aws::s3-bucket

Creates an S3 bucket, with object lock either enabled or disabled.

Example

aws::s3-bucket bucket
    name: bucket-example
    enable-object-lock: true
    tags: {
        Name: "bucket-example"
    }
    enable-accelerate-config: true
    enable-versioning: true
    policy: "policy.json"
end

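Example with cors rule

Note: the wildcard in allowed-origins lets pages from any origin make cross-origin PUT requests to the bucket from a browser. CORS does not authorize the request itself (the bucket policy, ACLs or signed URLs still decide that), but outside of a demo allowed-origins should list only the specific origins that need access.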

aws::s3-bucket bucket
    name: bucket-example-with-cors
    enable-object-lock: true
    tags: {
        Name: "bucket-example"
    }
    enable-accelerate-config: true
    enable-versioning: true

    cors-rule
        allowed-origins: [
            "*"
        ]
        allowed-methods: [
            "PUT"
        ]
        max-age-seconds: 300
    end
end

Example with life cycle rule

aws::s3-bucket bucket
    name: bucket-example-with-lifecycle
    enable-object-lock: true
    tags: {
        Name: "bucket-example"
    }
    enable-accelerate-config: true
    enable-versioning: true

    lifecycle-rule
        id: "rule no prefix and no tag"
        status: "Disabled"

        transition
            days: 40
            storage-class: "STANDARD_IA"
        end

        noncurrent-version-transition
            days: 40
            storage-class: "STANDARD_IA"
        end

        expiration
            expired-object-delete-marker: false
        end

        noncurrent-version-expiration
            days: 403
        end

        abort-incomplete-multipart-upload
            days-after-initiation: 5
        end
    end
end

Example with replication configuration

aws::s3-bucket bucket-example
    name: "beam-sandbox-bucket-us-east-2"
    tags: {
        Name: "bucket-example",
        Name2: "something"
    }
    enable-accelerate-config: true
    enable-versioning: true

    replication-configuration
        role: $(external-query aws::iam-role { name: 's3crr_role_for_sandbox-bucket-example-logging_to_beam-sandbox-br'})
        rule
            id: "example_with_encryption"
            destination
                bucket: "beam-sandbox-ops-us-east-1a"
                encryption-configuration
                    kms-key: $(external-query aws::kms-key { key-id: '<key-id>'})
                end
            end

            source-selection-criteria
                sse-kms-encrypted-objects-status: ENABLED
            end

            filter
                prefix: "logs/"
            end
            priority: 1
            status: enabled
            delete-marker-replication-status: disabled
        end

        rule
            id: "example_with_complex_filter"
            destination
                bucket: "beam-sandbox-ops-us-east-1a"
            end
            filter
                and-operator
                    prefix: "thousand-year-door"
                    tag
                        key: "paper"
                        value: "mario"
                    end
                end
            end
            priority: 2
            status: enabled
            delete-marker-replication-status: disabled
        end

        rule
            id: "example_with_access_control"
            destination
                bucket: "beam-sandbox-ops-us-east-1a"
                account: "242040583208"
                access-control-translation
                    owner-override: destination
                end
            end
            priority: 3
            status: enabled
            delete-marker-replication-status: disabled
        end
    end
end

Example with logging enabled

aws::s3-bucket bucket-example
    name: "beam-sandbox-logging-enabled"
    enable-object-lock: false
    tags: {
        Name: "bucket-example",
        Name2: "something"
    }

    logging
        bucket: "beam-sandbox-s3-logs"
    end

    enable-accelerate-config: true
    enable-versioning: true
end

Example with encryption configuration

aws::s3-bucket bucket-example-with-encryption
    name: "example-bucket-with-encryption-config"
    enable-object-lock: true

    tags: {
        Name: "bucket-example"
    }

    encryption-configuration
        encryption-rule
            default-encryption
                key: $(external-query aws::kms-key { key-id: '<key-id>'})
                encryption-type: "aws:kms"
            end
        end
    end
end

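Example with access control policy

Note: this example grants FULL_CONTROL to the S3 log delivery group. Server access log delivery itself needs only the WRITE and READ_ACP permissions, so prefer those narrower grants when the bucket is used only as a log target.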

aws::s3-bucket example-bucket-with-full-control-log-delivery-group
    name: "example-bucket-with-full-control-log-delivery-group"
    enable-object-lock: true

    access-control-policy
        grant
            permission: "FULL_CONTROL"

            grantee
                uri: "http://acs.amazonaws.com/groups/s3/LogDelivery"
                type: "Group"
            end
        end
    end
end

Example with intelligent tiering

aws::s3-bucket bucket-example-with-intelligent-tiering
    name: "example-bucket-with-intelligent-tiering"
    enable-object-lock: true

    intelligent-tiering-configuration
       id: test-config

       tiering
            days: 90
            access-tier: "ARCHIVE_ACCESS"
       end

       tiering
            days: 182
            access-tier: "DEEP_ARCHIVE_ACCESS"
       end

       filter
            prefix: "something"

            tag
                key: "name1"
                value: "value1"
            end

            tag
                key: "name2"
                value: "value2"
            end
       end

       status: "Disabled"
    end

    tags: {
        Name: "bucket-example--with-intelligent-tiering"
    }
end

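Example with Public Access Blocks

Note: block-public-policy is false in this example, so a bucket policy that allows public access is still accepted when it is applied; restrict-public-buckets then limits who can use such a policy. Setting all four options to true is the most restrictive configuration.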

aws::s3-bucket bucket-example
    name: "bucket-example"
    enable-object-lock: true

    tags: {
        Name: "bucket-example",
        Name2: "something"
    }

    public-access-block-configuration
        block-public-acls: true
        ignore-public-acls: true
        block-public-policy: false
        restrict-public-buckets: true
    end

    enable-accelerate-config: true
    enable-versioning: true
    policy: "policy.json"
end

Attributes

Attribute Description
name The name of the bucket. (Required)
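enable-object-lock Enable the Object Lock property for the bucket, which allows objects to be protected from deletion or overwriting. Enabling it does not by itself lock any object; a retention period or legal hold must also be applied. Can only be set during creation. See S3 Object Lock.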
tags map Tags for the bucket.
enable-accelerate-config Enable fast, easy, and secure transfers of files to and from the bucket. See S3 Transfer Acceleration.
enable-versioning Enable keeping multiple versions of an object in the same bucket. Updatable only when object lock is disabled. See S3 Versioning.
request-payer Whether the requester or the bucket owner pays for requests to the bucket. Defaults to BUCKET_OWNER. Valid values are BUCKET_OWNER or REQUESTER. See S3 Requester Pays Bucket.
cors-rule list subresource

Configure the cross origin request policy for the bucket.

allowed-headers list
List of allowed headers for the rule.
allowed-methods list
Allowed HTTP methods for the rule. Valid values are GET, PUT, POST, DELETE and HEAD.
allowed-origins list
Allowed origins for the rule that requires bucket access.
expose-headers list
Expose headers for the rule.
max-age-seconds
Time in seconds that a browser may cache the response to a preflight request for the rule.
lifecycle-rule list subresource

Configure the life cycle rules for the bucket.

id
Name of the life cycle rule. (Required)
expiration subresource

Expiration setting for the life cycle rule.

days
The lifetime, in days, of the objects that are subject to the rule.
expired-object-delete-marker
Indicates whether Amazon S3 will remove a delete marker with no noncurrent versions. If set to true, the delete marker will be expired. Cannot be set with ‘days’ or the life cycle rule ‘tags’.
abort-incomplete-multipart-upload subresource

Incomplete multi part upload setting for the life cycle rule.

days-after-initiation
Number of days after initiation after which incomplete multipart upload data will be deleted.
noncurrent-version-expiration subresource

Non current version expiration settings for the life cycle rule.

days
Non current version expiration days. Depends on the values set in non current version transition.
status
State of the lifecycle policy. Valid values are Enabled or Disabled. (Required)
prefix
Apply the rule to objects having this prefix.
tags map
Apply the rule to objects having these tags.
noncurrent-version-transition list subresource

Configure the non current transition rules to this lifecycle rule.

days
Days after an object version becomes noncurrent at which it transitions to the given storage class. Min value 30. (Required)
storage-class
Type of transition. Valid values are GLACIER, STANDARD_IA, ONEZONE_IA or INTELLIGENT_TIERING. (Required)
transition list subresource

Configure the transition rules to this lifecycle rule.

days
Days after creation at which the object transitions to the given storage class. Min value 30. (Required)
storage-class
Type of transition. Valid values are GLACIER, STANDARD_IA, ONEZONE_IA or INTELLIGENT_TIERING. (Required)
logging subresource

Configure where access logs are sent.

bucket
The target destination bucket for the logs. (Required)
prefix
The destination prefix on the bucket to place logs.
replication-configuration subresource

Configure the replication rules for the bucket.

role
The ARN of the IAM role that Amazon S3 assumes when replicating objects. The role should be scoped to the source and destination buckets used by the rules. (Required)
rule list subresource

Configure cross region replication rules. (Required)

destination
The destination bucket and config for this rule.
priority
Priority of this rule. Defaults to 1
prefix
Object prefix that this rule applies to.
id
Unique name for this rule.
status
The state of this replication rule.
delete-marker-replication-status
State of the delete marker replication.
filter
Rule for selecting a subset of objects to replicate based on tags or prefix or both.
source-selection-criteria subresource

Describes additional filters for the objects which should be replicated. Currently only supports encrypted objects.

sse-kms-encrypted-objects-status
Status of Server Side Encryption. Valid values are ENABLED or DISABLED
encryption-configuration subresource

Configure the server side encryption for the bucket.

encryption-rule subresource

The server-side encryption configuration rule. (Required)

default-encryption subresource

The default server-side encryption to apply to new objects in the bucket. (Required)

key
The KMS master key to use for the default encryption.
encryption-type
The server-side encryption algorithm to use for the default encryption. Valid values are AES256 or aws:kms. (Required)
policy The bucket policy as a JSON document.
access-control-policy subresource

Configure the access control policy of the bucket.

grant list subresource

The list of grants for the bucket. (Required)

grantee subresource

The object being granted the permission. (Required)

display-name
The display name of the grantee. Cannot be set if any of id, uri or email is set.
id
The canonical user ID of the grantee. Cannot be set if any of display-name, uri or email is set.
uri
The URI of the grantee group. Cannot be set if any of display-name, id or email is set.
email
The email address of the grantee. Cannot be set if any of display-name, id or uri is set.
type
The type of the grantee. Valid values are CanonicalUser, AmazonCustomerByEmail or Group. (Required)
permission
The permission to be granted. Valid values are FULL_CONTROL, WRITE, WRITE_ACP, READ or READ_ACP. (Required)
intelligent-tiering-configuration list subresource

Configure intelligent tiering on the bucket.

id
The name for the tiering. (Required)
filter subresource

Configure intelligent tiering filter.

prefix
Filter prefix.
tag list
A list of tags to filter upon.
tiering list subresource

Configure intelligent tiering.

days
The number of days until objects move to the archive or deep archive tier, depending on the selected value of access-tier. (Required)
access-tier
The archive tier. Valid values are ARCHIVE_ACCESS or DEEP_ARCHIVE_ACCESS. (Required)
status
Status of the tiering. Valid values are Enabled or Disabled.
public-access-block-configuration subresource

The PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket.

block-public-acls
When set to true, Amazon S3 will block public access control lists (ACLs) for this bucket and objects in this bucket.
ignore-public-acls
When set to true, Amazon S3 will ignore all public ACLs on this bucket and objects in this bucket.
block-public-policy
When set to true, Amazon S3 will reject calls to PUT Bucket policy if the specified bucket policy allows public access.
restrict-public-buckets
When set to true, Amazon S3 will restrict access to this bucket to only AWS service principals and authorized users within this account if the bucket has a public policy.
object-ownership The bucket’s ownership controls. Valid values are BucketOwnerPreferred, ObjectWriter or BucketOwnerEnforced. With BucketOwnerEnforced, ACLs are disabled and access is controlled by policies only.