
rhythmictech/terraform-aws-s3logging-bucket


terraform-aws-s3logging-bucket


Create and manage a bucket suitable for access logging for other S3 buckets.

Usage

Basic usage:

module "s3logging-bucket" {
  source = "rhythmictech/s3logging-bucket/aws"
}

Combine with other S3-based modules, like our cloudtrail bucket module:

module "s3logging-bucket" {
  source  = "rhythmictech/s3logging-bucket/aws"
  version = "3.3.0"
}

module "cloudtrail-bucket" {
  source         = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket?ref=v4.0.0"

  logging_bucket      = module.s3logging-bucket.s3_bucket_name
  region              = var.region
}

module "cloudtrail-logging" {
  source            = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-logging?ref=v1.3.0"

  cloudtrail_bucket = module.cloudtrail-bucket.s3_bucket_name
  kms_key_id        = module.cloudtrail-bucket.kms_key_id
  region            = var.region
}

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| aws | >= 4 |

Providers

| Name | Version |
|------|---------|
| aws | 4.48.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_s3_bucket.this | resource |
| aws_s3_bucket_acl.this | resource |
| aws_s3_bucket_lifecycle_configuration.this | resource |
| aws_s3_bucket_ownership_controls.this | resource |
| aws_s3_bucket_policy.this | resource |
| aws_s3_bucket_public_access_block.this | resource |
| aws_s3_bucket_server_side_encryption_configuration.this | resource |
| aws_s3_bucket_versioning.this | resource |
| aws_caller_identity.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| bucket_name | Name to apply to bucket (use bucket_name or bucket_suffix) | string | null | no |
| bucket_suffix | Suffix to apply to the bucket (use bucket_name or bucket_suffix). When using bucket_suffix, the bucket name will be [account_id]-[region]-s3logging-[bucket_suffix]. | string | "default" | no |
| kms_key_id | KMS key to encrypt bucket with. | string | null | no |
| lifecycle_rules | Lifecycle rules to apply to the bucket (full type and default shown below the table) | list(object({...})) | see below | no |
| object_ownership | Specifies S3 object ownership control. Defaults to BucketOwnerPreferred for backwards-compatibility. Recommended value is BucketOwnerEnforced. | string | "BucketOwnerEnforced" | no |
| tags | Tags to add to supported resources | map(string) | {} | no |
| versioning_enabled | Whether or not to use versioning on the bucket. This can be useful for audit purposes since objects in a logging bucket should not be updated. | bool | true | no |

Type of lifecycle_rules:

list(object({
  id                            = string
  enabled                       = optional(bool, true)
  expiration                    = optional(number)
  prefix                        = optional(number)
  noncurrent_version_expiration = optional(number)
  transition = optional(list(object({
    days          = number
    storage_class = string
  })))
}))

Default value of lifecycle_rules:

[
  {
    "id": "expire-noncurrent-objects-after-ninety-days",
    "noncurrent_version_expiration": 90
  },
  {
    "id": "transition-to-IA-after-30-days",
    "transition": [
      {
        "days": 30,
        "storage_class": "STANDARD_IA"
      }
    ]
  },
  {
    "expiration": 2557,
    "id": "delete-after-seven-years"
  }
]

Outputs

| Name | Description |
|------|-------------|
| s3_bucket_arn | The ARN of the bucket |
| s3_bucket_domain_name | The domain name of the bucket |
| s3_bucket_name | The name of the bucket |
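The following is an added example, not code from this module's README, that ties the inputs and outputs together: the module is called with a bucket_suffix, a customer-managed KMS key and custom lifecycle_rules, and its s3_bucket_name output is then used as the server access logging target for an application bucket. The aws_kms_key resource, the "app-data" source bucket and the "audit" suffix are assumptions made for the example; the lifecycle rule values are illustrative, not the module's defaults.

```hcl
# Added example (not part of the module's README). The KMS key, the app-data
# bucket and the "audit" suffix are assumptions made for this example.

resource "aws_kms_key" "s3logging" {
  description         = "Encrypts S3 access logs"
  enable_key_rotation = true
}

module "s3logging-bucket" {
  source  = "rhythmictech/s3logging-bucket/aws"
  version = "3.3.0"

  # With bucket_suffix the bucket is named [account_id]-[region]-s3logging-audit
  bucket_suffix = "audit"
  kms_key_id    = aws_kms_key.s3logging.arn

  # Access logs are write-once records: keep versioning on so an object cannot
  # be silently replaced, and disable ACL-based ownership.
  versioning_enabled = true
  object_ownership   = "BucketOwnerEnforced"

  # Custom retention policy (replaces the module's default rules)
  lifecycle_rules = [
    {
      id                            = "expire-noncurrent-after-30-days"
      noncurrent_version_expiration = 30
    },
    {
      id = "tier-down-access-logs"
      transition = [
        { days = 30, storage_class = "STANDARD_IA" },
        { days = 365, storage_class = "GLACIER" }
      ]
    },
    {
      id         = "delete-after-ten-years"
      expiration = 3653
    }
  ]

  tags = { purpose = "s3-access-logs" }
}

data "aws_caller_identity" "current" {}

# The bucket whose access is being logged (assumed for this example)
resource "aws_s3_bucket" "app_data" {
  bucket = "example-app-data-${data.aws_caller_identity.current.account_id}"
}

# Point the application bucket's server access logging at the module's bucket
# via the s3_bucket_name output. A per-source prefix keeps logs from different
# source buckets separable when several buckets log to the same target.
resource "aws_s3_bucket_logging" "app_data" {
  bucket        = aws_s3_bucket.app_data.id
  target_bucket = module.s3logging-bucket.s3_bucket_name
  target_prefix = "${aws_s3_bucket.app_data.id}/"
}
```

After applying, `aws s3api get-bucket-logging --bucket <source-bucket>` should report the module's bucket as TargetBucket; an empty response means the source bucket is not being logged at all, which is the usual silent failure when the logging resource is forgotten.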

History

Between versions 1.x and 2.x, there were breaking changes. In particular, resource names were changed so that each resource is named `this` (for example, `aws_s3_bucket.this`). The following commands (with some customization for naming) will automatically migrate existing states:

terraform state mv module.s3logging-bucket.aws_s3_bucket.s3logging_bucket module.s3logging-bucket.aws_s3_bucket.this
terraform state mv module.s3logging-bucket.aws_s3_bucket_public_access_block.block_public_access module.s3logging-bucket.aws_s3_bucket_public_access_block.this

The region var was also removed.