add variables for including account, region, and compacting region name

CHANGELOG.md

@@ -56,4 +56,9 @@ Provides standard and t26 S3 bucket construction.
   - pin aws provider to < 4.0
   - add bucket_key_enabled (for S3 bucket keys; https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)
 
-
+* 2.4.2 -- 2022-02-24
+  - add variables for controlling region, account, and compacting region if name > 63
+    - name_include_region
+    - name_include_account
+    - name_include_region_compact
+    - name_enforce_region_compact

common/resources.tf

@@ -1,7 +1,15 @@
 locals {
+  region_short           = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
   base_name              = var.bucket_name
-  name                   = replace(var.bucket_name, local._prefixes["s3"], "")
-  bucket_name            = format("%s%s", local._prefixes["s3"], local.name)
+  b_name                 = replace(var.bucket_name, local._prefixes["s3"], "")
+  b_account              = var.name_include_account ? format("-%v", local.account_id) : ""
+  b_region               = var.name_include_region ? format("-%v", local.region) : ""
+  b_region_short         = format("-%v", local.region_short)
+  c_name                 = format("%v%v%v", local.b_name, local.b_account, local.b_region)
+  b_bucket_name          = format("%v%v", local._prefixes["s3"], local.c_name)
+  too_long               = length(local.b_bucket_name) > 63 && var.name_include_region && var.name_include_region_compact ? true : false
+  name                   = local.too_long || var.name_enforce_region_compact ? format("%v%v%v", local.b_name, local.b_account, local.b_region_short) : local.c_name
+  bucket_name            = format("%v%v", local._prefixes["s3"], local.name)
   bucket_policy_document = length(var.bucket_policy_document) > 0 ? var.bucket_policy_document : data.aws_iam_policy_document.empty.json
 
   #  kms_key_arn  = aws_kms_key.key.arn
@@ -215,3 +223,10 @@ resource "aws_s3_bucket_ownership_controls" "this" {
     object_ownership = var.bucket_owner
   }
 }
+
+resource "null_resource" "name_too_long" {
+  count = local.too_long ? 1 : 0
+  provisioner "local-exec" {
+    command = "echo 'The resultant name ${local.b_bucket_name} > 63, shortening to ${local.bucket_name}'"
+  }
+}

common/variables.s3.tf

@@ -72,3 +72,27 @@ variable "bucket_key_enabled" {
   type        = bool
   default     = false
 }
+
+variable "name_include_region" {
+  description = "Flag to determine if we include the full region name in the resulting bucket name"
+  type        = bool
+  default     = false
+}
+
+variable "name_include_account" {
+  description = "Flag to determine if we include the AWS Account id in the resulting bucket name"
+  type        = bool
+  default     = false
+}
+
+variable "name_include_region_compact" {
+  description = "Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters.  Only usable with name_include_region."
+  type        = bool
+  default     = true
+}
+
+variable "name_enforce_region_compact" {
+  description = "Flag to determine if we the rewrite the full region name to a shorter region name no matter the lenth of the string. Only usable with name_include_region."
+  type        = bool
+  default     = false
+}

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "2.3.1"
+  _module_version = "2.4.2"
 }

standard/README.md

@@ -19,6 +19,10 @@ module "my-bucket" {
   ## optional
   # kms_policy_document = data.aws_iam_policy_document.my-policy.json
   # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
+  # name_include_account   = true
+  # name_include_region    = true
+  # name_include_region_compact = true
+  # name_enforce_region_compact = false
 }
 
 output "my-bucket-info" {
@@ -91,6 +95,25 @@ This will be merged with the default bucket policy which requires TLS and, via o
 optionally requires explicit encryption (`require_explicit_encryption` flag, default false)
 and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
 
