Module:
sourcefuse/arc-s3/aws
Registry: https://registry.terraform.io/modules/sourcefuse/arc-s3/aws
Category: Storage / Object Storage
Tip
🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓
Creates S3 buckets with versioning, encryption, lifecycle rules, access logging, CORS, and bucket policies.
- S3 bucket with versioning and server-side encryption
- Lifecycle rules for object transitions and expiration
- Public access block configuration
- Access logging to a target bucket
- CORS configuration
- Bucket policy management
- Object lock support
- Cross-Region Replication (CRR) for automated replication of objects across AWS regions for disaster recovery and compliance requirements
module "s3" {
source = "sourcefuse/arc-s3/aws"
version = "0.0.1"
name = var.name
acl = var.acl
lifecycle_config = local.lifecycle_config
tags = module.tags.tags
}| Name | Type | Description |
|---|---|---|
name |
string |
S3 bucket name |
| Name | Description |
|---|---|
bucket_id |
S3 bucket name |
bucket_arn |
S3 bucket ARN |
bucket_domain_name |
S3 bucket domain name |
The complete inputs/outputs reference is auto-generated below.
| Name | Version |
|---|---|
| terraform | ~> 1.3, < 2.0.0 |
| aws | >= 5.0, < 7.0 |
| random | ~> 3.0 |
No providers.
| Name | Source | Version |
|---|---|---|
| bucket | ./modules/bucket | n/a |
| replication | ./modules/replication | n/a |
No resources.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| acl | Please node ACL is deprecated by AWS in favor of bucket policies. Defaults to "private" for backwards compatibility,recommended to set s3_object_ownership to "BucketOwnerEnforced" instead. |
string |
"private" |
no |
| availability_zone_id | The ID of the availability zone. | string |
"" |
no |
| bucket_logging_data | (optional) Bucket logging data | object({ |
{ |
no |
| bucket_policy_doc | (optional) S3 bucket Policy doc | string |
null |
no |
| cors_configuration | List of S3 bucket CORS configurations | list(object({ |
[] |
no |
| create_bucket | (optional) Whether to create bucket | bool |
true |
no |
| create_s3_directory_bucket | Control the creation of the S3 directory bucket. Set to true to create the bucket, false to skip. | bool |
false |
no |
| enable_versioning | Whether to enable versioning for the bucket | bool |
true |
no |
| event_notification_details | (optional) S3 event notification details | object({ |
{ |
no |
| force_destroy | (Optional, Default:false) Boolean that indicates all objects (including any locked objects) should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. These objects are not recoverable. This only deletes objects when the bucket is destroyed, not when setting this parameter to true. Once this parameter is set to true, there must be a successful terraform apply run before a destroy is required to update this value in the resource state. Without a successful terraform apply after this parameter is set, this flag will have no effect. If setting this field in the same operation that would require replacing the bucket or destroying the bucket, this flag will not work. Additionally when importing a bucket, a successful terraform apply is required to set this value in state before it will take effect on a destroy operation. | bool |
false |
no |
| lifecycle_config | n/a | object({ |
{ |
no |
| name | Bucket name. If provided, the bucket will be created with this name instead of generating the name from the context | string |
n/a | yes |
| object_lock_config | (optional) Object Lock configuration | object({ |
{ |
no |
| object_lock_enabled | (Optional, Forces new resource) Indicates whether this bucket has an Object Lock configuration enabled. Valid values are true or false. This argument is not supported in all regions or partitions. | string |
false |
no |
| object_ownership | (Optional) Object ownership. Valid values: BucketOwnerPreferred, ObjectWriter or BucketOwnerEnforced BucketOwnerPreferred - Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. ObjectWriter - Uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. BucketOwnerEnforced - Bucket owner automatically owns and has full control over every object in the bucket. ACLs no longer affect permissions to data in the S3 bucket. |
string |
"BucketOwnerPreferred" |
no |
| public_access_config | (Optional) block_public_acls - Whether Amazon S3 should block public ACLs for this bucket. Defaults to false. Enabling this setting does not affect existing policies or ACLs. When set to true causes the following behavior: PUT Bucket acl and PUT Object acl calls will fail if the specified ACL allows public access. PUT Object calls will fail if the request includes an object ACL. block_public_policy - Whether Amazon S3 should block public bucket policies for this bucket. Defaults to false. Enabling this setting does not affect the existing bucket policy. When set to true causes Amazon S3 to: Reject calls to PUT Bucket policy if the specified bucket policy allows public access. ignore_public_acls - Whether Amazon S3 should block public bucket policies for this bucket. Defaults to false. Enabling this setting does not affect the existing bucket policy. When set to true causes Amazon S3 to: Reject calls to PUT Bucket policy if the specified bucket policy allows public access. restrict_public_buckets - Whether Amazon S3 should block public bucket policies for this bucket. Defaults to false. Enabling this setting does not affect the existing bucket policy. When set to true causes Amazon S3 to: Reject calls to PUT Bucket policy if the specified bucket policy allows public access. |
object({ |
{ |
no |
| replication_config | Replication configuration for S3 bucket | object({ |
{ |
no |
| server_side_encryption_config_data | (optional) S3 encryption details | object({ |
{ |
no |
| tags | Tags to assign the resources. | map(string) |
{} |
no |
| transfer_acceleration_enabled | (optional) Whether to enable Trasfer accelaration | bool |
false |
no |
| Name | Description |
|---|---|
| bucket_arn | Bucket ARN |
| bucket_domain_name | Bucket domain Name |
| bucket_id | Bucket ID or Name |
| bucket_regional_domain_name | Bucket regional Domain Name |
| destination_buckets | n/a |
| role_arn | Role used to S3 replication |
- Configure pre-commit hooks
pre-commit install
while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch
For Example
git commit -m "your commit message #major"By specifying this , it will bump the version and if you don't specify this in your commit message then by default it will consider patch and will bump that accordingly
- Tests are available in
testdirectory - Configure the dependencies
cd test/ go mod init github.com/sourcefuse/terraform-aws-refarch-<module_name> go get github.com/gruntwork-io/terratest/modules/terraform
- Now execute the test
go test -timeout 30m
The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.
What you can do with it:
- Discover — search and filter modules by keyword or AWS resource type.
- Understand — get inputs, outputs, and resources for any module without leaving your editor.
- Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
- Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
- Compare — diff modules side-by-side to make informed architectural decisions.
The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:
Claude Code CLI:
claude mcp add arc-iac --transport http https://arc-iac-mcp.sourcef.us/mcpClaude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"arc-iac": {
"url": "https://arc-iac-mcp.sourcef.us/mcp"
}
}
}Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).
- "List all ARC modules sorted by downloads"
- "What inputs does
arc-ecsrequire?" - "Scaffold a production-ready
arc-dbAurora setup with Secrets Manager" - "Compare
arc-eksandarc-ecsfor running 10 microservices" - "Scan this Terraform before I raise a PR:
<paste HCL>"
See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.
See CONTRIBUTING.md for commit conventions and development setup.
This project is authored by:
- SourceFuse ARC Team
