https://github.com/terraform-yacloud-modules/terraform-yandex-storage-bucket

Terraform module to manage Storage (S3) resources within the Yandex.Cloud.
hacktoberfest iac terraform terraform-modules yandex yandex-cloud

# Yandex Cloud Storage Bucket Terraform module

Terraform module which creates Yandex Cloud storage bucket resources.

## Examples

Examples codified under
the [`examples`](https://github.com/terraform-yacloud-modules/terraform-yandex-storage-bucket/tree/main/examples) are intended
to give users references for how to use the module(s) as well as testing/validating changes to the source code of the
module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow
maintainers to test your changes and to keep the examples up to date for users. Thank you!
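The module's own examples live in the linked directory. The following is an added example, not taken from that directory or from this README, showing how the inputs documented below combine into a hardened bucket: private ACL, anonymous access explicitly off, versioning plus object lock in COMPLIANCE mode, server-side encryption with a module-generated KMS key, and an existing `storage.admin` service account so that no new static key is minted. It assumes the `yandex` provider is already configured with `folder_id`, an IAM token and the static key of that service account; the bucket name and the service account ID are placeholders.

```hcl
# Added example (not from the module's examples directory). The bucket name
# and the service account ID below are placeholders.
terraform {
  required_version = ">= 1.3"
  required_providers {
    yandex = { source = "yandex-cloud/yandex", version = ">= 0.72.0" }
    aws    = { source = "hashicorp/aws", version = ">= 3.0.0" }
    random = { source = "hashicorp/random", version = ">= 3.1.0" }
  }
}

module "audit_logs_bucket" {
  source = "github.com/terraform-yacloud-modules/terraform-yandex-storage-bucket"

  bucket_name = "example-audit-logs" # placeholder, must be globally unique
  acl         = "private"

  # No anonymous listing, reading or configuration reads.
  anonymous_access_flags = {
    list        = false
    read        = false
    config_read = false
  }

  # Versioning is a prerequisite for object lock. COMPLIANCE mode keeps every
  # object version immutable for the retention period, even for storage.admin.
  versioning = { enabled = true }
  object_lock_configuration = {
    object_lock_enabled = "Enabled"
    rule = {
      default_retention = {
        mode = "COMPLIANCE"
        days = 365
      }
    }
  }

  # Encrypt at rest with a module-generated KMS key, rotated every 90 days and
  # protected from deletion (losing the key means losing the data).
  server_side_encryption_configuration = {
    enabled       = true
    sse_algorithm = "aws:kms"
  }
  sse_kms_key_configuration = {
    name_prefix         = "audit-logs-sse"
    rotation_period     = "2160h"
    deletion_protection = true
  }

  # Reuse an existing storage.admin service account. The module then uses the
  # storage_access_key / storage_secret_key from the provider config instead
  # of creating a new static key that would be written to state and outputs.
  storage_admin_service_account = {
    existing_account_id = "ajeexampleexampleexam" # placeholder ID
  }

  # Locked versions cannot be removed before retention ends, so noncurrent
  # versions expire only after the 365-day lock; stale multipart uploads are
  # aborted after a week.
  lifecycle_rule = [{
    id                                     = "cleanup"
    enabled                                = true
    abort_incomplete_multipart_upload_days = 7
    noncurrent_version_expiration          = { days = 400 }
  }]

  # 50 GiB cap; the module default is 5 GiB and 0 removes the limit.
  max_size = 53687091200

  # Never let `terraform destroy` wipe the bucket contents.
  force_destroy = false

  tags = { data_class = "audit" }
}
```

Apply this from a principal that holds `storage.admin` (and `kms.editor` if the KMS key is to be created), and keep the Terraform state in a protected backend: even with an existing service account, the bucket configuration and KMS key ID end up in state.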

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3 |
| [aws](#requirement\_aws) | >= 3.0.0 |
| [random](#requirement\_random) | >= 3.1.0 |
| [yandex](#requirement\_yandex) | >= 0.72.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 3.0.0 |
| [random](#provider\_random) | >= 3.1.0 |
| [yandex](#provider\_yandex) | >= 0.72.0 |

The `aws` provider is used only for the `aws_iam_policy_document` data source, which renders the bucket policy JSON; the module creates no AWS resources.

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [random_string.unique_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
| [yandex_cm_certificate.this](https://registry.terraform.io/providers/yandex-cloud/yandex/latest/docs/resources/cm_certificate) | resource |
| [yandex_dns_recordset.this](https://registry.terraform.io/providers/yandex-cloud/yandex/latest/docs/resources/dns_recordset) | resource |
| [yandex_iam_service_account.storage_admin](https://registry.terraform.io/providers/yandex-cloud/yandex/latest/docs/resources/iam_service_account) | resource |
| [yandex_iam_service_account_static_access_key.storage_admin](https://registry.terraform.io/providers/yandex-cloud/yandex/latest/docs/resources/iam_service_account_static_access_key) | resource |
| [yandex_kms_symmetric_key.this](https://registry.terraform.io/providers/yandex-cloud/yandex/latest/docs/resources/kms_symmetric_key) | resource |
| [yandex_resourcemanager_folder_iam_member.kms_storage_admin_sa](https://registry.terraform.io/providers/yandex-cloud/yandex/latest/docs/resources/resourcemanager_folder_iam_member) | resource |
| [yandex_resourcemanager_folder_iam_member.storage_admin](https://registry.terraform.io/providers/yandex-cloud/yandex/latest/docs/resources/resourcemanager_folder_iam_member) | resource |
| [yandex_storage_bucket.this](https://registry.terraform.io/providers/yandex-cloud/yandex/latest/docs/resources/storage_bucket) | resource |
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [yandex_client_config.client](https://registry.terraform.io/providers/yandex-cloud/yandex/latest/docs/data-sources/client_config) | data source |
| [yandex_iam_service_account.existing_account](https://registry.terraform.io/providers/yandex-cloud/yandex/latest/docs/data-sources/iam_service_account) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [acl](#input\_acl) | (Optional) The predefined ACL to apply. Defaults to `private`. Conflicts with `grant` object.
To change ACL after creation, service account with `storage.admin` role should be used, though this role is not necessary to create a bucket with any ACL.
For more information see https://cloud.yandex.com/en/docs/storage/concepts/acl#predefined-acls. | `string` | `null` | no |
| [anonymous\_access\_flags](#input\_anonymous\_access\_flags) | (Optional) Object that grants anonymous (unauthenticated) access to the bucket. All three flags should stay `false` for buckets holding private data.
For more information see https://cloud.yandex.com/en/docs/storage/operations/buckets/bucket-availability.

Configuration attributes:
list - (Optional) Allows anonymous users to list the objects in the bucket.
read - (Optional) Allows anonymous users to read objects in the bucket.
config\_read - (Optional) Allows anonymous users to read the bucket configuration.

When this object is set, the module creates the bucket using the IAM token from the provider config rather than the static access\_key. |

object({
list = optional(bool)
read = optional(bool)
config_read = optional(bool)
})
| `null` | no |
| [bucket\_name](#input\_bucket\_name) | (Required) The name of the bucket. | `string` | `null` | no |
| [cors\_rule](#input\_cors\_rule) | (Optional) List of objects containing rules for Cross-Origin Resource Sharing.
For more information see https://cloud.yandex.com/en/docs/storage/concepts/cors.

Configuration attributes:
allowed\_headers - (Optional) Specifies which headers are allowed.
allowed\_methods - (Required) Specifies which methods are allowed. Can be `GET`, `PUT`, `POST`, `DELETE` or `HEAD` (case sensitive).
allowed\_origins - (Required) Specifies which origins are allowed.
expose\_headers - (Optional) Specifies expose header in the response.
max\_age\_seconds - (Optional) Specifies time in seconds that browser can cache the response for a preflight request. |
list(object({
allowed_headers = optional(set(string))
allowed_methods = set(string)
allowed_origins = set(string)
expose_headers = optional(set(string))
max_age_seconds = optional(number)
}))
| `[]` | no |
| [default\_storage\_class](#input\_default\_storage\_class) | (Optional) Storage class which is used for storing objects by default.
For more information see https://cloud.yandex.com/en/docs/storage/concepts/storage-class.

Available values are: `STANDARD`, `COLD`, `ICE`. Default is `STANDARD`.
When this variable is set, the module creates the bucket using the IAM token from the provider config rather than the static access\_key. | `string` | `"STANDARD"` | no |
| [folder\_id](#input\_folder\_id) | (Optional) The ID of the Yandex Cloud Folder that the resources belongs to.

Allows to create bucket in different folder.
When this variable is set, the module creates the bucket using the IAM token from the provider config rather than the static access\_key.
If omitted, the folder\_id specified in the provider config is used together with the access\_key. | `string` | `null` | no |
| [force\_destroy](#input\_force\_destroy) | (Optional) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are NOT recoverable. | `bool` | `false` | no |
| [grant](#input\_grant) | (Optional) List of objects for an ACL policy grant. Conflicts with `acl` variable.
To manage grant argument, service account with `storage.admin` role should be used.
For more information see https://cloud.yandex.com/en/docs/storage/concepts/acl#permissions-types.

Configuration attributes:
id - (Optional) Permission recipient ID.
type - (Required) Permission recipient type.
uri - (Optional) System group URI.
permissions - (Required) List of assigned permissions. |
list(object({
id = optional(string)
type = string
uri = optional(string)
permissions = set(string)
}))
| `[]` | no |
| [https](#input\_https) | (Optional) Object manages https certificate for bucket.
For more information see https://cloud.yandex.com/en/docs/storage/operations/hosting/certificate.

At least one of `certificate`, `existing_certificate_id` must be specified.

Configuration attributes:
existing\_certificate\_id - (Optional) ID of an existing certificate in Yandex Cloud Certificate Manager that will be used for the bucket.
certificate - (Optional) Object with the parameters for generating a managed HTTPS certificate in Yandex Cloud Certificate Manager.

The `certificate` object supports the following attributes:
domains - (Required) Domains for this certificate.
public\_dns\_zone\_id - (Required) The id of the DNS zone in which record set will reside.
dns\_records\_ttl - (Optional) The time-to-live of DNS record set (seconds). Default value is `300`.
name - (Optional) Certificate name. Conflicts with `name_prefix`.
name\_prefix - (Optional) Prefix of the certificate name. A unique certificate name will be generated using the prefix. Default value is `s3-https-certificate`. Conflicts with `name`.
description - (Optional) Certificate description.
labels - (Optional) Labels to assign to certificate.
deletion\_protection - (Optional) Prevents certificate deletion. Default value is `false`.

When this object is set, the module creates the bucket using the IAM token from the provider config rather than the static access\_key. |
object({
existing_certificate_id = optional(string)
certificate = optional(object({
domains = set(string)
public_dns_zone_id = string
dns_records_ttl = optional(number, 300)
name = optional(string)
name_prefix = optional(string)
description = optional(string, "Certificate for S3 static website.")
labels = optional(map(string))
deletion_protection = optional(bool, false)
}))
})
| `null` | no |
| [lifecycle\_rule](#input\_lifecycle\_rule) | (Optional) List of objects with configuration of object lifecycle management.
For more information see https://cloud.yandex.com/en/docs/storage/concepts/lifecycles.

Configuration attributes:
enabled - (Required) Specifies lifecycle rule status.
id - (Optional) Unique identifier for the rule. Must be less than or equal to 255 characters in length.
prefix - (Optional) Object key prefix identifying one or more objects to which the rule applies.
abort\_incomplete\_multipart\_upload\_days - (Optional) Specifies the number of days after initiating a multipart upload when the multipart upload must be completed.
expiration - (Optional) Specifies when current object versions expire.
transition - (Optional) Specifies when current object versions move to another storage class.
noncurrent\_version\_expiration - (Optional) Specifies when noncurrent object versions expire.
noncurrent\_version\_transition - (Optional) Specifies when noncurrent object versions move to another storage class.

At least one of `abort_incomplete_multipart_upload_days`, `expiration`, `transition`, `noncurrent_version_expiration`, `noncurrent_version_transition` must be specified.

The `expiration` object supports the following attributes:
date - (Optional) Specifies the date after which you want the corresponding action to take effect.
days - (Optional) Specifies the number of days after object creation when the specific rule action takes effect.
expired\_object\_delete\_marker - (Optional) On a versioned bucket (versioning-enabled or versioning-suspended bucket), you can add this element in the lifecycle configuration to direct Object Storage to delete expired object delete markers.

The `transition` object supports the following attributes:
date - (Optional) Specifies the date after which you want the corresponding action to take effect.
days - (Optional) Specifies the number of days after object creation when the specific rule action takes effect.
storage\_class - (Required) Specifies the storage class to which you want the object to transition. Can only be `COLD` or `STANDARD_IA`.

The `noncurrent_version_expiration` object supports the following attributes:
days - (Required) Specifies the number of days noncurrent object versions expire.

The `noncurrent_version_transition` object supports the following attributes:
days - (Required) Specifies the number of days noncurrent object versions transition.
storage\_class - (Required) Specifies the storage class to which you want the noncurrent object versions to transition. Can only be `COLD` or `STANDARD_IA`. |
list(object({
enabled = bool
id = optional(string)
prefix = optional(string)
abort_incomplete_multipart_upload_days = optional(number)
expiration = optional(object({
date = optional(string)
days = optional(number)
expired_object_delete_marker = optional(bool)
}))
transition = optional(object({
date = optional(string)
days = optional(number)
storage_class = string
}))
noncurrent_version_expiration = optional(object({
days = number
}))
noncurrent_version_transition = optional(object({
days = number
storage_class = string
}))
}))
| `[]` | no |
| [logging](#input\_logging) | (Optional) Configuration of bucket logging.
For more information see https://cloud.yandex.com/en/docs/storage/concepts/server-logs.

Configuration attributes:
target\_bucket - (Required) The name of the bucket that will receive the log objects.
target\_prefix - (Optional) Key prefix for the log objects. |
object({
target_bucket = string
target_prefix = optional(string)
})
| `null` | no |
| [max\_size](#input\_max\_size) | (Optional) Maximum bucket size in bytes; the default `5368709120` is 5 GiB. Set `0` to leave the size unlimited.
For more information see https://cloud.yandex.com/en/docs/storage/operations/buckets/limit-max-volume.

When this variable is set, the module creates the bucket using the IAM token from the provider config rather than the static access\_key. | `number` | `5368709120` | no |
| [object\_lock\_configuration](#input\_object\_lock\_configuration) | (Optional) Configuration of object lock management.
For more information see https://cloud.yandex.com/en/docs/storage/concepts/object-lock.

Configuration attributes:
object\_lock\_enabled - (Optional) Set to `Enabled` to turn on object locking for the bucket. Requires versioning to be enabled.
rule - (Optional) Specifies a default lock applied to newly added object versions. Requires object\_lock\_enabled to be `Enabled`.

The `rule` object consists of a nested `default_retention` object, which in turn supports the following attributes:
mode - (Required) Specifies a type of object lock. One of `GOVERNANCE` or `COMPLIANCE` (case sensitive).
days - (Optional) Specifies a retention period in days after uploading an object version. It must be a positive integer. You can't set it simultaneously with years.
years - (Optional) Specifies a retention period in years after uploading an object version. It must be a positive integer. You can't set it simultaneously with days. |
object({
object_lock_enabled = optional(string, "Enabled")
rule = optional(object({
default_retention = object({
mode = string
days = optional(number)
years = optional(number)
})
}))
})
| `null` | no |
| [policy](#input\_policy) | (Optional) Object storage policy.
For more information see https://cloud.yandex.com/en/docs/storage/concepts/policy.

NOTE: Bucket policy for Yandex Cloud Console is defined in a separate `policy_console` variable.

Configuration attributes:
enabled - (Required) Enable policy.
id - (Optional) General information about the policy. Some Yandex Cloud services require the uniqueness of this value.
version - (Optional) Access policy description version. The only supported value is `2012-10-17`.
statements - (Optional) List of bucket policy rules.

Objects in the `statements` supports the following attributes:
sid - (Optional) Rule ID.
effect - (Optional) Specifies whether the requested action is denied or allowed. Possible values: `Allow`, `Deny`. Defaults to `Allow`.
actions - (Required) Determines the action to be executed when the policy is triggered.
resources - (Required) Specifies the list of the resources that the action will be performed on. Prefix `arn:aws:s3:::` can be omitted from resource names.
principal - (Optional) ID of the recipient of the requested permission.
not\_principal - (Optional) ID of the entity that will not receive the requested permission.
condition - (Optional) Condition that will be checked.

The `principal` object supports the following attributes:
type - (Required) Type of the entity. Possible values: `*`, `CanonicalUser`.
identifiers - (Required) List of IDs.

The `not_principal` object supports the following attributes:
type - (Required) Type of the entity. Possible value is `CanonicalUser`.
identifiers - (Required) List of IDs.

The `condition` object supports the following attributes:
type - (Required) Condition type.
key - (Required) Specifies the condition whose value will be checked.
values - (Required) List of values. |
object({
enabled = bool
statements = optional(list(object({
sid = optional(string)
effect = optional(string)
actions = list(string)
resources = list(string)
principal = optional(object({
type = string
identifiers = list(string)
}))
not_principal = optional(object({
type = string
identifiers = list(string)
}))
condition = optional(object({
type = string
key = string
values = list(any)
}))
})))
})
|
{
"enabled": false
}
| no |
| [policy\_console](#input\_policy\_console) | (Optional) Object storage policy for Yandex Cloud Console (Web UI).
For more information see https://cloud.yandex.com/en/docs/storage/concepts/policy#console-access.

Configuration attributes:
enabled - (Required) Enable policy for Yandex Cloud Console.
sid - (Optional) Rule ID.
effect - (Optional) Specifies whether the requested action is denied or allowed. Possible values: `Allow`, `Deny`. Defaults to `Allow`.
principal - (Optional) ID of the recipient of the requested permission.
not\_principal - (Optional) ID of the entity that will not receive the requested permission.

The `principal` object supports the following attributes:
type - (Required) Type of the entity. Possible values: `*`, `CanonicalUser`.
identifiers - (Required) List of IDs.

The `not_principal` object supports the following attributes:
type - (Required) Type of the entity. Possible value is `CanonicalUser`.
identifiers - (Required) List of IDs. |
object({
enabled = bool
sid = optional(string)
effect = optional(string)
principal = optional(object({
type = string
identifiers = list(string)
}))
not_principal = optional(object({
type = string
identifiers = list(string)
}))
})
|
{
"enabled": false
}
| no |
| [server\_side\_encryption\_configuration](#input\_server\_side\_encryption\_configuration) | (Optional) Object with configuration of server-side encryption for the bucket.
For more information see https://cloud.yandex.com/en/docs/storage/concepts/encryption.

Configuration attributes:
enabled - (Required) Enable server-side encryption for the bucket.
sse\_algorithm - (Required) The server-side encryption algorithm to use. The only valid value is `aws:kms`.
kms\_master\_key\_id - (Optional) The KMS master key ID used for the server-side encryption. Allows to specify an existing KMS key for the server-side encryption. If omitted, the KMS key will be generated with parameters in the `sse_kms_key_configuration` variable. |
object({
enabled = bool
sse_algorithm = optional(string, "aws:kms")
kms_master_key_id = optional(string)
})
|
{
"enabled": false
}
| no |
| [sse\_kms\_key\_configuration](#input\_sse\_kms\_key\_configuration) | (Optional) Object with a KMS key configuration.
For more information see https://cloud.yandex.com/en/docs/kms/concepts.

Only used for an auto-generated KMS key.
Will be ignored, if attribute `kms_master_key_id` is set in variable `server_side_encryption_configuration`.

Configuration attributes:
name - (Optional) Name of the key. If omitted, Terraform will assign a random, unique name. Conflicts with `name_prefix`.
name\_prefix - (Optional) Prefix of the key name. A unique KMS key name will be generated using the prefix. Conflicts with `name`.
description - (Optional) Description of the key.
default\_algorithm - (Optional) Encryption algorithm to be used with a new key version, generated with the next rotation. Default value is `AES_256`.
rotation\_period - (Optional) Interval between automatic key rotations. Default value is `8760h` (1 year). Because the type declares this default, Terraform substitutes `8760h` for an omitted or `null` value, so automatic rotation cannot be switched off through this variable as typed.
deletion\_protection - (Optional) Prevents key deletion. Default value is `false`. |
object({
name = optional(string)
name_prefix = optional(string)
description = optional(string, "KMS key for Object storage server-side encryption.")
default_algorithm = optional(string, "AES_256")
rotation_period = optional(string, "8760h")
deletion_protection = optional(bool, false)
})
| `{}` | no |
| [storage\_admin\_service\_account](#input\_storage\_admin\_service\_account) | (Optional) Allows to manage storage admin service account for the bucket.

Configuration attributes:
name - (Optional) The name of the service account to be generated. Conflicts with `name_prefix` and `existing_account_id`.
name\_prefix - (Optional) Prefix of the service account name. A unique service account name will be generated using the prefix. Conflicts with `name` and `existing_account_id`.
description - (Optional) Description of the service account to be generated.
existing\_account\_id - (Optional) Allows to specify an existing service account ID to manage the bucket. The service account must have `storage.admin` permissions in the folder. Conflicts with `name` and `name_prefix`.
existing\_account\_access\_key - (Optional) The access key of an existing service account to use when applying changes. If omitted, `storage_access_key` specified in provider config is used.
existing\_account\_secret\_key - (Optional) The secret key of an existing service account to use when applying changes. If omitted, `storage_secret_key` specified in provider config is used.

By default, if the object is not set in the input variables of the module, a service account is generated with the name prefix `storage-admin`, a static access key with a random name is generated for it,
and the `storage.admin` role is assigned to it in the folder. The generated key pair is stored in plain text in the Terraform state and exposed through the `storage_admin_access_key` and `storage_admin_secret_key` outputs, so either protect the state backend or pass an `existing_account_id` instead. |
object({
name = optional(string)
name_prefix = optional(string)
description = optional(string, "Service account for Object storage admin.")
existing_account_id = optional(string)
existing_account_access_key = optional(string)
existing_account_secret_key = optional(string)
})
| `{}` | no |
| [tags](#input\_tags) | (Optional) Object for setting tags (or labels) for bucket.
For more information see https://cloud.yandex.com/en/docs/storage/concepts/tags. | `map(string)` | `{}` | no |
| [versioning](#input\_versioning) | (Optional) Enable versioning.
Once you version-enable a bucket, it can never return to an unversioned state. You can, however, suspend versioning on that bucket. Disabled by default.
For more information see https://cloud.yandex.com/en/docs/storage/concepts/versioning.

Configuration attributes:
enabled - (Required) Enable versioning. |
object({
enabled = bool
})
| `null` | no |
| [website](#input\_website) | (Optional) Object for static web-site hosting or redirect configuration.
For more information see https://cloud.yandex.com/en/docs/storage/concepts/hosting.

Configuration attributes:
index\_document - (Required, unless using redirect\_all\_requests\_to) Storage returns this index document when requests are made to the root domain or any of the subfolders.
error\_document - (Optional) An absolute path to the document to return in case of a 4XX error.
routing\_rules - (Optional) List of json arrays containing routing rules describing redirect behavior and when redirects are applied. For more information see https://cloud.yandex.com/en/docs/storage/s3/api-ref/hosting/upload#request-scheme.
redirect\_all\_requests\_to - (Optional) A hostname to redirect all website requests for this bucket to. Hostname can optionally be prefixed with a protocol (http:// or https://) to use when redirecting requests. The default is the protocol that is used in the original request. When set, other website configuration attributes are skipped.

The `routing_rules` object supports the following attributes:
condition - (Optional) Object used for conditions that trigger the redirect. If a routing rule doesn't contain any conditions, all the requests are redirected.
redirect - (Required) Object that configures the redirect: to a different page, a different host, or another protocol.

The `condition` object supports the following attributes:
key\_prefix\_equals - (Optional) Key prefix of the requested object that triggers the redirect.
http\_error\_code\_returned\_equals - (Optional) Specifies the error code that triggers a redirect.

The `redirect` object supports the following attributes:
protocol - (Optional) In the Location response header, a redirect indicates the protocol scheme (http or https) to be used.
host\_name - (Optional) In the Location response header, a redirect indicates the host name to be used.
replace\_key\_prefix\_with - (Optional) Specifies the name prefix of the object key replacing `key_prefix_equals` in the redirect request. Incompatible with `replace_key_with`.
replace\_key\_with - (Optional) Specifies the object key to be used in the Location header. Incompatible with `replace_key_prefix_with`.
http\_redirect\_code - (Optional) In the Location response header, a redirect specifies the HTTP redirect code. Possible values: any 3xx code.

The default value for index\_document is used in case, when a website object is specified in the module input variables,
but the index\_document or redirect\_all\_requests\_to are not set. |
object({
index_document = optional(string, "index.html")
error_document = optional(string)
routing_rules = optional(list(object({
condition = optional(object({
key_prefix_equals = optional(string)
http_error_code_returned_equals = optional(string)
}))
redirect = object({
protocol = optional(string)
host_name = optional(string)
replace_key_prefix_with = optional(string)
replace_key_with = optional(string)
http_redirect_code = optional(string)
})
})))
redirect_all_requests_to = optional(string)
})
| `null` | no |
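The `policy` and `policy_console` inputs above map onto a single bucket policy document. The following is an added example, not part of this README or the module's examples, showing a least-privilege policy: the application service account may only read and write objects, every request from outside a trusted network range is denied except for the admin account that runs Terraform, and a console statement keeps the bucket visible to that admin. Service account IDs, the bucket name and the CIDR are placeholders; `NotIpAddress` and `aws:SourceIp` are the Yandex bucket policy condition operator and key for source-address checks.

```hcl
# Added example: a restrictive bucket policy expressed through this module's
# `policy` and `policy_console` inputs. Service account IDs, the bucket name
# and the CIDR below are placeholders.
locals {
  bucket_name  = "example-private-data"
  writer_sa_id = "ajewriterwriterwriter" # placeholder: application service account
  admin_sa_id  = "ajeadminadminadminadm" # placeholder: storage.admin account used by Terraform
  office_cidr  = "203.0.113.0/24"        # RFC 5737 documentation range
}

module "private_data_bucket" {
  source      = "github.com/terraform-yacloud-modules/terraform-yandex-storage-bucket"
  bucket_name = local.bucket_name
  acl         = "private"

  storage_admin_service_account = {
    existing_account_id = local.admin_sa_id
  }

  policy = {
    enabled = true
    statements = [
      {
        # The application gets object read/write only; it cannot change the
        # bucket itself. Resources cover both the bucket and its objects.
        sid       = "AppReadWrite"
        effect    = "Allow"
        principal = { type = "CanonicalUser", identifiers = [local.writer_sa_id] }
        actions   = ["s3:GetObject", "s3:PutObject"]
        resources = [local.bucket_name, "${local.bucket_name}/*"]
      },
      {
        # Deny every request that does not originate from the office range.
        # The admin account is excluded so Terraform itself is never locked out.
        sid           = "DenyOutsideOffice"
        effect        = "Deny"
        not_principal = { type = "CanonicalUser", identifiers = [local.admin_sa_id] }
        actions       = ["*"]
        resources     = [local.bucket_name, "${local.bucket_name}/*"]
        condition = {
          type   = "NotIpAddress"
          key    = "aws:SourceIp"
          values = [local.office_cidr]
        }
      }
    ]
  }

  # Once a policy is attached, the Console only shows the bucket to principals
  # the policy explicitly allows; this statement grants that to the admin.
  policy_console = {
    enabled   = true
    sid       = "ConsoleAccessForAdmin"
    effect    = "Allow"
    principal = { type = "CanonicalUser", identifiers = [local.admin_sa_id] }
  }
}
```

A `Deny` statement that does not exclude the account Terraform runs as will lock that account out of the bucket, including out of the next `terraform apply`, which is why the `not_principal` clause is there. Try a new policy on a scratch bucket first, and keep the admin account's exclusion in place as long as the bucket is managed by Terraform.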

## Outputs

| Name | Description |
|------|-------------|
| [bucket\_domain\_name](#output\_bucket\_domain\_name) | The bucket domain name. |
| [bucket\_name](#output\_bucket\_name) | The name of the bucket. |
| [cm\_certificate\_id](#output\_cm\_certificate\_id) | Certificate ID of the generated HTTPS certificate in Yandex Cloud Certificate Manager |
| [kms\_master\_key\_id](#output\_kms\_master\_key\_id) | The KMS master key ID used for the server-side encryption. |
| [storage\_admin\_access\_key](#output\_storage\_admin\_access\_key) | Static access key of the autogenerated Object storage admin service account. Like every output, it is written in plain text to the Terraform state, so protect the state backend accordingly. |
| [storage\_admin\_secret\_key](#output\_storage\_admin\_secret\_key) | Static secret key of the autogenerated Object storage admin service account. Stored in plain text in the Terraform state together with the access key; treat the state as a secret. |
| [storage\_admin\_service\_account\_id](#output\_storage\_admin\_service\_account\_id) | Service account ID of the Object storage admin. |
| [website\_domain](#output\_website\_domain) | The domain of the website endpoint. |
| [website\_endpoint](#output\_website\_endpoint) | The website endpoint. |

## License

Apache-2.0 Licensed.
See [LICENSE](https://github.com/terraform-yacloud-modules/terraform-yandex-storage-bucket/blob/main/LICENSE).