feat: Support S3 Directory Bucket

README.md

@@ -123,6 +123,7 @@ Users of Terragrunt can achieve similar results by using modules provided in the
 - [S3 Analytics](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/s3-analytics) - S3 bucket Analytics Configurations.
 - [S3 Inventory](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/s3-inventory) - S3 bucket Inventory configuration.
 - [S3 Account-level Public Access Block](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/account-public-access) - Manage S3 account-level Public Access Block.
+- [S3 Directory Bucket](https://github.com/terraform-aws-modules/terraform-aws-s3-bucket/tree/master/examples/directory-bucket) - S3 Directory Bucket configuration.
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements

examples/directory-bucket/README.md

@@ -0,0 +1,57 @@
+# S3 directory bucket
+
+Configuration in this directory creates S3 directory bucket and related resources.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.83 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.83 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_directory_bucket"></a> [directory\_bucket](#module\_directory\_bucket) | ../../modules/directory-bucket | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_key.objects](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_directory_bucket_arn"></a> [directory\_bucket\_arn](#output\_directory\_bucket\_arn) | ARN of the directory bucket. |
+| <a name="output_directory_bucket_name"></a> [directory\_bucket\_name](#output\_directory\_bucket\_name) | Name of the directory bucket. |
+<!-- END_TF_DOCS -->

examples/directory-bucket/main.tf

@@ -0,0 +1,111 @@
+locals {
+  region  = "eu-west-1"
+  zone_id = "euw1-az1"
+}
+
+provider "aws" {
+  region = local.region
+
+  # Make it faster by skipping something
+  skip_metadata_api_check     = true
+  skip_region_validation      = true
+  skip_credentials_validation = true
+}
+
+data "aws_caller_identity" "current" {}
+
+module "directory_bucket" {
+  source = "../../modules/directory-bucket"
+
+  bucket_name_prefix   = random_pet.this.id
+  availability_zone_id = local.zone_id
+
+  server_side_encryption_configuration = {
+    sse_algorithm     = "aws:kms"
+    kms_master_key_id = aws_kms_key.objects.id
+  }
+
+  lifecycle_rules = {
+    all = {
+      id     = "test"
+      status = "Enabled"
+      abort_incomplete_multipart_upload = {
+        days_after_initiation = 7
+      }
+      expiration = {
+        days = 7
+      }
+    },
+    logs = {
+      status = "Enabled"
+      expiration = {
+        days = 5
+      }
+      filter = {
+        prefix                = "logs/"
+        object_size_less_than = 10
+      }
+    },
+    other = {
+      id     = "other"
+      status = "Enabled"
+      expiration = {
+        days = 2
+      }
+      filter = {
+        prefix = "other/"
+      }
+    }
+  }
+
+  create_bucket_policy = true
+  policy_statements = {
+    write = {
+      sid    = "ReadWriteAccess"
+      effect = "Allow"
+
+      actions = [
+        "s3express:CreateSession",
+      ]
+
+      principals = [
+        {
+          type        = "AWS"
+          identifiers = [data.aws_caller_identity.current.account_id]
+        }
+      ]
+    }
+    readonly = {
+      sid    = "ReadOnlyAccess"
+      effect = "Allow"
+
+      actions = [
+        "s3express:CreateSession",
+      ]
+
+      principals = [
+        {
+          type        = "AWS"
+          identifiers = [data.aws_caller_identity.current.account_id]
+        }
+      ]
+
+      conditions = [
+        {
+          test     = "StringEquals"
+          values   = ["ReadOnly"]
+          variable = "s3express:SessionMode"
+        }
+      ]
+    }
+  }
+}
+
+resource "random_pet" "this" {
+  length = 2
+}
+
+resource "aws_kms_key" "objects" {
+  description             = "KMS key is used to encrypt bucket objects"
+  deletion_window_in_days = 7
+}

examples/directory-bucket/outputs.tf

@@ -0,0 +1,9 @@
+output "directory_bucket_name" {
+  description = "Name of the directory bucket."
+  value       = module.directory_bucket.directory_bucket_name
+}
+
+output "directory_bucket_arn" {
+  description = "ARN of the directory bucket."
+  value       = module.directory_bucket.directory_bucket_arn
+}

examples/directory-bucket/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.83"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.0"
+    }
+  }
+}

modules/directory-bucket/README.md

@@ -0,0 +1,57 @@
+# S3 directory bucket
+
+Creates S3 directory bucket and configurations.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.83 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.83 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket_lifecycle_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
+| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_directory_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_directory_bucket) | resource |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_availability_zone_id"></a> [availability\_zone\_id](#input\_availability\_zone\_id) | Availability Zone ID or Local Zone ID | `string` | `null` | no |
+| <a name="input_bucket_name_prefix"></a> [bucket\_name\_prefix](#input\_bucket\_name\_prefix) | Bucket name prefix | `string` | `null` | no |
+| <a name="input_create"></a> [create](#input\_create) | Whether to create directory bucket resources | `bool` | `true` | no |
+| <a name="input_create_bucket_policy"></a> [create\_bucket\_policy](#input\_create\_bucket\_policy) | Whether to create a directory bucket policy. | `bool` | `false` | no |
+| <a name="input_data_redundancy"></a> [data\_redundancy](#input\_data\_redundancy) | Data redundancy. Valid values: `SingleAvailabilityZone` | `string` | `null` | no |
+| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Boolean that indicates all objects should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. These objects are not recoverable | `bool` | `null` | no |
+| <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | List of maps containing configuration of object lifecycle management. | `any` | `{}` | no |
+| <a name="input_location_type"></a> [location\_type](#input\_location\_type) | Location type. Valid values: `AvailabilityZone` or `LocalZone` | `string` | `null` | no |
+| <a name="input_override_policy_documents"></a> [override\_policy\_documents](#input\_override\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
+| <a name="input_policy_statements"></a> [policy\_statements](#input\_policy\_statements) | A map of IAM policy statements for custom permission usage | `any` | `{}` | no |
+| <a name="input_server_side_encryption_configuration"></a> [server\_side\_encryption\_configuration](#input\_server\_side\_encryption\_configuration) | Map containing server-side encryption configuration. | `any` | `{}` | no |
+| <a name="input_source_policy_documents"></a> [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
+| <a name="input_type"></a> [type](#input\_type) | Bucket type. Valid values: `Directory` | `string` | `"Directory"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_directory_bucket_arn"></a> [directory\_bucket\_arn](#output\_directory\_bucket\_arn) | ARN of the directory bucket. |
+| <a name="output_directory_bucket_name"></a> [directory\_bucket\_name](#output\_directory\_bucket\_name) | Name of the directory bucket. |
+<!-- END_TF_DOCS -->