diff --git a/README.md b/README.md
index bffb9a7..0c97727 100644
--- a/README.md
+++ b/README.md
@@ -186,6 +186,7 @@ Available targets:
| context | Default context to use for passing state between label invocations | object({
namespace = string
environment = string
stage = string
name = string
enabled = bool
delimiter = string
attributes = list(string)
label_order = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
}) | {
"additional_tag_map": {},
"attributes": [],
"delimiter": "",
"enabled": true,
"environment": "",
"label_order": [],
"name": "",
"namespace": "",
"regex_replace_chars": "",
"stage": "",
"tags": {}
} | no |
| delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes` | `string` | `"-"` | no |
| enable\_point\_in\_time\_recovery | Enable DynamoDB point-in-time recovery | `bool` | `false` | no |
+| enable\_public\_access\_block | Enable Bucket Public Access Block | `bool` | `true` | no |
| enable\_server\_side\_encryption | Enable DynamoDB server-side encryption | `bool` | `true` | no |
| environment | Environment, e.g. 'prod', 'staging', 'dev', 'pre-prod', 'UAT' | `string` | `""` | no |
| force\_destroy | A boolean that indicates the S3 bucket can be destroyed even if it contains objects. These objects are not recoverable | `bool` | `false` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index cffc31c..3b1a418 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -30,6 +30,7 @@
| context | Default context to use for passing state between label invocations | object({
namespace = string
environment = string
stage = string
name = string
enabled = bool
delimiter = string
attributes = list(string)
label_order = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
}) | {
"additional_tag_map": {},
"attributes": [],
"delimiter": "",
"enabled": true,
"environment": "",
"label_order": [],
"name": "",
"namespace": "",
"regex_replace_chars": "",
"stage": "",
"tags": {}
} | no |
| delimiter | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes` | `string` | `"-"` | no |
| enable\_point\_in\_time\_recovery | Enable DynamoDB point-in-time recovery | `bool` | `false` | no |
+| enable\_public\_access\_block | Enable Bucket Public Access Block | `bool` | `true` | no |
| enable\_server\_side\_encryption | Enable DynamoDB server-side encryption | `bool` | `true` | no |
| environment | Environment, e.g. 'prod', 'staging', 'dev', 'pre-prod', 'UAT' | `string` | `""` | no |
| force\_destroy | A boolean that indicates the S3 bucket can be destroyed even if it contains objects. These objects are not recoverable | `bool` | `false` | no |
diff --git a/main.tf b/main.tf
index 8213327..186b151 100644
--- a/main.tf
+++ b/main.tf
@@ -145,6 +145,7 @@ resource "aws_s3_bucket" "default" {
}
resource "aws_s3_bucket_public_access_block" "default" {
+ count = var.enable_public_access_block ? 1 : 0
bucket = aws_s3_bucket.default.id
block_public_acls = var.block_public_acls
ignore_public_acls = var.ignore_public_acls
diff --git a/variables.tf b/variables.tf
index a13a622..05a8003 100644
--- a/variables.tf
+++ b/variables.tf
@@ -138,6 +138,12 @@ variable "enable_server_side_encryption" {
default = true
}
+variable "enable_public_access_block" {
+ type = bool
+ description = "Enable Bucket Public Access Block"
+ default = true
+}
+
variable "block_public_acls" {
type = bool
description = "Whether Amazon S3 should block public ACLs for this bucket"