feat: Add bucket metrics support (#190)

Co-authored-by: magreenbaum <magreenbaum>
Co-authored-by: Anton Babenko <[email protected]>

Author: magreenbaum

README.md

@@ -141,6 +141,7 @@ No modules.
 | [aws_s3_bucket_intelligent_tiering_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_intelligent_tiering_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
+| [aws_s3_bucket_metric.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_metric) | resource |
 | [aws_s3_bucket_object_lock_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object_lock_configuration) | resource |
 | [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
@@ -184,6 +185,7 @@ No modules.
 | <a name="input_intelligent_tiering"></a> [intelligent\_tiering](#input\_intelligent\_tiering) | Map containing intelligent tiering configuration. | `any` | `{}` | no |
 | <a name="input_lifecycle_rule"></a> [lifecycle\_rule](#input\_lifecycle\_rule) | List of maps containing configuration of object lifecycle management. | `any` | `[]` | no |
 | <a name="input_logging"></a> [logging](#input\_logging) | Map containing access bucket logging configuration. | `map(string)` | `{}` | no |
+| <a name="input_metric_configuration"></a> [metric\_configuration](#input\_metric\_configuration) | Map containing bucket metric configuration. | `any` | `[]` | no |
 | <a name="input_object_lock_configuration"></a> [object\_lock\_configuration](#input\_object\_lock\_configuration) | Map containing S3 object locking configuration. | `any` | `{}` | no |
 | <a name="input_object_lock_enabled"></a> [object\_lock\_enabled](#input\_object\_lock\_enabled) | Whether S3 bucket should have an Object Lock configuration enabled. | `bool` | `false` | no |
 | <a name="input_object_ownership"></a> [object\_ownership](#input\_object\_ownership) | Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. | `string` | `"ObjectWriter"` | no |

examples/complete/main.tf

@@ -324,4 +324,28 @@ module "s3_bucket" {
       }
     }
   }
+
+  metric_configuration = [
+    {
+      name = "documents"
+      filter = {
+        prefix = "documents/"
+        tags = {
+          priority = "high"
+        }
+      }
+    },
+    {
+      name = "other"
+      filter = {
+        tags = {
+          production = "true"
+        }
+      }
+    },
+    {
+      name = "all"
+    }
+  ]
+
 }

main.tf

@@ -6,10 +6,11 @@ locals {
   attach_policy = var.attach_require_latest_tls_policy || var.attach_elb_log_delivery_policy || var.attach_lb_log_delivery_policy || var.attach_deny_insecure_transport_policy || var.attach_policy
 
   # Variables with type `any` should be jsonencode()'d when value is coming from Terragrunt
-  grants              = try(jsondecode(var.grant), var.grant)
-  cors_rules          = try(jsondecode(var.cors_rule), var.cors_rule)
-  lifecycle_rules     = try(jsondecode(var.lifecycle_rule), var.lifecycle_rule)
-  intelligent_tiering = try(jsondecode(var.intelligent_tiering), var.intelligent_tiering)
+  grants               = try(jsondecode(var.grant), var.grant)
+  cors_rules           = try(jsondecode(var.cors_rule), var.cors_rule)
+  lifecycle_rules      = try(jsondecode(var.lifecycle_rule), var.lifecycle_rule)
+  intelligent_tiering  = try(jsondecode(var.intelligent_tiering), var.intelligent_tiering)
+  metric_configuration = try(jsondecode(var.metric_configuration), var.metric_configuration)
 }
 
 resource "aws_s3_bucket" "this" {
@@ -719,3 +720,18 @@ resource "aws_s3_bucket_intelligent_tiering_configuration" "this" {
   }
 
 }
+
+resource "aws_s3_bucket_metric" "this" {
+  for_each = { for k, v in local.metric_configuration : k => v if local.create_bucket }
+
+  name   = each.value.name
+  bucket = aws_s3_bucket.this[0].id
+
+  dynamic "filter" {
+    for_each = length(try(flatten([each.value.filter]), [])) == 0 ? [] : [true]
+    content {
+      prefix = try(each.value.filter.prefix, null)
+      tags   = try(each.value.filter.tags, null)
+    }
+  }
+}

variables.tf

@@ -160,6 +160,12 @@ variable "object_lock_configuration" {
   default     = {}
 }
 
+variable "metric_configuration" {
+  description = "Map containing bucket metric configuration."
+  type        = any
+  default     = []
+}
+
 variable "object_lock_enabled" {
   description = "Whether S3 bucket should have an Object Lock configuration enabled."
   type        = bool

wrappers/main.tf

@@ -30,6 +30,7 @@ module "wrapper" {
   server_side_encryption_configuration  = try(each.value.server_side_encryption_configuration, var.defaults.server_side_encryption_configuration, {})
   intelligent_tiering                   = try(each.value.intelligent_tiering, var.defaults.intelligent_tiering, {})
   object_lock_configuration             = try(each.value.object_lock_configuration, var.defaults.object_lock_configuration, {})
+  metric_configuration                  = try(each.value.metric_configuration, var.defaults.metric_configuration, [])
   object_lock_enabled                   = try(each.value.object_lock_enabled, var.defaults.object_lock_enabled, false)
   block_public_acls                     = try(each.value.block_public_acls, var.defaults.block_public_acls, false)
   block_public_policy                   = try(each.value.block_public_policy, var.defaults.block_public_policy, false)