+# Options
+## Options :: name\_include\_account
+Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID).  Default
+is false.
+
+## Options :: name\_include\_region
+Use of this flag as true will include current region after the bucket name (name-REGION).  Default
+is false.  If used in conjunction with `name_include_account`, the region will be at the end.
+
+## Options :: name\_include\_region\_compact
+This flag determines if we compact the region to a shorter name, and use it if the name with the full
+region is longer than the maximum of 63 characters.  It takes the first character of the full region
+name and uses that. For example, `us-gov-west-1` becomes `ugw1`.  The default value is true.
+It is still possible to construct a name that is longer than 63 characters and get a failure, even with
+this shorter region value.
+
+## Options :: name\_enforce\_region\_compact
+This flag always compacts the region, no mater whehter the name is longer than 63 characters or not.
+
 ## Requirements
 
 No requirements.
@@ -117,6 +140,7 @@ No modules.
 | [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [null_resource.name_too_long](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -149,6 +173,10 @@ No modules.
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket).  This is currently ignored (and deprecated). | `string` | `null` | no |
 | <a name="input_kms_policy_document"></a> [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
 | <a name="input_metadata_tags"></a> [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here).  If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
+| <a name="input_name_enforce_region_compact"></a> [name\_enforce\_region\_compact](#input\_name\_enforce\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name no matter the lenth of the string. Only usable with name\_include\_region. | `bool` | `false` | no |
+| <a name="input_name_include_account"></a> [name\_include\_account](#input\_name\_include\_account) | Flag to determine if we include the AWS Account id in the resulting bucket name | `bool` | `false` | no |
+| <a name="input_name_include_region"></a> [name\_include\_region](#input\_name\_include\_region) | Flag to determine if we include the full region name in the resulting bucket name | `bool` | `false` | no |
+| <a name="input_name_include_region_compact"></a> [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters.  Only usable with name\_include\_region. | `bool` | `true` | no |
 | <a name="input_require_explicit_encryption"></a> [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header.  Should not normally be needed. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 

standard/main.tf

@@ -20,6 +20,10 @@
 *   ## optional
 *   # kms_policy_document = data.aws_iam_policy_document.my-policy.json
 *   # bucket_policy_document = data.aws_iam_policy_document.my-bucketpolicy.json
+*   # name_include_account   = true
+*   # name_include_region    = true
+*   # name_include_region_compact = true
+*   # name_enforce_region_compact = false
 * }
 * 
 * output "my-bucket-info" {
@@ -91,6 +95,26 @@
 * This will be merged with the default bucket policy which requires TLS and, via other settings,
 * optionally requires explicit encryption (`require_explicit_encryption` flag, default false)
 * and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
+*
+* # Options
+* ## Options :: name_include_account
+* Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID).  Default
+* is false.
+*
+* ## Options :: name_include_region
+* Use of this flag as true will include current region after the bucket name (name-REGION).  Default
+* is false.  If used in conjunction with `name_include_account`, the region will be at the end.
+*
+* ## Options :: name_include_region_compact
+* This flag determines if we compact the region to a shorter name, and use it if the name with the full
+* region is longer than the maximum of 63 characters.  It takes the first character of the full region
+* name and uses that. For example, `us-gov-west-1` becomes `ugw1`.  The default value is true.
+* It is still possible to construct a name that is longer than 63 characters and get a failure, even with
+* this shorter region value.
+*
+* ## Options :: name_enforce_region_compact
+* This flag always compacts the region, no mater whehter the name is longer than 63 characters or not.
+*
 */
 
