diff --git a/README.md b/README.md
index 447198c3..51df8a7c 100644
--- a/README.md
+++ b/README.md
@@ -433,9 +433,13 @@ Available targets:
| [aws_cloudfront_distribution.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
| [aws_cloudfront_origin_access_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource |
| [aws_s3_bucket.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_cors_configuration.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource |
| [aws_s3_bucket_ownership_controls.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
| [random_password.referer](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [time_sleep.wait_for_aws_s3_bucket_settings](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -461,6 +465,7 @@ Available targets:
| [allowed\_methods](#input\_allowed\_methods) | List of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) for AWS CloudFront | `list(string)` |
[
"DELETE",
"GET",
"HEAD",
"OPTIONS",
"PATCH",
"POST",
"PUT"
]
| no |
| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
| [block\_origin\_public\_access\_enabled](#input\_block\_origin\_public\_access\_enabled) | When set to 'true' the s3 origin bucket will have public access block enabled | `bool` | `false` | no |
+| [bucket\_versioning](#input\_bucket\_versioning) | State of bucket versioning option | `string` | `"Disabled"` | no |
| [cache\_policy\_id](#input\_cache\_policy\_id) | The unique identifier of the existing cache policy to attach to the default cache behavior.
If not provided, this module will add a default cache policy using other provided inputs. | `string` | `null` | no |
| [cached\_methods](#input\_cached\_methods) | List of cached methods (e.g. GET, PUT, POST, DELETE, HEAD) | `list(string)` | [
"GET",
"HEAD"
]
| no |
| [cloudfront\_access\_log\_bucket\_name](#input\_cloudfront\_access\_log\_bucket\_name) | When `cloudfront_access_log_create_bucket` is `false`, this is the name of the existing S3 Bucket where
Cloudfront Access Logs are to be delivered and is required. IGNORED when `cloudfront_access_log_create_bucket` is `true`. | `string` | `""` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index ff4cf8a0..d4f2f718 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -32,9 +32,13 @@
| [aws_cloudfront_distribution.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
| [aws_cloudfront_origin_access_identity.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource |
| [aws_s3_bucket.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_cors_configuration.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource |
| [aws_s3_bucket_ownership_controls.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
| [aws_s3_bucket_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
| [aws_s3_bucket_public_access_block.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.origin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
| [random_password.referer](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [time_sleep.wait_for_aws_s3_bucket_settings](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
| [aws_iam_policy_document.combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -60,6 +64,7 @@
| [allowed\_methods](#input\_allowed\_methods) | List of allowed methods (e.g. GET, PUT, POST, DELETE, HEAD) for AWS CloudFront | `list(string)` | [
"DELETE",
"GET",
"HEAD",
"OPTIONS",
"PATCH",
"POST",
"PUT"
]
| no |
| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
| [block\_origin\_public\_access\_enabled](#input\_block\_origin\_public\_access\_enabled) | When set to 'true' the s3 origin bucket will have public access block enabled | `bool` | `false` | no |
+| [bucket\_versioning](#input\_bucket\_versioning) | State of bucket versioning option | `string` | `"Disabled"` | no |
| [cache\_policy\_id](#input\_cache\_policy\_id) | The unique identifier of the existing cache policy to attach to the default cache behavior.
If not provided, this module will add a default cache policy using other provided inputs. | `string` | `null` | no |
| [cached\_methods](#input\_cached\_methods) | List of cached methods (e.g. GET, PUT, POST, DELETE, HEAD) | `list(string)` | [
"GET",
"HEAD"
]
| no |
| [cloudfront\_access\_log\_bucket\_name](#input\_cloudfront\_access\_log\_bucket\_name) | When `cloudfront_access_log_create_bucket` is `false`, this is the name of the existing S3 Bucket where
Cloudfront Access Logs are to be delivered and is required. IGNORED when `cloudfront_access_log_create_bucket` is `true`. | `string` | `""` | no |
diff --git a/main.tf b/main.tf
index 7ba9c1e3..a658b492 100644
--- a/main.tf
+++ b/main.tf
@@ -254,26 +254,9 @@ resource "aws_s3_bucket" "origin" {
count = local.create_s3_origin_bucket ? 1 : 0
bucket = module.origin_label.id
- acl = "private"
tags = module.origin_label.tags
force_destroy = var.origin_force_destroy
- dynamic "server_side_encryption_configuration" {
- for_each = var.encryption_enabled ? ["true"] : []
-
- content {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
- }
- }
- }
- }
-
- versioning {
- enabled = var.versioning_enabled
- }
-
dynamic "logging" {
for_each = local.s3_access_logging_enabled ? [1] : []
content {
@@ -291,6 +274,35 @@ resource "aws_s3_bucket" "origin" {
routing_rules = lookup(website.value, "routing_rules", null)
}
}
+}
+
+
+resource "aws_s3_bucket_versioning" "origin" {
+ count = local.create_s3_origin_bucket ? 1 : 0
+
+ bucket = one(aws_s3_bucket.origin).id
+
+ versioning_configuration {
+ status = var.bucket_versioning
+ }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "origin" {
+ count = var.encryption_enabled && local.create_s3_origin_bucket ? 1 : 0
+
+ bucket = one(aws_s3_bucket.origin).id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+}
+
+resource "aws_s3_bucket_cors_configuration" "origin" {
+ count = local.create_s3_origin_bucket ? 1 : 0
+
+ bucket = one(aws_s3_bucket.origin).id
dynamic "cors_rule" {
for_each = distinct(compact(concat(var.cors_allowed_origins, var.aliases, var.external_aliases)))
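Review bot: The new `aws_s3_bucket_versioning.origin` resource does not carry the previous `var.versioning_enabled` input forward: the `versioning { enabled = var.versioning_enabled }` block removed in the preceding hunk is replaced by `status = var.bucket_versioning`, whose default is `"Disabled"`, so a caller that had `versioning_enabled = true` and does not set the new variable silently loses versioning on the origin bucket unless that variable is mapped somewhere outside this diff. The AWS provider also accepts `Disabled` only for buckets that have never been versioned (a previously versioned bucket must use `Suspended`), so the default is likely to error at apply time on upgraded buckets rather than just drop the setting. A backward-compatible mapping such as `status = var.versioning_enabled ? "Enabled" : var.bucket_versioning`, or an explicit deprecation of `versioning_enabled` with a documented upgrade step, would preserve existing behavior. Separately, as far as I recall `aws_s3_bucket_cors_configuration` requires at least one `cors_rule`; if `distinct(compact(concat(var.cors_allowed_origins, var.aliases, var.external_aliases)))` can be empty, the resource's `count` should also be gated on that list being non-empty. The `aws_s3_bucket_cors_configuration.origin` body continues past the end of the hunk.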
@@ -304,6 +316,15 @@ resource "aws_s3_bucket" "origin" {
}
}
+resource "aws_s3_bucket_acl" "origin" {
+ depends_on = [aws_s3_bucket_ownership_controls.origin]
+ count = local.create_s3_origin_bucket ? 1 : 0
+
+ bucket = one(aws_s3_bucket.origin).id
+ acl = "private"
+}
+
+
resource "aws_s3_bucket_public_access_block" "origin" {
count = (local.create_s3_origin_bucket || local.override_origin_bucket_policy) ? 1 : 0
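Review bot: `aws_s3_bucket_acl.origin` will fail at apply time if `aws_s3_bucket_ownership_controls.origin` (not visible in this diff) sets `object_ownership = "BucketOwnerEnforced"`, because a bucket in that mode rejects every ACL call, including `private`; the `depends_on` only orders the two resources, it does not make them compatible. If the module uses `BucketOwnerEnforced`, the ACL resource should be dropped or its `count` gated on the ownership mode, since the bucket is then private by construction; if it uses `BucketOwnerPreferred` or `ObjectWriter`, the resource is correct but the coupling deserves a comment, e.g. `# ACLs are only accepted when object_ownership is BucketOwnerPreferred/ObjectWriter; BucketOwnerEnforced buckets reject this call`. The two added blank lines before `aws_s3_bucket_public_access_block` (one is enough) are a style nit. The `aws_s3_bucket_public_access_block.origin` resource that closes the hunk continues past it.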
diff --git a/variables.tf b/variables.tf
index 256a445b..8eb42800 100644
--- a/variables.tf
+++ b/variables.tf
@@ -679,4 +679,15 @@ variable "http_version" {
type = string
default = "http2"
description = "The maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3 and http3"
-}
\ No newline at end of file
+}
+
+variable "bucket_versioning" {
+ type = string
+ default = "Disabled"
+ description = "State of bucket versioning option"
+
+ validation {
+ condition = contains(["Enabled", "Disabled", "Suspended"], var.bucket_versioning)
+ error_message = "Please choose one of 'Enabled', 'Disabled', or 'Suspended'"
+ }
+}
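Review bot: The description `State of bucket versioning option` does not tell a caller what the accepted values are or when each is valid; I would replace it with `Versioning status of the origin bucket: 'Enabled', 'Suspended', or 'Disabled'. 'Disabled' is only valid for buckets that have never had versioning enabled; use 'Suspended' to turn versioning off on a previously versioned bucket.` The validation's `error_message` should name the variable and the constraint, e.g. `error_message = "bucket_versioning must be one of 'Enabled', 'Suspended', or 'Disabled'."`. Since this variable replaces the removed `var.versioning_enabled` usage in main.tf, a short comment above the declaration noting that migration (and whether the old variable is deprecated) would help upgraders, assuming `versioning_enabled` is still declared elsewhere in this file.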