diff --git a/CHANGELOG.md b/CHANGELOG.md
index ad2f24e..c403655 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -61,3 +61,4 @@ Provides standard and t26 S3 bucket construction.
- name_include_region
- name_include_account
- name_include_region_compact
+ - name_enforce_region_compact
diff --git a/common/resources.tf b/common/resources.tf
index 731ddea..e13ce93 100644
--- a/common/resources.tf
+++ b/common/resources.tf
@@ -7,8 +7,8 @@ locals {
b_region_short = format("-%v", local.region_short)
c_name = format("%v%v%v", local.b_name, local.b_account, local.b_region)
b_bucket_name = format("%v%v", local._prefixes["s3"], local.c_name)
- too_long = length(local.b_bucket_name) > 63 && var.name_include_region_compact ? true : false
- name = local.too_long ? format("%v%v%v", local.b_name, local.b_account, local.b_region_short) : local.c_name
+ too_long = length(local.b_bucket_name) > 63 && var.name_include_region && var.name_include_region_compact ? true : false
+ name = local.too_long || var.name_enforce_region_compact ? format("%v%v%v", local.b_name, local.b_account, local.b_region_short) : local.c_name
bucket_name = format("%v%v", local._prefixes["s3"], local.name)
bucket_policy_document = length(var.bucket_policy_document) > 0 ? var.bucket_policy_document : data.aws_iam_policy_document.empty.json
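Review bot: On the new `name` line, `var.name_enforce_region_compact` is not gated on `var.name_include_region`, so setting it alone selects the branch that appends `local.b_region_short`, which is built unconditionally as `format("-%v", local.region_short)`. The bucket would then carry a region suffix although region inclusion is off, contradicting the "Only usable with name_include_region" wording in the variable description. This assumes `local.b_region` is empty in that case; it is defined outside this hunk. Suggest `name = local.too_long || (var.name_include_region && var.name_enforce_region_compact) ? format("%v%v%v", local.b_name, local.b_account, local.b_region_short) : local.c_name`, matching the guard this commit adds to `too_long`. The `locals` block starts and ends outside the hunk.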
diff --git a/common/variables.s3.tf b/common/variables.s3.tf
index 2c7901a..6e243ad 100644
--- a/common/variables.s3.tf
+++ b/common/variables.s3.tf
@@ -86,7 +86,13 @@ variable "name_include_account" {
}
variable "name_include_region_compact" {
- description = "Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters"
+ description = "Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters. Only usable with name_include_region."
type = bool
default = true
}
+
+variable "name_enforce_region_compact" {
+ description = "Flag to determine if we the rewrite the full region name to a shorter region name no matter the lenth of the string. Only usable with name_include_region."
+ type = bool
+ default = false
+}
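Review bot: The description of the new `name_enforce_region_compact` variable misspells "lenth" and repeats the stray "if we the rewrite", and the same text is copied into the input tables of both READMEs. Suggest `description = "Flag to always rewrite the full region name to a shorter region name, no matter the length of the resulting name. Only usable with name_include_region."`, with the same "if we the rewrite" fix on `name_include_region_compact`. The description could also warn that flipping this flag on an already-deployed bucket changes the computed bucket name. Terraform would presumably plan that as a replacement of the bucket, though the resource itself is not visible in this hunk.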
diff --git a/standard/README.md b/standard/README.md
index 46d341e..d9df85e 100644
--- a/standard/README.md
+++ b/standard/README.md
@@ -19,6 +19,10 @@ module "my-bucket" {
## optional
# kms_policy_document = data.aws_iam_policy_document.my-policy.json
# bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
+ # name_include_account = true
+ # name_include_region = true
+ # name_include_region_compact = true
+ # name_enforce_region_compact = false
}
output "my-bucket-info" {
@@ -91,6 +95,25 @@ This will be merged with the default bucket policy which requires TLS and, via o
optionally requires explicit encryption (`require_explicit_encryption` flag, default false)
and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
+# Options
+## Options :: name\_include\_account
+Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default
+is false.
+
+## Options :: name\_include\_region
+Use of this flag as true will include current region after the bucket name (name-REGION). Default
+is false. If used in conjunction with `name_include_account`, the region will be at the end.
+
+## Options :: name\_include\_region\_compact
+This flag determines if we compact the region to a shorter name, and use it if the name with the full
+region is longer than the maximum of 63 characters. It takes the first character of the full region
+name and uses that. For example, `us-gov-west-1` becomes `ugw1`. The default value is true.
+It is still possible to construct a name that is longer than 63 characters and get a failure, even with
+this shorter region value.
+
+## Options :: name\_enforce\_region\_compact
+This flag always compacts the region, no mater whehter the name is longer than 63 characters or not.
+
## Requirements
No requirements.
@@ -150,9 +173,10 @@ No modules.
| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no |
| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
| [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
+| [name\_enforce\_region\_compact](#input\_name\_enforce\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name no matter the lenth of the string. Only usable with name\_include\_region. | `bool` | `false` | no |
| [name\_include\_account](#input\_name\_include\_account) | Flag to determine if we include the AWS Account id in the resulting bucket name | `bool` | `false` | no |
| [name\_include\_region](#input\_name\_include\_region) | Flag to determine if we include the full region name in the resulting bucket name | `bool` | `false` | no |
-| [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters | `bool` | `true` | no |
+| [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters. Only usable with name\_include\_region. | `bool` | `true` | no |
| [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/standard/main.tf b/standard/main.tf
index 2de9d6c..aa99d04 100644
--- a/standard/main.tf
+++ b/standard/main.tf
@@ -20,6 +20,10 @@
* ## optional
* # kms_policy_document = data.aws_iam_policy_document.my-policy.json
* # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
+* # name_include_account = true
+* # name_include_region = true
+* # name_include_region_compact = true
+* # name_enforce_region_compact = false
* }
*
* output "my-bucket-info" {
@@ -91,6 +95,26 @@
* This will be merged with the default bucket policy which requires TLS and, via other settings,
* optionally requires explicit encryption (`require_explicit_encryption` flag, default false)
* and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
+*
+* # Options
+* ## Options :: name_include_account
+* Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default
+* is false.
+*
+* ## Options :: name_include_region
+* Use of this flag as true will include current region after the bucket name (name-REGION). Default
+* is false. If used in conjunction with `name_include_account`, the region will be at the end.
+*
+* ## Options :: name_include_region_compact
+* This flag determines if we compact the region to a shorter name, and use it if the name with the full
+* region is longer than the maximum of 63 characters. It takes the first character of the full region
+* name and uses that. For example, `us-gov-west-1` becomes `ugw1`. The default value is true.
+* It is still possible to construct a name that is longer than 63 characters and get a failure, even with
+* this shorter region value.
+*
+* ## Options :: name_enforce_region_compact
+* This flag always compacts the region, no mater whehter the name is longer than 63 characters or not.
+*
*/
locals {
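Review bot: The added `name_enforce_region_compact` paragraph misspells "no mater whehter" and omits the default and the dependency on `name_include_region` that the variable description states. The same text is repeated in standard/README.md, title26/README.md and title26/main.tf. Suggest `* This flag always compacts the region, no matter whether the name is longer than 63 characters or not. The default value is false. Only usable with name_include_region.` The `name_include_region_compact` paragraph's "takes the first character of the full region name" would read more accurately as the first character of each hyphen-separated part, going by its own `us-gov-west-1` to `ugw1` example. The header comment starts outside this hunk.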
diff --git a/title26/README.md b/title26/README.md
index 2568987..b14b132 100644
--- a/title26/README.md
+++ b/title26/README.md
@@ -20,6 +20,10 @@ module "mybucket" {
## optional
# kms_policy_document = data.aws_iam_policy_document.mypolicy.json
# bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
+ # name_include_account = true
+ # name_include_region = true
+ # name_include_region_compact = true
+ # name_enforce_region_compact = false
}
```
@@ -88,6 +92,25 @@ This will be merged with the default bucket policy which requires TLS and, via o
optionally requires explicit encryption (`require_explicit_encryption` flag, default false)
and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
+# Options
+## Options :: name\_include\_account
+Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default
+is false.
+
+## Options :: name\_include\_region
+Use of this flag as true will include current region after the bucket name (name-REGION). Default
+is false. If used in conjunction with `name_include_account`, the region will be at the end.
+
+## Options :: name\_include\_region\_compact
+This flag determines if we compact the region to a shorter name, and use it if the name with the full
+region is longer than the maximum of 63 characters. It takes the first character of the full region
+name and uses that. For example, `us-gov-west-1` becomes `ugw1`. The default value is true.
+It is still possible to construct a name that is longer than 63 characters and get a failure, even with
+this shorter region value.
+
+## Options :: name\_enforce\_region\_compact
+This flag always compacts the region, no mater whehter the name is longer than 63 characters or not.
+
## Requirements
No requirements.
@@ -147,9 +170,10 @@ No modules.
| [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket). This is currently ignored (and deprecated). | `string` | `null` | no |
| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
| [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here). If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
+| [name\_enforce\_region\_compact](#input\_name\_enforce\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name no matter the lenth of the string. Only usable with name\_include\_region. | `bool` | `false` | no |
| [name\_include\_account](#input\_name\_include\_account) | Flag to determine if we include the AWS Account id in the resulting bucket name | `bool` | `false` | no |
| [name\_include\_region](#input\_name\_include\_region) | Flag to determine if we include the full region name in the resulting bucket name | `bool` | `false` | no |
-| [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters | `bool` | `true` | no |
+| [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters. Only usable with name\_include\_region. | `bool` | `true` | no |
| [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header. Should not normally be needed. | `bool` | `false` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/title26/main.tf b/title26/main.tf
index c734d51..2840f7c 100644
--- a/title26/main.tf
+++ b/title26/main.tf
@@ -21,6 +21,10 @@
* ## optional
* # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
* # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
+* # name_include_account = true
+* # name_include_region = true
+* # name_include_region_compact = true
+* # name_enforce_region_compact = false
* }
* ```
*
@@ -88,6 +92,25 @@
* This will be merged with the default bucket policy which requires TLS and, via other settings,
* optionally requires explicit encryption (`require_explicit_encryption` flag, default false)
* and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
+*
+* # Options
+* ## Options :: name_include_account
+* Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID). Default
+* is false.
+*
+* ## Options :: name_include_region
+* Use of this flag as true will include current region after the bucket name (name-REGION). Default
+* is false. If used in conjunction with `name_include_account`, the region will be at the end.
+*
+* ## Options :: name_include_region_compact
+* This flag determines if we compact the region to a shorter name, and use it if the name with the full
+* region is longer than the maximum of 63 characters. It takes the first character of the full region
+* name and uses that. For example, `us-gov-west-1` becomes `ugw1`. The default value is true.
+* It is still possible to construct a name that is longer than 63 characters and get a failure, even with
+* this shorter region value.
+*
+* ## Options :: name_enforce_region_compact
+* This flag always compacts the region, no mater whehter the name is longer than 63 characters or not.
*/
locals {