AWS S3 bucket Terraform module

May 29, 2026 · View on GitHub

Terraform module which creates S3 bucket on AWS with all (or almost all) features provided by Terraform AWS provider.

These features of S3 bucket configurations are supported:

static web-site hosting
access logging
versioning
CORS
lifecycle rules
server-side encryption
object locking
Cross-Region Replication (CRR)
ELB log delivery bucket policy
ALB/NLB log delivery bucket policy
WAF log delivery bucket policy
Account-level Public Access Block
S3 Directory Bucket
S3 Table Bucket
S3 Vectors

Usage

Private bucket with versioning enabled

module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket"
  acl    = "private"

  control_object_ownership = true
  object_ownership         = "ObjectWriter"

  versioning = {
    enabled = true
  }
}

Bucket with ELB access log delivery policy attached

module "s3_bucket_for_logs" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket-for-logs"
  acl    = "log-delivery-write"

  # Allow deletion of non-empty bucket
  force_destroy = true

  control_object_ownership = true
  object_ownership         = "ObjectWriter"

  attach_elb_log_delivery_policy = true
}

Bucket with ALB/NLB access log delivery policy attached

module "s3_bucket_for_logs" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket-for-logs"

  # Allow deletion of non-empty bucket
  force_destroy = true

  control_object_ownership = true
  object_ownership         = "ObjectWriter"

  attach_elb_log_delivery_policy = true  # Required for ALB logs
  attach_lb_log_delivery_policy  = true  # Required for ALB/NLB logs
}

Bucket with WAF log delivery policy attached

module "s3_bucket_for_waf_logs" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket-for-waf-logs"

  # Allow deletion of non-empty bucket
  force_destroy = true

  control_object_ownership = true
  object_ownership         = "ObjectWriter"

  attach_waf_log_delivery_policy = true  # Required for WAF logs
}

Bucket with a custom policy attached

When you need to attach a custom policy to the bucket, you can use the policy argument. To keep bucket policy with correct S3 bucket and AWS account properties, you can use the placeholders _S3_BUCKET_ID_, _S3_BUCKET_ARN_, and _AWS_ACCOUNT_ID_ in the policy document. Those values will be replaced with the actual values during the policy attachment. This is especially useful when using bucket prefixes.

Conditional creation

Sometimes you need to have a way to create S3 resources conditionally but Terraform does not allow to use count inside module block, so the solution is to specify argument create_bucket.

# This S3 bucket will not be created
module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  create_bucket = false
  # ... omitted
}

Terragrunt and `variable "..." { type = any }`

There is a bug #1211 in Terragrunt related to the way how the variables of type any are passed to Terraform.

This module solves this issue by supporting jsonencode()-string in addition to the expected type (list or map).

In terragrunt.hcl you can write:

inputs = {
  bucket    = "foobar"            # `bucket` has type `string`, no need to jsonencode()
  cors_rule = jsonencode([...])   # `cors_rule` has type `any`, so `jsonencode()` is required
}

Module wrappers

Users of this Terraform module can create multiple similar resources by using for_each meta-argument within module block which became available in Terraform 0.13.

Users of Terragrunt can achieve similar results by using modules provided in the wrappers directory, if they prefer to reduce amount of configuration files.

Examples:

Complete - Complete S3 bucket with most of supported features enabled
Cross-Region Replication - S3 bucket with Cross-Region Replication (CRR) enabled
S3 Notifications - S3 bucket notifications to Lambda functions, SQS queues, and SNS topics.
S3 Object - Manage S3 bucket objects.
S3 Analytics - S3 bucket Analytics Configurations.
S3 Inventory - S3 bucket Inventory configuration.
S3 Account-level Public Access Block - Manage S3 account-level Public Access Block.
S3 Directory Bucket - S3 Directory Bucket configuration.
S3 Table Bucket - S3 Table Bucket configuration.
S3 Vectors - S3 Vectors vector bucket with indexes configuration.

Requirements

Name	Version
terraform	>= 1.5.7
aws	>= 6.42

Providers

Name	Version
aws	>= 6.42

Modules

No modules.