 locals {

title26/README.md

@@ -20,6 +20,10 @@ module "mybucket" {
   ## optional
   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
   # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
+  # name_include_account   = true
+  # name_include_region    = true
+  # name_include_region_compact = true
+  # name_enforce_region_compact = false
 }
 ```
 
@@ -88,6 +92,25 @@ This will be merged with the default bucket policy which requires TLS and, via o
 optionally requires explicit encryption (`require_explicit_encryption` flag, default false)
 and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
 
+# Options
+## Options :: name\_include\_account
+Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID).  Default
+is false.
+
+## Options :: name\_include\_region
+Use of this flag as true will include current region after the bucket name (name-REGION).  Default
+is false.  If used in conjunction with `name_include_account`, the region will be at the end.
+
+## Options :: name\_include\_region\_compact
+This flag determines if we compact the region to a shorter name, and use it if the name with the full
+region is longer than the maximum of 63 characters.  It takes the first character of the full region
+name and uses that. For example, `us-gov-west-1` becomes `ugw1`.  The default value is true.
+It is still possible to construct a name that is longer than 63 characters and get a failure, even with
+this shorter region value.
+
+## Options :: name\_enforce\_region\_compact
+This flag always compacts the region, no mater whehter the name is longer than 63 characters or not.
+
 ## Requirements
 
 No requirements.
@@ -114,6 +137,7 @@ No modules.
 | [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
 | [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [null_resource.name_too_long](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -146,6 +170,10 @@ No modules.
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | AWS KMS Key ID (one per bucket).  This is currently ignored (and deprecated). | `string` | `null` | no |
 | <a name="input_kms_policy_document"></a> [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `""` | no |
 | <a name="input_metadata_tags"></a> [metadata\_tags](#input\_metadata\_tags) | AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here).  If data\_safeguard labels are applied, they will be incorporated on any bucket objects created. | `map(string)` | `{}` | no |
+| <a name="input_name_enforce_region_compact"></a> [name\_enforce\_region\_compact](#input\_name\_enforce\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name no matter the lenth of the string. Only usable with name\_include\_region. | `bool` | `false` | no |
+| <a name="input_name_include_account"></a> [name\_include\_account](#input\_name\_include\_account) | Flag to determine if we include the AWS Account id in the resulting bucket name | `bool` | `false` | no |
+| <a name="input_name_include_region"></a> [name\_include\_region](#input\_name\_include\_region) | Flag to determine if we include the full region name in the resulting bucket name | `bool` | `false` | no |
+| <a name="input_name_include_region_compact"></a> [name\_include\_region\_compact](#input\_name\_include\_region\_compact) | Flag to determine if we the rewrite the full region name to a shorter region name if the resulting name > 63 characters.  Only usable with name\_include\_region. | `bool` | `true` | no |
 | <a name="input_require_explicit_encryption"></a> [require\_explicit\_encryption](#input\_require\_explicit\_encryption) | When enabled, adds bucket policy to Deny unencrypted uploads and incorrect encryption header.  Should not normally be needed. | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 

title26/main.tf

@@ -21,6 +21,10 @@
 *   ## optional
 *   # kms_policy_document = data.aws_iam_policy_document.mypolicy.json
 *   # bucket_policy_document = data.aws_iam_policy_document.mybucketpolicy.json
+*   # name_include_account   = true
+*   # name_include_region    = true
+*   # name_include_region_compact = true
+*   # name_enforce_region_compact = false
 * }
 * ```
 *
@@ -88,6 +92,25 @@
 * This will be merged with the default bucket policy which requires TLS and, via other settings,
 * optionally requires explicit encryption (`require_explicit_encryption` flag, default false)
 * and address restrictions (lists `allowed_cidr` and `allowed_endpoints`).
+*
+* # Options
+* ## Options :: name_include_account
+* Use of this flag as true will include AWS account ID after the bucket name (name-ACCOUNTID).  Default
+* is false.
+*
+* ## Options :: name_include_region
+* Use of this flag as true will include current region after the bucket name (name-REGION).  Default
+* is false.  If used in conjunction with `name_include_account`, the region will be at the end.
+*
+* ## Options :: name_include_region_compact
+* This flag determines if we compact the region to a shorter name, and use it if the name with the full
+* region is longer than the maximum of 63 characters.  It takes the first character of the full region
+* name and uses that. For example, `us-gov-west-1` becomes `ugw1`.  The default value is true.
+* It is still possible to construct a name that is longer than 63 characters and get a failure, even with
+* this shorter region value.
+*
+* ## Options :: name_enforce_region_compact
+* This flag always compacts the region, no mater whehter the name is longer than 63 characters or not.
 */
 
 locals {