feat: Add filter_prefix, filter_suffix config options for queues and topics

Closes cloudposse#260

Signed-off-by: Leonid Bogdanov <>
Leonid Bogdanov committed Nov 16, 2024
1 parent f780005 commit 60a4ac0
Showing 4 changed files with 22 additions and 12 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -285,7 +285,7 @@ Available targets:
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br/>Map of maps. Keys are names of descriptors. Values are maps of the form<br/>`{<br/> format = string<br/> labels = list(string)<br/>}`<br/>(Type is `any` so the map values can later be enhanced to provide additional options.)<br/>`format` is a Terraform format string to be passed to the `format()` function.<br/>`labels` is a list of labels, in order, to pass to `format()` function.<br/>Label values will be normalized before being passed to `format()` so they will be<br/>identical to how they appear in `id`.<br/>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <a name="input_event_notification_details"></a> [event\_notification\_details](#input\_event\_notification\_details) | S3 event notification details | <pre>object({<br/> enabled = bool<br/> eventbridge = optional(bool, false)<br/> lambda_list = optional(list(object({<br/> lambda_function_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> filter_prefix = string<br/> filter_suffix = string<br/> })), [])<br/><br/> queue_list = optional(list(object({<br/> queue_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> })), [])<br/><br/> topic_list = optional(list(object({<br/> topic_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> })), [])<br/> })</pre> | <pre>{<br/> "enabled": false<br/>}</pre> | no |
| <a name="input_event_notification_details"></a> [event\_notification\_details](#input\_event\_notification\_details) | S3 event notification details | <pre>object({<br/> enabled = bool<br/> eventbridge = optional(bool, false)<br/> lambda_list = optional(list(object({<br/> lambda_function_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> filter_prefix = optional(string)<br/> filter_suffix = optional(string)<br/> })), [])<br/><br/> queue_list = optional(list(object({<br/> queue_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> filter_prefix = optional(string)<br/> filter_suffix = optional(string)<br/> })), [])<br/><br/> topic_list = optional(list(object({<br/> topic_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> filter_prefix = optional(string)<br/> filter_suffix = optional(string)<br/> })), [])<br/> })</pre> | <pre>{<br/> "enabled": false<br/>}</pre> | no |
| <a name="input_expected_bucket_owner"></a> [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | Account ID of the expected bucket owner. <br/>More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html | `string` | `null` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.<br/>THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier. | `bool` | `false` | no |
| <a name="input_grants"></a> [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.<br/>Conflicts with `acl`. Set `acl` to `null` to use this.<br/>Deprecated by AWS in favor of bucket policies.<br/>Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". | <pre>list(object({<br/> id = string<br/> type = string<br/> permissions = list(string)<br/> uri = string<br/> }))</pre> | `[]` | no |
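Review bot: the description column of this row still reads only "S3 event notification details" while the type on the new side exposes `filter_prefix` and `filter_suffix` on `lambda_list`, `queue_list` and `topic_list`; because this table is generated from the variable's `description`, the README gives readers no indication of what the two filters match against or that leaving them unset (null) omits the filter and delivers events for every key. Extend the `description` in variables.tf so the generated row explains the filters.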
4 changes: 3 additions & 1 deletion docs/terraform.md
@@ -40,6 +40,7 @@
| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_replication_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_replication_configuration) | resource |
| [aws_s3_bucket_request_payment_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_request_payment_configuration) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
| [aws_s3_bucket_website_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
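Review bot: the hunk header goes from 6 to 7 lines, so one of these resource rows is new, yet nothing else in the commit touches a resource; this hunk (and the one at `@@ -106,6 +107,7 @@` below, which adds an input row the same way) is a regeneration of generated documentation that had drifted before this change. Either mention in the commit message that stale generated docs are being refreshed, or split the unrelated rows into their own commit so the diff matches the title.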
@@ -76,7 +77,7 @@
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br/>Map of maps. Keys are names of descriptors. Values are maps of the form<br/>`{<br/> format = string<br/> labels = list(string)<br/>}`<br/>(Type is `any` so the map values can later be enhanced to provide additional options.)<br/>`format` is a Terraform format string to be passed to the `format()` function.<br/>`labels` is a list of labels, in order, to pass to `format()` function.<br/>Label values will be normalized before being passed to `format()` so they will be<br/>identical to how they appear in `id`.<br/>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <a name="input_event_notification_details"></a> [event\_notification\_details](#input\_event\_notification\_details) | S3 event notification details | <pre>object({<br/> enabled = bool<br/> eventbridge = optional(bool, false)<br/> lambda_list = optional(list(object({<br/> lambda_function_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> filter_prefix = string<br/> filter_suffix = string<br/> })), [])<br/><br/> queue_list = optional(list(object({<br/> queue_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> })), [])<br/><br/> topic_list = optional(list(object({<br/> topic_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> })), [])<br/> })</pre> | <pre>{<br/> "enabled": false<br/>}</pre> | no |
| <a name="input_event_notification_details"></a> [event\_notification\_details](#input\_event\_notification\_details) | S3 event notification details | <pre>object({<br/> enabled = bool<br/> eventbridge = optional(bool, false)<br/> lambda_list = optional(list(object({<br/> lambda_function_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> filter_prefix = optional(string)<br/> filter_suffix = optional(string)<br/> })), [])<br/><br/> queue_list = optional(list(object({<br/> queue_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> filter_prefix = optional(string)<br/> filter_suffix = optional(string)<br/> })), [])<br/><br/> topic_list = optional(list(object({<br/> topic_arn = string<br/> events = optional(list(string), ["s3:ObjectCreated:*"])<br/> filter_prefix = optional(string)<br/> filter_suffix = optional(string)<br/> })), [])<br/> })</pre> | <pre>{<br/> "enabled": false<br/>}</pre> | no |
| <a name="input_expected_bucket_owner"></a> [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | Account ID of the expected bucket owner. <br/>More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html | `string` | `null` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.<br/>THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier. | `bool` | `false` | no |
| <a name="input_grants"></a> [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.<br/>Conflicts with `acl`. Set `acl` to `null` to use this.<br/>Deprecated by AWS in favor of bucket policies.<br/>Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". | <pre>list(object({<br/> id = string<br/> type = string<br/> permissions = list(string)<br/> uri = string<br/> }))</pre> | `[]` | no |
@@ -106,6 +107,7 @@
| <a name="input_s3_replication_permissions_boundary_arn"></a> [s3\_replication\_permissions\_boundary\_arn](#input\_s3\_replication\_permissions\_boundary\_arn) | Permissions boundary ARN for the created IAM replication role. | `string` | `null` | no |
| <a name="input_s3_replication_rules"></a> [s3\_replication\_rules](#input\_s3\_replication\_rules) | Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | <pre>list(object({<br/> id = optional(string)<br/> priority = optional(number)<br/> prefix = optional(string)<br/> status = optional(string, "Enabled")<br/> # delete_marker_replication { status } had been flattened for convenience<br/> delete_marker_replication_status = optional(string, "Disabled")<br/> # Add the configuration as it appears in the resource, for consistency<br/> # this nested version takes precedence if both are provided.<br/> delete_marker_replication = optional(object({<br/> status = string<br/> }))<br/><br/> # destination_bucket is specified here rather than inside the destination object because before optional<br/> # attributes, it made it easier to work with the Terraform type system and create a list of consistent type.<br/> # It is preserved for backward compatibility, but the nested version takes priority if both are provided.<br/> destination_bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/><br/> destination = object({<br/> bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn<br/> storage_class = optional(string, "STANDARD")<br/> # replica_kms_key_id at this level is for backward compatibility, and is overridden by the one in `encryption_configuration`<br/> replica_kms_key_id = optional(string, "")<br/> encryption_configuration = optional(object({<br/> replica_kms_key_id = string<br/> }))<br/> access_control_translation = optional(object({<br/> owner = string<br/> }))<br/> # account_id is for backward compatibility, overridden by account<br/> account_id = optional(string)<br/> account = optional(string)<br/> # For convenience, specifying either metrics or replication_time enables both<br/> metrics = optional(object({<br/> event_threshold = 
optional(object({<br/> minutes = optional(number, 15) # Currently 15 is the only valid number<br/> }), { minutes = 15 })<br/> status = optional(string, "Enabled")<br/> }), { status = "Disabled" })<br/> # To preserve backward compatibility, Replication Time Control (RTC) is automatically enabled<br/> # when metrics are enabled. To enable metrics without RTC, you must explicitly configure<br/> # replication_time.status = "Disabled".<br/> replication_time = optional(object({<br/> time = optional(object({<br/> minutes = optional(number, 15) # Currently 15 is the only valid number<br/> }), { minutes = 15 })<br/> status = optional(string)<br/> }))<br/> })<br/><br/> source_selection_criteria = optional(object({<br/> replica_modifications = optional(object({<br/> status = string # Either Enabled or Disabled<br/> }))<br/> sse_kms_encrypted_objects = optional(object({<br/> status = optional(string)<br/> }))<br/> }))<br/> # filter.prefix overrides top level prefix<br/> filter = optional(object({<br/> prefix = optional(string)<br/> tags = optional(map(string), {})<br/> }))<br/> }))</pre> | `null` | no |
| <a name="input_s3_replication_source_roles"></a> [s3\_replication\_source\_roles](#input\_s3\_replication\_source\_roles) | Cross-account IAM Role ARNs that will be allowed to perform S3 replication to this bucket (for replication within the same AWS account, it's not necessary to adjust the bucket policy). | `list(string)` | `[]` | no |
| <a name="input_s3_request_payment_configuration"></a> [s3\_request\_payment\_configuration](#input\_s3\_request\_payment\_configuration) | S3 request payment configuration | <pre>object({<br/> enabled = bool<br/> expected_bucket_owner = optional(string)<br/> payer = string<br/> })</pre> | <pre>{<br/> "enabled": false,<br/> "payer": "BucketOwner"<br/>}</pre> | no |
| <a name="input_source_ip_allow_list"></a> [source\_ip\_allow\_list](#input\_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket | `list(string)` | `[]` | no |
| <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents (in JSON) that are merged together into the exported document.<br/>Statements defined in source\_policy\_documents must have unique SIDs.<br/>Statement having SIDs that match policy SIDs generated by this module will override them. | `list(string)` | `[]` | no |
| <a name="input_sse_algorithm"></a> [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"AES256"` | no |
12 changes: 8 additions & 4 deletions main.tf
@@ -601,16 +601,20 @@ resource "aws_s3_bucket_notification" "bucket_notification" {
dynamic "queue" {
for_each = var.event_notification_details.queue_list
content {
queue_arn = queue.value.queue_arn
events = queue.value.events
queue_arn = queue.value.queue_arn
events = queue.value.events
filter_prefix = queue.value.filter_prefix
filter_suffix = queue.value.filter_suffix
}
}

dynamic "topic" {
for_each = var.event_notification_details.topic_list
content {
topic_arn = topic.value.topic_arn
events = topic.value.events
topic_arn = topic.value.topic_arn
events = topic.value.events
filter_prefix = topic.value.filter_prefix
filter_suffix = topic.value.filter_suffix
}
}
}
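Review bot: `filter_prefix` and `filter_suffix` are passed straight through in both the `queue` and `topic` blocks, which is correct for the `optional(string)` type because a null value omits the argument from the notification rule; the other changed lines of the hunk are only the `terraform fmt` realignment of `queue_arn`/`events` and `topic_arn`/`events`. One thing worth a comment here: `events` still defaults to `["s3:ObjectCreated:*"]` for each entry, so two `queue_list` (or `topic_list`) entries that both leave the filters unset subscribe to the same event type over the whole bucket, and S3 rejects overlapping notification rules as an apply-time error rather than at plan time; a short comment at this point, or a `validation` block on the variable, would make that failure mode easier to diagnose.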
16 changes: 10 additions & 6 deletions variables.tf
@@ -474,18 +474,22 @@ variable "event_notification_details" {
lambda_list = optional(list(object({
lambda_function_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
filter_prefix = string
filter_suffix = string
filter_prefix = optional(string)
filter_suffix = optional(string)
})), [])

queue_list = optional(list(object({
queue_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
queue_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
filter_prefix = optional(string)
filter_suffix = optional(string)
})), [])

topic_list = optional(list(object({
topic_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
topic_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
filter_prefix = optional(string)
filter_suffix = optional(string)
})), [])
})
description = "S3 event notification details"
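Review bot: the `lambda_list` change from `filter_prefix = string` / `filter_suffix = string` to `optional(string)` is not covered by the commit title ("for queues and topics"); it is a compatible loosening (callers who set both attributes keep working, and callers may now omit them), but it changes the required shape of an existing input and should be stated in the commit message. The `description` on the last line of the hunk is also the text that feeds both generated tables, so the meaning of the new filter attributes is best documented there.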
