sourcefuse · manikanta-sadurla · Mar 5, 2025 · Mar 5, 2025 · Mar 5, 2025
diff --git a/README.md b/README.md
@@ -158,6 +158,7 @@ No modules.
 | [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
+| [aws_s3_bucket_policy.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
 | [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
@@ -169,7 +170,6 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_abort_incomplete_multipart_upload_days"></a> [abort\_incomplete\_multipart\_upload\_days](#input\_abort\_incomplete\_multipart\_upload\_days) | Specifies the number of days after initiating a multipart upload when the multipart upload must be completed. | `number` | `14` | no |
 | <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for SSE-KMS. | `bool` | `false` | no |
 | <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name of the bucket. | `string` | n/a | yes |
 | <a name="input_cors_rules"></a> [cors\_rules](#input\_cors\_rules) | List of maps containing rules for Cross-Origin Resource Sharing. | `list(any)` | `[]` | no |
@@ -183,18 +183,15 @@ No modules.
 | <a name="input_enable_dynamodb_point_in_time_recovery"></a> [enable\_dynamodb\_point\_in\_time\_recovery](#input\_enable\_dynamodb\_point\_in\_time\_recovery) | Whether to enable point-in-time recovery - note that it can take up to 10 minutes to enable for new tables. | `bool` | `true` | no |
 | <a name="input_enable_s3_public_access_block"></a> [enable\_s3\_public\_access\_block](#input\_enable\_s3\_public\_access\_block) | Bool for toggling whether the s3 public access block resource should be enabled. | `bool` | `true` | no |
 | <a name="input_enable_versioning"></a> [enable\_versioning](#input\_enable\_versioning) | Enable versioning. Once you version-enable a bucket, it can never return to an unversioned state. | `bool` | `true` | no |
-| <a name="input_expiration"></a> [expiration](#input\_expiration) | Specifies a period in the object's expire. | `list(any)` | <pre>[<br>  {<br>    "expired_object_delete_marker": true<br>  }<br>]</pre> | no |
 | <a name="input_inventory_bucket_format"></a> [inventory\_bucket\_format](#input\_inventory\_bucket\_format) | The format for the inventory file. Default is ORC. Options are ORC or CSV. | `string` | `"ORC"` | no |
 | <a name="input_kms_master_key_id"></a> [kms\_master\_key\_id](#input\_kms\_master\_key\_id) | The AWS KMS master key ID used for the SSE-KMS encryption. | `string` | `""` | no |
+| <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | List of lifecycle rules for the S3 bucket | <pre>list(object({<br>    id      = string<br>    status  = string<br>    filter  = optional(object({<br>      prefix = optional(string, null)<br>      tags   = optional(map(string), {})<br>    }), {})<br><br>    transitions = optional(list(object({<br>      days          = number<br>      storage_class = string<br>    })), [<br>      {<br>        days          = 30<br>        storage_class = "STANDARD_IA"<br>      },<br>      {<br>        days          = 90<br>        storage_class = "GLACIER"<br>      }<br>    ])<br><br>    expiration = optional(object({<br>      days                         = optional(number, 365)<br>      expired_object_delete_marker = optional(bool, true)<br>    }), {})<br><br>    noncurrent_version_transitions = optional(list(object({<br>      noncurrent_days = number<br>      storage_class   = string<br>    })), [<br>      {<br>        noncurrent_days = 30<br>        storage_class   = "STANDARD_IA"<br>      },<br>      {<br>        noncurrent_days = 90<br>        storage_class   = "GLACIER"<br>      }<br>    ])<br><br>    noncurrent_version_expiration = optional(object({<br>      noncurrent_days = number<br>    }), {<br>      noncurrent_days = 365<br>    })<br>  }))</pre> | <pre>[<br>  {<br>    "expiration": {<br>      "days": 365,<br>      "expired_object_delete_marker": true<br>    },<br>    "filter": {},<br>    "id": "default-rule",<br>    "noncurrent_version_expiration": {<br>      "noncurrent_days": 365<br>    },<br>    "noncurrent_version_transitions": [<br>      {<br>        "noncurrent_days": 30,<br>        "storage_class": "STANDARD_IA"<br>      },<br>      {<br>        "noncurrent_days": 90,<br>        "storage_class": "GLACIER"<br>      }<br>    ],<br>    "status": "Enabled",<br>    "transitions": [<br>      {<br>        "days": 30,<br>        "storage_class": "STANDARD_IA"<br>      },<br>      {<br>        "days": 90,<br>        "storage_class": "GLACIER"<br>      }<br>    ]<br>  }<br>]</pre> | no |
 | <a name="input_logging_bucket_name"></a> [logging\_bucket\_name](#input\_logging\_bucket\_name) | The S3 bucket to send S3 access logs. | `string` | `""` | no |
 | <a name="input_logging_bucket_target_prefix"></a> [logging\_bucket\_target\_prefix](#input\_logging\_bucket\_target\_prefix) | To specify a key prefix for log objects. | `string` | `""` | no |
 | <a name="input_mfa_delete"></a> [mfa\_delete](#input\_mfa\_delete) | mfa\_delete is disabled | `bool` | `false` | no |
-| <a name="input_noncurrent_version_expiration"></a> [noncurrent\_version\_expiration](#input\_noncurrent\_version\_expiration) | Number of days until non-current version of object expires | `number` | `365` | no |
-| <a name="input_noncurrent_version_transitions"></a> [noncurrent\_version\_transitions](#input\_noncurrent\_version\_transitions) | Non-current version transition blocks | `list(any)` | <pre>[<br>  {<br>    "days": 30,<br>    "storage_class": "STANDARD_IA"<br>  }<br>]</pre> | no |
 | <a name="input_schedule_frequency"></a> [schedule\_frequency](#input\_schedule\_frequency) | The S3 bucket inventory frequency. Defaults to Weekly. Options are 'Weekly' or 'Daily'. | `string` | `"Weekly"` | no |
 | <a name="input_sse_algorithm"></a> [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are AES256 and aws:kms | `string` | `"AES256"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to the bucket. | `map(string)` | <pre>{<br>  "Module": "terraform-aws-arc-bootstrap",<br>  "TerraformManaged": "true"<br>}</pre> | no |
-| <a name="input_transitions"></a> [transitions](#input\_transitions) | Current version transition blocks | `list(any)` | `[]` | no |
 
