Provides an S3 object resource.
resource "aws_s3_object" "object" {
  bucket = "your_bucket_name"
  key    = "new_object_key"
  source = "path/to/file"

  # The filemd5() function is available in Terraform 0.11.12 and later
  # For Terraform 0.11.11 and earlier, use the md5() function and the file() function:
  # etag = "${md5(file("path/to/file"))}"
  etag = filemd5("path/to/file")
}

resource "aws_kms_key" "examplekms" {
  description             = "KMS key 1"
  deletion_window_in_days = 7
}

resource "aws_s3_bucket" "examplebucket" {
  bucket = "examplebuckettftest"
}

resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.examplebucket.id
  acl    = "private"
}

resource "aws_s3_object" "example" {
  key        = "someobject"
  bucket     = aws_s3_bucket.examplebucket.id
  source     = "index.html"
  kms_key_id = aws_kms_key.examplekms.arn
}

resource "aws_s3_bucket" "examplebucket" {
  bucket = "examplebuckettftest"
}

resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.examplebucket.id
  acl    = "private"
}

resource "aws_s3_object" "example" {
  key                    = "someobject"
  bucket                 = aws_s3_bucket.examplebucket.id
  source                 = "index.html"
  server_side_encryption = "aws:kms"
}

resource "aws_s3_bucket" "examplebucket" {
  bucket = "examplebuckettftest"
}

resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.examplebucket.id
  acl    = "private"
}

resource "aws_s3_object" "example" {
  key                    = "someobject"
  bucket                 = aws_s3_bucket.examplebucket.id
  source                 = "index.html"
  server_side_encryption = "AES256"
}

resource "aws_s3_bucket" "examplebucket" {
  bucket              = "examplebuckettftest"
  object_lock_enabled = true
}

resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.examplebucket.id
  acl    = "private"
}

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.examplebucket.id

  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_object" "examplebucket_object" {
  # Must have bucket versioning enabled first
  depends_on = [aws_s3_bucket_versioning.example]

  key                           = "someobject"
  bucket                        = aws_s3_bucket.examplebucket.id
  source                        = "important.txt"
  object_lock_legal_hold_status = "ON"
  object_lock_mode              = "GOVERNANCE"
  object_lock_retain_until_date = "2021-12-31T23:59:60Z"
  force_destroy                 = true
}

default_tags
S3 objects support a maximum of 10 tags. If the resource's own tags and the provider-level default_tags would together lead to more than 10 tags on an S3 object, use the override_provider configuration block to suppress any provider-level default_tags.

resource "aws_s3_bucket" "examplebucket" {
  bucket = "examplebuckettftest"
}

resource "aws_s3_object" "examplebucket_object" {
  key    = "someobject"
  bucket = aws_s3_bucket.examplebucket.id
  source = "important.txt"

  tags = {
    Env = "test"
  }

  override_provider {
    default_tags {
      tags = {}
    }
  }
}

The following arguments are required:

bucket - (Required) Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified.
key - (Required) Name of the object once it is in the bucket.

The following arguments are optional:

acl - (Optional) Canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, and bucket-owner-full-control.
bucket_key_enabled - (Optional) Whether or not to use Amazon S3 Bucket Keys for SSE-KMS.
cache_control - (Optional) Caching behavior along the request/reply chain. Read w3c cache_control for further details.
checksum_algorithm - (Optional) Indicates the algorithm used to create the checksum for the object. If a value is specified and the object is encrypted with KMS, you must have permission to use the kms:Decrypt action. Valid values: CRC32, CRC32C, SHA1, SHA256.
content_base64 - (Optional, conflicts with source and content) Base64-encoded data that will be decoded and uploaded as raw bytes for the object content. This allows safely uploading non-UTF8 binary data, but is recommended only for small content such as the result of the gzipbase64 function with small text strings. For larger objects, use source to stream the content from a disk file.
content_disposition - (Optional) Presentational information for the object. Read w3c content_disposition for further information.
content_encoding - (Optional) Content encodings that have been applied to the object and thus what decoding mechanisms must be applied to obtain the media-type referenced by the Content-Type header field. Read w3c content encoding for further information.
content_language - (Optional) Language the content is in, e.g., en-US or en-GB.
content_type - (Optional) Standard MIME type describing the format of the object data, e.g., application/octet-stream. All Valid MIME Types are valid for this input.
content - (Optional, conflicts with source and content_base64) Literal string value to use as the object content, which will be uploaded as UTF-8-encoded text.
etag - (Optional) Triggers updates when the value changes. The only meaningful value is filemd5("path/to/file") (Terraform 0.11.12 or later) or ${md5(file("path/to/file"))} (Terraform 0.11.11 or earlier). This attribute is not compatible with KMS encryption (kms_key_id or server_side_encryption = "aws:kms"). Also, if an object is larger than 16 MB, the AWS Management Console will upload or copy that object as a Multipart Upload, and therefore the ETag will not be an MD5 digest (see source_hash instead).
force_destroy - (Optional) Whether to allow the object to be deleted by removing any legal hold on any object version. Default is false. This value should be set to true only if the bucket has S3 object lock enabled.
kms_key_id - (Optional) ARN of the KMS Key to use for object encryption. If the S3 Bucket has server-side encryption enabled, that value will automatically be used. If referencing the aws_kms_key resource, use the arn attribute. If referencing the aws_kms_alias data source or resource, use the target_key_arn attribute. Terraform will only perform drift detection if a configuration value is provided.
metadata - (Optional) Map of keys/values to provision metadata (will be automatically prefixed by x-amz-meta-; note that only lowercase labels are currently supported by the AWS Go API).
object_lock_legal_hold_status - (Optional) Legal hold status that you want to apply to the specified object. Valid values are ON and OFF.
object_lock_mode - (Optional) Object lock retention mode that you want to apply to this object. Valid values are GOVERNANCE and COMPLIANCE.
object_lock_retain_until_date - (Optional) Date and time, in RFC3339 format, when this object's object lock will expire.
override_provider - (Optional) Override provider-level configuration options. See Override Provider below for more details.
server_side_encryption - (Optional) Server-side encryption of the object in S3. Valid values are "AES256" and "aws:kms".
source_hash - (Optional) Triggers updates like etag but useful to address etag encryption limitations. Set using filemd5("path/to/source") (Terraform 0.11.12 or later). (The value is only stored in state and not saved by AWS.)
source - (Optional, conflicts with content and content_base64) Path to a file that will be read and uploaded as raw bytes for the object content.
storage_class - (Optional) Storage Class for the object. Defaults to "STANDARD".
tags - (Optional) Map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
website_redirect - (Optional) Target URL for website redirect.

If no content is provided through source, content or content_base64, then the object will be empty.

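Added example, not part of the original documentation: because etag is not compatible with KMS encryption, the configuration below uses source_hash as the change trigger for an SSE-KMS object and asks S3 to keep a SHA-256 checksum. The alias alias/app-data, the object key reports/report.bin and the file report.bin are assumed names; every argument used is one listed above.

```hcl
# Assumed names for this example: alias "alias/app-data", file "report.bin",
# object key "reports/report.bin". The bucket name is the one used on this page.
data "aws_kms_alias" "app" {
  name = "alias/app-data"
}

# Not compatible: with SSE-KMS the ETag that S3 returns is not an MD5 digest,
# so it cannot be compared with filemd5().
#
# resource "aws_s3_object" "report" {
#   bucket     = "examplebuckettftest"
#   key        = "reports/report.bin"
#   source     = "report.bin"
#   kms_key_id = data.aws_kms_alias.app.target_key_arn
#   etag       = filemd5("report.bin")
# }

resource "aws_s3_object" "report" {
  bucket = "examplebuckettftest"
  key    = "reports/report.bin"
  source = "report.bin"

  # SSE-KMS with a specific key. When referencing an alias, use
  # target_key_arn rather than the alias ARN.
  server_side_encryption = "aws:kms"
  kms_key_id             = data.aws_kms_alias.app.target_key_arn
  bucket_key_enabled     = true

  # Change trigger that is stored only in Terraform state, so it is not
  # affected by how S3 derives the ETag for encrypted objects.
  source_hash = filemd5("report.bin")

  # Ask S3 to compute a SHA-256 checksum for the object. With KMS encryption
  # the caller also needs permission for the kms:Decrypt action.
  checksum_algorithm = "SHA256"
}

# Base64-encoded SHA-256 digest exported by the resource.
output "report_sha256" {
  value = aws_s3_object.report.checksum_sha256
}
```
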
The override_provider block supports the following:

default_tags - (Optional) Override the provider default_tags configuration block.

This resource exports the following attributes in addition to the arguments above:

arn - ARN of the object.
checksum_crc32 - The base64-encoded, 32-bit CRC32 checksum of the object.
checksum_crc32c - The base64-encoded, 32-bit CRC32C checksum of the object.
checksum_sha1 - The base64-encoded, 160-bit SHA-1 digest of the object.
checksum_sha256 - The base64-encoded, 256-bit SHA-256 digest of the object.
etag - ETag generated for the object (an MD5 sum of the object content). For plaintext objects or objects encrypted with an AWS-managed key, the hash is an MD5 digest of the object data. For objects encrypted with a KMS key or objects created by either the Multipart Upload or Part Copy operation, the hash is not an MD5 digest, regardless of the method of encryption. More information on possible values can be found on Common Response Headers.
tags_all - Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
version_id - Unique version ID value for the object, if bucket versioning is enabled.

In Terraform v1.5.0 and later, use an import block to import objects using the id or S3 URL. For example:

Import using the id, which is the bucket name and the key together:

import {
  to = aws_s3_object.example
  id = "some-bucket-name/some/key.txt"
}

Import using S3 URL syntax:
import {
  to = aws_s3_object.example
  id = "s3://some-bucket-name/some/key.txt"
}

Using terraform import to import objects using the id or S3 URL. For example:

Import using the id, which is the bucket name and the key together:

% terraform import aws_s3_object.example some-bucket-name/some/key.txt
Import using S3 URL syntax:
% terraform import aws_s3_object.example s3://some-bucket-name/some/key.txt