
Resource: awsS3BucketObjectLockConfiguration

Provides an S3 bucket Object Lock configuration resource. For more information about Object Locking, go to Using S3 Object Lock in the Amazon S3 User Guide.

~> NOTE: This resource does not enable Object Lock for new buckets. It configures a default retention period for objects placed in the specified bucket. Thus, to enable Object Lock for a new bucket, see the Using object lock configuration section in the awsS3Bucket resource or the Object Lock configuration for a new bucket example below. If you want to enable Object Lock for an existing bucket, contact AWS Support and see the Object Lock configuration for an existing bucket example below.

Example Usage

Object Lock configuration for a new bucket

```typescript
/* Provider bindings are generated by running `cdktf get`.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

// A new bucket: Object Lock must be enabled on the bucket itself at creation time.
const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example", {
  bucket: "mybucket",
  objectLockEnabled: true,
});

// The default retention applied to every new object placed in the bucket.
const awsS3BucketObjectLockConfigurationExample =
  new aws.s3BucketObjectLockConfiguration.S3BucketObjectLockConfigurationA(
    this,
    "example_1",
    {
      bucket: awsS3BucketExample.id,
      rule: {
        defaultRetention: {
          days: 5,
          mode: "COMPLIANCE",
        },
      },
    }
  );
/* This allows the Terraform resource name to match the original name.
   You can remove the call if you don't need them to match. */
awsS3BucketObjectLockConfigurationExample.overrideLogicalId("example");
```

Object Lock configuration for an existing bucket

This is a multistep process that requires AWS Support intervention.

  1. Enable versioning on your S3 bucket, if you have not already done so. Doing so will generate an "Object Lock token" in the back-end.

```typescript
/* Provider bindings are generated by running `cdktf get`.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

const awsS3BucketExample = new aws.s3Bucket.S3Bucket(this, "example", {
  bucket: "mybucket",
});

// Versioning is a prerequisite for Object Lock on an existing bucket.
const awsS3BucketVersioningExample =
  new aws.s3BucketVersioning.S3BucketVersioningA(this, "example_1", {
    bucket: awsS3BucketExample.id,
    versioningConfiguration: {
      status: "Enabled",
    },
  });
/* This allows the Terraform resource name to match the original name.
   You can remove the call if you don't need them to match. */
awsS3BucketVersioningExample.overrideLogicalId("example");
```
  2. Contact AWS Support to provide you with the "Object Lock token" for the specified bucket and use the token (or token ID) within your new awsS3BucketObjectLockConfiguration resource. Notice the objectLockEnabled argument does not need to be specified as it defaults to enabled.

```typescript
/* Provider bindings are generated by running `cdktf get`.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

new aws.s3BucketObjectLockConfiguration.S3BucketObjectLockConfigurationA(
  this,
  "example",
  {
    // Raw Terraform reference to the bucket created in step 1; it assumes a
    // resource named "example" of type aws_s3_bucket exists in this stack.
    bucket: "${aws_s3_bucket.example.id}",
    rule: {
      defaultRetention: {
        days: 5,
        mode: "COMPLIANCE",
      },
    },
    // Token supplied by AWS Support for this specific bucket (sample value).
    token:
      "NG2MKsfoLqV3A+aquXneSG4LOu/ekrlXkRXwIPFVfERT7XOPos+/k444d7RIH0E3W3p5QU6ml2exS2F/eYCFmMWHJ3hFZGk6al1sIJkmNhUMYmsv0jYVQyTTZNLM+DnfooA6SATt39mM1VW1yJh4E+XljMlWzaBwHKbss3/EjlGDjOmVhaSs4Z6427mMCaFD0RLwsYY7zX49gEc31YfOMJGxbXCXSeyNwAhhM/A8UH7gQf38RmjHjjAFbbbLtl8arsxTPW8F1IYohqwmKIr9DnotLLj8Tg44U2SPwujVaqmlKKP9s41rfgb4UbIm7khSafDBng0LGfxC4pMlT9Ny2w==",
  }
);
```
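After either example has been deployed, it is worth confirming that the live bucket actually carries the intended lock, since this resource only sets a default and versioning is a hard prerequisite. The audit function below is an added example, not part of the provider documentation; it evaluates the JSON returned by `aws s3api get-object-lock-configuration` and `aws s3api get-bucket-versioning` (real commands, field names as in the S3 API) and reports deviations from a COMPLIANCE default of at least `minDays`. The sample responses are constructed.

```typescript
// Added example: audit a bucket's Object Lock state from the two S3 API
// responses. Sample inputs are constructed; field names follow the S3 API.
type RetentionMode = "COMPLIANCE" | "GOVERNANCE";

interface ObjectLockResponse {
  ObjectLockConfiguration?: {
    ObjectLockEnabled?: "Enabled";
    Rule?: { DefaultRetention?: { Mode?: RetentionMode; Days?: number; Years?: number } };
  };
}

interface VersioningResponse {
  Status?: "Enabled" | "Suspended";
}

// Returns findings; an empty list means versioning is on, Object Lock is on,
// and the default retention is COMPLIANCE for at least minDays.
function auditObjectLock(lock: ObjectLockResponse, versioning: VersioningResponse, minDays = 5): string[] {
  const findings: string[] = [];
  if (versioning.Status !== "Enabled") {
    findings.push("versioning is not Enabled; Object Lock requires versioning");
  }
  const cfg = lock.ObjectLockConfiguration;
  if (cfg?.ObjectLockEnabled !== "Enabled") {
    findings.push("Object Lock is not enabled on the bucket");
    return findings; // nothing further to inspect
  }
  const ret = cfg.Rule?.DefaultRetention;
  if (!ret) {
    findings.push("no default retention rule: new objects are unlocked unless set per object");
    return findings;
  }
  if (ret.Mode === "GOVERNANCE") {
    findings.push("default mode is GOVERNANCE: s3:BypassGovernanceRetention can override it");
  }
  // The API sets exactly one of Days/Years; normalise to days for comparison.
  const days = ret.Days ?? (ret.Years !== undefined ? ret.Years * 365 : 0);
  if (days < minDays) {
    findings.push(`default retention of ${days} day(s) is below the required ${minDays}`);
  }
  return findings;
}

// Constructed sample: what the "new bucket" example above should produce.
const SAMPLE_LOCK: ObjectLockResponse = {
  ObjectLockConfiguration: {
    ObjectLockEnabled: "Enabled",
    Rule: { DefaultRetention: { Mode: "COMPLIANCE", Days: 5 } },
  },
};
const SAMPLE_VERSIONING: VersioningResponse = { Status: "Enabled" };
```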

Argument Reference

The following arguments are supported:

  • bucket - (Required, Forces new resource) Name of the bucket.
  • expectedBucketOwner - (Optional, Forces new resource) Account ID of the expected bucket owner.
  • objectLockEnabled - (Optional, Forces new resource) Indicates whether this bucket has an Object Lock configuration enabled. Defaults to Enabled. Valid values: Enabled.
  • rule - (Optional) Configuration block for specifying the Object Lock rule for the specified object. See below.
  • token - (Optional) Token to allow Object Lock to be enabled for an existing bucket. You must contact AWS Support for the bucket's "Object Lock token". The token is generated in the back-end when versioning is enabled on a bucket. For more details on versioning, see the awsS3BucketVersioning resource.

rule

The rule configuration block supports the following arguments:

  • defaultRetention - (Required) Configuration block for specifying the default Object Lock retention settings for new objects placed in the specified bucket. See below.

defaultRetention

The defaultRetention configuration block supports the following arguments:

  • days - (Optional, Required if years is not specified) Number of days that you want to specify for the default retention period.
  • mode - (Required) Default Object Lock retention mode you want to apply to new objects placed in the specified bucket. Valid values: COMPLIANCE, GOVERNANCE.
  • years - (Optional, Required if days is not specified) Number of years that you want to specify for the default retention period.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The bucket or bucket and expectedBucketOwner separated by a comma (,) if the latter is provided.

Import

S3 bucket Object Lock configuration can be imported in one of two ways.

If the owner (account ID) of the source bucket is the same account used to configure the Terraform AWS Provider, the S3 bucket Object Lock configuration resource should be imported using the bucket, e.g.,

```shell
$ terraform import aws_s3_bucket_object_lock_configuration.example bucket-name
```

If the owner (account ID) of the source bucket differs from the account used to configure the Terraform AWS Provider, the S3 bucket Object Lock configuration resource should be imported using the bucket and expectedBucketOwner separated by a comma (,), e.g.,

```shell
$ terraform import aws_s3_bucket_object_lock_configuration.example bucket-name,123456789012
```