Resources

Name	Type
aws_s3_bucket.this	resource
aws_s3_bucket_accelerate_configuration.this	resource
aws_s3_bucket_acl.this	resource
aws_s3_bucket_analytics_configuration.this	resource
aws_s3_bucket_cors_configuration.this	resource
aws_s3_bucket_intelligent_tiering_configuration.this	resource
aws_s3_bucket_inventory.this	resource
aws_s3_bucket_lifecycle_configuration.this	resource
aws_s3_bucket_logging.this	resource
aws_s3_bucket_metadata_configuration.this	resource
aws_s3_bucket_metric.this	resource
aws_s3_bucket_object_lock_configuration.this	resource
aws_s3_bucket_ownership_controls.this	resource
aws_s3_bucket_policy.this	resource
aws_s3_bucket_public_access_block.this	resource
aws_s3_bucket_replication_configuration.this	resource
aws_s3_bucket_request_payment_configuration.this	resource
aws_s3_bucket_server_side_encryption_configuration.this	resource
aws_s3_bucket_versioning.this	resource
aws_s3_bucket_website_configuration.this	resource
aws_s3_directory_bucket.this	resource
aws_caller_identity.current	data source
aws_canonical_user_id.this	data source
aws_iam_policy_document.access_log_delivery	data source
aws_iam_policy_document.cloudtrail_log_delivery	data source
aws_iam_policy_document.combined	data source
aws_iam_policy_document.deny_incorrect_encryption_headers	data source
aws_iam_policy_document.deny_incorrect_kms_key_sse	data source
aws_iam_policy_document.deny_insecure_transport	data source
aws_iam_policy_document.deny_ssec_encrypted_object_uploads	data source
aws_iam_policy_document.deny_unencrypted_object_uploads	data source
aws_iam_policy_document.elb_log_delivery	data source
aws_iam_policy_document.inventory_and_analytics_destination_policy	data source
aws_iam_policy_document.lb_log_delivery	data source
aws_iam_policy_document.require_latest_tls	data source
aws_iam_policy_document.waf_log_delivery	data source
aws_partition.current	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
acceleration_status	(Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended.	`string`	`null`	no
access_log_delivery_policy_source_accounts	(Optional) List of AWS Account IDs should be allowed to deliver access logs to this bucket.	`list(string)`	`[]`	no
access_log_delivery_policy_source_buckets	(Optional) List of S3 bucket ARNs which should be allowed to deliver access logs to this bucket.	`list(string)`	`[]`	no
access_log_delivery_policy_source_organizations	(Optional) List of AWS Organization IDs should be allowed to deliver access logs to this bucket.	`list(string)`	`[]`	no
acl	(Optional) The canned ACL to apply. Conflicts with `grant`	`string`	`null`	no
allowed_kms_key_arn	The ARN of KMS key which should be allowed in PutObject	`string`	`null`	no
analytics_configuration	Map containing bucket analytics configuration.	`any`	`{}`	no
analytics_self_source_destination	Whether or not the analytics source bucket is also the destination bucket.	`bool`	`false`	no
analytics_source_account_id	The analytics source account id.	`string`	`null`	no
analytics_source_bucket_arn	The analytics source bucket ARN.	`string`	`null`	no
attach_access_log_delivery_policy	Controls if S3 bucket should have S3 access log delivery policy attached	`bool`	`false`	no
attach_analytics_destination_policy	Controls if S3 bucket should have bucket analytics destination policy attached.	`bool`	`false`	no
attach_cloudtrail_log_delivery_policy	Controls if S3 bucket should have CloudTrail log delivery policy attached	`bool`	`false`	no
attach_deny_incorrect_encryption_headers	Controls if S3 bucket should deny incorrect encryption headers policy attached.	`bool`	`false`	no
attach_deny_incorrect_kms_key_sse	Controls if S3 bucket policy should deny usage of incorrect KMS key SSE.	`bool`	`false`	no
attach_deny_insecure_transport_policy	Controls if S3 bucket should have deny non-SSL transport policy attached	`bool`	`false`	no
attach_deny_ssec_encrypted_object_uploads	Controls if S3 bucket should deny SSEC encrypted object uploads.	`bool`	`false`	no
attach_deny_unencrypted_object_uploads	Controls if S3 bucket should deny unencrypted object uploads policy attached.	`bool`	`false`	no
attach_elb_log_delivery_policy	Controls if S3 bucket should have ELB log delivery policy attached	`bool`	`false`	no
attach_inventory_destination_policy	Controls if S3 bucket should have bucket inventory destination policy attached.	`bool`	`false`	no
attach_lb_log_delivery_policy	Controls if S3 bucket should have ALB/NLB log delivery policy attached	`bool`	`false`	no
attach_policy	Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy)	`bool`	`false`	no
attach_public_policy	Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket)	`bool`	`true`	no
attach_require_latest_tls_policy	Controls if S3 bucket should require the latest version of TLS	`bool`	`false`	no
attach_waf_log_delivery_policy	Controls if S3 bucket should have WAF log delivery policy attached	`bool`	`false`	no
availability_zone_id	Availability Zone ID or Local Zone ID	`string`	`null`	no
block_public_acls	Whether Amazon S3 should block public ACLs for this bucket.	`bool`	`true`	no
block_public_policy	Whether Amazon S3 should block public bucket policies for this bucket.	`bool`	`true`	no
bucket	(Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name.	`string`	`null`	no
bucket_namespace	Namespace for the bucket. Determines bucket naming scope. Valid values: account-regional, global. Defaults to global (AWS)	`string`	`null`	no
bucket_prefix	(Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket.	`string`	`null`	no
control_object_ownership	Whether to manage S3 Bucket Ownership Controls on this bucket.	`bool`	`false`	no
cors_rule	List of maps containing rules for Cross-Origin Resource Sharing.	`any`	`[]`	no
create_bucket	Controls if S3 bucket should be created	`bool`	`true`	no
create_metadata_configuration	Whether to create metadata configuration resource	`bool`	`false`	no
data_redundancy	Data redundancy. Valid values: `SingleAvailabilityZone`	`string`	`null`	no
expected_bucket_owner	The account ID of the expected bucket owner	`string`	`null`	no
force_destroy	(Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable.	`bool`	`false`	no
grant	An ACL policy grant. Conflicts with `acl`	`any`	`[]`	no
ignore_public_acls	Whether Amazon S3 should ignore public ACLs for this bucket.	`bool`	`true`	no
intelligent_tiering	Map containing intelligent tiering configuration.	`any`	`{}`	no
inventory_configuration	Map containing S3 inventory configuration.	`any`	`{}`	no
inventory_self_source_destination	Whether or not the inventory source bucket is also the destination bucket.	`bool`	`false`	no
inventory_source_account_id	The inventory source account id.	`string`	`null`	no
inventory_source_bucket_arn	The inventory source bucket ARN.	`string`	`null`	no
is_directory_bucket	If the s3 bucket created is a directory bucket	`bool`	`false`	no
lb_log_delivery_policy_source_organizations	(Optional) List of AWS Organization IDs should be allowed to deliver ALB/NLB logs to this bucket.	`list(string)`	`[]`	no
lifecycle_rule	List of maps containing configuration of object lifecycle management.	`any`	`[]`	no
location_type	Location type. Valid values: `AvailabilityZone` or `LocalZone`	`string`	`null`	no
logging	Map containing access bucket logging configuration.	`any`	`{}`	no
metadata_encryption_configuration	Encryption configuration block	`any`	`null`	no
metadata_inventory_table_configuration_state	Configuration state of the inventory table, indicating whether the inventory table is enabled or disabled. Valid values: ENABLED, DISABLED	`string`	`null`	no
metadata_journal_table_record_expiration	Whether journal table record expiration is enabled or disabled. Valid values: ENABLED, DISABLED	`string`	`null`	no
metadata_journal_table_record_expiration_days	Number of days to retain journal table records	`number`	`null`	no
metric_configuration	Map containing bucket metric configuration.	`any`	`[]`	no
object_lock_configuration	Map containing S3 object locking configuration.	`any`	`{}`	no
object_lock_enabled	Whether S3 bucket should have an Object Lock configuration enabled.	`bool`	`false`	no
object_ownership	Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL.	`string`	`"BucketOwnerEnforced"`	no
owner	Bucket owner's display name and ID. Conflicts with `acl`	`map(string)`	`{}`	no
policy	(Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.	`string`	`null`	no
putin_khuylo	Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!	`bool`	`true`	no
region	Region where the resource(s) will be managed. Defaults to the region set in the provider configuration	`string`	`null`	no
replication_configuration	Map containing cross-region replication configuration.	`any`	`{}`	no
request_payer	(Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information.	`string`	`null`	no
restrict_public_buckets	Whether Amazon S3 should restrict public bucket policies for this bucket.	`bool`	`true`	no
server_side_encryption_configuration	Map containing server-side encryption configuration.	`any`	`{}`	no
skip_destroy_public_access_block	Whether to skip destroying the S3 Bucket Public Access Block configuration when destroying the bucket. Only used if `public_access_block` is set to true.	`bool`	`true`	no
tags	(Optional) A mapping of tags to assign to the bucket.	`map(string)`	`{}`	no
transition_default_minimum_object_size	The default minimum object size behavior applied to the lifecycle configuration. Valid values: all_storage_classes_128K (default), varies_by_storage_class	`string`	`null`	no
type	Bucket type. Valid values: `Directory`	`string`	`"Directory"`	no
versioning	Map containing versioning configuration.	`map(string)`	`{}`	no
website	Map containing static web-site hosting or redirect configuration.	`any`	`{}`	no

