Add expired object delete marker support to S3 bucket module (#2476)

Tian-2017 · web-flow · commit 03d48c5c23c7 · 2025-10-03T14:53:06.000+01:00
diff --git a/terraform/core/10-aws-s3-buckets.tf b/terraform/core/10-aws-s3-buckets.tf
@@ -44,7 +44,8 @@ module "landing_zone" {
     local.share_kms_key_with_housing_reporting_role,
     local.share_kms_key_with_academy_account
   ]
-  include_backup_policy_tags = false
+  include_backup_policy_tags   = false
+  expired_object_delete_marker = true
 }
 
 module "raw_zone" {
diff --git a/terraform/modules/s3-bucket/02-inputs-optional.tf b/terraform/modules/s3-bucket/02-inputs-optional.tf
@@ -156,3 +156,9 @@ variable "include_backup_policy_tags" {
   type        = bool
   default     = true
 }
+
+variable "expired_object_delete_marker" {
+  description = "Whether to delete expired object delete markers. Only applies to versioned buckets."
+  type        = bool
+  default     = false
+}
diff --git a/terraform/modules/s3-bucket/10-s3-bucket.tf b/terraform/modules/s3-bucket/10-s3-bucket.tf
@@ -167,27 +167,45 @@ resource "aws_s3_bucket_versioning" "bucket" {
 }
 
 resource "aws_s3_bucket_lifecycle_configuration" "bucket" {
-  count  = var.expire_objects_days != null ? 1 : 0
+  count  = (var.expire_objects_days != null || var.expired_object_delete_marker) ? 1 : 0
   bucket = aws_s3_bucket.bucket.id
 
-  rule {
-    id     = "expire-older-objects"
-    status = "Enabled"
+  # Rule for expiring objects by days
+  dynamic "rule" {
+    for_each = var.expire_objects_days != null ? [1] : []
+    content {
+      id     = "expire-older-objects"
+      status = "Enabled"
 
-    filter {}
+      filter {}
 
-    expiration {
-      days = var.expire_objects_days
-    }
+      expiration {
+        days = var.expire_objects_days
+      }
 
-    noncurrent_version_expiration {
-      noncurrent_days = var.expire_noncurrent_objects_days
-    }
+      noncurrent_version_expiration {
+        noncurrent_days = var.expire_noncurrent_objects_days
+      }
 
-    abort_incomplete_multipart_upload {
-      days_after_initiation = var.abort_multipart_days
+      abort_incomplete_multipart_upload {
+        days_after_initiation = var.abort_multipart_days
+      }
     }
+  }
+
+  # Rule for deleting expired object delete markers
+  dynamic "rule" {
+    for_each = var.expired_object_delete_marker ? [1] : []
+    content {
+      id     = "delete-expired-delete-markers"
+      status = "Enabled"
 
+      filter {}
+
+      expiration {
+        expired_object_delete_marker = true
+      }
+    }
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,8 @@ module "landing_zone" {`
`44`	`44`	`local.share_kms_key_with_housing_reporting_role,`
`45`	`45`	`local.share_kms_key_with_academy_account`
`46`	`46`	`]`
`47`		`- include_backup_policy_tags = false`
	`47`	`+ include_backup_policy_tags = false`
	`48`	`+ expired_object_delete_marker = true`
`48`	`49`	`}`
`49`	`50`
`50`	`51`	`module "raw_zone" {`