Skip to main content
This page documents every input variable accepted by the terraform-aws-s3-bucket module. Variables are organized into logical groups to make them easier to navigate.
The module requires Terraform >= 1.5.7 and the AWS provider >= 6.37.

Bucket Configuration

bucket
string
default:"null"
(Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name.
bucket_prefix
string
default:"null"
(Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket.
bucket_namespace
string
default:"null"
Namespace for the bucket. Determines bucket naming scope. Valid values: account-regional, global. Defaults to global (AWS).
region
string
default:"null"
Region where the resource(s) will be managed. Defaults to the region set in the provider configuration.
create_bucket
bool
default:"true"
Controls if S3 bucket should be created. Set to false to conditionally skip bucket creation.
force_destroy
bool
default:"false"
A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable.
tags
map(string)
default:"{}"
A mapping of tags to assign to the bucket.
acl
string
default:"null"
The canned ACL to apply. Conflicts with grant.
policy
string
default:"null"
A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. Use the verbose/specific version of the policy. Supports the placeholders _S3_BUCKET_ID_, _S3_BUCKET_ARN_, and _AWS_ACCOUNT_ID_.
grant
any
default:"[]"
An ACL policy grant. Conflicts with acl.
owner
map(string)
default:"{}"
Bucket owner’s display name and ID. Conflicts with acl.
expected_bucket_owner
string
default:"null"
The account ID of the expected bucket owner.

Access Control

block_public_acls
bool
default:"true"
Whether Amazon S3 should block public ACLs for this bucket.
block_public_policy
bool
default:"true"
Whether Amazon S3 should block public bucket policies for this bucket.
ignore_public_acls
bool
default:"true"
Whether Amazon S3 should ignore public ACLs for this bucket.
restrict_public_buckets
bool
default:"true"
Whether Amazon S3 should restrict public bucket policies for this bucket.
attach_public_policy
bool
default:"true"
Controls if a user defined public bucket policy will be attached. Set to false to allow upstream to apply defaults to the bucket.
skip_destroy_public_access_block
bool
default:"true"
Whether to skip destroying the S3 Bucket Public Access Block configuration when destroying the bucket. Only used if public_access_block is set to true.
control_object_ownership
bool
default:"false"
Whether to manage S3 Bucket Ownership Controls on this bucket.
object_ownership
string
default:"BucketOwnerEnforced"
Object ownership. Valid values:
  • BucketOwnerEnforced — ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket.
  • BucketOwnerPreferred — Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL.
  • ObjectWriter — The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL.

Encryption

server_side_encryption_configuration
any
default:"{}"
Map containing server-side encryption configuration.
attach_deny_incorrect_encryption_headers
bool
default:"false"
Controls if S3 bucket should deny incorrect encryption headers policy attached.
attach_deny_incorrect_kms_key_sse
bool
default:"false"
Controls if S3 bucket policy should deny usage of incorrect KMS key SSE.
allowed_kms_key_arn
string
default:"null"
The ARN of KMS key which should be allowed in PutObject. Used in conjunction with attach_deny_incorrect_kms_key_sse.
attach_deny_unencrypted_object_uploads
bool
default:"false"
Controls if S3 bucket should deny unencrypted object uploads policy attached.
attach_deny_ssec_encrypted_object_uploads
bool
default:"false"
Controls if S3 bucket should deny SSEC (customer-provided key) encrypted object uploads.

Versioning & Object Lock

versioning
map(string)
default:"{}"
Map containing versioning configuration.
object_lock_enabled
bool
default:"false"
Whether S3 bucket should have an Object Lock configuration enabled.
object_lock_configuration
any
default:"{}"
Map containing S3 object locking configuration.

Lifecycle

lifecycle_rule
any
default:"[]"
List of maps containing configuration of object lifecycle management.
transition_default_minimum_object_size
string
default:"null"
The default minimum object size behavior applied to the lifecycle configuration. Valid values: all_storage_classes_128K (default), varies_by_storage_class.

Replication

replication_configuration
any
default:"{}"
Map containing cross-region replication configuration.