 ## Outputs
 

diff --git a/example/dev.tfvars b/example/dev.tfvars
@@ -1,3 +1,3 @@
-bucket_name              = "aws-arc-bootstrap"
-dynamodb_name            = "aws-arc-bootstrap"
+bucket_name              = "aws-arc-bootstrap-test-policy"
+dynamodb_name            = "aws-arc-bootstrap-test-policy"
 dynamo_kms_master_key_id = "" // if you want to give your own CMK key then speify the arn else it will use default aws managed dynamo kms key
diff --git a/main.tf b/main.tf
@@ -81,14 +81,18 @@ data "aws_iam_policy_document" "policy" {
 ################################################
 resource "aws_s3_bucket" "private" {
   bucket        = var.bucket_name
-  policy        = data.aws_iam_policy_document.policy.json
   force_destroy = var.enable_bucket_force_destroy
 
   tags = merge(var.tags, tomap({
     Name = var.bucket_name,
   }))
 }
 
+resource "aws_s3_bucket_policy" "private" {
+  bucket = aws_s3_bucket.private.id
+  policy = data.aws_iam_policy_document.policy.json
+}
+
 resource "aws_s3_bucket_versioning" "this" {
   bucket = aws_s3_bucket.private.id
   versioning_configuration {
@@ -166,81 +170,66 @@ resource "aws_s3_bucket_inventory" "inventory" {
   ]
 }
 
