- CORS configuration has been added, configured via the
cors_rulesvariable.
- S3 Object Lock support has been added, configured via the
enable_object_lockandobject_lock_configurationvariables.
- The
include_deny_unencrypted_inflight_operations_statementvariable, defaulting totrue, has been added allowing the corresponding statement to be excluded from the resulting bucket policy if required. - The
include_deny_encryption_using_incorrect_algorithm_statementvariable, defaulting totrue, has been added allowing the corresponding statement to be excluded from the resulting bucket policy if required. - The
include_deny_encryption_using_incorrect_key_statementvariable, which only applies when using SSE-KMS encryption, defaulting totrue, has been added allowing the corresponding statement to be excluded from the resulting bucket policy if required.
- The minimum supported AWS provider version is now 4.0.
- The
source_policy_jsonvariable is now calledsource_policy_document. - All variables that previously accepted
"yes"or"no"have now been converted to typeboolacceptingtrueorfalse.
- The deprecated variable
mfa_deletehas now been removed andenable_mfa_deleteshould be used instead. - The deprecated variable
bucket_policy_templatehas now been removed in favour of the newly addedinclude_*_statementvariables.
- Access logging can now be enabled by passing
"yes"for theenable_access_loggingvariable, along with the name of the access log bucket inaccess_log_bucket_nameand the object key prefix for log objects inaccess_log_object_key_prefix. By default, access logging is disabled. - When using SSE-KMS encryption for the bucket, by passing
kms_key_arn, an S3 bucket key can be enabled by passing"yes"for theenable_bucket_keyvariable. By default, the bucket key is disabled. - Versioning can now be disabled by passing
"no"for theenable_versioningvariable. By default, versioning is enabled. - MFA delete should now be enabled by passing
"yes"for theenable_mfa_deletevariable. By default, MFA delete is disabled. - The bucket policy added to the bucket now enforces that the
"s3:x-amz-server-side-encryption"header is present as well as set to the correct SSE algorithm for the bucket. When thekms_key_arnvariable is provided, such that SSE-KMS is used, the bucket policy additionally enforces that the correct KMS key ARN is passed in the"s3:x-amz-server-side-encryption-aws-kms-key-id"header. If thebucket_policy_templatevariable is provided, the template should interpolate the fragments as shown inpolicies/bucket-policy.json.tpl.
- A regression was introduced that meant the
bucket_policy_templatevariable no longer had any effect. This was resolved by re-introducing thehashicorp/templateprovider so that a template provided as a string could be correctly populated.
- The
mfa_deletevariable has been superseded by theenable_mfa_deletevariable. - The
deny_unencrypted_object_upload_fragmentinterpolation variable previously available in thebucket_policy_templatehas been superseded by thedeny_encryption_using_incorrect_algorithm_fragmentanddeny_encryption_using_incorrect_key_fragmentinterpolation variables.
- Public access block settings for the bucket can now be configured with
var.public_access_block. See the inputs section in the README or Terraform registry entry for more details. The extra permissions required are specified in required permissions.
- Removed
hashicorp/templateprovider. This allows the module to be used with terraform on arm64 architectures. kms_key_arnis now an empty string by default, which is converted to null when being passed toserver_side_encryption_configurationto preserve module defaults.
- This module is now compatible with Terraform 0.14 and higher.