feat: Add the intelligent tiering configuration (#167)

Author: antonbabenko

README.md

@@ -138,6 +138,7 @@ No modules.
 | [aws_s3_bucket_accelerate_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_accelerate_configuration) | resource |
 | [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
 | [aws_s3_bucket_cors_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource |
+| [aws_s3_bucket_intelligent_tiering_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_intelligent_tiering_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource |
 | [aws_s3_bucket_object_lock_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object_lock_configuration) | resource |
@@ -180,6 +181,7 @@ No modules.
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no |
 | <a name="input_grant"></a> [grant](#input\_grant) | An ACL policy grant. Conflicts with `acl` | `any` | `[]` | no |
 | <a name="input_ignore_public_acls"></a> [ignore\_public\_acls](#input\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | `false` | no |
+| <a name="input_intelligent_tiering"></a> [intelligent\_tiering](#input\_intelligent\_tiering) | Map containing intelligent tiering configuration. | `any` | `{}` | no |
 | <a name="input_lifecycle_rule"></a> [lifecycle\_rule](#input\_lifecycle\_rule) | List of maps containing configuration of object lifecycle management. | `any` | `[]` | no |
 | <a name="input_logging"></a> [logging](#input\_logging) | Map containing access bucket logging configuration. | `map(string)` | `{}` | no |
 | <a name="input_object_lock_configuration"></a> [object\_lock\_configuration](#input\_object\_lock\_configuration) | Map containing S3 object locking configuration. | `any` | `{}` | no |

examples/complete/main.tf

@@ -293,4 +293,35 @@ module "s3_bucket" {
       }
     },
   ]
+
+  intelligent_tiering = {
+    general = {
+      status = "Enabled"
+      filter = {
+        prefix = "/"
+        tags = {
+          Environment = "dev"
+        }
+      }
+      tiering = {
+        ARCHIVE_ACCESS = {
+          days = 180
+        }
+      }
+    },
+    documents = {
+      status = false
+      filter = {
+        prefix = "documents/"
+      }
+      tiering = {
+        ARCHIVE_ACCESS = {
+          days = 125
+        }
+        DEEP_ARCHIVE_ACCESS = {
+          days = 200
+        }
+      }
+    }
+  }
 }

main.tf

@@ -6,9 +6,10 @@ locals {
   attach_policy = var.attach_require_latest_tls_policy || var.attach_elb_log_delivery_policy || var.attach_lb_log_delivery_policy || var.attach_deny_insecure_transport_policy || var.attach_policy
 
   # Variables with type `any` should be jsonencode()'d when value is coming from Terragrunt
-  grants          = try(jsondecode(var.grant), var.grant)
-  cors_rules      = try(jsondecode(var.cors_rule), var.cors_rule)
-  lifecycle_rules = try(jsondecode(var.lifecycle_rule), var.lifecycle_rule)
+  grants              = try(jsondecode(var.grant), var.grant)
+  cors_rules          = try(jsondecode(var.cors_rule), var.cors_rule)
+  lifecycle_rules     = try(jsondecode(var.lifecycle_rule), var.lifecycle_rule)
+  intelligent_tiering = try(jsondecode(var.intelligent_tiering), var.intelligent_tiering)
 }
 
 resource "aws_s3_bucket" "this" {
@@ -707,3 +708,31 @@ resource "aws_s3_bucket_ownership_controls" "this" {
     aws_s3_bucket.this
   ]
 }
+
+resource "aws_s3_bucket_intelligent_tiering_configuration" "this" {
+  for_each = { for k, v in local.intelligent_tiering : k => v if local.create_bucket }
+
+  name   = each.key
+  bucket = aws_s3_bucket.this[0].id
+  status = try(tobool(each.value.status) ? "Enabled" : "Disabled", title(lower(each.value.status)), null)
+
+  # Max 1 block - filter
+  dynamic "filter" {
+    for_each = length(try(flatten([each.value.filter]), [])) == 0 ? [] : [true]
+
+    content {
+      prefix = try(each.value.filter.prefix, null)
+      tags   = try(each.value.filter.tags, null)
+    }
+  }
+
+  dynamic "tiering" {
+    for_each = each.value.tiering
+
+    content {
+      access_tier = tiering.key
+      days        = tiering.value.days
+    }
+  }
+
+}

variables.tf

@@ -148,6 +148,12 @@ variable "server_side_encryption_configuration" {
   default     = {}
 }
 
+variable "intelligent_tiering" {
+  description = "Map containing intelligent tiering configuration."
+  type        = any
+  default     = {}
+}
+
 variable "object_lock_configuration" {
   description = "Map containing S3 object locking configuration."
   type        = any

wrappers/main.tf

@@ -28,6 +28,7 @@ module "wrapper" {
   lifecycle_rule                        = try(each.value.lifecycle_rule, var.defaults.lifecycle_rule, [])
   replication_configuration             = try(each.value.replication_configuration, var.defaults.replication_configuration, {})
   server_side_encryption_configuration  = try(each.value.server_side_encryption_configuration, var.defaults.server_side_encryption_configuration, {})
+  intelligent_tiering                   = try(each.value.intelligent_tiering, var.defaults.intelligent_tiering, {})
   object_lock_configuration             = try(each.value.object_lock_configuration, var.defaults.object_lock_configuration, {})
   object_lock_enabled                   = try(each.value.object_lock_enabled, var.defaults.object_lock_enabled, false)
   block_public_acls                     = try(each.value.block_public_acls, var.defaults.block_public_acls, false)