-
 resource "aws_s3_bucket_lifecycle_configuration" "this" {
-  bucket = aws_s3_bucket.private.id
-
-  rule {
-    id     = "rule-1"
-    status = "Enabled"
-
-    abort_incomplete_multipart_upload {
-      days_after_initiation = var.abort_incomplete_multipart_upload_days
-    }
-
-    dynamic "expiration" {
-      for_each = var.expiration
+  bucket =  aws_s3_bucket.private.id
 
-      content {
-        date = lookup(expiration.value, "date", null)
-        days = lookup(expiration.value, "days", 0)
-
-        expired_object_delete_marker = lookup(expiration.value, "expired_object_delete_marker", false)
+  dynamic "rule" {
+    for_each = var.lifecycle_rules
+    content {
+      id      = rule.value.id
+      status  = rule.value.status
+
+      dynamic "filter" {
+        for_each = (rule.value.filter != null && (lookup(rule.value.filter, "prefix", null) != null || length(lookup(rule.value.filter, "tags", {})) > 0)) ? [rule.value.filter] : []
+        content {
+          prefix = lookup(filter.value, "prefix", null)
+
+          dynamic "tag" {
+            for_each = lookup(filter.value, "tags", {})
+            content {
+              key   = tag.key
+              value = tag.value
+            }
+          }
+        }
       }
-    }
-
-    dynamic "transition" {
-      for_each = var.transitions
 
-      content {
-        days          = transition.value.days
-        storage_class = transition.value.storage_class
+      dynamic "transition" {
+        for_each = lookup(rule.value, "transitions", [])
+        content {
+          days          = lookup(transition.value, "days", null)
+          storage_class = transition.value.storage_class
+        }
       }
-    }
-
-    dynamic "noncurrent_version_transition" {
-      for_each = var.noncurrent_version_transitions
 
-      content {
-        noncurrent_days = noncurrent_version_transition.value.days
-        storage_class   = noncurrent_version_transition.value.storage_class
+      dynamic "expiration" {
+        for_each = rule.value.expiration != null ? [rule.value.expiration] : []
+        content {
+          days                         = lookup(expiration.value, "days", null)
+          expired_object_delete_marker = lookup(expiration.value, "expired_object_delete_marker", null)
+        }
       }
-    }
 
-    noncurrent_version_expiration {
-      noncurrent_days = var.noncurrent_version_expiration
-    }
-  }
-
-  rule {
-    id     = "rule-2"
-    status = "Enabled"
-
-    filter {
-      prefix = "_AWSBucketInventory/"
-    }
-
-    expiration {
-      days = 14
-    }
-  }
-
-  rule {
-    id     = "rule-3"
-    status = "Enabled"
-
-
-    filter {
-      prefix = "_AWSBucketAnalytics/"
-    }
+      dynamic "noncurrent_version_transition" {
+        for_each = lookup(rule.value, "noncurrent_version_transitions", [])
+        content {
+          noncurrent_days = noncurrent_version_transition.value.noncurrent_days
+          storage_class   = noncurrent_version_transition.value.storage_class
+        }
+      }
 
-    expiration {
-      days = 30
+      dynamic "noncurrent_version_expiration" {
+        for_each = rule.value.noncurrent_version_expiration != null ? [rule.value.noncurrent_version_expiration] : []
+        content {
+          noncurrent_days = noncurrent_version_expiration.value.noncurrent_days
+        }
+      }
     }
   }
 }
 
 
+
 ################################################
 ## dynamodb
 ################################################

diff --git a/variables.tf b/variables.tf
@@ -28,11 +28,11 @@ variable "dynamo_kms_master_key_id" {
 ## s3
 ################################################
 ## bucket
-variable "abort_incomplete_multipart_upload_days" {
-  description = "Specifies the number of days after initiating a multipart upload when the multipart upload must be completed."
-  type        = number
-  default     = 14
-}
+# variable "abort_incomplete_multipart_upload_days" {
+#   description = "Specifies the number of days after initiating a multipart upload when the multipart upload must be completed."
+#   type        = number
+#   default     = 14
+# }
 
 variable "bucket_key_enabled" {
   description = "Whether or not to use Amazon S3 Bucket Keys for SSE-KMS."
@@ -75,16 +75,16 @@ variable "mfa_delete" {
   default     = false
 }
 
