Provides an S3 bucket Object Lock configuration resource. For more information about Object Locking, go to Using S3 Object Lock in the Amazon S3 User Guide.
    resource "aws_s3_bucket" "example" {
      bucket = "mybucket"
    }

    resource "aws_s3_bucket_versioning" "example" {
      bucket = aws_s3_bucket.example.id

      versioning_configuration {
        status = "Enabled"
      }
    }

    resource "aws_s3_bucket_object_lock_configuration" "example" {
      bucket = aws_s3_bucket.example.id

      rule {
        default_retention {
          mode = "COMPLIANCE"
          days = 5
        }
      }
    }

This resource supports the following arguments:

bucket - (Required, Forces new resource) Name of the bucket.
expected_bucket_owner - (Optional, Forces new resource) Account ID of the expected bucket owner.
object_lock_enabled - (Optional, Forces new resource) Indicates whether this bucket has an Object Lock configuration enabled. Defaults to Enabled. Valid values: Enabled.
rule - (Optional) Configuration block for specifying the Object Lock rule for the specified object. See below.
token - (Optional) Token to allow Object Lock to be enabled for an existing bucket. You must contact AWS support for the bucket's "Object Lock token". The token is generated in the back-end when versioning is enabled on a bucket. For more details on versioning, see the aws_s3_bucket_versioning resource.

The rule configuration block supports the following arguments:

default_retention - (Required) Configuration block for specifying the default Object Lock retention settings for new objects placed in the specified bucket. See below.

The default_retention configuration block supports the following arguments:

days - (Optional, Required if years is not specified) Number of days that you want to specify for the default retention period.
mode - (Required) Default Object Lock retention mode you want to apply to new objects placed in the specified bucket. Valid values: COMPLIANCE, GOVERNANCE.
years - (Optional, Required if days is not specified) Number of years that you want to specify for the default retention period.

This resource exports the following attributes in addition to the arguments above:

id - The bucket or bucket and expected_bucket_owner separated by a comma (,) if the latter is provided.

In Terraform v1.5.0 and later, use an import block to import S3 bucket Object Lock configuration using the bucket or using the bucket and expected_bucket_owner separated by a comma (,). For example:

If the owner (account ID) of the source bucket is the same account used to configure the Terraform AWS Provider, import using the bucket:

    import {
      to = aws_s3_bucket_object_lock_configuration.example
      id = "bucket-name"
    }

If the owner (account ID) of the source bucket differs from the account used to configure the Terraform AWS Provider, import using the bucket and expected_bucket_owner separated by a comma (,):

    import {
      to = aws_s3_bucket_object_lock_configuration.example
      id = "bucket-name,123456789012"
    }

Using terraform import to import S3 bucket Object Lock configuration using the bucket or using the bucket and expected_bucket_owner separated by a comma (,). For example:

If the owner (account ID) of the source bucket is the same account used to configure the Terraform AWS Provider, import using the bucket:

% terraform import aws_s3_bucket_object_lock_configuration.example bucket-name

If the owner (account ID) of the source bucket differs from the account used to configure the Terraform AWS Provider, import using the bucket and expected_bucket_owner separated by a comma (,):

% terraform import aws_s3_bucket_object_lock_configuration.example bucket-name,123456789012
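
A pre-apply policy check for the default_retention arguments documented above, as an added example that is not part of the provider documentation. The plan layout (planned_values.root_module.resources, nested blocks as lists), the sample resources, and the required_mode and min_days policy parameters are assumptions; only the root module is walked.

```python
LOCK_TYPE = "aws_s3_bucket_object_lock_configuration"
VALID_MODES = {"COMPLIANCE", "GOVERNANCE"}  # valid values listed on this page

def lock_entry(name, **retention):
    # One constructed resource entry; nested blocks are lists in the plan JSON.
    return {"address": f"{LOCK_TYPE}.{name}", "type": LOCK_TYPE,
            "values": {"rule": [{"default_retention": [retention]}]}}

# Constructed sample in the assumed shape of `terraform show -json` output.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.example", "type": "aws_s3_bucket", "values": {}},
    lock_entry("example", mode="COMPLIANCE", days=5, years=None),
    lock_entry("logs", mode="GOVERNANCE", days=None, years=1),
    lock_entry("broken", mode="COMPLIANCE", days=None, years=None),
]}}}

def retention_days(ret):
    """Validate one default_retention block and return its period in days."""
    if ret.get("mode") not in VALID_MODES:
        raise ValueError(f"invalid mode {ret.get('mode')!r}")
    days, years = ret.get("days") or 0, ret.get("years") or 0  # null or 0 = unset
    if bool(days) == bool(years):
        # The page requires one of the two; S3 also rejects setting both.
        raise ValueError("set exactly one of days or years")
    return days or years * 365  # 365 days per year, for threshold comparison only

def audit_plan(plan, required_mode="COMPLIANCE", min_days=1):
    """Return (address, problem) pairs for Object Lock configs in the root module."""
    findings = []
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res["type"] != LOCK_TYPE:
            continue
        rules = res["values"].get("rule") or []
        if not rules:  # rule is optional, so a config can carry no default retention
            findings.append((res["address"], "no default retention rule"))
            continue
        ret = rules[0]["default_retention"][0]
        try:
            total = retention_days(ret)
        except ValueError as err:
            findings.append((res["address"], str(err)))
            continue
        if ret["mode"] != required_mode:
            findings.append((res["address"], f"mode is {ret['mode']}, want {required_mode}"))
        if total < min_days:
            findings.append((res["address"], f"retention {total}d is below {min_days}d"))
    return findings

if __name__ == "__main__":
    for address, problem in audit_plan(SAMPLE_PLAN, min_days=30):
        print(f"{address}: {problem}")
```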