第 7 章:S3 儲存貯體設定
Reference Link
S3 Bucket
S3 Bucket
# Minimal bucket definition: only the name and tags are set here. Ownership
# controls, ACLs, versioning and public-access blocking are separate resources
# (shown further down on this page), not attributes of the bucket itself.
resource "aws_s3_bucket" "example" {
  bucket = "my-tf-test-bucket"

  tags = {
    Environment = "Dev"
    Name        = "My bucket"
  }
}
S3 Bucket Acceleration
S3 Bucket Acceleration
# Bucket that the acceleration configuration below attaches to.
resource "aws_s3_bucket" "mybucket" {
  bucket = "mybucket"
}
# Turns on S3 Transfer Acceleration for the bucket referenced by id.
# `status` is "Enabled" here; "Suspended" is the other accepted value.
resource "aws_s3_bucket_accelerate_configuration" "example" {
  status = "Enabled"
  bucket = aws_s3_bucket.mybucket.id
}
S3 Bucket ACL
S3 Bucket ACL
# Bucket whose ownership controls and ACL are managed by the two resources below.
resource "aws_s3_bucket" "example" {
  bucket = "my-tf-example-bucket"
}
# Object ownership must allow ACLs before aws_s3_bucket_acl can be applied;
# "BucketOwnerPreferred" does so while still making the bucket owner the owner
# of objects uploaded with the bucket-owner-full-control ACL.
resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}
# Private canned ACL. The explicit depends_on orders this after the ownership
# controls, because the ACL call is rejected while ACLs are disabled.
resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.example.id
  acl    = "private"

  depends_on = [aws_s3_bucket_ownership_controls.example]
}
S3 Bucket cors_configuration
S3 Bucket cors_configuration
# Bucket that receives the CORS configuration below.
resource "aws_s3_bucket" "example" {
  bucket = "mybucket"
}
# Two CORS rules: browser uploads (PUT/POST) from one named origin, and
# browser reads (GET) from any origin.
resource "aws_s3_bucket_cors_configuration" "example" {
  bucket = aws_s3_bucket.example.id

  # Write rule, scoped to a single origin. ETag is exposed so multipart
  # upload clients can read it from the response.
  cors_rule {
    allowed_origins = ["https://s3-website-test.hashicorp.com"]
    allowed_methods = ["PUT", "POST"]
    allowed_headers = ["*"]
    expose_headers  = ["ETag"]
    max_age_seconds = 3000
  }

  # Read rule. "*" lets any website issue cross-origin GETs against the bucket;
  # CORS only governs browser access and does not replace bucket policy /
  # public-access settings, so narrow this to known origins where possible.
  cors_rule {
    allowed_origins = ["*"]
    allowed_methods = ["GET"]
  }
}
Intelligent tiering configuration
Intelligent tiering configuration
# Intelligent-Tiering applied to the whole bucket (no filter block): objects
# not accessed for 125 days move to the Archive Access tier and, after 180
# days, to Deep Archive Access.
resource "aws_s3_bucket_intelligent_tiering_configuration" "example-entire-bucket" {
  name   = "EntireBucket"
  bucket = aws_s3_bucket.example.id

  tiering {
    access_tier = "ARCHIVE_ACCESS"
    days        = 125
  }

  tiering {
    access_tier = "DEEP_ARCHIVE_ACCESS"
    days        = 180
  }
}
# Bucket referenced by the tiering configuration above.
resource "aws_s3_bucket" "example" {
  bucket = "example"
}
S3 Bucket Inventory
S3 Bucket Inventory
# Source bucket whose contents are inventoried.
resource "aws_s3_bucket" "test" {
  bucket = "my-tf-test-bucket"
}
# Separate bucket that receives the inventory reports. Keeping reports out of
# the source bucket avoids the reports themselves being inventoried.
resource "aws_s3_bucket" "inventory" {
  bucket = "my-tf-inventory-bucket"
}
# Daily inventory of every object version in `test`, written as ORC to the
# `inventory` bucket. The S3 service writes the reports, so the destination
# bucket additionally needs a bucket policy permitting that (not shown here).
resource "aws_s3_bucket_inventory" "test" {
  name                     = "EntireBucketDaily"
  bucket                   = aws_s3_bucket.test.id
  included_object_versions = "All"

  schedule {
    frequency = "Daily"
  }

  destination {
    bucket {
      bucket_arn = aws_s3_bucket.inventory.arn
      format     = "ORC"
    }
  }
}
S3 Life cycle
S3 Life cycle
# Single enabled rule with no filter; the actual transition/expiration actions
# are elided in this example.
resource "aws_s3_bucket_lifecycle_configuration" "example" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    id     = "rule-1"
    status = "Enabled"
    # ... other transition/expiration actions ...
  }
}
Lifecycle rule with an explicit empty filter
# Same as the rule above but with an explicit empty `filter {}`, which applies
# the rule to every object in the bucket.
resource "aws_s3_bucket_lifecycle_configuration" "example" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    id     = "rule-1"
    status = "Enabled"

    filter {}

    # ... other transition/expiration actions ...
  }
}
Lifecycle rule applies to a subset of objects
# Rule restricted to keys under the "logs/" prefix.
resource "aws_s3_bucket_lifecycle_configuration" "example" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    id     = "rule-1"
    status = "Enabled"

    filter {
      prefix = "logs/"
    }

    # ... other transition/expiration actions ...
  }
}
Lifecycle rules applied to two subsets of objects
# Two independent prefix-scoped rules in one configuration; each rule needs a
# distinct `id`.
resource "aws_s3_bucket_lifecycle_configuration" "example" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    id     = "rule-1"
    status = "Enabled"

    filter {
      prefix = "logs/"
    }

    # ... other transition/expiration actions ...
  }

  rule {
    id     = "rule-2"
    status = "Enabled"

    filter {
      prefix = "tmp/"
    }

    # ... other transition/expiration actions ...
  }
}
Lifecycle with filter based on an object tag
# Rule matching objects that carry the tag Name=Staging.
resource "aws_s3_bucket_lifecycle_configuration" "example" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    id     = "rule-1"
    status = "Enabled"

    filter {
      tag {
        key   = "Name"
        value = "Staging"
      }
    }

    # ... other transition/expiration actions ...
  }
}
Lifecycle on objects with two tags
# Rule matching objects that carry BOTH tags; multiple tags require the `and`
# wrapper rather than repeated `tag` blocks.
resource "aws_s3_bucket_lifecycle_configuration" "example" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    id     = "rule-1"
    status = "Enabled"

    filter {
      and {
        tags = {
          Key1 = "Value1"
          Key2 = "Value2"
        }
      }
    }

    # ... other transition/expiration actions ...
  }
}
Lifecycle on objects with the specified prefix and two tags
# Rule matching objects under "logs/" that also carry both tags.
resource "aws_s3_bucket_lifecycle_configuration" "example" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    id     = "rule-1"
    status = "Enabled"

    filter {
      and {
        prefix = "logs/"

        tags = {
          Key1 = "Value1"
          Key2 = "Value2"
        }
      }
    }

    # ... other transition/expiration actions ...
  }
}
Lifecycle rule with a filter based on object size
# Rule matching only objects larger than 500 bytes.
resource "aws_s3_bucket_lifecycle_configuration" "example" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    id     = "rule-1"
    status = "Enabled"

    filter {
      object_size_greater_than = 500
    }

    # ... other transition/expiration actions ...
  }
}
Lifecycle with filter on object size range and prefix
# Rule matching objects under "logs/" whose size is between 500 and 64000 bytes.
resource "aws_s3_bucket_lifecycle_configuration" "example" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    id     = "rule-1"
    status = "Enabled"

    filter {
      and {
        prefix                   = "logs/"
        object_size_greater_than = 500
        object_size_less_than    = 64000
      }
    }

    # ... other transition/expiration actions ...
  }
}
Lifecycle with versioning
# Unversioned bucket used by the first lifecycle configuration below.
resource "aws_s3_bucket" "bucket" {
  bucket = "my-bucket"
}
# Private ACL for `bucket`. Note that, unlike the ACL example earlier on this
# page, no ownership-controls dependency is declared here.
resource "aws_s3_bucket_acl" "bucket_acl" {
  acl    = "private"
  bucket = aws_s3_bucket.bucket.id
}
# Two rules on the unversioned bucket:
#   "log": objects under "log/" tagged rule=log and autoclean=true go to
#          STANDARD_IA after 30 days, GLACIER after 60, and expire at 90 days.
#   "tmp": objects under "tmp/" expire on a fixed date.
resource "aws_s3_bucket_lifecycle_configuration" "bucket-config" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    id     = "log"
    status = "Enabled"

    filter {
      and {
        prefix = "log/"

        tags = {
          autoclean = "true"
          rule      = "log"
        }
      }
    }

    transition {
      storage_class = "STANDARD_IA"
      days          = 30
    }

    transition {
      storage_class = "GLACIER"
      days          = 60
    }

    expiration {
      days = 90
    }
  }

  rule {
    id     = "tmp"
    status = "Enabled"

    filter {
      prefix = "tmp/"
    }

    # Absolute expiration date; must be midnight UTC as written here.
    expiration {
      date = "2023-01-13T00:00:00Z"
    }
  }
}
# Bucket that will have versioning enabled, so noncurrent-version rules apply.
resource "aws_s3_bucket" "versioning_bucket" {
  bucket = "my-versioning-bucket"
}
# Private ACL for the versioned bucket.
resource "aws_s3_bucket_acl" "versioning_bucket_acl" {
  acl    = "private"
  bucket = aws_s3_bucket.versioning_bucket.id
}
# Enables versioning; the lifecycle configuration below depends on this
# because noncurrent-version actions are meaningless without it.
resource "aws_s3_bucket_versioning" "versioning" {
  bucket = aws_s3_bucket.versioning_bucket.id

  versioning_configuration {
    status = "Enabled"
  }
}
# Lifecycle for previous (noncurrent) versions under "config/": move to
# STANDARD_IA after 30 days, GLACIER after 60, and delete after 90 days of
# being noncurrent. Current versions are untouched by this rule.
resource "aws_s3_bucket_lifecycle_configuration" "versioning-bucket-config" {
  bucket = aws_s3_bucket.versioning_bucket.id

  # Must have bucket versioning enabled first
  depends_on = [aws_s3_bucket_versioning.versioning]

  rule {
    id     = "config"
    status = "Enabled"

    filter {
      prefix = "config/"
    }

    noncurrent_version_transition {
      storage_class   = "STANDARD_IA"
      noncurrent_days = 30
    }

    noncurrent_version_transition {
      storage_class   = "GLACIER"
      noncurrent_days = 60
    }

    noncurrent_version_expiration {
      noncurrent_days = 90
    }
  }
}
S3 Bucket Policy
S3 bucket policy
# Bucket that the cross-account policy below is attached to.
resource "aws_s3_bucket" "example" {
  bucket = "my-tf-test-bucket"
}
# Attaches the rendered policy document to the bucket. A bucket policy is the
# resource-side half of a cross-account grant; the other account's identities
# still need matching IAM permissions on their side.
resource "aws_s3_bucket_policy" "allow_access_from_another_account" {
  policy = data.aws_iam_policy_document.allow_access_from_another_account.json
  bucket = aws_s3_bucket.example.id
}
# Policy granting read (GetObject) and list (ListBucket) on the bucket and its
# objects. No `effect` is given, so the statement defaults to Allow.
#
# The principal is a bare 12-digit account ID, which is the account root: every
# IAM principal in that account the account chooses to delegate to can use this
# grant. Prefer specific role/user ARNs when the caller set is known.
data "aws_iam_policy_document" "allow_access_from_another_account" {
  statement {
    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]

    # ListBucket is evaluated against the bucket ARN, GetObject against the
    # object ARNs, so both forms are required.
    resources = [
      aws_s3_bucket.example.arn,
      "${aws_s3_bucket.example.arn}/*",
    ]

    principals {
      type        = "AWS"
      identifiers = ["123456789012"]
    }
  }
}
S3 Bucket public access
S3 bucket public access
# Bucket protected by the public access block below.
resource "aws_s3_bucket" "example" {
  bucket = "example"
}
# All four switches on: new public ACLs are rejected, existing public ACLs are
# ignored, public bucket policies are rejected, and cross-account access to a
# bucket with a public policy is restricted. This is the baseline for any
# bucket that is not deliberately public.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
S3 Bucket replication
S3 Bucket replication
# Default provider: the destination bucket lives in eu-west-1.
provider "aws" {
  region = "eu-west-1"
}
# Aliased provider for the source side of the replication (eu-central-1).
provider "aws" {
  region = "eu-central-1"
  alias  = "central"
}
# Trust policy letting the S3 service assume the replication role.
# Service principals can be used by any account's S3 unless the trust is
# narrowed; consider a condition on aws:SourceAccount / aws:SourceArn so only
# this account's source bucket can assume the role.
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      identifiers = ["s3.amazonaws.com"]
      type        = "Service"
    }
  }
}
# Role S3 assumes to read from the source bucket and write to the destination.
resource "aws_iam_role" "replication" {
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
  name               = "tf-iam-role-replication-12345"
}
# Permissions for the replication role, split by resource so each statement is
# as narrow as its resource requires: bucket-level reads on the source, object
# version reads on source objects, and replicate-writes on destination objects.
data "aws_iam_policy_document" "replication" {
  # Bucket-level: read the replication configuration and list the source.
  statement {
    effect    = "Allow"
    resources = [aws_s3_bucket.source.arn]

    actions = [
      "s3:GetReplicationConfiguration",
      "s3:ListBucket",
    ]
  }

  # Object-level on the source: read versions, their ACLs and tags.
  statement {
    effect    = "Allow"
    resources = ["${aws_s3_bucket.source.arn}/*"]

    actions = [
      "s3:GetObjectVersionForReplication",
      "s3:GetObjectVersionAcl",
      "s3:GetObjectVersionTagging",
    ]
  }

  # Object-level on the destination: write replicated objects, deletes and tags.
  statement {
    effect    = "Allow"
    resources = ["${aws_s3_bucket.destination.arn}/*"]

    actions = [
      "s3:ReplicateObject",
      "s3:ReplicateDelete",
      "s3:ReplicateTags",
    ]
  }
}
# Managed policy rendered from the document above.
resource "aws_iam_policy" "replication" {
  policy = data.aws_iam_policy_document.replication.json
  name   = "tf-iam-role-policy-replication-12345"
}
# Binds the replication policy to the replication role.
resource "aws_iam_role_policy_attachment" "replication" {
  policy_arn = aws_iam_policy.replication.arn
  role       = aws_iam_role.replication.name
}
# Destination bucket, created with the default (eu-west-1) provider.
resource "aws_s3_bucket" "destination" {
  bucket = "tf-test-bucket-destination-12345"
}
# Replication requires versioning on the destination as well as the source.
resource "aws_s3_bucket_versioning" "destination" {
  bucket = aws_s3_bucket.destination.id

  versioning_configuration {
    status = "Enabled"
  }
}
# Source bucket, created in eu-central-1 via the aliased provider.
resource "aws_s3_bucket" "source" {
  bucket   = "tf-test-bucket-source-12345"
  provider = aws.central
}
# Private ACL on the source bucket (same region/provider as the bucket).
resource "aws_s3_bucket_acl" "source_bucket_acl" {
  acl      = "private"
  bucket   = aws_s3_bucket.source.id
  provider = aws.central
}
# Versioning on the source bucket; the replication configuration below waits
# for this resource explicitly.
resource "aws_s3_bucket_versioning" "source" {
  bucket   = aws_s3_bucket.source.id
  provider = aws.central

  versioning_configuration {
    status = "Enabled"
  }
}
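# Cross-region replication of keys prefixed "foo" from `source` (eu-central-1)
# to `destination` (eu-west-1), using the replication role defined above.
resource "aws_s3_bucket_replication_configuration" "replication" {
  provider = aws.central

  # Must have bucket versioning enabled first -- on BOTH buckets. The original
  # example only ordered this after the source's versioning; the reference to
  # aws_s3_bucket.destination.arn below does not depend on the destination's
  # versioning resource, so without the second entry the API call can race
  # ahead of it and fail.
  depends_on = [
    aws_s3_bucket_versioning.source,
    aws_s3_bucket_versioning.destination,
  ]

  role   = aws_iam_role.replication.arn
  bucket = aws_s3_bucket.source.id

  rule {
    id     = "foobar"
    status = "Enabled"

    # Only keys beginning with "foo" are replicated.
    filter {
      prefix = "foo"
    }

    destination {
      bucket        = aws_s3_bucket.destination.arn
      storage_class = "STANDARD"
    }
  }
}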
S3 Bucket versioning
With Versioning Enabled
# Bucket that gets versioning enabled below.
resource "aws_s3_bucket" "example" {
  bucket = "example-bucket"
}
# Private ACL for the example bucket.
resource "aws_s3_bucket_acl" "example" {
  acl    = "private"
  bucket = aws_s3_bucket.example.id
}
# Versioning on: overwrites and deletes keep the previous object version, which
# is the property ransomware-style deletion and accidental overwrites recover from.
resource "aws_s3_bucket_versioning" "versioning_example" {
  bucket = aws_s3_bucket.example.id

  versioning_configuration {
    status = "Enabled"
  }
}
With Versioning Disabled
# Bucket that is explicitly left unversioned below.
resource "aws_s3_bucket" "example" {
  bucket = "example-bucket"
}
# Private ACL for the example bucket.
resource "aws_s3_bucket_acl" "example" {
  acl    = "private"
  bucket = aws_s3_bucket.example.id
}
# "Disabled" is only valid for a bucket on which versioning has never been
# enabled. Once versioning has been on it cannot be turned off again; the
# corresponding state is "Suspended".
resource "aws_s3_bucket_versioning" "versioning_example" {
  bucket = aws_s3_bucket.example.id

  versioning_configuration {
    status = "Disabled"
  }
}
S3 bucket website configuration
S3 bucket website configuration
# Static-website hosting with one structured routing rule: requests for keys
# under "docs/" are redirected to the same key under "documents/".
# The website endpoint serves objects to anonymous clients, so this is only
# useful on a bucket whose objects are intentionally readable -- it conflicts
# with the public-access-block settings shown earlier on this page.
resource "aws_s3_bucket_website_configuration" "example" {
  bucket = aws_s3_bucket.example.id

  index_document {
    suffix = "index.html"
  }

  error_document {
    key = "error.html"
  }

  routing_rule {
    redirect {
      replace_key_prefix_with = "documents/"
    }

    condition {
      key_prefix_equals = "docs/"
    }
  }
}
S3 bucket website configuration with routing_rules configured
# Same website configuration, but the routing rules are supplied as a raw JSON
# array via `routing_rules` instead of `routing_rule` blocks. Here the "docs/"
# prefix is stripped (replaced with the empty string) on redirect.
# The heredoc body is passed to the API verbatim.
resource "aws_s3_bucket_website_configuration" "example" {
  bucket = aws_s3_bucket.example.id

  error_document {
    key = "error.html"
  }

  index_document {
    suffix = "index.html"
  }

  routing_rules = <<EOF
[{
"Condition": {
"KeyPrefixEquals": "docs/"
},
"Redirect": {
"ReplaceKeyPrefixWith": ""
}
}]
EOF
}