S3 deployment using Terraform

Venkat teja Ravi
3 min read · May 25, 2020


AWS Simple Storage Service (S3) provides secure, durable and highly scalable object storage.

The resource type "aws_s3_bucket" is used to create S3 buckets. The examples below use the inline arguments (acl, versioning, logging, server_side_encryption_configuration, lifecycle_rule) of the AWS provider that was current when this post was written. AWS provider 4.0 (February 2022) deprecated those inline arguments in favour of standalone resources such as aws_s3_bucket_acl, aws_s3_bucket_versioning, aws_s3_bucket_logging, aws_s3_bucket_server_side_encryption_configuration and aws_s3_bucket_lifecycle_configuration, and since April 2023 new buckets have ACLs disabled by default, so in new code prefer bucket policies over ACLs.

Rules to follow to create an S3 bucket

  • Every S3 bucket name must be unique across all existing bucket names in Amazon S3 (the namespace is global, not per account).
  • Bucket names must begin and end with a lowercase letter or a number.
  • Bucket names must be between 3 and 63 characters long.
  • Bucket names must not contain uppercase characters or underscores; only lowercase letters, numbers, dots and hyphens are allowed.

resource "aws_s3_bucket" "mybucket" {
  bucket = "my-test-bucket-2018"
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}
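Terraform only learns that a name breaks these rules when the CreateBucket call fails at apply time. As an added example (not code from the original post), the following Python check applies the rules above before a plan is run, and also covers two rules AWS enforces that the list does not mention: no two adjacent dots, and a name must not be formatted like an IPv4 address.

```python
import re

# Dotted-quad shape; each octet is range-checked below so only real IPv4
# addresses are rejected.
_IPV4_SHAPE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def bucket_name_errors(name):
    """Return the naming rules an S3 bucket name violates (empty list = valid).

    Checks the general-purpose bucket rules: 3-63 characters; only lowercase
    letters, digits, dots and hyphens; must begin and end with a letter or
    digit; no two adjacent dots; must not be formatted like an IPv4 address.
    """
    errors = []
    if not 3 <= len(name) <= 63:
        errors.append("length must be between 3 and 63 characters")
    if re.search(r"[A-Z]", name):
        errors.append("uppercase letters are not allowed")
    if "_" in name:
        errors.append("underscores are not allowed")
    # Anything outside the allowed alphabet that the two checks above did not
    # already report (spaces, slashes, non-ASCII, ...).
    if re.search(r"[^A-Za-z0-9._-]", name):
        errors.append("only lowercase letters, digits, dots and hyphens are allowed")
    if name and not (name[0].isalnum() and name[-1].isalnum()):
        errors.append("must begin and end with a letter or digit")
    if ".." in name:
        errors.append("adjacent dots are not allowed")
    m = _IPV4_SHAPE.match(name)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        errors.append("must not be formatted as an IPv4 address")
    return errors


def is_valid_bucket_name(name):
    """Convenience wrapper: True when no rule is violated."""
    return not bucket_name_errors(name)


if __name__ == "__main__":
    for candidate in ("my-test-bucket-2018", "My_Bucket", "192.168.5.4", "-logs-"):
        print(candidate, bucket_name_errors(candidate) or "ok")
```

Run it over the bucket names in your variables file (or wire it into a pre-commit hook) so a bad name is caught before `terraform apply`.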

Enable Versioning:

The versioning block enables versioning on the bucket. Versioning keeps every version of an object, so an accidental overwrite or delete, or one made by an attacker who gained write access, can be recovered; once enabled, versioning can only be suspended, not removed.

resource "aws_s3_bucket" "mybucket" {
  bucket = "my-test-bucket-2018"
  acl    = "private"

  # versioning is a block, not a map, and HCL booleans are lowercase
  versioning {
    enabled = true
  }

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

Enable Logging:

When you enable logging, Amazon S3 delivers access logs for a source bucket to a target bucket that you choose.

The target bucket must be in the same AWS Region as the source bucket, must be owned by the same account, and must not have a default retention period (Object Lock) configuration. Do not point a bucket's logging at itself: every log delivery would generate another log record. Access logs are delivered on a best-effort basis, usually within a few hours; if you need complete, near-real-time records of object-level API calls, enable CloudTrail data events for the bucket as well.

resource "aws_s3_bucket" "log_bucket" {
  bucket = "my-log-bucket-2018"
  acl    = "log-delivery-write"
}

resource "aws_s3_bucket" "mybucket" {
  bucket = "my-test-bucket-2018"
  acl    = "private"

  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "logs/"
  }
}
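The records that logging delivers are plain text, one request per line, in the field order documented by AWS (bucket owner, bucket, time, remote IP, requester, request ID, operation, key, request URI, HTTP status, and so on through the TLS version). As an added example, not code from the original post, here is a parser for that format with three review rules a bucket owner usually wants answered from these logs: did any anonymous request succeed, which requests came through presigned URLs, and did anything arrive without TLS 1.2 or better. The log lines are constructed for the example; the canonical user ID, request IDs, IP addresses and account 111122223333 are placeholders. The two fields AWS appended to the format later (access point ARN and aclRequired) are read when present and ignored when absent.

```python
"""Parse S3 server access log records and flag access patterns worth a review."""

# Field order of an S3 server access log record as documented by AWS. The last
# two fields were added later than the rest; the parser tolerates their absence.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turn_around_time", "referer", "user_agent",
    "version_id", "host_id", "signature_version", "cipher_suite",
    "authentication_type", "host_header", "tls_version",
    "access_point_arn", "acl_required",
]

# Constructed sample records (not real log data): the canonical user ID, request
# IDs, IP addresses and account 111122223333 are placeholders. In order: an
# authenticated GET over TLS 1.2, an anonymous GET that succeeded, a GET through
# a presigned URL, and a PUT sent over plain HTTP.
SAMPLE_LOG = """\
3f6e1c9a8b2d4e7f0a1c3e5b7d9f2a4c6e8b0d2f4a6c8e0b2d4f6a8c0e2b4d6f my-test-bucket-2018 [25/May/2020:10:15:02 +0000] 203.0.113.10 arn:aws:iam::111122223333:user/alice REQ0001AUTHOK REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 8 "-" "aws-cli/2.0.10" - hostid0001= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-test-bucket-2018.s3.us-east-1.amazonaws.com TLSv1.2
3f6e1c9a8b2d4e7f0a1c3e5b7d9f2a4c6e8b0d2f4a6c8e0b2d4f6a8c0e2b4d6f my-test-bucket-2018 [25/May/2020:10:16:44 +0000] 198.51.100.7 - REQ0002ANON REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 9 6 "-" "Mozilla/5.0" - hostid0002= - ECDHE-RSA-AES128-GCM-SHA256 - my-test-bucket-2018.s3.us-east-1.amazonaws.com TLSv1.2
3f6e1c9a8b2d4e7f0a1c3e5b7d9f2a4c6e8b0d2f4a6c8e0b2d4f6a8c0e2b4d6f my-test-bucket-2018 [25/May/2020:10:20:31 +0000] 203.0.113.25 arn:aws:iam::111122223333:user/bob REQ0003PRESIGN REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=3600 HTTP/1.1" 200 - 2048 2048 11 7 "-" "curl/7.68.0" - hostid0003= SigV4 ECDHE-RSA-AES128-GCM-SHA256 QueryString my-test-bucket-2018.s3.us-east-1.amazonaws.com TLSv1.2
3f6e1c9a8b2d4e7f0a1c3e5b7d9f2a4c6e8b0d2f4a6c8e0b2d4f6a8c0e2b4d6f my-test-bucket-2018 [25/May/2020:10:25:09 +0000] 203.0.113.10 arn:aws:iam::111122223333:user/alice REQ0004PLAINHTTP REST.PUT.OBJECT uploads/notes.txt "PUT /uploads/notes.txt HTTP/1.1" 200 - - 512 15 10 "-" "aws-cli/2.0.10" - hostid0004= SigV4 - AuthHeader my-test-bucket-2018.s3.us-east-1.amazonaws.com -
"""


def tokenize(line):
    """Split a record on spaces, keeping [bracketed] and "quoted" fields whole."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c == " ":
            i += 1
        elif c == "[":
            j = line.index("]", i)
            tokens.append(line[i + 1:j])
            i = j + 1
        elif c == '"':
            j = line.index('"', i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_line(line):
    """Map one record onto FIELDS; the 24 core fields are required."""
    tokens = tokenize(line)
    if len(tokens) < 24:
        raise ValueError("expected at least 24 fields, got %d" % len(tokens))
    return dict(zip(FIELDS, tokens))


def audit_access_log(text):
    """Return (rule, request_id) findings in log order.

    anonymous-access : unauthenticated request (requester "-") that succeeded
    presigned-url    : authenticated through the query string, i.e. a presigned URL
    weak-transport   : no TLS ("-") or a TLS version below 1.2 was negotiated
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        status = rec["http_status"]
        succeeded = status.isdigit() and 200 <= int(status) < 400
        if rec["requester"] == "-" and succeeded:
            findings.append(("anonymous-access", rec["request_id"]))
        if rec["authentication_type"] == "QueryString":
            findings.append(("presigned-url", rec["request_id"]))
        if rec["tls_version"].upper() not in ("TLSV1.2", "TLSV1.3"):
            findings.append(("weak-transport", rec["request_id"]))
    return findings


if __name__ == "__main__":
    for rule, request_id in audit_access_log(SAMPLE_LOG):
        print(rule, request_id)
```

The anonymous rule only counts requests that succeeded; a burst of anonymous 403s is still worth a look as reconnaissance, but it is a different question from "is this bucket serving public data". A successful anonymous read on a bucket you believe to be private is the fastest signal that an ACL or policy is wrong, and the weak-transport rule is the usual justification for the `aws:SecureTransport` deny shown later under Bucket Policy.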

Enable Server Side Encryption:

Server-side encryption protects data at rest: S3 encrypts each object as it is written and decrypts it on read for authorized callers. With SSE-S3, Amazon S3 manages the keys and encrypts each object with a unique key. With SSE-KMS, as configured below, the per-object data keys are protected by a KMS key you control, so reading an object additionally requires kms:Decrypt on that key and every use of the key is recorded in CloudTrail.

Server-side encryption encrypts only the object data, not object metadata. Default encryption applies to objects written after it is enabled; objects already in the bucket are not re-encrypted.

resource "aws_kms_key" "mykey" {
  description             = "This key is used to encrypt bucket objects"
  deletion_window_in_days = 10
  # Consider enable_key_rotation = true so the KMS key material rotates yearly;
  # a key policy that limits kms:Decrypt to the bucket's readers is also needed.
}

resource "aws_s3_bucket" "mybucket" {
  bucket = "my-test-bucket-2018"
  acl    = "private"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.mykey.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

Bucket Policy:

A bucket policy is a resource-based IAM policy attached to the bucket. It is used to grant other AWS accounts or IAM principals access to the bucket and the objects in it.

The resource type aws_s3_bucket_policy attaches a policy to an S3 bucket resource. The policy below uses "Principal": "*", which grants anonymous read access to every object in the bucket. That is appropriate only for content that is meant to be public, such as a static website; for anything else, name the allowed principals explicitly. Note also that with block_public_policy enabled (next section) S3 rejects this policy, and with restrict_public_buckets enabled it stops taking effect for anonymous callers.

resource "aws_s3_bucket" "mybucket" {
  bucket = "my-test-bucket-2018"
}

resource "aws_s3_bucket_policy" "mybucketpolicy" {
  bucket = aws_s3_bucket.mybucket.id

  # heredoc: the terminator must appear alone on its own line
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AddPerm",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::my-test-bucket-2018/*"]
    }
  ]
}
POLICY
}

Block Public Access:

S3 provides block public access settings at the bucket and account level to help you manage public access to Amazon S3 resources.

The resource type aws_s3_bucket_public_access_block manages the bucket-level Public Access Block configuration (aws_s3_account_public_access_block does the same for the whole account). The four settings are: block_public_acls rejects new public ACLs on the bucket and its objects; ignore_public_acls makes S3 ignore any public ACLs already present; block_public_policy rejects any bucket policy that grants public access, such as the AddPerm policy above; restrict_public_buckets limits access through an existing public policy to the bucket owner's account and AWS service principals. Turn all four on unless the bucket is deliberately public.

resource "aws_s3_bucket" "mybucket" {
  bucket = "my-test-bucket-2018"
}

resource "aws_s3_bucket_public_access_block" "mybucket-bpa" {
  bucket = aws_s3_bucket.mybucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

For more information about these settings, see the AWS S3 Block Public Access documentation.
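The Bucket Policy and Block Public Access sections meet at one question: which statements in a policy make the bucket public? As an added example, not code from the original post or the AWS provider, the Python below answers it for a policy document the way a pre-apply check would, using a simplified version of the rule block_public_policy applies: an Allow statement with a wildcard principal is public unless a condition ties it to specific accounts, principals or sources. It also checks for the complementary hardening most bucket policies should carry, a Deny when aws:SecureTransport is false. PUBLIC_READ_POLICY is the post's own AddPerm policy; SCOPED_POLICY is a constructed hardened variant, and the account ID 111122223333 and role name in it are placeholders.

```python
import json

# Condition keys that tie a wildcard-principal statement to specific accounts,
# principals, sources or VPC endpoints. Presence of one of these is what keeps
# such a statement from counting as "public". This set is a simplified version
# of the S3 Block Public Access rules, not a complete reimplementation.
LIMITING_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalorgpaths", "aws:principalaccount",
    "aws:principalarn", "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner",
    "aws:sourcevpc", "aws:sourcevpce", "aws:userid",
}

# The post's own AddPerm policy: anonymous read of every object.
PUBLIC_READ_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AddPerm",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::my-test-bucket-2018/*"]
  }]
}"""

# Constructed hardened variant (placeholder account 111122223333): one named
# role may read, and every request over plain HTTP is denied.
SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReportingRoleRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/reporting"},
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::my-test-bucket-2018/*"]
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::my-test-bucket-2018", "arn:aws:s3:::my-test-bucket-2018/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}"""


def _statements(policy):
    """Accept a JSON string or parsed dict; always return a list of statements."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    return [statements] if isinstance(statements, dict) else list(statements)


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (the AWS value may be a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def _condition_keys(statement):
    """Lower-cased condition keys across all operators of a statement."""
    keys = set()
    for values in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in values)
    return keys


def find_public_statements(policy):
    """Sids (or statement[i]) of Allow statements that grant access to anyone."""
    public = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if _condition_keys(stmt) & LIMITING_CONDITION_KEYS:
            continue  # wildcard principal, but scoped to named accounts/sources
        public.append(stmt.get("Sid", "statement[%d]" % i))
    return public


def enforces_tls(policy):
    """True if some Deny statement fires when aws:SecureTransport is false."""
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Deny":
            continue
        value = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        value = value[0] if isinstance(value, list) else value
        if str(value).lower() == "false":
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("PUBLIC_READ_POLICY", PUBLIC_READ_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, "public:", find_public_statements(policy), "enforces TLS:", enforces_tls(policy))
```

Run against the output of `terraform show -json` (the policy attribute of each aws_s3_bucket_policy resource) this gives a plan-time answer to the question block_public_policy would otherwise answer with an apply-time error. The check is deliberately conservative: a wildcard principal with a condition that is not in LIMITING_CONDITION_KEYS is still reported as public, which is the right default for a review tool.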

S3 Life cycle:

Through lifecycle rules you can manage your objects cost-effectively. A lifecycle configuration is a set of rules that define the actions S3 applies to a group of objects, for example everything under a prefix.

There are two types of actions:

Transition: Define when objects transition to another storage class.

Expiration: Define when objects expire.

Add a lifecycle configuration to a bucket with the lifecycle_rule block.

resource "aws_s3_bucket" "mybucket" {
  bucket = "my-test-bucket-2018"
  acl    = "private"

  lifecycle_rule {
    enabled = true
    prefix  = "logs/"

    transition {
      days          = 30
      storage_class = "STANDARD_IA" # or "ONEZONE_IA"
    }

    transition {
      days          = 60
      storage_class = "GLACIER"
    }

    expiration {
      days = 90
    }
  }
}

If versioning is enabled on the bucket, manage previous versions with the noncurrent_version_* actions, as below. Note that on a versioned bucket a plain expiration only adds a delete marker to the current version; the data is actually removed by noncurrent_version_expiration, so check that period against any log-retention or evidence requirement before applying it.

resource "aws_s3_bucket" "versioning_bucket" {
  bucket = "my-versioning-bucket"
  acl    = "private"

  versioning {
    enabled = true
  }

  lifecycle_rule {
    enabled = true

    noncurrent_version_transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }

    noncurrent_version_transition {
      days          = 60
      storage_class = "GLACIER"
    }

    noncurrent_version_expiration {
      days = 90
    }
  }
}

So far in this blog post we have discussed what S3 is, what its features are, how to deploy it using Terraform, and the object lifecycle.

If you need help with Terraform, DevOps practices, or AWS at your company, feel free to reach out to us at Vitwit.