-variable "expiration" {
-  description = "Specifies a period in the object's expire."
-  type        = list(any)
+# variable "expiration" {
+#   description = "Specifies a period in the object's expire."
+#   type        = list(any)
 
-  default = [
-    {
-      expired_object_delete_marker = true
-    }
-  ]
-}
+#   default = [
+#     {
+#       expired_object_delete_marker = true
+#     }
+#   ]
+# }
 
 variable "inventory_bucket_format" {
   description = "The format for the inventory file. Default is ORC. Options are ORC or CSV."
@@ -112,35 +112,35 @@ variable "logging_bucket_target_prefix" {
 }
 
 
-variable "noncurrent_version_expiration" {
-  description = "Number of days until non-current version of object expires"
-  type        = number
-  default     = 365
-}
+# variable "noncurrent_version_expiration" {
+#   description = "Number of days until non-current version of object expires"
+#   type        = number
+#   default     = 365
+# }
 
-variable "noncurrent_version_transitions" {
-  description = "Non-current version transition blocks"
-  type        = list(any)
+# variable "noncurrent_version_transitions" {
+#   description = "Non-current version transition blocks"
+#   type        = list(any)
 
-  default = [
-    {
-      days          = 30
-      storage_class = "STANDARD_IA"
-    }
-  ]
-}
+#   default = [
+#     {
+#       days          = 30
+#       storage_class = "STANDARD_IA"
+#     }
+#   ]
+# }
 
 variable "sse_algorithm" {
   description = "The server-side encryption algorithm to use. Valid values are AES256 and aws:kms"
   type        = string
   default     = "AES256"
 }
 
-variable "transitions" {
-  description = "Current version transition blocks"
-  type        = list(any)
-  default     = []
-}
+# variable "transitions" {
+#   description = "Current version transition blocks"
+#   type        = list(any)
+#   default     = []
+# }
 
 ## analytics configuration
 variable "enable_analytics" {
@@ -179,3 +179,74 @@ variable "tags" {
     TerraformManaged = "true"
   }
 }
+
+variable "lifecycle_rules" {
+  description = "List of lifecycle rules for the S3 bucket"
+  type        = list(object({
+    id      = string
+    status  = string
+    filter  = optional(object({
+      prefix = optional(string, null)
+      tags   = optional(map(string), {})
+    }), {})
+
+    transitions = optional(list(object({
+      days          = number
+      storage_class = string
+    })), [
+      {
+        days          = 30
+        storage_class = "STANDARD_IA"
+      },
+      {
+        days          = 90
+        storage_class = "GLACIER"
+      }
+    ])
+
+    expiration = optional(object({
+      days                         = optional(number, 365)
+      expired_object_delete_marker = optional(bool, true)
+    }), {})
+
+    noncurrent_version_transitions = optional(list(object({
+      noncurrent_days = number
+      storage_class   = string
+    })), [
+      {
+        noncurrent_days = 30
+        storage_class   = "STANDARD_IA"
+      },
+      {
+        noncurrent_days = 90
+        storage_class   = "GLACIER"
+      }
+    ])
+
+    noncurrent_version_expiration = optional(object({
+      noncurrent_days = number
+    }), {
+      noncurrent_days = 365
+    })
+  }))
+  default = [{
+    id      = "default-rule"
+    status  = "Enabled"
+    filter  = {}
+    transitions = [
+      { days = 30, storage_class = "STANDARD_IA" },
+      { days = 90, storage_class = "GLACIER" }
+    ]
+    expiration = {
+      days                         = 365
+      expired_object_delete_marker = true
+    }
+    noncurrent_version_transitions = [
+      { noncurrent_days = 30, storage_class = "STANDARD_IA" },
+      { noncurrent_days = 90, storage_class = "GLACIER" }
+    ]
+    noncurrent_version_expiration = {
+      noncurrent_days = 365
+    }
+  }]
+}