From 60a4ac03c43bce55388466fa46c039230205f183 Mon Sep 17 00:00:00 2001
From: Leonid Bogdanov <>
Date: Sat, 16 Nov 2024 12:52:32 -0600
Subject: [PATCH] feat: Add filter_prefix, filter_suffix config options for
queues and topics
Closes #260
Signed-off-by: Leonid Bogdanov <>
---
README.md | 2 +-
docs/terraform.md | 4 +++-
main.tf | 12 ++++++++----
variables.tf | 16 ++++++++++------
4 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 9783d1c..4ca5a14 100644
--- a/README.md
+++ b/README.md
@@ -285,7 +285,7 @@ Available targets:
| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
-| [event\_notification\_details](#input\_event\_notification\_details) | S3 event notification details | object({
enabled = bool
eventbridge = optional(bool, false)
lambda_list = optional(list(object({
lambda_function_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
filter_prefix = string
filter_suffix = string
})), [])
queue_list = optional(list(object({
queue_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
})), [])
topic_list = optional(list(object({
topic_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
})), [])
}) | {
"enabled": false
} | no |
+| [event\_notification\_details](#input\_event\_notification\_details) | S3 event notification details | object({
enabled = bool
eventbridge = optional(bool, false)
lambda_list = optional(list(object({
lambda_function_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
filter_prefix = optional(string)
filter_suffix = optional(string)
})), [])
queue_list = optional(list(object({
queue_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
filter_prefix = optional(string)
filter_suffix = optional(string)
})), [])
topic_list = optional(list(object({
topic_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
filter_prefix = optional(string)
filter_suffix = optional(string)
})), [])
}) | {
"enabled": false
} | no |
| [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | Account ID of the expected bucket owner.
More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html | `string` | `null` | no |
| [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.
THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier. | `bool` | `false` | no |
| [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.
Conflicts with `acl`. Set `acl` to `null` to use this.
Deprecated by AWS in favor of bucket policies.
Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". | list(object({
id = string
type = string
permissions = list(string)
uri = string
})) | `[]` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 37e2f1c..8cd1f63 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -40,6 +40,7 @@
| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
| [aws_s3_bucket_replication_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_replication_configuration) | resource |
+| [aws_s3_bucket_request_payment_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_request_payment_configuration) | resource |
| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
| [aws_s3_bucket_website_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
@@ -76,7 +77,7 @@
| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
-| [event\_notification\_details](#input\_event\_notification\_details) | S3 event notification details | object({
enabled = bool
eventbridge = optional(bool, false)
lambda_list = optional(list(object({
lambda_function_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
filter_prefix = string
filter_suffix = string
})), [])
queue_list = optional(list(object({
queue_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
})), [])
topic_list = optional(list(object({
topic_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
})), [])
}) | {
"enabled": false
} | no |
+| [event\_notification\_details](#input\_event\_notification\_details) | S3 event notification details | object({
enabled = bool
eventbridge = optional(bool, false)
lambda_list = optional(list(object({
lambda_function_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
filter_prefix = optional(string)
filter_suffix = optional(string)
})), [])
queue_list = optional(list(object({
queue_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
filter_prefix = optional(string)
filter_suffix = optional(string)
})), [])
topic_list = optional(list(object({
topic_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
filter_prefix = optional(string)
filter_suffix = optional(string)
})), [])
}) | {
"enabled": false
} | no |
| [expected\_bucket\_owner](#input\_expected\_bucket\_owner) | Account ID of the expected bucket owner.
More information: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-owner-condition.html | `string` | `null` | no |
| [force\_destroy](#input\_force\_destroy) | When `true`, permits a non-empty S3 bucket to be deleted by first deleting all objects in the bucket.
THESE OBJECTS ARE NOT RECOVERABLE even if they were versioned and stored in Glacier. | `bool` | `false` | no |
| [grants](#input\_grants) | A list of policy grants for the bucket, taking a list of permissions.
Conflicts with `acl`. Set `acl` to `null` to use this.
Deprecated by AWS in favor of bucket policies.
Automatically disabled if `s3_object_ownership` is set to "BucketOwnerEnforced". | list(object({
id = string
type = string
permissions = list(string)
uri = string
})) | `[]` | no |
@@ -106,6 +107,7 @@
| [s3\_replication\_permissions\_boundary\_arn](#input\_s3\_replication\_permissions\_boundary\_arn) | Permissions boundary ARN for the created IAM replication role. | `string` | `null` | no |
| [s3\_replication\_rules](#input\_s3\_replication\_rules) | Specifies the replication rules for S3 bucket replication if enabled. You must also set s3\_replication\_enabled to true. | list(object({
id = optional(string)
priority = optional(number)
prefix = optional(string)
status = optional(string, "Enabled")
# delete_marker_replication { status } had been flattened for convenience
delete_marker_replication_status = optional(string, "Disabled")
# Add the configuration as it appears in the resource, for consistency
# this nested version takes precedence if both are provided.
delete_marker_replication = optional(object({
status = string
}))
