Terraform module to create an S3 bucket with flexible lifecycle configuration.
- ✅ Dynamic Lifecycle Rules - Flexible configuration supporting any S3 lifecycle pattern
- ✅ Multiple Rule Types - Expiration, transitions, cleanup, version management
- ✅ Flexible Filtering - Prefix and tag-based filtering
- ✅ Cost Optimization - Storage class transitions for cost savings
- ✅ Version Management - Noncurrent version expiration support
- ✅ Security - Public access blocking and encryption
- ✅ Logging - Optional S3 access logging
The module supports dynamic lifecycle rules through the lifecycle_rules variable. Here are some common patterns:
Simple Expiration:

```hcl
lifecycle_rules = [
  {
    id     = "expire-after-30-days"
    status = "Enabled"
    expiration = {
      days = 30
    }
  }
]
```

Cleanup Incomplete Uploads:

```hcl
lifecycle_rules = [
  {
    id     = "cleanup-incomplete-uploads"
    status = "Enabled"
    abort_incomplete_multipart_upload = {
      days_after_initiation = 7
    }
  }
]
```

Log Retention with Prefix Filter:

```hcl
lifecycle_rules = [
  {
    id     = "log-retention"
    status = "Enabled"
    filter = {
      prefix = "logs/"
    }
    expiration = {
      days = 90
    }
    noncurrent_version_expiration = {
      noncurrent_days = 30
    }
  }
]
```

Storage Class Transitions:

```hcl
lifecycle_rules = [
  {
    id     = "cost-optimization"
    status = "Enabled"
    filter = {
      prefix = "data/"
    }
    transitions = [
      {
        days          = 30
        storage_class = "STANDARD_IA"
      },
      {
        days          = 90
        storage_class = "GLACIER"
      },
      {
        days          = 365
        storage_class = "DEEP_ARCHIVE"
      }
    ]
  }
]
```

Tag-based Filtering:

```hcl
lifecycle_rules = [
  {
    id     = "production-data-retention"
    status = "Enabled"
    filter = {
      tag = {
        key   = "Environment"
        value = "production"
      }
    }
    expiration = {
      days = 2555 # 7 years
    }
  }
]
```

Supported rule keys:

- `expiration` - Delete objects after specified days/date
- `noncurrent_version_expiration` - Delete noncurrent versions
- `abort_incomplete_multipart_upload` - Clean up failed uploads
- `transitions` - Move objects to different storage classes
- `filter` - Apply rules to specific objects (prefix/tag)
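The rule maps above are typed `any`, so the module has to translate each optional key into the matching nested block of the provider resource. The following is an added illustration of one way to do that with `dynamic` blocks; it is not the module's own source, and the resource and variable names other than `lifecycle_rules` and the rule keys listed above are assumptions. A key that is absent from a rule map simply produces no block, which is what lets the five patterns above coexist in a single list.

```hcl
# Illustrative implementation (assumption, not the module's code): map the
# free-form "lifecycle_rules" maps onto aws_s3_bucket_lifecycle_configuration.

variable "lifecycle_rules" {
  description = "List of lifecycle rule maps; supported keys are listed in the README."
  type        = any
  default     = []
}

resource "aws_s3_bucket_lifecycle_configuration" "this" {
  bucket = aws_s3_bucket.this.id # assumed bucket resource name

  dynamic "rule" {
    for_each = var.lifecycle_rules
    content {
      id     = rule.value.id
      status = rule.value.status

      # A filter block is always emitted; with no prefix and no tag it
      # matches every object in the bucket.
      filter {
        prefix = try(rule.value.filter.prefix, null)
        dynamic "tag" {
          for_each = try([rule.value.filter.tag], [])
          content {
            key   = tag.value.key
            value = tag.value.value
          }
        }
      }

      # try([...], []) yields a one-element list when the key exists and an
      # empty list (hence no block) when it does not.
      dynamic "expiration" {
        for_each = try([rule.value.expiration], [])
        content {
          days = try(expiration.value.days, null)
          date = try(expiration.value.date, null)
        }
      }

      dynamic "transition" {
        for_each = try(rule.value.transitions, [])
        content {
          days          = transition.value.days
          storage_class = transition.value.storage_class
        }
      }

      dynamic "noncurrent_version_expiration" {
        for_each = try([rule.value.noncurrent_version_expiration], [])
        content {
          noncurrent_days = noncurrent_version_expiration.value.noncurrent_days
        }
      }

      dynamic "abort_incomplete_multipart_upload" {
        for_each = try([rule.value.abort_incomplete_multipart_upload], [])
        content {
          days_after_initiation = abort_incomplete_multipart_upload.value.days_after_initiation
        }
      }
    }
  }
}
```

Because the variable is untyped, a misspelled key (for example `expirations`) is silently ignored rather than rejected at plan time, so `terraform plan` output should be checked to confirm that every intended `rule` block actually appears.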
No requirements.

Providers:

| Name | Version |
|---|---|
| aws | 6.14.1 |
No modules.

Resources:

| Name | Type |
|---|---|
| aws_s3_bucket.logging | resource |
| aws_s3_bucket.this | resource |
| aws_s3_bucket_acl.this | resource |
| aws_s3_bucket_lifecycle_configuration.logging | resource |
| aws_s3_bucket_lifecycle_configuration.this | resource |
| aws_s3_bucket_logging.logging | resource |
| aws_s3_bucket_ownership_controls.logging | resource |
| aws_s3_bucket_ownership_controls.this | resource |
| aws_s3_bucket_policy.this | resource |
| aws_s3_bucket_public_access_block.this | resource |
| aws_s3_bucket_server_side_encryption_configuration.logging | resource |
| aws_s3_bucket_server_side_encryption_configuration.this | resource |
| aws_s3_bucket_versioning.this | resource |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allowed_principals | List of IAM principals allowed to access the S3 bucket. Use '*' for public access. | list(string) | [ | no |
| block_public_acls | Whether to block public ACLs on the S3 bucket. | bool | true | no |
| block_public_policy | Whether to block public bucket policies. | bool | true | no |
| bucket_acl | The ACL for the S3 bucket. | string | "private" | no |
| bucket_name | The name of the S3 bucket (must be unique, 3-63 characters, lowercase, and DNS-compliant). | string | n/a | yes |
| bucket_suffix | Optional suffix for the S3 bucket name. | string | "" | no |
| enable_versioning | Enable versioning for the bucket. | bool | true | no |
| force_destroy | Whether to allow deletion of a non-empty bucket. | bool | false | no |
| ignore_public_acls | Whether to ignore public ACLs for this bucket. | bool | true | no |
| lifecycle_rules | List of lifecycle rules for the S3 bucket. Each rule is a map that is passed directly to the aws_s3_bucket_lifecycle_configuration resource. | any | [] | no |
| logging_enabled | Enable logging for the S3 bucket. | bool | false | no |
| logging_encryption_algorithm | The encryption algorithm used for S3 logging. Valid values: 'AES256', 'aws:kms'. | string | "AES256" | no |
| logging_encryption_enabled | Enable encryption for S3 logging. | bool | true | no |
| logging_lifecycle_filter_prefix | Prefix to apply the S3 logging lifecycle rule to. Set to "" to apply to all objects. | string | "" | no |
| logging_log_retention_days | Number of days to retain S3 logging data before expiration. | number | 30 | no |
| logging_s3_prefix | Prefix for S3 logging objects. | string | "s3/" | no |
| object_ownership | Defines who owns newly uploaded objects in the bucket. | string | "BucketOwnerPreferred" | no |
| restrict_public_buckets | Whether to restrict public access to the bucket. | bool | true | no |
| sse_algorithm | The encryption algorithm for the S3 bucket. | string | "AES256" | no |
| tags | Tags for the S3 bucket. | map(string) | {} | no |
Outputs:

| Name | Description |
|---|---|
| bucket_arn | The ARN of the S3 bucket |
| bucket_bucket_domain_name | The bucket domain name (suitable for direct website hosting) |
| bucket_bucket_regional_domain_name | The bucket region-specific domain name |
| bucket_domain_name | The bucket domain name |
| bucket_encryption_configuration | The bucket's server-side encryption configuration |
| bucket_hosted_zone_id | The Route 53 hosted zone ID for this bucket |
| bucket_id | The ID of the S3 bucket |
| bucket_lifecycle_configuration | The bucket's lifecycle configuration |
| bucket_logging_target | The target bucket for logging (if logging is enabled) |
| bucket_name | The name of the S3 bucket |
| bucket_region | The AWS region where the S3 bucket is located |
| bucket_replication_configuration | The bucket's replication configuration |
| bucket_versioning | The bucket's versioning configuration |
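A complete invocation tying the inputs and outputs above together, as an added usage example that is not part of the module's own README. The module source path, bucket name, and the IAM role ARN in `allowed_principals` are placeholders; the public-access inputs are set to their defaults explicitly so the hardening intent is visible in code review.

```hcl
# Added usage example (not the module's own code). Placeholders: source path,
# bucket name, account id / role name.

module "app_data" {
  source = "./modules/s3-bucket" # placeholder path

  bucket_name = "example-app-data" # placeholder; must be globally unique

  # Least privilege: grant one workload role instead of '*'.
  allowed_principals = ["arn:aws:iam::123456789012:role/app-reader"] # placeholder

  # Public-access protections; these equal the module defaults.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  bucket_acl        = "private"
  object_ownership  = "BucketOwnerPreferred"
  enable_versioning = true
  sse_algorithm     = "AES256"
  force_destroy     = false

  # Access logs land in a module-managed, encrypted logging bucket and
  # are expired after 90 days.
  logging_enabled            = true
  logging_encryption_enabled = true
  logging_s3_prefix          = "s3/app-data/"
  logging_log_retention_days = 90

  # Several rule patterns from the README combined in one list.
  lifecycle_rules = [
    {
      id     = "cleanup-incomplete-uploads"
      status = "Enabled"
      abort_incomplete_multipart_upload = { days_after_initiation = 7 }
    },
    {
      id     = "tier-and-expire-data"
      status = "Enabled"
      filter = { prefix = "data/" }
      transitions = [
        { days = 30, storage_class = "STANDARD_IA" },
        { days = 90, storage_class = "GLACIER" },
      ]
      noncurrent_version_expiration = { noncurrent_days = 30 }
    },
  ]

  tags = {
    Environment = "production"
    DataClass   = "internal"
  }
}

# Expose the bucket ARN for IAM policies in the calling configuration.
output "app_data_bucket_arn" {
  value = module.app_data.bucket_arn
}
```

Note that `allowed_principals = ["*"]` and `block_public_policy = true` are mutually exclusive in practice: with Block Public Access enabled, S3 rejects a bucket policy that grants access to everyone, so making a bucket public requires deliberately relaxing the block inputs, which is the behaviour you want a reviewer to notice.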