rvn-s3 · Latest version: 0.3.1
Dependencies and consumers
Every dependency input can be specified manually to reference existing external infrastructure rather than a Ravion module.Readme
S3 bucket with public access blocking, encryption, versioning, CORS, lifecycle rules, and configurable bucket policies.Overview
Use this module to create an Amazon S3 bucket with secure defaults and common operational controls exposed in Ravion. The module blocks public access by default, enables server-side encryption, and can manage versioning, CORS rules, lifecycle rules, and bucket policy statements.Use cases
Security defaults
Public access block settings are enabled by default: Block public ACLs, Block public policies, Ignore public ACLs, and Restrict public buckets. Leave these enabled for private application buckets and log buckets unless you have a specific public bucket design. The bucket uses SSE-S3 AES256 encryption by default and blocks SSE-C uploads. Set KMS key ID to use SSE-KMS. Bucket key remains enabled by default for SSE-KMS to reduce KMS request volume.Lifecycle rules
Lifecycle rules can expire current objects, expire noncurrent versions, transition current or noncurrent versions to colder storage classes, and abort incomplete multipart uploads. The lifecycle rule form covers the common one-transition-per-rule cases. Advanced lifecycle rules accept the Terraform lifecycle rule shape, including id, enabled, prefix, tags, expiration, noncurrent_version_expiration, transitions, noncurrent_version_transitions, and abort_incomplete_multipart_upload_days.CORS
CORS rules allow browser-based applications on approved origins to make cross-origin requests to bucket objects. Each rule includes allowed origins and methods, with optional allowed request headers, exposed response headers, and browser preflight cache duration.Bucket policies
Policy templates add statements for common AWS service integrations:
Custom policy JSON can be provided for additional statements. When templates and custom policy are both set, the module merges their statements into one bucket policy.
For private buckets served through rvn-cloudfront, apply the CloudFront module first, then add the CloudFront OAC read template here with the CloudFront distribution ARN. The bucket remains private because access is granted only to the CloudFront service principal for that distribution.
Configuration
Design decisions
The module defaults to private, encrypted buckets. Public access settings are exposed because some AWS integrations need carefully scoped policies, but the secure defaults should remain enabled for most buckets. Bucket policy creation is inferred from selected policy templates or Custom policy JSON. Internal Terraform callers can override that inference for policies whose value is known only during apply, but that escape hatch is not part of the normal Ravion form. Ravion adds standard tags for ownership and traceability. User-provided Tags are merged on top for team, cost, or environment metadata.Learn more
- Amazon S3 bucket naming rules
- Blocking public access to your Amazon S3 storage
- Protecting data with server-side encryption
- Managing your storage lifecycle
- Source module
Inputs reference
All inputs forrvn-s3 version 0.3.1. Use the name shown for each field as the input key in module config.
AWS account & region
AWS account.
- Immutable after creation
Region.
- Immutable after creation
Bucket
Bucket name. Globally unique S3 bucket name.
- Default:
<<project.given_id>>-<<environment.given_id>>-<<module.given_id>> - Immutable after creation
- Pattern:
^.{3,63}$— Bucket names must be 3-63 characters long. - Pattern:
^[a-z0-9][a-z0-9.-]*[a-z0-9]$— Use a valid S3 bucket name: lowercase letters, numbers, hyphens, and periods; start and end with a letter or number. - Pattern:
^(?!.*\.\.).*$— Bucket names must not contain consecutive periods. - Pattern:
^(?!.*(\.-|-\.)).*$— Bucket names must not contain periods next to hyphens. - Pattern:
^(?!\d+\.\d+\.\d+\.\d+$).*$— Bucket names must not be formatted as an IPv4 address. - Pattern:
^(?!xn--)(?!.*-s3alias$).*$— Bucket names must not start with xn— or end with -s3alias.
Force destroy. Delete the bucket even when it contains objects. Use with caution.
- Default:
false
Public access block
Block public ACLs. Block public ACLs for this bucket.
- Default:
true
Block public policies. Block public bucket policies for this bucket.
- Default:
true
Ignore public ACLs. Ignore public ACLs on this bucket and its objects.
- Default:
true
Restrict public buckets. Restrict public bucket policies to AWS service principals and authorized users in this account.
- Default:
true
Encryption
KMS key ID. Optional AWS KMS key ID or ARN for SSE-KMS. Leave empty to use SSE-S3 AES256 encryption.
Bucket key. Enable S3 Bucket Keys for SSE-KMS to reduce KMS request costs. Applies only when KMS key ID is set.
- Default:
true
Versioning
Versioning. Keep multiple versions of objects in the bucket.
- Default:
false
Lifecycle rules
Lifecycle rules. Configure common lifecycle rules with form fields. Use advanced lifecycle rules below for multiple transitions, tag filters, or less common combinations.
- Default:
[]
Advanced lifecycle rules. Advanced lifecycle rules in the Terraform lifecycle rule shape. Use this for tag filters, multiple transitions, or other combinations not covered by the form above.
- Default:
[]
Bucket policy
Policy templates. Prebuilt bucket policy statements to add.
- Default:
[] - Allowed values:
deny_insecure_transport(Deny insecure transport),alb_access_logs(ALB access logs),nlb_access_logs(NLB access logs),vpc_flow_logs(VPC Flow Logs),cloudfront_oac_read(CloudFront OAC read)
CloudFront distribution ARNs. CloudFront distribution ARNs allowed to read objects when the CloudFront OAC read policy template is selected.
- Default:
[] - Pattern:
^arn:aws:cloudfront::[0-9]{12}:distribution/[A-Z0-9]+$— Invalid CloudFront distribution ARN.
Custom policy JSON. Custom bucket policy JSON document. If policy templates are also selected, statements are merged.
CORS
CORS rules. Configure Cross-Origin Resource Sharing rules for browser access to bucket objects.
- Default:
[]
Terraform settings
OpenTofu version override. Override the environment’s default version for this module
Ravion Terraform workspace name. Override Terraform state backend workspace name. Defaults to project + environment + module given ids.
- Immutable after creation
Advanced Terraform variables. Optional raw Terraform variable overrides for advanced module inputs or one-off overrides. Values here override the generated variables above.
- Default:
{}
Terraform execution environment. Override the execution environment for Terraform runners. Must use the same AWS account as selected above.
Tags. A map of tags to assign to all resources. Default tags are
Owner, ProjectGivenId, EnvironmentGivenId, ModuleGivenId, ModuleId