BucketV2

Provides an S3 bucket resource.

This functionality is for managing S3 in an AWS Partition. To manage S3 on Outposts, see the aws.s3control.Bucket resource.

NOTE on S3 Bucket Accelerate Configuration: S3 Bucket Accelerate can be configured in either the standalone resource aws.s3.BucketAccelerateConfigurationV2 or with the deprecated parameter acceleration_status in the resource aws.s3.BucketV2. Configuring with both will cause inconsistencies and may overwrite configuration.

NOTE on S3 Bucket canned ACL Configuration: S3 Bucket canned ACL can be configured in either the standalone resource aws.s3.BucketAclV2 or with the deprecated parameter acl in the resource aws.s3.BucketV2. Configuring with both will cause inconsistencies and may overwrite configuration.

NOTE on S3 Bucket ACL Grants Configuration: S3 Bucket grants can be configured in either the standalone resource aws.s3.BucketAclV2 or with the deprecated parameter grant in the resource aws.s3.BucketV2. Configuring with both will cause inconsistencies and may overwrite configuration.

NOTE on S3 Bucket CORS Configuration: S3 Bucket CORS can be configured in either the standalone resource aws.s3.BucketCorsConfigurationV2 or with the deprecated parameter cors_rule in the resource aws.s3.BucketV2. Configuring with both will cause inconsistencies and may overwrite configuration.

NOTE on S3 Bucket Lifecycle Configuration: S3 Bucket Lifecycle can be configured in either the standalone resource aws.s3.BucketLifecycleConfigurationV2 or with the deprecated parameter lifecycle_rule in the resource aws.s3.BucketV2. Configuring with both will cause inconsistencies and may overwrite configuration.

NOTE on S3 Bucket Logging Configuration: S3 Bucket logging can be configured in either the standalone resource aws.s3.BucketLoggingV2 or with the deprecated parameter logging in the resource aws.s3.BucketV2. Configuring with both will cause inconsistencies and may overwrite configuration.

NOTE on S3 Bucket Object Lock Configuration: S3 Bucket Object Lock can be configured in either the standalone resource aws.s3.BucketObjectLockConfigurationV2 or with the deprecated parameter object_lock_configuration in the resource aws.s3.BucketV2. Configuring with both will cause inconsistencies and may overwrite configuration.

NOTE on S3 Bucket Policy Configuration: S3 Bucket Policy can be configured in either the standalone resource aws.s3.BucketPolicy or with the deprecated parameter policy in the resource aws.s3.BucketV2. Configuring with both will cause inconsistencies and may overwrite configuration.

NOTE on S3 Bucket Replication Configuration: S3 Bucket Replication can be configured in either the standalone resource aws.s3.BucketReplicationConfig or with the deprecated parameter replication_configuration in the resource aws.s3.BucketV2. Configuring with both will cause inconsistencies and may overwrite configuration.

NOTE on S3 Bucket Request Payment Configuration: S3 Bucket Request Payment can be configured in either the standalone resource aws.s3.BucketRequestPaymentConfigurationV2 or with the deprecated parameter request_payer in the resource aws.s3.BucketV2. Configuring with both will cause inconsistencies and may overwrite configuration.

NOTE on S3 Bucket Server Side Encryption Configuration: S3 Bucket Server Side Encryption can be configured in either the standalone resource aws.s3.BucketServerSideEncryptionConfigurationV2 or with the deprecated parameter server_side_encryption_configuration in the resource aws.s3.BucketV2. Configuring with both will cause inconsistencies and may overwrite configuration.

NOTE on S3 Bucket Versioning Configuration: S3 Bucket versioning can be configured in either the standalone resource aws.s3.BucketVersioningV2 or with the deprecated parameter versioning in the resource aws.s3.BucketV2. Configuring with both will cause inconsistencies and may overwrite configuration.

NOTE on S3 Bucket Website Configuration: S3 Bucket Website can be configured in either the standalone resource aws.s3.BucketWebsiteConfigurationV2 or with the deprecated parameter website in the resource aws.s3.BucketV2. Configuring with both will cause inconsistencies and may overwrite configuration.
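
The double-configuration problem described in these notes can be detected before it overwrites a bucket's ACL, policy or encryption settings. The following Python check is an added example, not part of the provider's documentation: it scans a resource list for buckets that set a deprecated inline parameter while a standalone resource manages the same setting. The camelCase input keys, the type tokens other than aws:s3/bucketV2:BucketV2, and the simplified state layout are assumptions, and the sample data is constructed.

```python
import json

# Deprecated BucketV2 input -> standalone resource class, per the NOTEs above.
# The camelCase input keys are an assumption about how exported state names them.
DEPRECATED_TO_STANDALONE = {
    "accelerationStatus": "BucketAccelerateConfigurationV2",
    "acl": "BucketAclV2",
    "grants": "BucketAclV2",
    "corsRules": "BucketCorsConfigurationV2",
    "lifecycleRules": "BucketLifecycleConfigurationV2",
    "loggings": "BucketLoggingV2",
    "objectLockConfiguration": "BucketObjectLockConfigurationV2",
    "policy": "BucketPolicy",
    "replicationConfigurations": "BucketReplicationConfig",
    "requestPayer": "BucketRequestPaymentConfigurationV2",
    "serverSideEncryptionConfigurations": "BucketServerSideEncryptionConfigurationV2",
    "versionings": "BucketVersioningV2",
    "websites": "BucketWebsiteConfigurationV2",
}

# Constructed sample: a simplified resource list shaped like the "resources"
# array of a stack export (type tokens other than BucketV2's are assumed).
SAMPLE_STATE = json.loads("""
{"resources": [
  {"type": "aws:s3/bucketV2:BucketV2", "outputs": {"bucket": "app-logs"},
   "inputs": {"bucket": "app-logs", "acl": "private", "versionings": [{"enabled": true}]}},
  {"type": "aws:s3/bucketAclV2:BucketAclV2",
   "inputs": {"bucket": "app-logs", "acl": "public-read"}},
  {"type": "aws:s3/bucketV2:BucketV2", "outputs": {"bucket": "app-data"},
   "inputs": {"bucket": "app-data"}},
  {"type": "aws:s3/bucketVersioningV2:BucketVersioningV2",
   "inputs": {"bucket": "app-data", "versioningConfiguration": {"status": "Enabled"}}}
]}
""")

def class_name(type_token):
    """'aws:s3/bucketAclV2:BucketAclV2' -> 'BucketAclV2'."""
    return type_token.rsplit(":", 1)[-1]

def is_set(value):
    # None, empty string, empty list and empty dict all mean "not configured".
    return value not in (None, "", [], {})

def find_conflicts(resources):
    """Return sorted (bucket, deprecated_input, standalone_class) tuples for each
    setting configured both inline on a BucketV2 and by a standalone resource."""
    standalone_classes = set(DEPRECATED_TO_STANDALONE.values())
    attached = {}  # bucket name -> standalone classes that target it
    for res in resources:
        cls = class_name(res["type"])
        target = res.get("inputs", {}).get("bucket")
        if cls in standalone_classes and target:
            attached.setdefault(target, set()).add(cls)
    conflicts = []
    for res in resources:
        if class_name(res["type"]) != "BucketV2":
            continue
        inputs = res.get("inputs", {})
        # Prefer the provider-assigned name; the bucket input may be omitted.
        name = res.get("outputs", {}).get("bucket") or inputs.get("bucket")
        for key, cls in DEPRECATED_TO_STANDALONE.items():
            if cls in attached.get(name, set()) and is_set(inputs.get(key)):
                conflicts.append((name, key, cls))
    return sorted(conflicts)

if __name__ == "__main__":
    for bucket, key, cls in find_conflicts(SAMPLE_STATE["resources"]):
        print(f"{bucket}: inline '{key}' is also managed by {cls}")
```

In the sample, app-logs is flagged because its inline acl of private competes with a standalone BucketAclV2 that sets public-read; inline-only and standalone-only settings are not reported.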

Example Usage

Private Bucket w/ Tags

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.s3.BucketAclV2;
import com.pulumi.aws.s3.BucketAclV2Args;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var bucketV2 = new BucketV2("bucketV2", BucketV2Args.builder()
            .tags(Map.ofEntries(
                Map.entry("Name", "My bucket"),
                Map.entry("Environment", "Dev")
            ))
            .build());
        var example = new BucketAclV2("example", BucketAclV2Args.builder()
            .bucket(bucketV2.id())
            .acl("private")
            .build());
    }
}

Static Website Hosting

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.s3.inputs.BucketV2WebsiteArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    // Files.readString throws a checked IOException, which the stack callback cannot propagate.
    private static String readPolicy() {
        try {
            return Files.readString(Paths.get("policy.json"));
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public static void stack(Context ctx) {
        var bucketV2 = new BucketV2("bucketV2", BucketV2Args.builder()
            .acl("public-read")
            .policy(readPolicy())
            .websites(BucketV2WebsiteArgs.builder()
                .indexDocument("index.html")
                .errorDocument("error.html")
                .routingRules("""
                    [{
                        "Condition": {
                            "KeyPrefixEquals": "docs/"
                        },
                        "Redirect": {
                            "ReplaceKeyPrefixWith": "documents/"
                        }
                    }]
                    """)
                .build())
            .build());
    }
}

Using CORS

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.s3.inputs.BucketV2CorsRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var bucketV2 = new BucketV2("bucketV2", BucketV2Args.builder()
            .acl("public-read")
            .corsRules(BucketV2CorsRuleArgs.builder()
                .allowedHeaders("*")
                .allowedMethods(
                    "PUT",
                    "POST")
                .allowedOrigins("https://s3-website-test.domain.example")
                .exposeHeaders("ETag")
                .maxAgeSeconds(3000)
                .build())
            .build());
    }
}

Using versioning

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.s3.inputs.BucketV2VersioningArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var bucketV2 = new BucketV2("bucketV2", BucketV2Args.builder()
            .acl("private")
            .versionings(BucketV2VersioningArgs.builder()
                .enabled(true)
                .build())
            .build());
    }
}

Enable Logging

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.s3.inputs.BucketV2LoggingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var logBucket = new BucketV2("logBucket", BucketV2Args.builder()
            .acl("log-delivery-write")
            .build());
        var bucketV2 = new BucketV2("bucketV2", BucketV2Args.builder()
            .acl("private")
            .loggings(BucketV2LoggingArgs.builder()
                .targetBucket(logBucket.id())
                .targetPrefix("log/")
                .build())
            .build());
    }
}

Using object lifecycle

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.s3.inputs.BucketV2LifecycleRuleArgs;
import com.pulumi.aws.s3.inputs.BucketV2LifecycleRuleExpirationArgs;
import com.pulumi.aws.s3.inputs.BucketV2LifecycleRuleTransitionArgs;
import com.pulumi.aws.s3.inputs.BucketV2LifecycleRuleNoncurrentVersionExpirationArgs;
import com.pulumi.aws.s3.inputs.BucketV2LifecycleRuleNoncurrentVersionTransitionArgs;
import com.pulumi.aws.s3.inputs.BucketV2VersioningArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Objects under log/ move to cheaper storage classes and expire after 90 days;
        // objects under tmp/ expire on a fixed date.
        var bucket = new BucketV2("bucket", BucketV2Args.builder()
            .acl("private")
            .lifecycleRules(
                BucketV2LifecycleRuleArgs.builder()
                    .enabled(true)
                    .expirations(BucketV2LifecycleRuleExpirationArgs.builder()
                        .days(90)
                        .build())
                    .id("log")
                    .prefix("log/")
                    .tags(Map.ofEntries(
                        Map.entry("autoclean", "true"),
                        Map.entry("rule", "log")
                    ))
                    .transitions(
                        BucketV2LifecycleRuleTransitionArgs.builder()
                            .days(30)
                            .storageClass("STANDARD_IA")
                            .build(),
                        BucketV2LifecycleRuleTransitionArgs.builder()
                            .days(60)
                            .storageClass("GLACIER")
                            .build())
                    .build(),
                BucketV2LifecycleRuleArgs.builder()
                    .enabled(true)
                    .expirations(BucketV2LifecycleRuleExpirationArgs.builder()
                        .date("2016-01-12")
                        .build())
                    .id("tmp")
                    .prefix("tmp/")
                    .build())
            .build());
        // On a versioned bucket, the rule applies to noncurrent object versions under config/.
        var versioningBucket = new BucketV2("versioningBucket", BucketV2Args.builder()
            .acl("private")
            .lifecycleRules(BucketV2LifecycleRuleArgs.builder()
                .enabled(true)
                .noncurrentVersionExpirations(BucketV2LifecycleRuleNoncurrentVersionExpirationArgs.builder()
                    .days(90)
                    .build())
                .noncurrentVersionTransitions(
                    BucketV2LifecycleRuleNoncurrentVersionTransitionArgs.builder()
                        .days(30)
                        .storageClass("STANDARD_IA")
                        .build(),
                    BucketV2LifecycleRuleNoncurrentVersionTransitionArgs.builder()
                        .days(60)
                        .storageClass("GLACIER")
                        .build())
                .prefix("config/")
                .build())
            .versionings(BucketV2VersioningArgs.builder()
                .enabled(true)
                .build())
            .build());
    }
}

Using object lock configuration

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.s3.inputs.BucketV2ObjectLockConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new BucketV2("example", BucketV2Args.builder()
            .objectLockConfiguration(BucketV2ObjectLockConfigurationArgs.builder()
                .objectLockEnabled("Enabled")
                // The rule argument is missing here: the generated example failed to render its value.
                .build())
            .build());
    }
}

Using replication configuration

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.Provider;
import com.pulumi.aws.ProviderArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.s3.inputs.BucketV2VersioningArgs;
import com.pulumi.aws.s3.inputs.BucketV2ReplicationConfigurationArgs;
import com.pulumi.aws.s3.inputs.BucketV2ReplicationConfigurationRuleArgs;
import com.pulumi.aws.s3.inputs.BucketV2ReplicationConfigurationRuleFilterArgs;
import com.pulumi.aws.s3.inputs.BucketV2ReplicationConfigurationRuleDestinationArgs;
import com.pulumi.aws.s3.inputs.BucketV2ReplicationConfigurationRuleDestinationReplicationTimeArgs;
import com.pulumi.aws.s3.inputs.BucketV2ReplicationConfigurationRuleDestinationMetricArgs;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import com.pulumi.aws.iam.RolePolicyAttachment;
import com.pulumi.aws.iam.RolePolicyAttachmentArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var central = new Provider("central", ProviderArgs.builder()
            .region("eu-central-1")
            .build());
        // Role that the S3 service assumes to replicate objects.
        var replicationRole = new Role("replicationRole", RoleArgs.builder()
            .assumeRolePolicy("""
                {
                  "Version": "2012-10-17",
                  "Statement": [
                    {
                      "Action": "sts:AssumeRole",
                      "Principal": {
                        "Service": "s3.amazonaws.com"
                      },
                      "Effect": "Allow",
                      "Sid": ""
                    }
                  ]
                }
                """)
            .build());
        var destination = new BucketV2("destination", BucketV2Args.builder()
            .versionings(BucketV2VersioningArgs.builder()
                .enabled(true)
                .build())
            .build());
        var source = new BucketV2("source", BucketV2Args.builder()
            .acl("private")
            .versionings(BucketV2VersioningArgs.builder()
                .enabled(true)
                .build())
            .replicationConfigurations(BucketV2ReplicationConfigurationArgs.builder()
                .role(replicationRole.arn())
                .rules(BucketV2ReplicationConfigurationRuleArgs.builder()
                    .id("foobar")
                    .status("Enabled")
                    .filters(BucketV2ReplicationConfigurationRuleFilterArgs.builder()
                        .tags(Map.of())
                        .build())
                    .destinations(BucketV2ReplicationConfigurationRuleDestinationArgs.builder()
                        .bucket(destination.arn())
                        .storageClass("STANDARD")
                        .replicationTimes(BucketV2ReplicationConfigurationRuleDestinationReplicationTimeArgs.builder()
                            .status("Enabled")
                            .minutes(15)
                            .build())
                        .metrics(BucketV2ReplicationConfigurationRuleDestinationMetricArgs.builder()
                            .status("Enabled")
                            .minutes(15)
                            .build())
                        .build())
                    .build())
                .build())
            .build(), CustomResourceOptions.builder()
                .provider(central)
                .build());
        // The policy grants read access on the source bucket and replicate access on the destination only.
        var replicationPolicy = new Policy("replicationPolicy", PolicyArgs.builder()
            .policy(Output.tuple(source.arn(), source.arn(), destination.arn()).applyValue(values -> {
                var sourceArn = values.t1;
                var sourceArn1 = values.t2;
                var destinationArn = values.t3;
                return """
                    {
                      "Version": "2012-10-17",
                      "Statement": [
                        {
                          "Action": [
                            "s3:GetReplicationConfiguration",
                            "s3:ListBucket"
                          ],
                          "Effect": "Allow",
                          "Resource": [
                            "%s"
                          ]
                        },
                        {
                          "Action": [
                            "s3:GetObjectVersionForReplication",
                            "s3:GetObjectVersionAcl",
                            "s3:GetObjectVersionTagging"
                          ],
                          "Effect": "Allow",
                          "Resource": [
                            "%s/*"
                          ]
                        },
                        {
                          "Action": [
                            "s3:ReplicateObject",
                            "s3:ReplicateDelete",
                            "s3:ReplicateTags"
                          ],
                          "Effect": "Allow",
                          "Resource": "%s/*"
                        }
                      ]
                    }
                    """.formatted(sourceArn, sourceArn1, destinationArn);
            }))
            .build());
        var replicationRolePolicyAttachment = new RolePolicyAttachment("replicationRolePolicyAttachment", RolePolicyAttachmentArgs.builder()
            .role(replicationRole.name())
            .policyArn(replicationPolicy.arn())
            .build());
    }
}

Enable SSE-KMS Server Side Encryption

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.s3.inputs.BucketV2ServerSideEncryptionConfigurationArgs;
import com.pulumi.aws.s3.inputs.BucketV2ServerSideEncryptionConfigurationRuleArgs;
import com.pulumi.aws.s3.inputs.BucketV2ServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefaultArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var mykey = new Key("mykey", KeyArgs.builder()
            .description("This key is used to encrypt bucket objects")
            .deletionWindowInDays(10)
            .build());
        // Default encryption for new objects: SSE-KMS with the key created above.
        var mybucket = new BucketV2("mybucket", BucketV2Args.builder()
            .serverSideEncryptionConfigurations(BucketV2ServerSideEncryptionConfigurationArgs.builder()
                .rules(BucketV2ServerSideEncryptionConfigurationRuleArgs.builder()
                    .applyServerSideEncryptionByDefaults(BucketV2ServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefaultArgs.builder()
                        .kmsMasterKeyId(mykey.arn())
                        .sseAlgorithm("aws:kms")
                        .build())
                    .build())
                .build())
            .build());
    }
}

Using ACL policy grants

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.s3.inputs.BucketV2GrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var currentUser = S3Functions.getCanonicalUserId();
        var bucket = new BucketV2("bucket", BucketV2Args.builder()
            .grants(
                BucketV2GrantArgs.builder()
                    .id(currentUser.applyValue(getCanonicalUserIdResult -> getCanonicalUserIdResult.id()))
                    .type("CanonicalUser")
                    .permissions("FULL_CONTROL")
                    .build(),
                BucketV2GrantArgs.builder()
                    .type("Group")
                    .permissions(
                        "READ_ACP",
                        "WRITE")
                    .uri("http://acs.amazonaws.com/groups/s3/LogDelivery")
                    .build())
            .build());
    }
}

Import

An S3 bucket can be imported using the bucket, e.g.,

$ pulumi import aws:s3/bucketV2:BucketV2 bucket bucket-name

Properties

Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. Cannot be used in cn-north-1 or us-gov-west-1. This provider will only perform drift detection if a configuration value is provided. Use the resource aws.s3.BucketAccelerateConfigurationV2 instead.

val acl: Output<String>

The canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, and log-delivery-write. Defaults to private. Conflicts with grant. The provider will only perform drift detection if a configuration value is provided. Use the resource aws.s3.BucketAclV2 instead.

val arn: Output<String>

The ARN of the bucket. Will be of format arn:aws:s3:::bucketname.

val bucket: Output<String>

The name of the bucket. If omitted, this provider will assign a random, unique name. Must be lowercase and less than or equal to 63 characters in length. A full list of bucket naming rules may be found here.

The bucket domain name. Will be of format bucketname.s3.amazonaws.com.

val bucketPrefix: Output<String>?

Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. Must be lowercase and less than or equal to 37 characters in length. A full list of bucket naming rules may be found here.

The bucket region-specific domain name, that is, the bucket domain name including the region name; please refer here for format. Note: AWS CloudFront allows specifying an S3 region-specific endpoint when creating an S3 origin, which prevents redirect issues from CloudFront to the S3 origin URL.

A rule of Cross-Origin Resource Sharing. See CORS rule below for details. This provider will only perform drift detection if a configuration value is provided. Use the resource aws.s3.BucketCorsConfigurationV2 instead.

val forceDestroy: Output<Boolean>?

A boolean that indicates all objects (including any locked objects) should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. These objects are not recoverable. This only deletes objects when the bucket is destroyed, not when setting this parameter to true.

val grants: Output<List<BucketV2Grant>>

An ACL policy grant. See Grant below for details. Conflicts with acl. The provider will only perform drift detection if a configuration value is provided. Use the resource aws.s3.BucketAclV2 instead.

val hostedZoneId: Output<String>

The Route 53 Hosted Zone ID for this bucket's region.

val id: Output<String>

A configuration of object lifecycle management. See Lifecycle Rule below for details. The provider will only perform drift detection if a configuration value is provided. Use the resource aws.s3.BucketLifecycleConfigurationV2 instead.

A configuration of S3 bucket logging parameters. See Logging below for details. The provider will only perform drift detection if a configuration value is provided. Use the resource aws.s3.BucketLoggingV2 instead.

A configuration of S3 object locking. See Object Lock Configuration below for details. The provider will only perform drift detection if a configuration value is provided. Use the object_lock_enabled parameter and the resource aws.s3.BucketObjectLockConfigurationV2 instead.

Indicates whether this bucket has an Object Lock configuration enabled. Valid values are true or false. This argument is not supported in all regions or partitions.

val policy: Output<String>

A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), the provider may view the policy as constantly changing in a preview. In this case, please make sure you use the verbose/specific version of the policy. The provider will only perform drift detection if a configuration value is provided. Use the resource aws.s3.BucketPolicy instead.

val region: Output<String>

The AWS region this bucket resides in.

The replication configuration. See Replication Configuration below for details. The provider will only perform drift detection if a configuration value is provided. Use the resource aws.s3.BucketReplicationConfig instead.

val requestPayer: Output<String>

Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. The provider will only perform drift detection if a configuration value is provided. Use the resource aws.s3.BucketRequestPaymentConfigurationV2 instead.

The server-side encryption configuration. See Server Side Encryption Configuration below for details. The provider will only perform drift detection if a configuration value is provided. Use the resource aws.s3.BucketServerSideEncryptionConfigurationV2 instead.

val tags: Output<Map<String, String>>?

A map of tags to assign to the bucket. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

val tagsAll: Output<Map<String, String>>

A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

val urn: Output<String>

A configuration of the S3 bucket versioning state. See Versioning below for details. This provider will only perform drift detection if a configuration value is provided. Use the resource aws.s3.BucketVersioningV2 instead.

val websiteDomain: Output<String>

(Deprecated) The domain of the website endpoint, if the bucket is configured with a website. If not, this will be an empty string. This is used to create Route 53 alias records. Use the resource aws.s3.BucketWebsiteConfigurationV2 instead.

val websiteEndpoint: Output<String>

(Deprecated) The website endpoint, if the bucket is configured with a website. If not, this will be an empty string. Use the resource aws.s3.BucketWebsiteConfigurationV2 instead.

A configuration of the S3 bucket website. See Website below for details. The provider will only perform drift detection if a configuration value is provided. Use the resource aws.s3.BucketWebsiteConfigurationV2 instead.