cors_configuration

Type object({
  cors_rules = list(object({
    allowed_methods = list(string)
    allowed_origins = list(string)
    allowed_headers = optional(list(string), [])
    expose_headers  = optional(list(string), [])
    max_age_seconds = optional(number)
  }))
})
Default null
Module s3-bucket

CORS configuration for cross-origin access. Set to null to disable CORS. cors_rules is a list of objects with:

  • allowed_methods: HTTP methods allowed (GET, PUT, POST, DELETE, HEAD) - required
  • allowed_origins: Origins allowed to make requests - required
  • allowed_headers: Headers allowed in preflight requests (optional)
  • expose_headers: Headers exposed to the browser (optional)
  • max_age_seconds: Cache duration for preflight responses (optional)

Overview

Cross-Origin Resource Sharing (CORS) configuration allows web applications in one domain to access resources in your S3 bucket from another domain.

Default Value

cors_configuration = null

Configuration Structure

cors_configuration = {
  cors_rules = [
    {
      allowed_headers = ["*"]
      allowed_methods = ["GET", "PUT", "POST"]
      allowed_origins = ["https://example.com"]
      expose_headers  = ["ETag"]
      max_age_seconds = 3600
    }
  ]
}

Parameters

Parameter        Description                                          Required
allowed_headers  Headers allowed in preflight requests                No
allowed_methods  HTTP methods allowed (GET, PUT, POST, DELETE, HEAD)  Yes
allowed_origins  Origins allowed to make requests                     Yes
expose_headers   Headers exposed to the browser                       No
max_age_seconds  Cache duration for preflight responses               No

Common Patterns

Static Website Assets

cors_configuration = {
  cors_rules = [{
    allowed_methods = ["GET", "HEAD"]
    allowed_origins = ["https://www.example.com"]
    max_age_seconds = 86400
  }]
}

Direct Upload from Browser

cors_configuration = {
  cors_rules = [{
    allowed_headers = ["*"]
    allowed_methods = ["GET", "PUT", "POST"]
    allowed_origins = ["https://app.example.com"]
    expose_headers  = ["ETag", "x-amz-meta-*"]
  }]
}

Best Practices

  • Avoid using wildcard (*) for origins in production
  • Use specific allowed methods and headers
  • Set appropriate max_age_seconds to reduce preflight requests
  • Test CORS configuration thoroughly before deployment
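
The first two practices can be enforced before a value reaches the module. The block below is an added example, not code from the s3-bucket module: a caller-side variable that mirrors the documented type and adds validation blocks. The choice of rules is an assumption of this example, and strcontains requires Terraform 1.5 or later.

```hcl
# Added example: caller-side guard, not part of the s3-bucket module.
# Requires Terraform 1.5+ (strcontains); the rule choices are assumptions.
variable "cors_configuration" {
  description = "CORS rules passed through to the s3-bucket module."
  type = object({
    cors_rules = list(object({
      allowed_methods = list(string)
      allowed_origins = list(string)
      allowed_headers = optional(list(string), [])
      expose_headers  = optional(list(string), [])
      max_age_seconds = optional(number)
    }))
  })
  default = null

  # No wildcard origins, whether "*" alone or embedded
  # (e.g. "https://*.example.com"). try() yields [] when the value is null.
  validation {
    condition = alltrue([
      for origin in flatten([
        for rule in try(var.cors_configuration.cors_rules, []) : rule.allowed_origins
      ]) : !strcontains(origin, "*")
    ])
    error_message = "allowed_origins must list explicit origins; wildcards are rejected."
  }

  # Only the methods the module documents, and at least one per rule.
  validation {
    condition = alltrue([
      for rule in try(var.cors_configuration.cors_rules, []) :
      length(rule.allowed_methods) > 0 && alltrue([
        for method in rule.allowed_methods :
        contains(["GET", "PUT", "POST", "DELETE", "HEAD"], method)
      ])
    ])
    error_message = "allowed_methods must be a non-empty subset of GET, PUT, POST, DELETE, HEAD."
  }
}

module "s3_bucket" {
  source  = "registry.patterneddesigns.ca/essentials/s3-bucket/aws"
  version = "0.1.0"

  cors_configuration = var.cors_configuration
  bucket_name        = "..." # placeholder, as in the module example
}
```

With this in place, terraform plan fails with the matching error_message when a rule contains a wildcard origin or an unlisted method, so the misconfiguration never reaches the bucket.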

Full Module Example

module "s3_bucket" {
  source  = "registry.patterneddesigns.ca/essentials/s3-bucket/aws"
  version = "0.1.0"

  # cors_configuration
  cors_configuration = "..."

  # Other required inputs
  bucket_name = "..."
}