition = optional(list(object({<br>  newer_noncurrent_versions = optional(number)<br>  noncurrent_days = optional(number)<br>  storage_class = string<br><br>transition = optional(list(object({<br>  date = optional(string)<br>  days = optional(number)<br>  storage_class = string</pre> | `[]` | no |
| logging | Logging configuration, logging is disabled by default. | <pre>target_bucket = string<br>target_prefix = string<br>target_object_key_format = optional(object({<br>  format_type = optional(string) # "simple" or "partitioned"<br>  partition_date_source = optional(string, "DeliveryTime") # Required if format_type is "partitioned", default is DeliveryTime</pre> | `null` | no |
| logging_source_bucket_arns | Configures which source buckets are allowed to log to this bucket. | `list(string)` | `[]` | no |
| malware_protection | AWS GuardDuty malware protection bucket protection settings. | <pre>enabled = optional(bool, false)<br>object_prefixes = optional(list(string), [])<br>permissions_boundary = optional(string, null)</pre> | `{}` | no |
| name | The name of the bucket. If omitted, Terraform will assign a random, unique name. Conflicts with name_prefix. | `string` | `null` | no |
| name_prefix | Creates a unique bucket name beginning with the specified prefix. Conflicts with name. | `string` | `null` | no |
| object_lock_days | The number of days that you want to specify for the default retention period. | `number` | `null` | no |
| object_lock_mode | The default Object Lock retention mode to apply to new objects. | `string` | `null` | no |
| object_lock_years | The number of years that you want to specify for the default retention period. | `number` | `null` | no |
| object_ownership_type | The object ownership type for the objects in the S3 bucket, defaults to BucketOwnerEnforced. | `string` | `"BucketOwnerEnforced"` | no |
| policy | A valid bucket policy JSON document. | `string` | `null` | no |
| replication_configuration | Bucket replication configuration settings. Specify the rules map keys as integers, as these are used to determine the priority of the rules in case of conflict. | <pre>iam_role_arn = string<br>rules = map(object({<br>  id = string<br>  dest_bucket = string<br>  dest_storage_class = optional(string, null)<br>  replica_kms_key_arn = optional(string, null)<br><br>  source_selection_criteria = optional(object({<br>    replica_modifications = optional(bool, false)<br>    sse_kms_encrypted_objects = optional(bool, false)</pre> | `null` | no |
| restrict_public_buckets | Whether Amazon S3 should restrict public bucket policies for this bucket. | `bool` | `true` | no |
| tags | A mapping of tags to assign to the bucket. | `map(string)` | `{}` | no |
| transition_default_minimum_object_size | The default minimum object size behavior applied to the lifecycle configuration. Valid values: all_storage_classes_128K (default), varies_by_storage_class | `string` | `null` | no |
| versioning | Versioning is a means of keeping multiple variants of an object in the same bucket. | `bool` | `true` | no |
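An added example (not from the module's README or examples) that combines the retention and integrity inputs listed above into one bucket: versioning with a default Object Lock retention, a lifecycle rule that expires non-current versions and abandoned multipart uploads, customer-managed KMS encryption, and GuardDuty malware protection scoped to an upload prefix. The module `source`, the KMS key ARN and the bucket name are placeholders; only the input names and shapes come from the table.

```hcl
# Added example (not the module's own code). Source string, key ARN and bucket
# name are placeholders to be replaced.
module "evidence" {
  source = "schubergphilis/mcaf-s3/aws" # assumption: replace with your module source

  name        = "example-evidence" # constructed name
  kms_key_arn = "arn:aws:kms:eu-west-1:111111111111:key/PLACEHOLDER" # placeholder
  versioning  = true # required for Object Lock; already the module default

  # Default retention for every new object: in COMPLIANCE mode no principal,
  # including the account root, can shorten or remove the lock before it expires.
  object_lock_mode = "COMPLIANCE"
  object_lock_days = 30

  # Keep the bucket tidy without fighting the lock: non-current versions are
  # only expired after the 30-day retention has passed, and half-finished
  # multipart uploads (a common source of hidden storage cost) are aborted.
  lifecycle_rule = [
    {
      id      = "expire-noncurrent"
      enabled = true
      filter = {
        prefix = ""
      }
      noncurrent_version_expiration = {
        noncurrent_days = 90
      }
      abort_incomplete_multipart_upload = {
        days_after_initiation = 7
      }
    },
  ]

  # Scan only what untrusted parties can write; the module creates the scanner
  # role via the s3_malware_protection_role submodule listed above.
  malware_protection = {
    enabled         = true
    object_prefixes = ["uploads/"]
  }

  # Public-access-block and SSL-only policy inputs are left at their defaults
  # (all true / enforced), so nothing here weakens the module's baseline.
  tags = {
    data_class = "evidence" # constructed tag
  }
}

output "evidence_bucket_id" {
  value = module.evidence.id
}
```

Setting `noncurrent_days` above `object_lock_days` is deliberate: a lifecycle expiration cannot remove a locked version, so a shorter window would simply fail silently until the lock lapses. The `object_prefixes` list keeps the malware plan (and its IAM role's reach) limited to the write-path prefix rather than the whole bucket.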


| Name | Description |
|------|-------------|
| arn | ARN of the bucket |
| id | Name of the bucket |
| name | Name of the bucket |


100% Open Source and licensed under the Apache License Version 2.0. See LICENSE for full details.