Why are versioning and encryption separate resources?

Since AWS provider v4, the monolithic aws_s3_bucket was split into focused resources like aws_s3_bucket_versioning and aws_s3_bucket_server_side_encryption_configuration. This builder uses the modern split layout.

What encryption options are supported?

AES256 uses S3-managed keys (SSE-S3). aws:kms uses AWS KMS keys (SSE-KMS) and lets you supply a KMS key id for tighter control and audit logging.

What does the public access block do?

It sets four flags that prevent the bucket from ever becoming public via ACLs or policies. Enabling it is the recommended default for private data.

How do lifecycle rules work?

A lifecycle rule can expire objects after a set number of days, automatically deleting old data to control storage cost. You set the expiration days in the builder.

Do I need a unique bucket name?

Yes. S3 bucket names are globally unique across all AWS accounts, so pick something namespaced like mycompany-app-prod-assets to avoid conflicts.

Terraform AWS S3 Bucket Config Builder

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Terraform AWS S3 Bucket Config Builder

Terraform lets you define cloud infrastructure as version-controlled code. This builder generates HCL for an AWS S3 bucket using the modern resource layout, where versioning, encryption, public access, and lifecycle are separate resources that all reference the core bucket. It produces a secure-by-default configuration you can drop into a Terraform module.

How it works

The output defines an aws_s3_bucket resource, then attaches companion resources by referencing its id:

aws_s3_bucket_versioning toggles object versioning.
aws_s3_bucket_server_side_encryption_configuration sets the SSE algorithm (AES256 or aws:kms).
aws_s3_bucket_public_access_block sets all four block flags to true.
aws_s3_bucket_lifecycle_configuration expires objects after N days when enabled.

This split layout is required by AWS provider v4 and later, where the single all-in-one aws_s3_bucket block was deprecated.

Tips and example

Run the standard workflow after copying the HCL:

terraform init
terraform plan
terraform apply

Always keep public access blocking on unless you are intentionally hosting a public website. For compliance workloads, prefer aws:kms with a dedicated KMS key so access is logged in CloudTrail. Use lifecycle expiration on log or temp buckets to keep storage costs predictable.