aws::s3-bucket

Creates an S3 bucket with enabled/disabled object lock.

Example

aws::s3-bucket bucket
    name: bucket-example
    enable-object-lock: true
    tags: {
        Name: "bucket-example"
    }
    enable-accelerate-config: true
    enable-versioning: true
    policy: "policy.json"
end

Example with cors rule

aws::s3-bucket bucket
    name: bucket-example-with-cors
    enable-object-lock: true
    tags: {
        Name: "bucket-example"
    }
    enable-accelerate-config: true
    enable-versioning: true

    cors-rule
        allowed-origins: [
            "*"
        ]
        allowed-methods: [
            "PUT"
        ]
        max-age-seconds: 300
    end
end

Example with life cycle rule

aws::s3-bucket bucket
    name: bucket-example-with-lifecycle
    enable-object-lock: true
    tags: {
        Name: "bucket-example"
    }
    enable-accelerate-config: true
    enable-versioning: true

    lifecycle-rule
        id: "rule no prefix and no tag"
        status: "Disabled"

        transition
            days: 40
            storage-class: "STANDARD_IA"
        end

        noncurrent-version-transition
            days: 40
            storage-class: "STANDARD_IA"
        end

        expiration
            expired-object-delete-marker: false
        end

        noncurrent-version-expiration
            days: 403
        end

        abort-incomplete-multipart-upload
            days-after-initiation: 5
        end
    end
end

Example with replication configuration

aws::s3-bucket bucket-example
    name: "beam-sandbox-bucket-us-east-2"
    tags: {
        Name: "bucket-example",
        Name2: "something"
    }
    enable-accelerate-config: true
    enable-versioning: true

    replication-configuration
        role: $(external-query aws::iam-role { name: 's3crr_role_for_sandbox-bucket-example-logging_to_beam-sandbox-br'})
        rule
            id: "example_with_encryption"
            destination
                bucket: "beam-sandbox-ops-us-east-1a"
                encryption-configuration
                    kms-key: $(external-query aws::kms-key { key-id: '<key-id>'})
                end
            end

            source-selection-criteria
                sse-kms-encrypted-objects-status: ENABLED
            end

            filter
                prefix: "logs/"
            end
            priority: 1
            status: enabled
            delete-marker-replication-status: disabled
        end

        rule
            id: "example_with_complex_filter"
            destination
                bucket: "beam-sandbox-ops-us-east-1a"
            end
            filter
                and-operator
                    prefix: "thousand-year-door"
                    tag
                        key: "paper"
                        value: "mario"
                    end
                end
            end
            priority: 2
            status: enabled
            delete-marker-replication-status: disabled
        end

        rule
            id: "example_with_access_control"
            destination
                bucket: "beam-sandbox-ops-us-east-1a"
                account: "242040583208"
                access-control-translation
                    owner-override: destination
                end
            end
            priority: 3
            status: enabled
            delete-marker-replication-status: disabled
        end
    end
end

Example with logging enabled

aws::s3-bucket bucket-example
    name: "beam-sandbox-logging-enabled"
    enable-object-lock: false
    tags: {
        Name: "bucket-example",
        Name2: "something"
    }

    logging
        bucket: "beam-sandbox-s3-logs"
    end

    enable-accelerate-config: true
    enable-versioning: true
end

Example with encryption configuration

aws::s3-bucket bucket-example-with-encryption
    name: "example-bucket-with-encryption-config"
    enable-object-lock: true

    tags: {
        Name: "bucket-example"
    }

    encryption-configuration
        encryption-rule
            default-encryption
                key: $(external-query aws::kms-key { key-id: '<key-id>'})
                encryption-type: "aws:kms"
            end
        end
    end
end

Example with control access policy

aws::s3-bucket example-bucket-with-full-control-log-delivery-group
    name: "example-bucket-with-full-control-log-delivery-group"
    enable-object-lock: true

    access-control-policy
        grant
            permission: "FULL_CONTROL"

            grantee
                uri: "http://acs.amazonaws.com/groups/s3/LogDelivery"
                type: "Group"
            end
        end
    end
end

Attributes

Attribute Description
name The name of the bucket. (Required)
enable-object-lock Enable object lock property for the bucket which prevents objects from being deleted. Can only be set during creation. See S3 Object Lock.
tags map Tags for the bucket.
enable-accelerate-config Enable fast, easy and secure transfers of files to and from the bucket. See S3 Transfer Acceleration.
enable-versioning Enable keeping multiple versions of an object in the same bucket. Updatable only when object lock is disabled. See S3 Versioning.
request-payer Whether the requester or the bucket owner pays for requests to the bucket. Defaults to BUCKET_OWNER. Valid values are BUCKET_OWNER or REQUESTER. See S3 Requester Pays Bucket.
cors-rule list subresource

Configure the cross origin request policy for the bucket.

allowed-headers list
List of allowed headers for the rule.
allowed-methods list
Allowed HTTP methods for the rule. Valid values are GET, PUT, POST, DELETE and HEAD.
allowed-origins list
Allowed origins for the rule that requires bucket access.
expose-headers list
Expose headers for the rule.
max-age-seconds
Max age in seconds that specifies the cache duration of the response.
lifecycle-rule list subresource

Configure the lifecycle rules for the bucket.

id
Name of the life cycle rule. (Required)
expiration subresource

Expiration setting for the life cycle rule.

days
The lifetime, in days, of the objects that are subject to the rule.
expired-object-delete-marker
Indicates whether Amazon S3 will remove a delete marker with no noncurrent versions. If set to true, the delete marker will be expired. Cannot be set with ‘days’ or lifecycle rule ‘tags’.
abort-incomplete-multipart-upload subresource

Incomplete multipart upload setting for the life cycle rule.

days-after-initiation
Number of days after which incomplete multipart upload data will be deleted.
noncurrent-version-expiration subresource

Non current version expiration settings for the life cycle rule.

days
Non current version expiration days. Depends on the values set in non current version transition.
status
State of the lifecycle policy. Valid values are Enabled or Disabled. (Required)
prefix
Apply the rule to objects having this prefix.
tags map
Apply the rule to objects having these tags.
noncurrent-version-transition list subresource

Configure the non current transition rules to this lifecycle rule.

days
Days after creation that versioning would start. Min value 30. (Required)
storage-class
Type of transition. Valid values are GLACIER, STANDARD_IA, ONEZONE_IA or INTELLIGENT_TIERING. (Required)
transition list subresource

Configure the transition rules to this lifecycle rule.

days
Days after creation that versioning would start. Min value 30. (Required)
storage-class
Type of transition. Valid values are GLACIER, STANDARD_IA, ONEZONE_IA or INTELLIGENT_TIERING. (Required)
logging subresource

Configure where access logs are sent.

bucket
The target destination bucket for the logs. (Required)
prefix
The destination prefix on the bucket to place logs.
replication-configuration subresource

Configure the replication rules for the bucket.

role
The ARN for an IAM Role that the S3 bucket assumes when replicating objects. (Required)
rule list subresource
Configure cross region replication rules. (Required)
encryption-configuration subresource

Configure the server side encryption for the bucket.

encryption-rule subresource

The server-side encryption configuration rule. (Required)

default-encryption subresource

The default server-side encryption to apply to new objects in the bucket. (Required)

key
The KMS master key to use for the default encryption.
encryption-type
The server-side encryption algorithm to use for the default encryption. Valid values are AES256 or aws:kms. (Required)
policy The bucket policy as a JSON document.
access-control-policy subresource

Configure the access control policy of the bucket.

grant list subresource

The list of grants for the bucket. (Required)

grantee subresource

The object being granted the permission. (Required)

display-name
The display name of the grantee. Cannot be set if any of id, uri or email is set.
id
The canonical user ID of the grantee. Cannot be set if any of display-name, uri or email is set.
uri
The URI of the grantee group. Cannot be set if any of display-name, id or email is set.
email
The email address of the grantee. Cannot be set if any of display-name, id or uri is set.
type
The type of the grantee. Valid values are CanonicalUser, AmazonCustomerByEmail or Group. (Required)
permission
The permission to be granted. Valid values are FULL_CONTROL, WRITE, WRITE_ACP, READ or READ_ACP. (Required)
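
The valid values and exclusivity rules listed under Attributes can be checked before a config is applied. The following linter is an added example, not part of Gyro or its documentation; `parse`, `validate` and the minimal block parser are hypothetical and handle only scalar attributes and nested blocks, not lists or maps.

```python
import re
# Added example, not Gyro code. (block, required attribute) -> valid values, from Attributes.
STORAGE = {"GLACIER", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING"}
ENUMS = {
    ("grant", "permission"): {"FULL_CONTROL", "WRITE", "WRITE_ACP", "READ", "READ_ACP"},
    ("grantee", "type"): {"CanonicalUser", "AmazonCustomerByEmail", "Group"},
    ("lifecycle-rule", "status"): {"Enabled", "Disabled"},
    ("transition", "storage-class"): STORAGE,
    ("noncurrent-version-transition", "storage-class"): STORAGE,
    ("default-encryption", "encryption-type"): {"AES256", "aws:kms"},
}
KV = re.compile(r"^([\w-]+):\s+(\S.*)$")  # "key: value", not "aws::s3-bucket x"

def parse(text):  # scalar attributes and nested blocks only
    stack = [{"_block": "root", "_kids": []}]
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KV.match(line):
            stack[-1][m.group(1)] = m.group(2).strip('"')
        elif line == "end":
            stack.pop()
        elif line:  # a bare name opens a nested block
            stack[-1]["_kids"].append({"_block": line.split()[0], "_kids": []})
            stack.append(stack[-1]["_kids"][-1])
    return stack[0]

def validate(node):  # returns the documented constraints the tree violates
    block, errors = node["_block"], []
    for (blk, attr), allowed in ENUMS.items():
        if blk == block and node.get(attr) not in allowed:
            errors.append(f"{block}.{attr}: invalid value {node.get(attr)!r}")
    if block == "grantee" and sum(k in node for k in ("display-name", "id", "uri", "email")) > 1:
        errors.append("grantee: set only one of display-name, id, uri, email")
    if block.endswith("transition") and int(node.get("days", 0)) < 30:
        errors.append(f"{block}.days: minimum is 30")
    return errors + [e for kid in node["_kids"] for e in validate(kid)]

# Constructed sample: invalid permission value, and a grantee with both uri and email.
SAMPLE = """aws::s3-bucket bucket
    access-control-policy
        grant
            permission: "FULL"
            grantee
                uri: "http://acs.amazonaws.com/groups/s3/LogDelivery"
                email: "ops@example.com"
                type: "Group"
            end
        end
    end
end"""
print(*validate(parse(SAMPLE)), sep="\n")  # one line per violation
```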