Outputs

Name	Description
aws_s3_bucket_versioning_status	The versioning status of the bucket. Will be 'Enabled', 'Suspended', or 'Disabled'.
s3_bucket_arn	The ARN of the bucket. Will be of format arn:aws:s3:::bucketname.
s3_bucket_bucket_domain_name	The bucket domain name. Will be of format bucketname.s3.amazonaws.com.
s3_bucket_bucket_regional_domain_name	The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL.
s3_bucket_hosted_zone_id	The Route 53 Hosted Zone ID for this bucket's region.
s3_bucket_id	The name of the bucket.
s3_bucket_lifecycle_configuration_rules	The lifecycle rules of the bucket, if the bucket is configured with lifecycle rules. If not, this will be an empty string.
s3_bucket_policy	The policy of the bucket, if the bucket is configured with a policy. If not, this will be an empty string.
s3_bucket_region	The AWS region this bucket resides in.
s3_bucket_tags	Tags of the bucket.
s3_bucket_website_domain	The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records.
s3_bucket_website_endpoint	The website endpoint, if the bucket is configured with a website. If not, this will be an empty string.
s3_directory_bucket_arn	ARN of the directory bucket.
s3_directory_bucket_name	Name of the directory bucket.

Russia has illegally annexed Crimea in 2014 and brought the war in Donbas followed by full-scale invasion of Ukraine in 2022.
Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
Putin khuylo!