Logging

logging
any
default:"{}"
Map containing access bucket logging configuration.
attach_elb_log_delivery_policy
bool
default:"false"
Controls if S3 bucket should have ELB log delivery policy attached.
attach_lb_log_delivery_policy
bool
default:"false"
Controls if S3 bucket should have ALB/NLB log delivery policy attached.
attach_access_log_delivery_policy
bool
default:"false"
Controls if S3 bucket should have S3 access log delivery policy attached.
attach_cloudtrail_log_delivery_policy
bool
default:"false"
Controls if S3 bucket should have CloudTrail log delivery policy attached.
attach_waf_log_delivery_policy
bool
default:"false"
Controls if S3 bucket should have WAF log delivery policy attached.
access_log_delivery_policy_source_buckets
list(string)
default:"[]"
List of S3 bucket ARNs which should be allowed to deliver access logs to this bucket.
access_log_delivery_policy_source_accounts
list(string)
default:"[]"
List of AWS Account IDs that should be allowed to deliver access logs to this bucket.
access_log_delivery_policy_source_organizations
list(string)
default:"[]"
List of AWS Organization IDs that should be allowed to deliver access logs to this bucket.
lb_log_delivery_policy_source_organizations
list(string)
default:"[]"
List of AWS Organization IDs that should be allowed to deliver ALB/NLB logs to this bucket.

Website & CORS

website
any
default:"{}"
Map containing static web-site hosting or redirect configuration.
cors_rule
any
default:"[]"
List of maps containing rules for Cross-Origin Resource Sharing.
acceleration_status
string
default:"null"
Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended.
request_payer
string
default:"null"
Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer.

Policies

attach_policy
bool
default:"false"
Controls if S3 bucket should have bucket policy attached. Set to true to use the value of policy as the bucket policy.
attach_deny_insecure_transport_policy
bool
default:"false"
Controls if S3 bucket should have a deny non-SSL transport policy attached.
attach_require_latest_tls_policy
bool
default:"false"
Controls if S3 bucket should require the latest version of TLS.

Intelligent Tiering & Metrics

intelligent_tiering
any
default:"{}"
Map containing intelligent tiering configuration.
metric_configuration
any
default:"[]"
Map containing bucket metric configuration.

Inventory & Analytics

inventory_configuration
any
default:"{}"
Map containing S3 inventory configuration.
inventory_source_account_id
string
default:"null"
The inventory source account ID.
inventory_source_bucket_arn
string
default:"null"
The inventory source bucket ARN.
inventory_self_source_destination
bool
default:"false"
Whether or not the inventory source bucket is also the destination bucket.
analytics_configuration
any
default:"{}"
Map containing bucket analytics configuration.
analytics_source_account_id
string
default:"null"
The analytics source account ID.
analytics_source_bucket_arn
string
default:"null"
The analytics source bucket ARN.
analytics_self_source_destination
bool
default:"false"
Whether or not the analytics source bucket is also the destination bucket.
attach_inventory_destination_policy
bool
default:"false"
Controls if S3 bucket should have bucket inventory destination policy attached.
attach_analytics_destination_policy
bool
default:"false"
Controls if S3 bucket should have bucket analytics destination policy attached.

Directory Bucket

Directory bucket variables are only applicable when is_directory_bucket = true. Directory buckets have a different feature set and do not support all standard bucket configurations.
is_directory_bucket
bool
default:"false"
If the S3 bucket created is a directory bucket.
availability_zone_id
string
default:"null"
Availability Zone ID or Local Zone ID. Required for directory buckets.
data_redundancy
string
default:"null"
Data redundancy. Valid values: SingleAvailabilityZone.
type
string
default:"Directory"
Bucket type. Valid values: Directory.
location_type
string
default:"null"
Location type. Valid values: AvailabilityZone or LocalZone.

Metadata

create_metadata_configuration
bool
default:"false"
Whether to create a metadata configuration resource.
metadata_inventory_table_configuration_state
string
default:"null"
Configuration state of the inventory table, indicating whether the inventory table is enabled or disabled. Valid values: ENABLED, DISABLED.
metadata_encryption_configuration
any
default:"null"
Encryption configuration block for metadata.
metadata_journal_table_record_expiration_days
number
default:"null"
Number of days to retain journal table records.
metadata_journal_table_record_expiration
string
default:"null"
Whether journal table record expiration is enabled or disabled. Valid values: ENABLED, DISABLED.

Other

putin_khuylo
bool
default:"true"
Do you agree that Putin doesn’t respect Ukrainian sovereignty and territorial integrity? Must be true to use this module. More info