diff --git a/.github/settings.yml b/.github/settings.yml
index a52d225..0038c01 100644
--- a/.github/settings.yml
+++ b/.github/settings.yml
@@ -2,7 +2,7 @@
_extends: .github
repository:
name: terraform-aws-tfstate-backend
- description: Terraform module that provision an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption.
+ description: Terraform module that provisions an S3 bucket to store the `terraform.tfstate` file and a DynamoDB table to lock the state file to prevent concurrent modifications and state corruption.
homepage: https://cloudposse.com/accelerate
topics: terraform, terraform-module, aws, tfstate, dynamodb, locking, aws-dynamodb, terraform-modules, dynamodb-table, s3-bucket, backend, terraform-state, remote-state, hcl2
diff --git a/README.md b/README.md
index 11b6672..af6947a 100644
--- a/README.md
+++ b/README.md
@@ -292,7 +292,7 @@ Available targets:
| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM replication role | `string` | `""` | no |
-| [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Prevent uploads of unencrypted objects to S3 | `bool` | `true` | no |
+| [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Enforce requirement to specify encryption key when uploading content to the S3 bucket.
The name of this variable is a little misleading. Since a default encryption key is created
for the bucket by this module, contents are always encrypted at rest.
Setting this variable to `true` (the default) will require that uploads to the bucket will need
to be initiated with a specific encryption key.
If this variable is set to `true` and an upload is attempted without specifying an encryption key
(including using the S3 Console), an "Access Denied" error will be thrown by AWS. | `bool` | `true` | no |
| [profile](#input\_profile) | AWS profile name as set in the shared credentials file | `string` | `""` | no |
| [read\_capacity](#input\_read\_capacity) | DynamoDB read capacity units when using provisioned mode | `number` | `5` | no |
| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 8debad9..db21248 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -86,7 +86,7 @@
| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| [permissions\_boundary](#input\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IAM replication role | `string` | `""` | no |
-| [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Prevent uploads of unencrypted objects to S3 | `bool` | `true` | no |
+| [prevent\_unencrypted\_uploads](#input\_prevent\_unencrypted\_uploads) | Enforce requirement to specify encryption key when uploading content to the S3 bucket.
The name of this variable is a little misleading. Since a default encryption key is created
for the bucket by this module, contents are always encrypted at rest.
Setting this variable to `true` (the default) will require that uploads to the bucket will need
to be initiated with a specific encryption key.
If this variable is set to `true` and an upload is attempted without specifying an encryption key
(including using the S3 Console), an "Access Denied" error will be thrown by AWS. | `bool` | `true` | no |
| [profile](#input\_profile) | AWS profile name as set in the shared credentials file | `string` | `""` | no |
| [read\_capacity](#input\_read\_capacity) | DynamoDB read capacity units when using provisioned mode | `number` | `5` | no |
| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index bb1e49d..fe72789 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -1,160 +1,6 @@
variable "region" {
- type = string
-}
-
-variable "arn_format" {
- type = string
- default = "arn:aws"
- description = "ARN format to be used. May be changed to support deployment in GovCloud/China regions."
-}
-
-variable "acl" {
- type = string
- description = "The canned ACL to apply to the S3 bucket"
- default = "private"
-}
-
-variable "billing_mode" {
- default = "PROVISIONED"
- description = "DynamoDB billing mode"
-}
-
-variable "read_capacity" {
- default = 5
- description = "DynamoDB read capacity units"
-}
-
-variable "write_capacity" {
- default = 5
- description = "DynamoDB write capacity units"
-}
-
-variable "force_destroy" {
- type = bool
- description = "A boolean that indicates the S3 bucket can be destroyed even if it contains objects. These objects are not recoverable"
- default = false
-}
-
-variable "mfa_delete" {
- type = bool
- description = "A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 )"
- default = false
-}
-
-variable "enable_point_in_time_recovery" {
- type = bool
- description = "Enable DynamoDB point-in-time recovery"
- default = true
-}
-
-variable "enable_server_side_encryption" {
- type = bool
- description = "Enable DynamoDB server-side encryption"
- default = true
-}
-
-variable "enable_public_access_block" {
- type = bool
- description = "Enable Bucket Public Access Block"
- default = true
-}
-
-variable "block_public_acls" {
- type = bool
- description = "Whether Amazon S3 should block public ACLs for this bucket"
- default = true
-}
-
-variable "ignore_public_acls" {
- type = bool
- description = "Whether Amazon S3 should ignore public ACLs for this bucket"
- default = true
-}
-
-variable "block_public_policy" {
- description = "Whether Amazon S3 should block public bucket policies for this bucket"
- default = true
-}
-
-variable "restrict_public_buckets" {
- type = bool
- description = "Whether Amazon S3 should restrict public bucket policies for this bucket"
- default = true
-}
-
-variable "prevent_unencrypted_uploads" {
- type = bool
- default = true
- description = "Prevent uploads of unencrypted objects to S3"
-}
-
-variable "profile" {
- type = string
- default = ""
- description = "AWS profile name as set in the shared credentials file"
-}
-
-variable "role_arn" {
- type = string
- default = ""
- description = "The role to be assumed"
-}
-
-variable "terraform_backend_config_file_name" {
- type = string
- default = "terraform.tf"
- description = "Name of terraform backend config file"
-}
-
-variable "terraform_backend_config_file_path" {
type = string
- default = ""
- description = "Directory for the terraform backend config file, usually `.`. The default is to create no file."
-}
-
-variable "terraform_backend_config_template_file" {
- type = string
- default = ""
- description = "The path to the template used to generate the config file"
-}
-
-variable "terraform_version" {
- type = string
- default = "0.12.2"
- description = "The minimum required terraform version"
-}
-
-variable "terraform_state_file" {
- type = string
- default = "terraform.tfstate"
- description = "The path to the state file inside the bucket"
-}
-
-variable "s3_bucket_name" {
- type = string
- default = ""
- description = "S3 bucket name. If not provided, the name will be generated by the label module in the format namespace-stage-name"
-}
-
-variable "s3_replication_enabled" {
- type = bool
- default = false
- description = "Set this to true and specify `s3_replica_bucket_arn` to enable replication"
-}
-
-variable "s3_replica_bucket_arn" {
- type = string
- default = ""
- description = "The ARN of the S3 replica bucket (destination)"
-}
-
-variable "logging" {
- type = object({
- bucket_name = string
- prefix = string
- })
- default = null
- description = "Bucket access logging configuration."
+ description = "AWS region"
}
variable "bucket_enabled" {
diff --git a/variables.tf b/variables.tf
index ddd4fee..16021bb 100644
--- a/variables.tf
+++ b/variables.tf
@@ -92,7 +92,15 @@ variable "restrict_public_buckets" {
variable "prevent_unencrypted_uploads" {
type = bool
default = true
- description = "Prevent uploads of unencrypted objects to S3"
+ description = <<-EOT
+ Enforce requirement to specify encryption key when uploading content to the S3 bucket.
+ The name of this variable is a little misleading. Since a default encryption key is created
+ for the bucket by this module, contents are always encrypted at rest.
+ Setting this variable to `true` (the default) will require that uploads to the bucket will need
+ to be initiated with a specific encryption key.
+ If this variable is set to `true` and an upload is attempted without specifying an encryption key
+ (including using the S3 Console), an "Access Denied" error will be thrown by AWS.
+ EOT
}
variable "profile" {
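Review bot: The new heredoc description for `prevent_unencrypted_uploads` never states what `false` does, which is the one thing a reader who finds the name misleading needs to know; since the text itself says a default key is created by the module, I would add one sentence after "contents are always encrypted at rest.": `Setting this variable to \`false\` only removes the upload-time check; objects are still encrypted at rest with the bucket's default key.`. The sentence "Setting this variable to `true` (the default) will require that uploads to the bucket will need to be initiated with a specific encryption key." is redundant and reads better as `Setting this variable to \`true\` (the default) requires every upload to the bucket to specify an encryption key.`. It would also help operators to say how the requirement is satisfied from Terraform's side (presumably the S3 backend's `encrypt`/`kms_key_id` settings — confirm against the bucket policy this module generates, which is outside this hunk). The same text is duplicated in README.md and docs/terraform.md in this commit, so those generated tables need regenerating after any edit here.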