# destination_bucket is specified here rather than inside the destination object because before optional
# attributes, it made it easier to work with the Terraform type system and create a list of consistent type.
# It is preserved for backward compatibility, but the nested version takes priority if both are provided.
destination_bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn
destination = object({
bucket = optional(string) # destination bucket ARN, overrides s3_replica_bucket_arn
storage_class = optional(string, "STANDARD")
# replica_kms_key_id at this level is for backward compatibility, and is overridden by the one in `encryption_configuration`
replica_kms_key_id = optional(string, "")
encryption_configuration = optional(object({
replica_kms_key_id = string
}))
access_control_translation = optional(object({
owner = string
}))
# account_id is for backward compatibility, overridden by account
account_id = optional(string)
account = optional(string)
# For convenience, specifying either metrics or replication_time enables both
metrics = optional(object({
event_threshold = optional(object({
minutes = optional(number, 15) # Currently 15 is the only valid number
}), { minutes = 15 })
status = optional(string, "Enabled")
}), { status = "Disabled" })
# To preserve backward compatibility, Replication Time Control (RTC) is automatically enabled
# when metrics are enabled. To enable metrics without RTC, you must explicitly configure
# replication_time.status = "Disabled".
replication_time = optional(object({
time = optional(object({
minutes = optional(number, 15) # Currently 15 is the only valid number
}), { minutes = 15 })
status = optional(string)
}))
})
source_selection_criteria = optional(object({
replica_modifications = optional(object({
status = string # Either Enabled or Disabled
}))
sse_kms_encrypted_objects = optional(object({
status = optional(string)
}))
}))
# filter.prefix overrides top level prefix
filter = optional(object({
prefix = optional(string)
tags = optional(map(string), {})
}))
})) | `null` | no |
| [s3\_replication\_source\_roles](#input\_s3\_replication\_source\_roles) | Cross-account IAM Role ARNs that will be allowed to perform S3 replication to this bucket (for replication within the same AWS account, it's not necessary to adjust the bucket policy). | `list(string)` | `[]` | no |
+| [s3\_request\_payment\_configuration](#input\_s3\_request\_payment\_configuration) | S3 request payment configuration | object({
enabled = bool
expected_bucket_owner = optional(string)
payer = string
}) | {
"enabled": false,
"payer": "BucketOwner"
} | no |
| [source\_ip\_allow\_list](#input\_source\_ip\_allow\_list) | List of IP addresses to allow to perform all actions to the bucket | `list(string)` | `[]` | no |
| [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents (in JSON) that are merged together into the exported document.
Statements defined in source\_policy\_documents must have unique SIDs.
Statement having SIDs that match policy SIDs generated by this module will override them. | `list(string)` | `[]` | no |
| [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"AES256"` | no |
diff --git a/main.tf b/main.tf
index 9c46183..8d0f22b 100644
--- a/main.tf
+++ b/main.tf
@@ -601,16 +601,20 @@ resource "aws_s3_bucket_notification" "bucket_notification" {
dynamic "queue" {
for_each = var.event_notification_details.queue_list
content {
- queue_arn = queue.value.queue_arn
- events = queue.value.events
+ queue_arn = queue.value.queue_arn
+ events = queue.value.events
+ filter_prefix = queue.value.filter_prefix
+ filter_suffix = queue.value.filter_suffix
}
}
dynamic "topic" {
for_each = var.event_notification_details.topic_list
content {
- topic_arn = topic.value.topic_arn
- events = topic.value.events
+ topic_arn = topic.value.topic_arn
+ events = topic.value.events
+ filter_prefix = topic.value.filter_prefix
+ filter_suffix = topic.value.filter_suffix
}
}
}
diff --git a/variables.tf b/variables.tf
index c06ddde..e8d4171 100644
--- a/variables.tf
+++ b/variables.tf
@@ -474,18 +474,22 @@ variable "event_notification_details" {
lambda_list = optional(list(object({
lambda_function_arn = string
events = optional(list(string), ["s3:ObjectCreated:*"])
- filter_prefix = string
- filter_suffix = string
+ filter_prefix = optional(string)
+ filter_suffix = optional(string)
})), [])
queue_list = optional(list(object({
- queue_arn = string
- events = optional(list(string), ["s3:ObjectCreated:*"])
+ queue_arn = string
+ events = optional(list(string), ["s3:ObjectCreated:*"])
+ filter_prefix = optional(string)
+ filter_suffix = optional(string)
})), [])
topic_list = optional(list(object({
- topic_arn = string
- events = optional(list(string), ["s3:ObjectCreated:*"])
+ topic_arn = string
+ events = optional(list(string), ["s3:ObjectCreated:*"])
+ filter_prefix = optional(string)
+ filter_suffix = optional(string)
})), [])
})
description = "S3 event notification details"