variables.tf
variable "create_bucket" {
  # Master switch for the general-purpose bucket: with false the module can be
  # declared without creating any bucket resources.
  description = "(optional) Whether to create bucket"
  type        = bool
  default     = true
}
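variable "name" {
  # No default is declared, so every caller must pass a value even though the
  # description reads as if the name were optional. If "derive the name from
  # the context when omitted" is the intent, add `default = null` and relax the
  # validation below to `var.name == null || can(...)`.
  type        = string
  description = "Bucket name. If provided, the bucket will be created with this name instead of generating the name from the context"

  # Reject names S3 would refuse anyway, but at plan time instead of at apply
  # time: 3-63 characters, lowercase letters, digits, dots and hyphens, starting
  # and ending with a letter or digit.
  validation {
    condition     = can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.name))
    error_message = "name must be a valid S3 bucket name: 3-63 lowercase letters, digits, dots or hyphens, starting and ending with a letter or digit."
  }
}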
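variable "object_lock_enabled" {
  # Declared as `bool` rather than `string`: the default and the documented
  # valid values are booleans, and Terraform still converts "true"/"false"
  # strings from existing callers, so this is backward compatible.
  # Object Lock can only be switched on when the bucket is created (it forces a
  # new resource) and requires versioning on the bucket; the retention applied
  # to objects presumably comes from `object_lock_config` (confirm in main.tf).
  type        = bool
  description = "(Optional, Forces new resource) Indicates whether this bucket has an Object Lock configuration enabled. Valid values are true or false. This argument is not supported in all regions or partitions."
  default     = false
}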
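variable "object_ownership" {
  type        = string
  description = <<-EOT
    (Optional) Object ownership. Valid values: BucketOwnerPreferred, ObjectWriter or BucketOwnerEnforced
    BucketOwnerPreferred - Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL.
    ObjectWriter - Uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL.
    BucketOwnerEnforced - Bucket owner automatically owns and has full control over every object in the bucket. ACLs no longer affect permissions to data in the S3 bucket.
  EOT
  # Kept at BucketOwnerPreferred so existing callers that still rely on ACLs
  # keep working. BucketOwnerEnforced is the hardened choice: it disables ACLs
  # entirely and makes the bucket policy the single source of truth for access.
  default = "BucketOwnerPreferred"

  # Typos such as "BucketOwnerEnforce" would otherwise only surface as an API
  # error at apply time.
  validation {
    condition     = contains(["BucketOwnerPreferred", "ObjectWriter", "BucketOwnerEnforced"], var.object_ownership)
    error_message = "object_ownership must be one of BucketOwnerPreferred, ObjectWriter or BucketOwnerEnforced."
  }
}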
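variable "acl" {
  # Canned bucket ACL. Once object_ownership is BucketOwnerEnforced, ACLs are
  # disabled and S3 rejects attempts to apply one, so keep this at "private"
  # unless an ACL-based integration genuinely depends on another value.
  # (Description fixed: "node" -> "note", and the referenced variable is
  # `object_ownership`, not `s3_object_ownership`.)
  type    = string
  default = "private"
  description = <<-EOT
    Please note ACL is deprecated by AWS in favor of bucket policies.
    Defaults to "private" for backwards compatibility; it is recommended to set `object_ownership` to "BucketOwnerEnforced" instead.
  EOT
}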
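variable "public_access_config" {
  # All four settings default to true, i.e. "block all public access". Turn an
  # individual setting off only for a bucket that is intentionally public, and
  # prefer doing that per bucket rather than changing these defaults.
  # (Description fixed: the previous text said "Defaults to false" for settings
  # whose default here is true, and the ignore_public_acls and
  # restrict_public_buckets entries were copies of block_public_policy.)
  type = object({
    block_public_acls       = optional(bool, true)
    block_public_policy     = optional(bool, true)
    ignore_public_acls      = optional(bool, true)
    restrict_public_buckets = optional(bool, true)
  })
  default = {
    block_public_acls       = true
    block_public_policy     = true
    ignore_public_acls      = true
    restrict_public_buckets = true
  }
  description = <<-EOT
    (Optional) Public access block settings for the bucket. Every setting defaults to true.
    block_public_acls - Whether Amazon S3 should block public ACLs for this bucket. Enabling this setting does not affect existing policies or ACLs. When set to true causes the following behavior:
      PUT Bucket acl and PUT Object acl calls will fail if the specified ACL allows public access.
      PUT Object calls will fail if the request includes an object ACL.
    block_public_policy - Whether Amazon S3 should block public bucket policies for this bucket. Enabling this setting does not affect the existing bucket policy. When set to true causes Amazon S3 to:
      Reject calls to PUT Bucket policy if the specified bucket policy allows public access.
    ignore_public_acls - Whether Amazon S3 should ignore public ACLs for this bucket. Enabling this setting does not affect the persistence of any existing ACLs and does not prevent new public ACLs from being set. When set to true causes Amazon S3 to:
      Ignore all public ACLs on this bucket and any objects that it contains.
    restrict_public_buckets - Whether Amazon S3 should restrict public bucket policies for this bucket. Enabling this setting does not affect the previously stored bucket policy, except that public and cross-account access within the public bucket policy, including non-public delegation to specific accounts, is blocked. When set to true causes Amazon S3 to:
      Allow only the bucket owner and AWS service principals to access this bucket while it has a public policy.
  EOT
}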
variable "force_destroy" {
  # Off by default so `terraform destroy` fails on a non-empty bucket instead
  # of irrecoverably deleting its objects (including Object Lock protected
  # ones). The description below is the provider's own wording.
  default = false
  type    = bool
  description = <<-EOT
    (Optional, Default:false) Boolean that indicates all objects (including any locked objects) should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. These objects are not recoverable. This only deletes objects when the bucket is destroyed, not when setting this parameter to true. Once this parameter is set to true, there must be a successful terraform apply run before a destroy is required to update this value in the resource state. Without a successful terraform apply after this parameter is set, this flag will have no effect. If setting this field in the same operation that would require replacing the bucket or destroying the bucket, this flag will not work. Additionally when importing a bucket, a successful terraform apply is required to set this value in state before it will take effect on a destroy operation.
  EOT
}
variable "enable_versioning" {
  # On by default. Versioning is what makes accidental deletes and overwrites
  # recoverable, and it is a prerequisite for Object Lock and for replication.
  description = "Whether to enable versioning for the bucket"
  default     = true
  type        = bool
}
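variable "bucket_logging_data" {
  # Server access logging target. `enable` is the switch; when it is true the
  # target bucket is mandatory, which the validation below enforces at plan
  # time instead of letting the apply fail. The target bucket must accept log
  # delivery from S3 (configured on that bucket, outside this variable).
  type = object({
    enable        = optional(bool, false)
    target_bucket = optional(string, null)
    target_prefix = optional(string, null)
  })
  description = "(optional) Bucket logging data"
  default = {
    enable        = false
    target_bucket = null
    target_prefix = null
  }

  validation {
    condition     = !var.bucket_logging_data.enable || (var.bucket_logging_data.target_bucket != null && var.bucket_logging_data.target_bucket != "")
    error_message = "bucket_logging_data.target_bucket must be set when bucket_logging_data.enable is true."
  }
}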
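variable "server_side_encryption_config_data" {
  type = object({
    bucket_key_enabled = optional(bool, true)
    sse_algorithm      = optional(string, "AES256")
    kms_master_key_id  = optional(string, null)
  })
  description = "(optional) S3 encryption details"
  # SSE-S3 (AES256) by default. For SSE-KMS set sse_algorithm to "aws:kms" (or
  # "aws:kms:dsse"); leaving kms_master_key_id null then uses the AWS-managed
  # aws/s3 key, while a customer-managed key gives key-policy control and
  # CloudTrail visibility of decrypt calls. bucket_key_enabled only has an
  # effect with SSE-KMS, where it reduces KMS request volume.
  default = {
    bucket_key_enabled = true
    sse_algorithm      = "AES256"
    kms_master_key_id  = null
  }

  validation {
    condition     = contains(["AES256", "aws:kms", "aws:kms:dsse"], var.server_side_encryption_config_data.sse_algorithm)
    error_message = "server_side_encryption_config_data.sse_algorithm must be one of AES256, aws:kms or aws:kms:dsse."
  }

  # A key id combined with AES256 is rejected by S3; catch it at plan time.
  validation {
    condition     = var.server_side_encryption_config_data.sse_algorithm != "AES256" || var.server_side_encryption_config_data.kms_master_key_id == null
    error_message = "server_side_encryption_config_data.kms_master_key_id is only valid when sse_algorithm is aws:kms or aws:kms:dsse."
  }
}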
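variable "object_lock_config" {
  # Default retention for new objects, presumably applied only when
  # object_lock_enabled is true (confirm in main.tf). COMPLIANCE mode cannot be
  # shortened or removed by any principal, including the account root, until
  # the period expires; use GOVERNANCE if operators holding
  # s3:BypassGovernanceRetention must be able to override it.
  type = object({
    mode = optional(string, "COMPLIANCE")
    days = optional(number, 30)
  })
  description = "(optional) Object Lock configuration"
  default = {
    mode = "COMPLIANCE"
    days = 30
  }

  validation {
    condition     = contains(["GOVERNANCE", "COMPLIANCE"], var.object_lock_config.mode)
    error_message = "object_lock_config.mode must be GOVERNANCE or COMPLIANCE."
  }

  # null is left alone (it was accepted before); a non-null value must be a
  # positive number of days.
  validation {
    condition     = var.object_lock_config.days == null || var.object_lock_config.days > 0
    error_message = "object_lock_config.days must be a positive number of days."
  }
}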
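variable "cors_configuration" {
  # One object per CORS rule. S3 requires allowed_methods and allowed_origins on
  # every rule, so they are checked here; the remaining fields are genuinely
  # optional. A rule with allowed_origins = ["*"] lets any website make
  # credentialed-looking requests to the bucket, so scope origins to the sites
  # that need it.
  type = list(object({
    id              = optional(string)
    allowed_headers = optional(list(string))
    allowed_methods = optional(list(string))
    allowed_origins = optional(list(string))
    expose_headers  = optional(list(string))
    max_age_seconds = optional(number)
  }))
  description = "List of S3 bucket CORS configurations"
  default     = []

  # try(...) turns length(null) into 0 so an omitted list fails the check.
  validation {
    condition = alltrue([
      for rule in var.cors_configuration :
      try(length(rule.allowed_methods), 0) > 0 && try(length(rule.allowed_origins), 0) > 0
    ])
    error_message = "Every cors_configuration rule must set allowed_methods and allowed_origins."
  }
}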
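variable "bucket_policy_doc" {
  # Full bucket policy as a JSON document string (for example the rendered
  # output of an aws_iam_policy_document data source). Malformed JSON is
  # rejected at plan time here rather than by the S3 API at apply time; the
  # policy's content (principals, conditions) is not inspected.
  type        = string
  description = "(optional) S3 bucket Policy doc"
  default     = null

  validation {
    condition     = var.bucket_policy_doc == null || can(jsondecode(var.bucket_policy_doc))
    error_message = "bucket_policy_doc must be null or a valid JSON policy document."
  }
}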
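variable "event_notification_details" {
  # Bucket notification targets. The lambda entries require the
  # filter_prefix/filter_suffix keys to be present; whether null is accepted as
  # "no filter" depends on how the notification resource consumes them
  # (confirm in main.tf). Queue and topic entries carry no filter. Each target
  # must separately allow s3.amazonaws.com to invoke/publish to it; that policy
  # is not part of this module's inputs, so make sure it is scoped with
  # aws:SourceArn / aws:SourceAccount to this bucket rather than open to any S3
  # bucket.
  type = object({
    enabled = bool
    lambda_list = optional(list(object({
      lambda_function_arn = string
      events              = optional(list(string), ["s3:ObjectCreated:*"])
      filter_prefix       = string
      filter_suffix       = string
    })), [])
    queue_list = optional(list(object({
      queue_arn = string
      events    = optional(list(string), ["s3:ObjectCreated:*"])
    })), [])
    topic_list = optional(list(object({
      topic_arn = string
      events    = optional(list(string), ["s3:ObjectCreated:*"])
    })), [])
  })
  description = "(optional) S3 event notification details"
  default = {
    enabled = false
  }

  # A null or non-ARN target string would only fail at apply time otherwise.
  validation {
    condition = alltrue(concat(
      [for l in var.event_notification_details.lambda_list : can(regex("^arn:", l.lambda_function_arn))],
      [for q in var.event_notification_details.queue_list : can(regex("^arn:", q.queue_arn))],
      [for t in var.event_notification_details.topic_list : can(regex("^arn:", t.topic_arn))],
    ))
    error_message = "Every lambda_function_arn, queue_arn and topic_arn in event_notification_details must be an ARN (arn:...)."
  }
}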
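variable "lifecycle_config" {
  # Lifecycle rules. Changes from the previous declaration, all backward
  # compatible for callers: `expiration.days` is a number (it was a string;
  # Terraform still converts "30"), `transition.date`/`transition.days` are
  # optional because S3 accepts only one of them, and the filter fields are
  # optional because S3 treats each of them independently. Every rule needs a
  # unique id and at least one action, which S3 would otherwise reject at
  # apply time.
  type = object({
    enabled               = bool
    expected_bucket_owner = optional(string, null)
    rules = list(object({
      id = string
      expiration = optional(object({
        date                         = optional(string, null)
        days                         = optional(number, null)
        expired_object_delete_marker = optional(bool, false)
      }), null)
      transition = optional(object({
        date          = optional(string, null)
        days          = optional(number, null)
        storage_class = string
      }), null)
      noncurrent_version_expiration = optional(object({
        newer_noncurrent_versions = number
        noncurrent_days           = number
      }), null)
      noncurrent_version_transition = optional(object({
        newer_noncurrent_versions = number
        noncurrent_days           = number
        storage_class             = string
      }), null)
      filter = optional(object({
        object_size_greater_than = optional(string, null)
        object_size_less_than    = optional(string, null)
        prefix                   = optional(string, null)
        tags                     = optional(map(string), null)
      }), null)
    }))
  })
  description = "(optional) S3 Lifecycle configuration"
  default = {
    enabled = false
    rules   = []
  }

  validation {
    condition     = length(distinct([for r in var.lifecycle_config.rules : r.id])) == length(var.lifecycle_config.rules)
    error_message = "lifecycle_config.rules ids must be unique."
  }

  validation {
    condition = alltrue([
      for r in var.lifecycle_config.rules :
      r.expiration != null || r.transition != null || r.noncurrent_version_expiration != null || r.noncurrent_version_transition != null
    ])
    error_message = "Every lifecycle_config rule must define at least one of expiration, transition, noncurrent_version_expiration or noncurrent_version_transition."
  }
}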
variable "tags" {
  # Free-form key/value tags applied to every resource the module creates.
  type        = map(string)
  default     = {}
  description = "Tags to assign the resources."
}
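variable "transfer_acceleration_enabled" {
  # Transfer Acceleration is not available for bucket names containing dots,
  # and traffic through the accelerated endpoint is billed separately.
  # (Description fixed: "Trasfer accelaration" -> "Transfer Acceleration".)
  type        = bool
  description = "(optional) Whether to enable Transfer Acceleration"
  default     = false
}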
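variable "replication_config" {
  # Replication rules for the bucket. Replication needs versioning enabled on
  # both the source and every destination bucket. Per the inline comments, a
  # null role_name means the module creates a replication role; with a
  # supplied name that role must already be allowed to read from this bucket
  # and replicate into the destinations (confirm the exact permissions against
  # the module's IAM resources). For SSE-KMS objects, sse_kms_encrypted_objects
  # must be Enabled and a replica_kms_key_id supplied, and the role needs
  # decrypt on the source key and encrypt on the destination key.
  type = object({
    enable    = bool
    role_name = optional(string, null) # if null, it will create new role
    rules = list(object({
      id = optional(string, null) # if null "${var.source_bucket_name}-rule-index" (that variable is not declared in this file; check main.tf)
      filter = optional(list(object({
        prefix = optional(string, null)
        tags   = optional(map(string), {})
      })), [])
      delete_marker_replication = optional(string, "Enabled")
      source_selection_criteria = optional(object({
        replica_modifications = optional(object({
          status = optional(string, "Enabled")
        }))
        kms_key_id = optional(string, null)
        sse_kms_encrypted_objects = optional(object({
          status = optional(string, "Enabled")
        }))
      }))
      destinations = list(object({
        bucket        = string
        storage_class = optional(string, "STANDARD")
        encryption_configuration = optional(object({
          replica_kms_key_id = optional(string, null)
        }))
      }))
    }))
  })
  default = {
    enable    = false
    role_name = null # if null, it will create new role
    rules     = []
  }
  description = "Replication configuration for S3 bucket"

  validation {
    condition     = !var.replication_config.enable || length(var.replication_config.rules) > 0
    error_message = "replication_config.rules must contain at least one rule when replication_config.enable is true."
  }

  validation {
    condition = alltrue([
      for r in var.replication_config.rules :
      length(r.destinations) > 0 && contains(["Enabled", "Disabled"], r.delete_marker_replication)
    ])
    error_message = "Every replication_config rule needs at least one destination, and delete_marker_replication must be Enabled or Disabled."
  }
}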
variable "create_s3_directory_bucket" {
  # Independent of create_bucket: this switch governs only the S3 Express
  # directory bucket.
  type        = bool
  default     = false
  description = "Control the creation of the S3 directory bucket. Set to true to create the bucket, false to skip."
}
variable "availability_zone_id" {
  # Zone ID (the "use1-az1" style identifier, not the zone name) that the
  # directory bucket is pinned to. The empty default is a placeholder: a real
  # value is needed whenever create_s3_directory_bucket is true — presumably
  # main.tf enforces that, confirm there.
  default     = ""
  type        = string
  description = "The ID of the availability zone."
}